Its occurrence can evoke feelings of frustration and denial. But the trigger of these emotions may not be as dire as you think. It's the passing of regulations that require technological intervention and, whether CIOs are coming to terms with lost man-hours or budgetary funds, the occasion can trigger emotions of grief. But these mandates, which are becoming increasingly frequent in today's business environment, should not be viewed as the end of the world. In fact, the sooner you can move on to feelings of resignation, acceptance and eventually hope, the better off your organization will be.
"Compliance works like death - the first emotions felt are shock and anger, and then those feelings move on to ones of acceptance," explains John Hagerty, vice president, AMR Research (Boston), and one of the authors of the "2004 Sarbanes-Oxley Spending and Project Planning Study." He explains that there is a risk in responding to compliance with feelings of helplessness. CIOs "who are experiencing the anger phase will approach compliance saying, 'I am not going to do more than I have to,' and, 'I am only doing this because I am forced to.'"
But CIOs who view compliance in a more positive light can create competitive advantage by approaching regulations as opportunities for improvement - rather than obstacles. A study by TowerGroup (Needham, Mass.), "Seven Points You Should Know About IT Spending for Compliance," reports that "IT presents the opportunity to strike a balance between the immediate tactical results of compliance and the longer-term strategic value of business improvement and competitive advantage." Because compliance is so pervasive and it "cuts across the traditional business silos, financial products and services, as well as departmental controls and processes," it's the perfect opportunity for IT to contribute to an organization's long-term growth, the study suggests.
Some insurers, for instance, may choose to view Sarbanes-Oxley compliance as an opportunity to protect their reputational risk and the USA PATRIOT Act as an opportunity to improve fraud detection programs, according to Virginia Garcia, senior analyst, TowerGroup. In fact, she says, more and more companies are adopting this viewpoint.
A 2004 compliance study by InformationWeek Research (InformationWeek is a sibling publication of Insurance & Technology), which surveyed 200 business-technology professionals from a cross-section of vertical industries, including insurance, reports that the majority of respondents believe that compliance with government regulations has spurred positive changes in their companies. Mike Malwitz, senior product marketing manager for consolidation and reporting products at Hyperion (Sunnyvale, Calif.), agrees. "Companies are looking toward achieving the highest return on investment when it comes to technology compliance," he says.
Guardian Life Insurance Company's (New York, $34.1 billion in assets) chief security officer, Marc S. Sokol, CISM, CHS-III, reports that his organization is among those companies. Guardian "always looks at opportunities to improve quality, value and efficiency in our business processes while meeting our regulatory obligations," he says. "Currently, we are developing solutions that enable us to comply with our regulatory obligations with a focus on business goals, risk tolerance, cost benefit and corporate objectives."
As chief security officer of Guardian, Sokol is responsible for "ensuring that reasonable measures are taken to comply with regulations that pertain to protecting the confidentiality, integrity and availability of information and physical assets," he explains. His office collaborates with Guardian's law department on privacy- and identity-related regulations. Sokol also sits on the company's compliance committee. Despite the fact that the carrier has a strong multidisciplinary team to contend with compliance, Sokol concedes that compliance itself - not to mention business improvements beyond the bare minimum - is no easy task.
"From a security perspective, many of the laws and regulations provide differing levels of details and requirements for compliance," Sokol asserts. "Additionally, new regulations are continuously being proposed and released. This presents a significant challenge for keeping track of the ever-growing landscape of regulatory requirements while ensuring ongoing compliance."
Also contributing to the difficulties is the fact that, with compliance, "There is a steep learning curve," contends Brian Casey, partner in the corporate and regulatory insurance practice, Lord Bissell & Brook (Atlanta). "Legal [departments] need to first understand requirements and then educate the compliance people," he says.
Lawson Software's (St. Paul) Steve Brandano, a vertical solutions architect, agrees. "A lot of the unknown relating to compliance is fueling its complexity," he says.