• United States



by Adrian Bowles

Building A Defensible Compliance Strategy

Dec 01, 200312 mins
CSO and CISOData and Information Security

RFG believes the tide of new regulations affecting all industries, and additional rules aimed at specific regulated industries, will rise unabated for the foreseeable future. IT executives, as well as all other executive management, need a process to ensure that they are aware of and in compliance with these regulations. A prudent strategy should attempt to assure demonstrable compliance, while mitigating the risks associated with non-compliance. In the unfortunate case of non-compliance, it will be critical for corporate executives to be able to demonstrate that industry best practices have been followed consistently to minimize penalties. The most defensible processes are likely to be those defined by collaborating competitors.

Business Imperatives

New regulations that impact all public companies operating in the U.S., including the Gramm-Leach-Bliley Act (GLBA), the Sarbanes Oxley Act (SOX), and the U.S.A. PATRIOT Act are placing an increased burden on IT resources. (“U.S.A. PATRIOT” is an acronym for “Uniting and Strengthening America by Providing Appropriate Tools to Intercept and Obstruct Terrorism.”) Likewise, regulations focused on specific industries nationally and internationally, such as the Health and Insurance Portability and Accountability Act (HIPAA) and Basel II drain resources from strategic projects. IT executives need a process to identify and track relevant regulations, and ensure that appropriate resources are allocated for compliance.

Global businesses face special burdens. For example, the same regulation may be interpreted in different ways in different countries, and a regulation from a single country may require a different process for multi-national accounting roll-ups. IT executives responsible for global operations should develop a process to identify these emerging regulations and their subsequent IT requirements, along with processes for ongoing compliance management.

When regulators come calling, the best defense is absolute compliance. Failing that, however, the best defense is generally to have, and consistently follow, a process that demonstrates best practices as found within your industry. IT executives should explore the potential for collaboration with peers to share practices that may mitigate liability.

We’re from the Government, and We’re Here to Help

Regulations aimed at protecting consumers, investors, and workers are nothing new. What is different in the 21st century is the pace of introduction of these regulations, the significant demands on IT posed by many, and the extent of the penalties to be levied for non-compliance.

Whereas IT executives could once count on their internal colleagues to monitor emerging rules and provide requirements for them to implement, such a passive strategy is untenable in the current global environment. Furthermore, RFG hears from IT executives that their legal departments often lack the expertise to advise IT on compliance issues.

Most regulations that require IT support fall into one or more of the following categories.

  • Environmental includes issues such as pollution control and hazardous waste disposal.
  • Governance includes regulations aimed at improving the public visibility of business processes likely to impact the viability of large enterprises. This is a broad category that includes e-mail retention requirements for financial services to SOX requirements for attestations of accounting accuracy. Within this category, specific vertical markets may be further restricted. Within financial services, for example, a variety of risk management requirements govern acceptable practices.
  • Safety issues range from statues on ergonomic furniture to transportation of hazardous materials
  • Security/Privacy addresses restrictions on the collection and handling of sensitive corporate, government, and personal data. In some jurisdictions, this may include detection of money laundering and specific prohibitions.
  • Trade Restrictions including embargoes and tariffs.

All of these categories are popular with national governments, and in some cases, provincial authorities exercise the prerogative to enact more stringent requirements. (The State of California’s automotive environmental restrictions and recent privacy legislation are well known examples.) In some cases, similar regulations in different states require different actions, which further compounds the problem.

More recently, there has also been an increase in specific regulations aimed at ensuring business continuity in the event of a natural or man-made disaster to preserve financial markets and national infrastructures.

Numerous resources both free and fee-based exist to help firms plan their compliance efforts. The problem for most firms is not a lack of information; it is a lack of appropriately organized information. As the small sample of sites shown in Figure 1 demonstrates, there are Web sites aimed at specific regulations, specific vertical markets, and even general regulatory categories.

Figure 1: Sample Resources for Monitoring Emerging Regulations
ResourceCategory (general or vertical)Publisher/Notes
Banking Risk IssuesBankingRegulatory Risk Monitor best practices
Compliance ConnectionHR and payrollCeridian newsletter
Compliance ReporterSecurities regulation reportsAffiliated with Institutional Investor News
Corporate Governance ServicesGovernanceConsulting services focused on SOX and emerging regulations
Hazardous Materials RegulationsArms trafficking, hazardous materials transferUnz and Co.
HIPAA UpdatesSecurity/PrivacyCenters for Medicare & Medicaid Services (CMS) /HIPAA regulation news and emerging practices
Organization for Economic Cooperation and DevelopmentInternational GovernanceOECD
Transportation RegulationsTransportationThe Compliance Network
U.S. Defense RegulationsDefenseU.S. Department of State Directorate of Defense Trade Controls

Source: Robert Frances Group

What is missing is a single source that operates in both “push” mode to alert a firm that a relevant regulation is emerging or evolving and “pull” mode to allow the firm to request more details on demand. Ideally, such a resource would allow a profile-based member registration that could send just the right information to the right people at the right time. In the real world, that would include regulations in all five of the categories mentioned above, from at least the 191 Member States of the United Nations, and their aggregated member organizations, such as the European Union (EU) and the North Atlantic Treaty Organization (NATO). A quick glance at the combinatorics and the potential for liability due to errors and omissions makes it easy to see why no single source has yet emerged.

Typically, internal resources from cooperating departments, such as accounting, human resources, legal, and perhaps compliance, have worked together to identify appropriate regulations and communicate the requirements to IT when systems changes are indicated. Coordinating these efforts may be assigned to a staff compliance officer, but in general, IT is often the last to know what preventive or remedial actions will be required. As the pressure and the penalties increase, IT executives must take a more active role or be prepared to take the blame when efforts fail.

A Sample Process

With a typical firm attempting to comply with dozens to hundreds of regulations, it is imperative to have a process in place to determine first which rules apply, and second, how to comply with each one.

Establishing a process to monitor emerging and evolving regulations to determine their potential impact on information systems requires a commitment to ongoing research. Although numerous consultants may offer services to alert firms to pending regulations, the ultimate responsibility for identification and compliance cannot be delegated. Today, therefore, it is prudent to assign internal staff to this task. Organizationally, this role (which may in fact be several people full or part time depending on the complexity of the organization’s activities) needs good communication channels with intra-firm stakeholders from compliance (especially for regulated industries), finance, and tax/audit.

IT executives and their organizations should start by identifying the appropriate top categories of regulatory statutes, and then deriving the list of specific regulations. Alternatively, one could start by identifying the top current regulations, and then expanding to find the appropriate categories. For example, if HIPAA were a top issue, then one would look at general categories of privacy and health sciences.

For global firms, one would begin with the highest-level government authority that exercises jurisdiction over corporate activities. For example, one should look at the EU regulations before focusing on Italy, even if Italy happens to be the only EU member nation in which the firm currently does business, and then dig down to provincial authorities as required. The enterprise should take the following steps:

  • For each governmental authority review:
  1. Each applicable category of regulation (all general plus vertical specifics)
  • For each candidate regulation review:
    1. All relevant IT-enabled/facilitated business processes
    2. All products/deliverables used/developed
      1. Internal
      2. External (including subcontractors and packaged software)

    For each relevant (binding) regulation identified, firms face three general courses of action, each with its own risk profile as shown in Figure 2.

    Figure 2: IT Choices for Compliance
    Build a solutionFull control over the process, possibly the fastest and cheapest route for some regulations, if the appropriate infrastructure is in place.In the event that a firm is found to be out of compliance, this is the worst possible scenario, and maximum penalties may apply. It also has the greatest potential for reputational risk, in addition to punitive risks.
    Buy a solutionIf a packaged solution exists, maintenance of the process should be less expensive. If the solution achieves significant market share, the defensive position of the firm is enhanced in the event of non-compliance. Moreover, keeping up to date with regulations is a very challenging task. If this application were to be built in house, the organization would have to devote a minimum of one full-time employee to this. Regulations not only change daily, but multiple times a day. Additionally, vendors that get into this business already have experience with doing business internationally. Their consulting services may also provide the organization with some best practices for maintaining compliance. Moreover, their solutions may offer improvements (automation) over current processes.This option entrusts, but cannot delegate, some aspects of compliance to a third party. Typical vendor due diligence concerns are magnified based on potential exposure, including reputational risk.
    Share a solution

    Developing a common solution with peers and competitors, perhaps facilitated by a third party, is a risk mitigation strategy.

    Peers are in the best position to develop common best practices, and in the event of non-compliance a penalty to one participant results in a penalty to all. While this may sound trivial, it is potentially the best risk mitigation strategy available, if a sufficiently impressive peer group can be established. Minimized if sharing partners have similar or better reputations in one’s market.

    Vendors that offer these solutions include (but are not limited to): Nextlinx Corp., OCR Services Inc., Open Harbor Inc., Tradebeam, Inc., and Vastera, Inc.

    When the regulators show up be they bank examiners, Occupational Safety & Health Administration (OSHA) inspectors, or perhaps your friendly auditors there is nothing like a rigorous process and demonstrable history of compliant behavior to quell the natural reaction of fear. Unfortunately, there may be times when even the best laid plans and processes fail, and a firm with good intentions finds itself out of compliance. Even if it is a matter of a technical violation rather than a violation of the spirit of the regulation, the issue will be easier to resolve amicably (minimizing penalties) if it can be demonstrated that the enterprise’s efforts met or exceeded current industry norms. Basically, defenses fall into the same three categories first encountered in primary school:

    “I made a mistake.”

    “No one else did it better.”

    “Nobody could do it better.”

    In the first case, the enterprise is at the mercy of the evaluator. If this is an individual effort, the results may be calibrated against market norms, but the enterprise cannot depend on any leniency. If, however, the enterprise can show that it falls into category two, it is in a stronger position. Of course, there have been recent prosecutions that remind us that entire industries may be condemned if irregularities are widespread, but one’s chances are still somewhat better in this group than going it alone. Using a market dominating commercial software package offers such a defense, although for compliance, the norm includes some local customization of processes, which reduces the effectiveness of this argument.

    The final defense may be thought of as the “NP-complete strategy.” (In mathematics, a Nondeterministic Polynomial time or NP-complete problem is not just hard it is provably hard.) If a group of leading firms collaborates to develop a best practice for compliance and fails, it may serve as an informal proof of difficulty or regulatory ambiguity. It would be much more difficult to extract the maximum penalty from each of them than if any one individually came up with the same solution and failed alone. “The dog ate my homework” really is a better defense if it can be proved that the same dog actually ate everybody’s homework.

    None of these regulations inherently adds value in the eyes of end users. Excellence in compliance is thus more of a defensive strategy than a source of competitive advantage, unless competitors appear unlikely to remain viable in the face of regulatory onslaught. Therefore, it is likely that collaboration can both reduce the cost of compliance, and increase the defensibility of the process. IT executives who understand the limited utility of individual excellence in non-differentiating activities will be rewarded for such collaborations.

    RFG believes the pressure on IT to provide compliance solutions, and the potential penalties, will both continue to increase in severity. IT executives who wait for guidance from their compliance, finance, or legal departments may find themselves and their firms at a disadvantage. Taking the initiative to find and track emerging regulations for partner departments rather than waiting for direction from these partners demonstrates a leadership role for IT management, and prudently mitigates enterprise risk. Also, recognizing that good intentions have little legal benefit when the regulators come calling, it is incumbent upon IT executives to band together with market peers to develop and share best practices for these non-differentiating initiatives.

    RFG analyst Adrian Bowles wrote this Research Note. Interested readers should contact RFG Client Services to arrange further discussion or an interview with Dr. Bowles.