Understanding Compliance

Compliance should not be driven by regulations alone. It must come from the need to have a credible, transparent, repeatable and well-documented system in place, one that spans the whole enterprise

Sujay V Sarma

Saturday, March 10, 2007


There is a lot of noise out there about compliance, enough to make it sound like something new. Recently, one storage vendor released a product claiming it was in line with regulatory requirements, and a noted lawyer penned a whitepaper around that product and how it helps. But behind all that noise there is a steadier tune: all these regulations, statutes and laws serve only to make the organization you run, and its business, more transparent, credible and trustworthy. That is the tune to listen to. Block out the rest, including warnings of dire consequences and media hype about this or that organization suffering huge penalties for non-compliance.
Focus instead on building a set of uniform, documented and repeatable processes across the enterprise, in which every employee, user or external entity knows who raises a request, who responds to it and who arbitrates. Once that is in place, true compliance follows naturally.

Direct Hit!

Applies To: IT managers
USP: Regulations are the primary drivers to compliance. But where should compliance start from?
Primary Link: http://preview.tinyurl.com/yu9c6e
Google Keywords: Why compliance

Recognize the need
Ask yourself: why do I need compliance? Beyond the answer given above, is there a regulation or standard you must adhere to, one that therefore starts the compliance drive in the organization? For instance, if you are in the medical industry in the US, or process US health data, you need to be HIPAA compliant. If you have an IT department (as you obviously do), then consider COBIT and ISO/IEC 17799:2005 (since renumbered ISO/IEC 27002). Other reasons to strive for compliance are an external requirement (are you a BPO whose clients demand it?) or better customer perception (a marketing strategy).

The drive towards compliance is an asymptotic exercise, mainly because it is a continual, iterative activity. First you evaluate where you stand and where you want to get to. Then you implement some policies and procedures. Next you evaluate whether there are problems with them, whether there are non-complying entities, and so on, and attempt to rectify these. As long as your organization grows, enters new markets, sees turnover of manpower and updates its vision and mission, compliance will never be completely achieved. You will get arbitrarily close to it, but never stand on a point and say, "Today we are fully compliant, we need do nothing further from here". That's Utopia.

You should be willing and able to create the resources and marshal them until, to start with, a reasonable level of compliance is achieved. For instance, enterprises frequently appoint a dedicated wing of audit personnel, headed by a Chief Compliance Officer, to monitor compliance-related activities in the organization. They need assistance from a legal wing (or an expert consultant) from time to time to interpret new laws and regulations and their relevance to your specific organization and business needs. Can your organization provision such a department for this exercise?

Work out your plan
Now decide which particular requirements you need to address. Even if the agenda in question is regulatory in nature, are there parts of it that are optional? For some standards you may find an international version, a local-national (say Indian) version and a version specific to the entities you do business with or the regions you have markets in. For instance, as an Indian organization with business interests in the UK, would you follow ISO 17799 or BS 7799? Some of these standards also let you pick and choose the specific controls you will comply with, as long as you document and justify what you leave out. This lets you tune your level of compliance to exactly what you require.

There will be documents to maintain, resources to organize and responsibilities to affix. Many processes that earlier ran without a fixed authority at their head must now follow a prescribed workflow. If it is a legal requirement, certifications will be needed from key personnel (like you) stating that all the information in a published report is accurate and verifiable.

Now, in order to achieve such a guaranteed level of trust, your processes must be foolproof. And beyond a certain point, your IT cannot safeguard information once it has crossed into the offline world. For instance, if a confidential business deal was being worked on and your personal assistant saw the mail, then even if he cannot print it or forward it to a competitor, he can still photograph it with a camera or write the salient points on a piece of paper and carry that out. And however sophisticated the system you implement, how would you detect that your purchase officer was taking a kickback on stores inventory orders? Even the Indian IT Act 2000 recognizes this: you cannot be held liable for something you did not know about (not knowing the law is still no excuse) if you can show that you did everything reasonably possible to prevent it. The practical consequence is that technical controls must be backed by documented due diligence: a record that you looked, and of what you did about what you found.

What are the risks of not complying? If that risk works out to zero, you need not spend time, money and other resources trying to achieve a particular compliance. Some forms of compliance safeguard the interests of the enterprise, and the risk of not implementing them is too great to ignore. Other forms of regulatory compliance are necessary from the legal standpoint and invite legal action if ignored.

Dos and don'ts of compliance
  • If you use external consultants to drive your compliance exercise, create agreements with them regarding how they protect your IP and the guarantee of getting compliance to the level you desire.
  • Get your staff trained in the required mechanisms.
  • Include the urgency of being compliant and consequences of not complying in employee communications like handbooks, intranet portals, etc.
  • When you need to take remedial measures, have the results audited as well.

Implement and audit
Unlike IT implementations, implementing compliance is not about deploying software. Of course, IT can help you with compliance (even with specific standards or regulations) by providing the appropriate reports or checklists. For instance, a tool that claims to help with Sarbanes-Oxley will generate the required financial reports, ensure that the required level of data integrity is maintained and give your CFO a mechanism to attest that the information is accurate to the best of his knowledge. Within such a system, every change to the data, every addition and deletion, is recorded with a stamp of who did it and when; the record itself must also be protected from later alteration, or it proves nothing. This lets you trace back and verify what happened, and affix responsibility for action or inaction on a specific individual in the organization.
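As an added example of the audit trail just described (this is illustration written for this page, not code from the article or from any Sarbanes-Oxley product it mentions), the following Python records who changed what and when, and chains each entry to the previous one with a SHA-256 hash so that a later edit of any entry, or its removal, is detectable. The class name, the ledger items (invoice/1042, vendor/77) and the three sample changes are constructed for the demonstration.

```python
"""Tamper-evident audit trail: who changed what, and when.

Added example, not code from the article or from any product it
mentions. Every entry records actor, UTC timestamp, action and the
before/after values, and carries a SHA-256 hash chained to the previous
entry, so editing or deleting any earlier entry invalidates every hash
that follows it. Class and function names and the sample ledger changes
are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # stands in for the hash "before" the first entry


def _digest(prev_hash: str, record: dict) -> str:
    """SHA-256 over the canonical JSON of one record, chained to its predecessor."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only log of data changes with actor and timestamp on each entry."""

    def __init__(self):
        self.entries = []  # each: {"record": {...}, "hash": "<hex sha256>"}

    def append(self, actor, action, target, before, after, when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "actor": actor, "when": when,
                  "action": action, "target": target,
                  "before": before, "after": after}
        entry = {"record": record, "hash": _digest(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    @property
    def head(self):
        """Hash of the newest entry; store it where the log's owner cannot reach."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Recompute the chain from genesis.

        Returns (True, None) if every entry still fits, otherwise (False, seq)
        for the first entry that does not. The chain alone cannot detect the
        silent removal of the newest entries, so pass the head hash that was
        stored outside the log (e.g. handed to the auditor) to catch truncation.
        """
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            record = entry["record"]
            if record["seq"] != i or _digest(prev, record) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None

    def history(self, target):
        """All recorded changes to one data item, in order, with who and when."""
        return [e["record"] for e in self.entries if e["record"]["target"] == target]


def build_sample_trail():
    """Constructed sample: three changes to a hypothetical ledger."""
    trail = AuditTrail()
    trail.append("asha", "create", "invoice/1042", None,
                 {"vendor": 77, "amount": 12500}, when="2007-03-01T09:15:00+00:00")
    trail.append("ravi", "update", "invoice/1042",
                 {"vendor": 77, "amount": 12500},
                 {"vendor": 77, "amount": 15200}, when="2007-03-02T11:40:00+00:00")
    trail.append("meena", "delete", "vendor/77",
                 {"name": "Acme Stores"}, None, when="2007-03-03T16:05:00+00:00")
    return trail


if __name__ == "__main__":
    t = build_sample_trail()
    anchor = t.head                       # kept by the auditor, outside the log
    print("intact:", t.verify(anchor))    # (True, None)
    t.entries[1]["record"]["after"]["amount"] = 12500   # quietly "fix" the amount
    print("after edit:", t.verify(anchor))              # (False, 1)
    for r in build_sample_trail().history("invoice/1042"):
        print(r["when"], r["actor"], r["action"], r["before"], "->", r["after"])
```

The design point is the second argument to verify(): hash chaining only proves that what remains is internally consistent. Someone who can write to the log can drop its newest entries and leave a chain that still verifies, so the current head hash has to be held by a party who cannot write to the log (the auditor, a write-once medium, a separate system) and compared at audit time. Timestamps should likewise come from a trusted clock, not from the user supplying the change.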

Like all implementations, the compliance drive needs a periodic audit cycle. This can be as simple as a health check to find out whether everything is working as planned and implemented; where there are problems, remedial measures are taken. Remedies can be as small as re-assigning tasks or as large as reworking entire workflows. Experts suggest that different sets of consultants be called in for the implementation, audit and remedial cycles. They warn that otherwise consultants may pad their bills with spurious requirements or measures.
