pcquest.com
Compliance to Standards

Wednesday, December 06, 2006


Standards are of two main types: management/process and regulatory. Regulatory standards are mandated by law. Management or process standards are not mandatory, and the organization is usually free to choose the ones it wants or needs to follow. However, there could be circumstances that make it necessary for an organization to follow such standards, such as being associated with another organization or a government that requires its partners to follow a certain standard. While the importance of adhering to standards, both to stay within the bounds of the law and to maintain a minimum level of competency, cannot be denied, their implementation and enforcement can be assisted with IT.

Management/process standards
These are a set of guidelines or principles set forth by reputed management institutions or experts. The four most common standards are as follows.

Six Sigma
A process-quality standard that measures how close a process or deliverable comes to perfection. It can be applied to any process to measure how much quality is delivered. It measures how many opportunities existed to deliver a unit of perfect quality and how many of them had at least one defined defect. Depending on how critical the process is, the specification can be relaxed.

For example, one can define that a manufactured car chassis is completely defective if there exists even one deviation from the exact technical specifications for that chassis (even though the car may still work fine with that defect). To be considered a Six Sigma compliant process, the calculation must not yield more than 3.4 defects per million opportunities. The implementation requires the assistance of experienced Six Sigma leaders called 'green belts' who are themselves overseen by a master called a 'black belt.'

ITIL
The Information Technology Infrastructure Library (ITIL) is a set of management best practices that lead the enterprise toward value for money while maintaining quality in its IT services. ITIL is vendor independent and is published as a series of books by the OGC (Office of Government Commerce), a UK treasury office. Several international standards, such as ISO 20000, have grown out of ITIL practices. It standardizes IT practices across different organizations along a common set of guidelines. Although IT services are covered under the existing ITIL specifications, the OGC has issued a new specification of ITIL that deals specifically with the various aspects of IT services: their design, introduction, operation, improvement and strategy. ITIL v3 is expected to become available in Q2 of 2007.

Just-in-time (JIT)
This is an inventory strategy that improves cost management by reducing in-process inventory. JIT is the standard that gave us the well-known 're-order level' for stocks, which is simply a pre-defined limit, based on historical demand patterns, for stocks of different products or components. Visual signals known as 'kanban' govern the re-order rate by calling for fresh supplies when stocks disappear from the shelves.

However, when demand increases suddenly and unpredictably, JIT can actually hinder the process and increase costs. To smooth the ride over such unstable periods, JIT recommends that two standard deviations of stock be maintained. The right balance is achieved when re-order levels are reduced to very low quantities and refreshed frequently instead of keeping surplus stocks.

CMMI
The SEI (Carnegie Mellon's Software Engineering Institute) developed the original CMM as a process assessment model that helps refine the processes in an organization. The original CMM dealt only with software development. The model evaluates the maturity of a process in an organization (a benchmark) based on the project and its client.

The SEI upgraded CMM to CMMI (CMM Integration) in 2002. CMMI helps you integrate different organizational processes. The latest version of CMMI (version 1.2, released a few months ago) supersedes the CMM and has three main areas: development, services and acquisition. The CMM identifies five key areas against which maturity is evaluated (goals, commitment, ability, measurement and verification) and sets up five levels of maturity for each: initial, repeatable, defined, managed and optimizing.

CMM and CMMI are not off-the-shelf models; they need to be customized for each organization. For this reason, no organization can be 'certified' as being CMMI compliant. Organizations can only be benchmarked/appraised, and the results of that appraisal released.

Regulatory standards
Devised by various regulatory bodies and governments of different nations, these are rules that organizations must follow to continue functioning within the framework of law.

Sarbanes-Oxley & Clause 49
The actual name of Sarbanes-Oxley is the Public Company Accounting Reform and Investor Protection Act of 2002. The Act, among several other provisions, mandates financial disclosure. In order to make the reporting as effective, transparent and trustworthy as possible, two kinds of certification are required under Sarb-Ox.

One is from the authorized signatories of the organization, certifying that they are responsible for establishing and maintaining internal controls and that they have designed such controls to provide information about the company and its subsidiaries to the internal officers for the period that these reports are about.

These signatories must also certify that they have verified the effectiveness of these controls. Similarly, the management must prepare and present an internal controls report as a part of each report as per the US Annual Exchange Act.

This report must certify that the management is responsible for establishing and maintaining accurate financial reporting processes and that they have been assessed and found effective.

Companies listed with the Indian stock exchanges must adhere to the Listing Agreement. Clause 49 of this agreement is currently in the limelight because of changes incorporated into it based on the recommendations of the Committee on Corporate Governance chaired by Narayana Murthy.

This clause sets out guidelines for companies regarding their disclosure policies, with specific steps that key decision makers in the organization must take. The key requirement of Clause 49 is the CEO/CFO certification that proper controls are in place for financial and non-financial processes and that no transactions have been entered into that are fraudulent, illegal or in violation of the company's code of conduct.

Tools you can use

Regulation/Standard        Vendor            Software
Six Sigma                  Minitab           Minitab 14, Quality Companion and (Service) Mentoring
                           SigmaXL           SigmaXL
                           iGrafx            Process for Six Sigma
ITIL                       BPMSpace          BPMSpace
                           IBM               Tivoli
                           CA                Service Management Accelerator
(standard not listed)      SAP/Virsa         Compliance Calibrator
(standard not listed)      OpenPages         Sarbanes-Oxley Express 404
(standard not listed)      Oracle            Tools for compliance
Clause 49                  Skelta Software   Skelta Accelerator
Sarb-Ox, Basel II, FDA     SAP               GRC
Sarb-Ox                    Oracle            PeopleSoft Enterprise Internal Controls Enforcer

COBIT
Control Objectives for Information and Related Technology (COBIT) is an internationally accepted IT governance framework. COBIT allows for effective policy development and IT control practices throughout the enterprise. The current version of COBIT is 4.0. The framework groups 34 IT processes into four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring. For each domain, the framework defines information criteria such as effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability.

COBIT is a learning process that prompts the top management of an enterprise to ask, of each IT process, questions about the relevance of a particular domain to their business, its performance, who is accountable for the process, and how or whether the process and its controls are formalized. As a framework, COBIT is useful for management, users and auditors alike.

Basel II and RBI
This is a banking standard that improves the treatment of risk in the measurement of capital requirements, the regulatory supervision of risk management, and the market-facing disclosures made by a bank. Basel I, adopted in 1988, did not take risk management into account, and regulatory arbitrage could easily circumvent its provisions. Therefore, in 2001 the 'three pillar' Basel II was adopted by the BCBS (Basel Committee on Banking Supervision). The first 'pillar' of Basel II covers credit, operational and market risk management. The second pillar arms regulators with tools to assess and govern risk of various types, including legal and liquidation risk. The final pillar gives the market a better picture of the risk position of the bank.

The RBI decreed in February 2005 that the stipulations of the Basel II regulation would apply only to scheduled commercial banks. Further, it allowed banks in India to use only supervisory haircuts (the extent of marginal capital for a particular asset) and no internal haircuts.

The regulation does not take into account double default (both obligor and guarantor defaulting) before a loss is recorded as incurred. Neither does it take portfolio diversification (which is standard practice today) into account. Post-Basel II, the onus for assessing and maintaining capital requirements (including implementing the processes required to do so) is placed squarely on the banks.

HIPAA
This is a standard for the medical health insurance industry that was voted into effect by the US Congress in 1996. The act governs individual and group health insurance and how such insurance can be accessed, transferred, renewed and protected against misuse (fraud). Basically, group health plans are placed out of reach for individuals, with the exclusion of private health plans. The regulation also specifies how to deal with misuse of health insurance plans and claims, and sets out penalties for this. A privacy rule was added in 2003, which governs how certain types of health-related information can be disclosed or protected; this information is called PHI (Protected Health Information). The specified types were: health status, how health care was being provided for or availed of, and payments made, as applicable to an individual within certain types of entities. Such individuals can also safeguard their contact information. The entities must then maintain records of all disclosures made, appoint a privacy official and provide training about PHI.
