
Regular

posted 19 Jul 2004 in Volume 1 Issue 2

The compliance conundrum

In the wake of recent high-profile corporate failures and fraud, information-management initiatives are enjoying renewed interest and investment. Jason Schofield looks at the challenges that lie ahead.

These are anxious times. Hardly a week goes by without another story about a company that has failed to conform to the latest compliance regulations.

Corporate failures and fraud, from Enron to Shell, from WorldCom to Nortel, are making companies more aware of the need to secure their electronic data. Whether you’re a public-sector organisation that needs to meet the forthcoming demands of the UK Freedom of Information Act, a CFO losing sleep over section 404 of the Sarbanes-Oxley Act or a financial institution that needs to comply with Basel II, the underlying message is clear – develop effective and transparent information-management practices or risk the consequences of non-compliance.

In the past, IT departments have often struggled to justify, in monetary terms, the reasons for investing a lot of time and effort into changing information systems. Today, the maelstrom of incoming legislation governing how businesses handle data should provide CIOs/CTOs with myriad funding opportunities to drive organisational change and improvement.

According to a survey of 166 senior executives around the world, conducted by the Economist Intelligence Unit (EIU), 59 per cent of companies are investing heavily in their existing IT systems to meet compliance objectives, while 34 per cent are buying new systems.

But solutions will not be cheap. Preparing a medium-size or large bank for International Accounting Standards will cost between £15m and £60m, says the EIU, and Sarbanes-Oxley, which affects those with a US listing, will cost £4.4m per organisation.

Basel II, meanwhile, which requires banks with international business lines to collect and analyse data from disparate systems, business units and geographies, with near real-time recall, could cost $2bn across Europe. The EIU study states that “Basel II alone is more complex than Y2K and euro projects”.

This would appear to be very good news for IT solution providers who are busy selling software on regulatory issues. The need to keep records of every communication entering and leaving the organisation is spurring interest in document-capture and records-management systems, while the requirement to provide clear audit trails is expected to drive uptake of single-sign-on systems. Content-management systems, which help control the document-management lifecycle, and search tools, will also play key roles.

With a glut of compliance solutions entering the marketplace, however, it’s important that companies do not view new regulations as a burden or a cost centre. Those organisations that look beyond the minimum compliance requirements of various regulations will reap the benefits of improved records-management and information-management practices and disciplines, higher standards of customer service, and better internal communications and information sharing. A holistic approach to information management will also protect companies from forthcoming legislation.

But vendors will have to work hard to persuade corporate buyers. Burned by broken promises and bewildered by a dizzying array of hardware and software that’s still underused, they are more sceptical than ever before.

As CIOs, CFOs and other executives deliberate on how to deal with the demands and costs of complying, it’s worth remembering that compliance is not solely an IT solution. The EIU survey indicates that top of investment priorities is ‘employee training’, cited by 65 per cent of respondents. Continuing this theme of non-IT investments, 49 per cent said they would be ‘revising products and services to meet new regulatory requirements’, 38 per cent said they would be ‘employing specialists in risk analysis’ and 34 per cent mentioned ‘expansion of the compliance department’.

Analysts are quick to point out that compliance issues will also affect smaller companies. Having witnessed the collapse of corporate giants in recent years, a growing number of privately held companies are adopting corporate-governance practices and incorporating accounting standards stipulated by Sarbanes-Oxley, even though they are exempt from the law’s requirements. Such organisations are acutely aware that compliance with Sarbanes-Oxley is a precondition for going public, being acquired or raising money from venture capitalists. Some of these companies are also adding outside directors to their boards to strengthen their defences against corruption.

And if there is any doubt over the longevity of the compliance market, we need only look to the US, which passed 4,000 new regulations dealing with records management last year alone. In Europe, the forthcoming Environmental Information Regulations and a new auditing directive from the European Commission, announced as recently as March 2004, are merely signs of things to come.

Copyright ©1994-2005 Ark Group Ltd All rights reserved. No part of this site or the publications described herein
may be reproduced in any form without the permission of Ark Conferences Ltd, Registered in England, No. 2931372.