Rob Buckley – Freelance Journalist and Editor

Compliance: Ahead of the game

Don't sit around waiting for the next piece of legislation. It's better to be adaptable and make general compliance your aim. Rob Buckley reports.

No industry or organisation in the country is untouched by compliance. Whether it's employment law, data protection or more notorious pieces of legislation, such as Sarbanes-Oxley, the way companies and their employees behave and conduct business is under ever greater scrutiny. It's no longer enough just to say that everything is being done correctly - now you have to prove it.

How organisations do this varies, as you might expect. Some bury their collective heads in the sand, but others are facing facts and are at least looking at their compliance responsibilities. Some are even buying information technology in an effort to make themselves compliant.

However, as almost every consultant will tell you, compliance is more about process than anything else - technology, if it comes into play at all, comes much, much later. “Compliance, almost by definition, is about process. Technology just automates the process,” says Steven Cox, principal consultant at CA.

So, from the outset, the first step for any organisation is simply finding out which rules it has to comply with and what it must do to comply with them. Most pieces of compliance legislation talk about “protection of end-user data” and the prevention of data loss, but few discuss details, according to Andy Green, security solutions specialist at support services group Alfred McAlpine.

Depending on the sector, there are some clear first stops for information, such as the industry regulator itself. The Information Commissioner will offer advice on Freedom of Information Act compliance, for example, while the Financial Services Authority offers guidance on complying with its many rules and regulations.

However, for more detailed information, particularly with regard to IT systems, bodies such as the International Security Forum (ISF) can provide advice to their members. “The ISF has a database of all the laws in all the countries around the world,” says Dave Martin, lead security consultant at LogicaCMG. “It is maintained by its members around the world. It's one of the best sources I've seen.” He warns that few of the members are lawyers, so anyone consulting the database should also check with their legal department before acting on any information.

Another important set of regulations, the PCI rules, will affect any company processing credit-card transactions from this month. A considerable source of knowledge, thanks to the PCI Security Vendor Alliance, is the website www.pcialliance.org.

To supplement these sources, a new breed of consultants, compliance specialists, has started to arise. These will typically concentrate on specific pieces of legislation or areas of compliance. Ash Salluja of law firm CMS Cameron McKenna specialises in the pan-European financial services regulations, MiFID (Markets in Financial Instruments Directive), which are set to come into force in November. “MiFID affects so many different areas. It has a whole host of disclosure obligations. How you comply is determined by the IT person,” he says.

LogicaCMG maintains a knowledge-management system based on the input of its consultants around the world. It also maintains a research facility to keep an eye on current legislation, as well as forthcoming sources of new laws. CA's Cox estimates that there is one new piece of important compliance legislation each year, with the European Commission worth watching closely: often, several pieces of compliance legislation will be passed at once and require big changes by organisations. It's a good idea to keep an eye on what is being discussed in order to be ready to comply. A pan-European replacement for the Companies Act is one such piece of legislation bubbling under.

As might be expected, technology vendors are also trying to help bridge the gap in compliance knowledge. A growing area of technology is the governance, risk and compliance (GRC) market. Forrester Research's vice-president of risk and compliance research, Michael Rasmussen, predicts that the GRC software platform market will grow steadily over the next few years to £650 million by 2011.
