Rob Buckley – Freelance Journalist and Editor

Compliance: Ahead of the game

Don't sit around waiting for the next piece of legislation. It's better to be adaptable and make general compliance your aim. Rob Buckley reports.

An all-singing, all-dancing GRC platform is usually not necessary, and there are other, smaller or more conventional pieces of technology that can help. In many industries, retention and disposal of documents may be one of the few things that need to be considered for compliance, so a document or records management system may be all that's needed - although implementing one of those is by no means a simple task.

Proving that all employees are up to speed with the organisation's policies is an important factor in most compliance regulations. A policy management system such as Netconsent's can be of help. It works by forcing all employees to agree to the policy before they can log onto the corporate network, and can also make them answer questionnaires about it to ensure they have understood it. A central database records how long each person took to read the policy, flagging anyone who took too short a time and therefore needs further training.

“Policies on paper don't stand up with legal and regulatory bodies. This is a serious emerging management problem,” warns Robin Saunders, managing director of Netconsent.

All the same, with the torrent of compliance regulation unlikely to abate and an EU version of Sarbanes-Oxley still being developed, companies can either fight fires now or work on a compliance strategy for the longer term. Certainly, those affected by MiFID will find that its terms are still in flux, according to Salluja, so even if you are compliant now, you may soon not be. Involving risk and compliance thinking in IT strategy wherever possible is certainly wise.

If possible, evolving the architectures to the point where they can support frequent process changes through business process management, service-oriented architectures or workflow will help with future compliance. Indeed, says Cox, it can be worth taking your mind off the specific regulations you're trying to adhere to now. “Just try to comply in general. One set or another will change. When that happens, you'll be able to insert a new configuration.”

However, despite great advances, the costs of trying to achieve such a “state of nirvana” might prove prohibitive, admits Paul Beach, a partner at Atos Consulting.

Lack of action
Knowing what to do and actually doing it are two different things, however. The FSA, for instance, carried out research recently to see how compliance consultants were used in small mortgage, general insurance and financial advice firms. Of the 22 companies visited by the FSA that employed compliance consultants, half still had significant weaknesses in their processes and systems. More than a third of the firms failed to act on recommendations from their consultants that would have improved their compliance, the FSA found.

Cox says compliance projects sometimes fail because of short-termist thinking. “There's a 50/50 split in companies. There are those who spend their time planning and those who ignore the problem and end up short on time.” Budget is another constraint. When there is any money allocated for compliance, it tends to be too little, generally as a result of optimism on the part of the company as to how much the project would cost to implement.

As a result, says Green, most companies don't try to create an underlying compliance-friendly architecture. “The focus has been on 'getting this bit compliant'.” Consequently, they don't make any of the possible gains available from wider systems changes.

Compliance - or GRC - isn't going away. It will place increasing demands on infosec professionals, to varying degrees depending on the industry they work in. The fully compliant enterprise may well be possible, but whatever happens, it won't be compliant for long unless it learns to adapt.
