The reason why this law is needed, explained one US executive recently, is that the market cannot be trusted. “It requires everyone to behave like grown-ups. You can’t keep putting all these risks onto shareholders.”
He was talking about the Sarbanes-Oxley Act, a new law passed as a direct reaction to the big financial scandals at Enron, WorldCom and elsewhere. But he might have been making a more general, and perhaps philosophical, point: almost everyone agrees that better risk management in business is needed; and almost everyone agrees that where failures in business continuity or accountability occur, a wide constituency of stakeholders is affected.
If that failure is in banking, then shareholders, investors and account holders may be affected; if in manufacturing, then suppliers, partners and investors are hurt; and if in public services, the consequences may range from loss of privacy to loss of life.
But these factors alone have not reduced risks to levels that legislators, at least, think are acceptable. Most executives accused of wrongdoing in any of a dozen financial scandals in the US from 1998 to 2001, for example, simply pleaded ignorance.
Similarly, executives at those companies that are brought low by acts of God or of man are rarely deemed to be responsible for having failed to put up sufficient – and usually expensive – defences. In spite of all the publicity, and the dramatic mood change of recent years, most researchers in this area find repeated examples of poor business continuity planning, sometimes bordering on the reckless. “Do we still come across organisations that have outrageously neglected this area? Yes, absolutely,” says Philip Carter, head of professional services for SunGard.
That, in part, explains the raft of new laws, directives and accords that are being put in place across the world, addressing such issues as executive accountability, processes for reducing risk and fraud, maintenance of accurate and secure records, and the ability to withstand major disasters.
Cause and solution
Very few of these laws are specifically about IT – but IT is partly the cause and the solution. When interconnected, high-speed business processes fail, the impact is immediate and serious; similarly, when automated processes fail to prevent fraud, or to protect and record data integrity, then the risks quickly become dangerously high.
This has proved to be particularly true in the banking sector, which has been so affected by new legislation that analysts have dubbed it ‘The perfect storm’. In Europe, Basel II relates directly to business continuity, but was not a reaction to a major disaster or scandal. Rather, financial companies argued that banks should be assessed by their overall level of risk, rather than just by their capital. The aim is to set down clear guidelines on how banks should manage all kinds of risk, and to provide objective benchmarks that they must pass. Those that do pass will be able to carry less capital.
The US Sarbanes-Oxley Act addresses another issue – accountability. It makes executives at all listed companies directly accountable for what happens in their companies – and removes the excuse of ignorance by forcing them to put in place processes that document and reduce risk.
Although the law has recently been amended to be slightly less strict, many US companies have now put in new systems that ensure procedures are followed and that provide a clear, auditable record of all financial transactions through the entire business. A key problem is that they are expected to be able to control risk at their international subsidiaries – and even, in some cases, at close trading partners. In effect, the provisions of the Act are exporting good practice out across the supply chains.
In the US, Fortune 100 companies have spent an average of more than $2 million each on compliance with Sarbanes-Oxley. In Europe, one report suggests that spending on Basel II will eventually exceed the total bill for dealing with the Y2K millennium bug.
Many organisations now find themselves attempting to comply with several major pieces of legislation – and no one knows whether another scandal or another big disaster will require more changes. IT vendors and advisors, attempting to grapple with the issue, are increasingly advising clients to take a holistic approach, incorporating workflow and governance systems that enforce compliance by their employees but remain flexible enough to accommodate change.