When energy giant Enron collapsed in December 2001, few observers could have forecast the wave of legislation that followed.
Within seven months, the Sarbanes-Oxley Act was on the statue books in the US, while financial authorities across the world started tightening their regulations in an attempt to bolster confidence in equity markets and prevent further Enrons.
In truth, however, the pendulum was already swinging in the direction of greater regulatory intervention, particularly in Europe. The Data Protection Directive passed by the European Union in 1995 had become law in various countries in the region during the latter half of that decade, while country-specific legislation, such as the UK’s Freedom of Information Act, was passed in 2000 for implementation in 2005.
Meanwhile, industry-driven regulation was also taking shape. In 2000, the European Union adopted the International Financial Reporting Standards, an ambitious attempt to harmonise accounting standards around the globe, with a start date of 2005, and in the financial services sector, the New Basel Capital Accord (or Basel II) was proposed in January 2001 and timetabled to take effect over 2005 and 2006.
Those are just some of the major pieces of regulation; the list of other new rules runs to pages and has varying levels of impact depending on an organisation’s sector. But the upshot is clear: 2005 is the crunch year for regulatory compliance.
Interpreting this raft of regulation is no mean feat. Many of the rules overlap or even contradict each other. And translating them into specific changes in business processes and ensuring that these are adequate to fulfil the regulatory demands is proving challenging for senior management. In most cases they are looking to IT to satisfy these requirements.
As a result, IT organisations are having to ensure that systems meet the specifics of each set of regulations and satisfy the auditors of those rules.
What is evident is that this is no one-off change, neither is it only about regulations. There is a broad movement towards greater governance and organisations need to use and adapt technology to minimise the impact.
“Governance is about more than complying with statutory regulations. Organisations are facing requirements that incorporate auditability, timeliness, accuracy and risk management, and this will not be an isolated experience,” says Lee Geishecker, an analyst at IT industry consultancy Gartner.
In some areas, analysts estimate that 75% of the effort involved in complying with this level of governance is IT-related.
There are contrasting views on how that impacts the IT function. Some are viewing compliance as another Y2K – an obligation that brings no intrinsic benefit. “Compliance is soaking up all my budget, yet it gives us nothing in terms of greater functionality. It is a huge distraction,” says one CIO at a large chemicals company.
Others take a different stance, seeing a level of ‘compliance dividend’. The fact that, under legislation such as Sarbanes-Oxley (SOX), senior executives within an organisation face severe sanctions, has actually freed up budget. But the practical elements of compliance come down to confidence in how well the systems fulfil the regulatory requirement.
That demands the creation of some kind of overall control framework, designed to show an auditor that the IT department has systems under control. “The combination of business processes, supporting technology and infrastructure is key to establishing an effective framework to deal with the regulations and requirements associated with governance,” says Gartner’s Geishecker.
Many organisations faced with the need to implement the new regulations have already decided that a useful starting point is COBIT (Control Objectives for Information and Related Technology), a framework developed by the IT Governance Institute. Others are drawing on ISO17799, the international standard for security management.
Such moves underscore the fact that the new world order is one of greater executive accountability and transparency. “The era of deregulation is over, and the pace of new regulations is increasing for all industries, including government,” says Geishecker. “Compliance needs to be seamless and transparent within business systems.”