Too many companies are wasting millions of dollars on manual, redundant compliance systems, say experts.
In fact, according to a new survey of 132 finance and technology executives by compliance software vendor ControlPath Inc., 74% said their companies use mostly manual processes, such as spreadsheets and Microsoft Word documents, to comply with government regulations. Even more grim: 70% admitted they had multiple projects in place for each regulation, even though it's redundant. Only 25% say they're automated.
Matt Speare, chief information security officer at M&T Bank, a $56 billion Buffalo, N.Y., financial institution, said when he joined the company two and a half years ago, the bank was wasting about $500,000 a year with its compliance program.
"It was definitely a manual approach and not centralized," Speare said. "The lines of business were very much responsible for documenting their own controls and compliance. There were a lot of spreadsheets flying around."
John Hagerty, vice president of Boston-based AMR Research Inc., said many companies take a manual approach to compliance because "it's the path of least resistance." It only costs manpower to maintain manual compliance processes, rather than a technology investment.
"They don't see a need to organize and manage it, but the larger the company gets, the more pain people feel with manual approaches. The place they start feeling the pain is around cost. But it also comes down to an issue of visibility. Where do I have problems? Where do I have exposure? That's when it starts to become a more strategic issue because management is asking for an overall view of this."
Indeed, Englewood, Colo.-based ControlPath's survey found that executives at companies that automate their compliance processes are more than twice as confident that their companies are compliant. Forty-eight percent of executives whose companies are mostly automated said they are confident in their compliance programs. Only 23% of executives whose programs are mostly manual felt the same.
When Speare came on board at M&T Bank, the institution was subject to the privacy regulations of the Gramm-Leach-Bliley Act (GLBA), and was in its first year of establishing a compliance program for the accounting regulations of the Sarbanes-Oxley Act (SOX).
Speare said there was significant overlap in the controls required by both regulations, but there was "no mechanism to cross-match them. Sarbanes-Oxley was a totally redundant exercise."
Khalid Kark, an analyst at Cambridge, Mass.-based Forrester Research Inc., said compliance software vendors are partly to blame for compliance redundancy. He said many vendors have developed products that focus on one set of regulations.
"Vendors came out and said, 'This is a one-off thing,'" Kark said. "'Our product is going to help you do HIPAA [the Health Insurance Portability and Accountability Act].'"
When Sarbanes-Oxley or another regulation came along, vendors would offer a separate module, Kark said. "It made more revenue for vendors, but there has been a lot of mistrust because of that. Some people have been put off and they are saying, 'Let me do this myself until someone offers a holistic solution.'"
Hagerty, of AMR Research, said customers can't wait for vendors to offer a unified approach to compliance.
"Vendors have sold to companies on paying points, on an initiative-to-initiative basis, but it's up to larger firms to recognize a need for a holistic approach to compliance. Vendors can provide the technology, but if an organization doesn't recognize that it has to happen, then it's not going to happen."
Kark said, "The whole industry is moving towards a holistic approach to compliance, because they're getting feedback from security managers."
This approach not only improves efficiency, but it also helps companies prepare for future regulations that are as yet undreamed of by Congress.
Speare adopted ControlPath's Compliance Suite, which take a unified approach to GLBA and SOX compliance. It has automated more than 500 processes at the bank and improved Speare's confidence in his compliance program.
"My level of confidence is much higher, but I will never say I am 100% confident in anything just by virtue of my job."
Speare said he feels ControlPath has improved his organization's ability to react to new regulations in the future.
"Regulatory environments change constantly," he said. "By having mechanisms in place that help us understand what we do today to mitigate risk across all 15,000 employees, it puts us in a better position to react to changes in regulations and legal requirements."
Let us know what you think about the story; email firstname.lastname@example.org.