Regulation redundancy: Money down the drain

By Shamus McGillicuddy, News Writer
05 Sep 2006 | SearchCIO.com


Too many companies are wasting millions of dollars on manual, redundant compliance systems, say experts.

In fact, according to a new survey of 132 finance and technology executives by compliance software vendor ControlPath Inc., 74% said their companies use mostly manual processes, such as spreadsheets and Microsoft Word documents, to comply with government regulations. Even more grim: 70% admitted they had multiple projects in place for each regulation, even though it's redundant. Only 25% say they're automated.

Matt Speare, chief information security officer at M&T Bank, a $56 billion Buffalo, N.Y., financial institution, said when he joined the company two and a half years ago, the bank was wasting about $500,000 a year with its compliance program.

"It was definitely a manual approach and not centralized," Speare said. "The lines of business were very much responsible for documenting their own controls and compliance. There were a lot of spreadsheets flying around."

John Hagerty, vice president of Boston-based AMR Research Inc., said many companies take a manual approach to compliance because "it's the path of least resistance." Maintaining manual compliance processes costs only staff time, not a technology investment.

"They don't see a need to organize and manage it, but the larger the company gets, the more pain people feel with manual approaches. The place they start feeling the pain is around cost. But it also comes down to an issue of visibility. Where do I have problems? Where do I have exposure? That's when it starts to become a more strategic issue because management is asking for an overall view of this."

Indeed, Englewood, Colo.-based ControlPath's survey found that executives at companies that automate their compliance processes are more than twice as confident that their companies are compliant. Forty-eight percent of executives whose companies are mostly automated said they are confident in their compliance programs. Only 23% of executives whose programs are mostly manual felt the same.

When Speare came on board at M&T Bank, the institution was subject to the privacy regulations of the Gramm-Leach-Bliley Act (GLBA), and was in its first year of establishing a compliance program for the accounting regulations of the Sarbanes-Oxley Act (SOX).

Speare said there was significant overlap in the controls required by both regulations, but there was "no mechanism to cross-match them. Sarbanes-Oxley was a totally redundant exercise."

Khalid Kark, an analyst at Cambridge, Mass.-based Forrester Research Inc., said compliance software vendors are partly to blame for compliance redundancy. He said many vendors have developed products that focus on one set of regulations.

"Vendors came out and said, 'This is a one-off thing,'" Kark said. "'Our product is going to help you do HIPAA [the Health Insurance Portability and Accountability Act].'"

When Sarbanes-Oxley or another regulation came along, vendors would offer a separate module, Kark said. "It made more revenue for vendors, but there has been a lot of mistrust because of that. Some people have been put off and they are saying, 'Let me do this myself until someone offers a holistic solution.'"

Hagerty, of AMR Research, said customers can't wait for vendors to offer a unified approach to compliance.

"Vendors have sold to companies on pain points, on an initiative-to-initiative basis, but it's up to larger firms to recognize a need for a holistic approach to compliance. Vendors can provide the technology, but if an organization doesn't recognize that it has to happen, then it's not going to happen."

Kark said, "The whole industry is moving towards a holistic approach to compliance, because they're getting feedback from security managers."

This approach not only improves efficiency, but it also helps companies prepare for future regulations that are as yet undreamed of by Congress.

Speare adopted ControlPath's Compliance Suite, which takes a unified approach to GLBA and SOX compliance. It has automated more than 500 processes at the bank and improved Speare's confidence in his compliance program.

"My level of confidence is much higher, but I will never say I am 100% confident in anything just by virtue of my job."

Speare said he feels ControlPath has improved his organization's ability to react to new regulations in the future.

"Regulatory environments change constantly," he said. "By having mechanisms in place that help us understand what we do today to mitigate risk across all 15,000 employees, it puts us in a better position to react to changes in regulations and legal requirements."
