Without a doubt, compliance spending has become a significant portion of the IT budget and, according to AMR Research, IT compliance budgets are expected to rise 10% in 2005. As a result, CIOs need to include more time, resources and budget dollars in their planning process. But how much is enough? How do you forecast how much you will spend on compliance next year or even five years from now? What are the software packages and services available to help companies meet compliance needs? The issue of compliance is not going away and CIOs need to do their best to prepare to meet these requirements. The SearchCIO budgeting for compliance Executive Guide includes valuable resources and practical information and advice to help CIOs with planning and budgeting for compliance.
This Executive Guide is part of the SearchCIO Executive Guide series which is designed to give IT leaders strategic guidance and advice that addresses the management and decision-making aspects of timely topics. For a complete list of topics covered to date visit the Executive Guide section.
| Expert's Corner
Table of Contents
IT compliance costs continue to rise as firms everywhere struggle with governance, privacy, security and environmental regulations. These rules are typically designed to shape corporate behavior and improve investor confidence, protect individual rights, and thwart terrorists. In the long run, compliance intentions are good; however, they also distract CIOs from their core business objectives.
We all know compliance regulations are here to stay, and CIOs are addressing them in two extreme ways. Some are dropping everything to ensure compliance, while other IT executives are simply crossing their fingers and hoping not to get caught. For most firms, however, there should be a balance between these extremes that shows up first in the planning and budgeting processes.
The typical IT budgeting exercise is all about defining priorities. The goals of the process are to create customer value, control costs and grow the business.
But the problem with budgeting comes in identifying the optimal portfolio of IT expenditures, where optimal means keeping management out of jail, increasing customer spending and decreasing business spending. To achieve these goals in a world where thousands of regulations are passed annually and IT spending faces increased scrutiny, I offer the following rules for budgeting for compliance:
- Adopt a portfolio management approach to IT budgeting, in which each request (including regulations) must be justified.
- Build the business case for all projects, including compliance efforts, using traditional economic measures like ROI, NPV and others. Make sure to add a flexibility component in the form of a real options measure.
- Make the link between compliance and risk management explicit – both require cross-functional teams with varied expertise, so combining these efforts can have a big payoff.
- Identify compliance patterns – look for overlapping compliance elements among similar regulations, such as the class of compliance elements found among the privacy laws in different jurisdictions. By factoring these elements, a firm can eliminate redundant efforts and improve quality while mitigating costs and risks.
- Look at comparables – spend within the range of your peers on commodities like security and governance. Underspending is as dangerous as overspending, because it demonstrates a lack of awareness that raises questions under the harsh light of an enforcement action. Firms like IT-Centrix track budget trends and can provide insights into appropriate spending levels.
- Focus on standards – there is often a temptation to build a seemingly inexpensive "quick fix" for an emerging regulation, but the long-term cost is almost always higher than that of an off-the-shelf solution based on open standards.
- Go for coarse-grained solutions wherever feasible – integrated hardware/software solutions for records retention, for example, are available from leading vendors like IBM and EMC. This approach simplifies portfolio management by reducing complexity.
- A missing link for most IT organizations is feedback. Once an application – including a compliance component – is approved, especially with a real options approach, it is critical to provide ongoing feedback on the justification assumptions. These progress reports will be used to make funding decisions for ongoing development or termination. They should also be used to improve the next budget and prioritization cycle.
Budgeting for IT in general and compliance projects in particular will likely continue to be as much an art as a science for the foreseeable future. One thing is certain, though: overall IT budgets are not likely to rise with new demands for compliance requirements, so firms must become more creative to keep up. Factoring in requirements to identify and leverage common compliance patterns will now become a critical process that should precede most budget discussions.
Adrian Bowles is Program Director, Regulatory Compliance, with the Object Management Group (OMG) and principal of CoSource.net, a consulting firm he founded in 1998. Dr. Bowles has over 25 years of experience as an entrepreneur, practitioner and academic in IT with a focus on IT strategy and management.
| Compliance budgeting
Table of Contents
- Article: Salaries for SOX accountants on the rise
- Article: SOX: Seven steps to CYA
- Article: SEC: 404 budgets filled with waste
- Article: Will Cox cure SOX pain?
- Tip: Retrofitting IT for e-checking rules
- Article: SOX: New rules for year two
- Article: Regulations bite into the bottom line -- but for how long?
| IT budgeting
Table of Contents
- Article: Old buying habits die hard
- Article: A dangerous gap: End users vs. executives
- Article: CIO survey reveals confidence dip
- Tip: Smart IT investments: Plan, produce and prosper
- Tip: CIOs shift priorities in a post-recession economy
- Tip: With ROI, there's no finish line
- Tip: What's the prognosis on HIPAA?
| How are your peers budgeting for compliance?
Table of Contents
- Q&A: Wachovia compliance chief 'joined at hip' with CIO
- Q&A: A CIO Conversation: BMC's Jay Gardner
- Q&A: A CIO Conversation: Insurance exec says business experience a 'must' for CIOs
| More resources
Table of Contents
- Definition: Compliance
- IT Compliance Institute