On the Horizon: More Compliance Regulations

By Todd Wasserman

The amount of regulation compliance paperwork for IT departments will double by 2012, according to an estimate by Gartner Inc. For most IT departments, new regulatory demands are an unpleasant fact of life, but compliance obligations must be faced head on because the risk of non-compliance is huge.

Failure to act could result in an additional 40% to 50% in costs to an organization, according to John Bace, vice president and research director for Gartner. Such a financial hit could face an organization that fails to assign a specific person or group to address the need for additional paperwork to comply with new regulations.

There are a variety of reasons why such new compliance demands are being created, but many point to 2002 when major accounting scandals at Enron, WorldCom, Arthur Andersen, and Tyco, among others, prompted lawmakers in Washington, D.C. to demand more accountability from businesses.

The chief example of this, the Sarbanes-Oxley Act of 2002, has introduced a flood of new forms and regulations for IT departments, including the onerous Section 404 on documenting internal controls. But there are many other state and federal regulations that have also added to this burden.

Different states have different laws
There are now 36 states that have passed legislation requiring companies to notify customers about identity theft.

"Imagine a CIO who does business in all 50 states," said Bace. "They have to now comply with 36 different state requirements."

The Personal Data Privacy Act, a bill sponsored in Congress by Sen. Patrick Leahy (D-Vt.) and Sen. Arlen Specter (R-Pa.), seeks to federalize such authority, but Bace said many fear that bill will become Sarbanes-Oxley II and only add to the regulatory burdens on business.

In addition, this past December new federal e-discovery rules went into effect that dictate requirements for submitting electronic evidence like emails in civil court cases.

Since increased regulation appears to be an incontrovertible fact of life, analysts suggest several ways to address these new demands.

"The regulation issue is an ongoing process," said Michael Rasmussen, vice president of risk and compliance research at Forrester Research.

Create a chief of compliance
One realistic option is to create something akin to a chief compliance officer. That's an idea promoted by French Caldwell, another Gartner analyst. The main reason Caldwell gives is accountability -- when someone holds that title, you can at least pinpoint what went wrong and who was responsible.

To ensure a chief compliance officer does his or her job, Caldwell suggests the following:

• Set up a corporate compliance council composed of the CIO, the CFO, and other C-level executives
• Create a compliance committee that works closely with the chief compliance officer and communicates with internal and external auditors
• Create the post of an IT compliance manager

Caldwell stresses that many industries with a lot of regulatory issues, such as banks, have already created chief compliance officer positions or delegated those responsibilities. Other organizations in different industries may have created a similar post in the wake of Sarbanes-Oxley.

Once a company has created such an infrastructure, Bace recommends that the organization pool all the compliance issues, rather than silo the responsibilities. He breaks down such issues into three categories:

• Regulatory compliance This refers to government-imposed legislation like Sarbanes-Oxley.
• Commercial compliance These are demands by business partners. Bace cites a one-person novelty t-shirt proprietor in Chicago, for instance, that was forced to comply with 135 pages of terms and conditions by a national retailer that wanted to carry one of his products.
• Organizational compliance This type of compliance is "self-inflicted" and is based on a code of ethics or some other sort of in-house dictum.

Corporate responsibility is the new mantra
Since many companies lack the latter, Bace suggests consulting the U.S. Sentencing Commission's Compliance Guidelines, which, he says, "provide a valuable framework for compliance and ethics programs."

Even after Enron and WorldCom, Bace acknowledges that stressing such corporate responsibility may seem more suited to public relations efforts than reality for some companies. He presents a scale of corporate responsibility ranging from "Honest Abes" to "Slick Willies" that "rewards those who are most adept at covering their tracks." Bace isn't asking everyone to become Honest Abes. His argument is that creating a culture of compliance will lead to cost savings in the end.

Creating a business unit specifically charged with addressing regulatory compliance also helps. Organizations that do so, Bace said, will spend one-tenth that of organizations that opt not to create such units.

Todd Wasserman has more than 15 years' experience writing for The New York Times, The Industry Standard and Business 2.0, among other publications. He is currently news editor for Brandweek magazine.