Containing Compliance Costs

By Lauren Barack

Compliance is cutting a deep swath across many CIO budgets. Over the next two years, enterprises are expected to allocate an additional 23 percent of their budget to IT compliance, according to a recent PriceWaterhouseCoopers survey of business executives. And even if corporate IT spending is expected to increase 7 percent this year, according to Forrester Research, that is not enough to cover the growing costs of compliance. As CIOs address compliance needs, they will need to implement new requirements in the most cost-effective way possible.

Cost demands are likely to come first from meeting storage, security, automation, and backup needs, as these areas are addressed by nearly every regulatory act, including Sarbanes-Oxley, the USA Patriot Act, and the Health Insurance Portability Accountability Act. Case in point: 53 percent of CIOs surveyed recently by CIO Magazine said they would be making investments in storage.

Storage and backup have taken such a front seat because enterprises must now save large volumes of data, often for years, and prove they have specific, distinct measures and a secure IT system for containing and organizing the data. Firms will want to automate many of these processes, as the cost of labor to make sure they are compliant can be prohibitive. Under the new rules, companies will be tested periodically to make sure they are in control of their financial environment.

From an investment perspective, a critical mistake CIOs can make is to treat compliance as a project -- in the same way they treated Y2K concerns five years ago. Instead, meeting and proving compliance requirements are going to be ongoing concerns for enterprises and therefore should be integrated into overall budget strategies. It is unlikely that shifting costs, and using creative accounting to spread them out over several years, will actually save money. CIOs who don't prepare wisely may find themselves having to spend more money than if they treat the problem properly at the beginning.

But just because compliance will be an ongoing situation doesn't mean CIOs need to let it run their entire IT budgets. Instead, they may use compliance as a window into several overall IT investment approaches. For example, relationships with current vendors can yield discounts on software, as can forging new relationships. CIOs may also find that automating an IT network could save on funds currently allocated to employee labor. "Most people will realize that if they don't automate now, [compliance] is going to be a sink hole that continuously eats up money," said John Hagerty, vice president of research at AMR Research.

Two over-arching strategies can help guide CIOs in saving costs on compliance. The first involves revisiting relationships with outside vendors and taking account of the resources available in-house, assessing which ones may be available for double duty:

• Unlock existing options in IT One simple way to save time and money is by automating processes -- essentially, taking work out of the hands of a staffer and letting software tackle it. "Every time an invoice over $10,000 is presented for payment, a network can turn on a check that will flag the right person, instead of a person doing it," said AMR's Hagerty. "Human time equals money."
  
  
• Document only what's required Data storage space costs money. Enterprises should pore carefully over their data and make sure they are saving only what's necessary to meet regulatory rulings. Not only is the storage of extraneous materials expensive, so too are the man-hours that will have to be spent saving the unnecessary data.

If an enterprise decides to turn outside, there are some tools that can help it keep costs in line:

• Turn to current vendor partners first If an enterprise already has relationships with certain vendors, the company should turn to them first for savings of both cost and time. "You may have rights to their compliance software package because of what you bought in the past, or it may be that they have something that slides right into your firm's existing architecture easily," said AMR's Hagerty. An outside compliance consultant can help to assess whether these partners' packages are suitable for a given organization.
  
  
• Find deals on software Brokering a new relationship with a vendor can result in a steep discount for necessary compliance software, especially if an enterprise can promise additional purchases in the future. While this may require additional spending down the road, the immediate savings for compliance can be substantial, and could also potentially be spread out over a few years rather than allocated immediately.
  
  
• Buy second-hand Purchase additional storage equipment that has been refurbished. Used items such as tape and optical libraries, which can be used to meet storage requirements, can result in a 60 to 70 percent savings compared with the price of new hardware.
  
  
• Try to reuse Compliance is composed of four major technology pieces: security, documented records management, business process management, and reporting analytics. Instead of buying four different software products, buy one software package that will do at least two of these. "Try and reuse across their architecture," said AMR's Hagerty.
  
  
• Reduce bandwidth charges Enterprises that turn to outside vendors for storage can save money by reducing bandwidth costs. One way is to send data over IP (Internet Protocol) lines as opposed to dedicated networks over a WAN. In some cases it can cut charges in half.

Meeting compliance requirements is not negotiable. But by looking in-house first, making deals with existing or new vendors, shifting to used equipment, and adopting newer technologies such as IP for transmitting data, enterprises can find ways to cut costs.

Lauren Barack's work has appeared in Business 2.0 and Wired.