Real Business: Insights
Real Business, the award-winning magazine for entrepreneurs, in association with IBM Software.
Tags Data management, Risk Compliance Governance (GRC), Bottom Line, Collaboration

Pieces of a puzzle

Compliance is a growing concern for business, but it can be very tricky, especially for the IT side of the equation. Keith Ryan looks at the fundamentals.

Imagine trying to solve a puzzle without being certain what the end result should look like, much less how the pieces fit together. Now imagine trying to build the puzzle pieces themselves. Bit of a challenge? To say the least.

But this is the situation facing many company owners when it comes to compliance.

Companies across a range of industries are under more pressure than ever to comply with a growing body of regulation, and recent legislation – Sarbanes-Oxley, Basel II and the Health Insurance Portability & Accountability Act (HIPAA) – has put financial services and health providers under particular scrutiny. These industries are spending heavily on the problem, with mixed results: in the US, for example, Fortune 1000 companies are estimated to spend $2.5bn on compliance-related projects.

It doesn’t help that compliance requirements are often a puzzle in and of themselves: they are mandatory but do not necessarily outline the steps to achieve compliance; they are ever-changing and not necessarily certifiable, but businesses are required to be demonstrably compliant; and they involve risk without clear guidelines on managing that risk.

“The challenge with compliance is that it says businesses must have good practices – if you look at Sarbanes-Oxley, for example, it says you must have good and general controls in section 404 of the act – but it doesn’t tell you what or how to do it. Compliance is all about encapsulating the business processes,” says Iain Gavin of IBM Rational. “Clarifying and formalising the way you do business – everything from taking an order to preparing goods for shipment, shipping and taking payment, and then allowing for scenarios like credit returns or faulty products or discounting – and appropriately recording that information.

“Over the last 20 years, a number of companies have automated these processes with software, either buying off-the-shelf IT packages or, in many cases, building their own custom-made applications. The latter option involves development teams writing software based on how the business works. And this is where compliance can become a real issue.”

Beyond showing that the end-to-end business processes themselves are compliant, companies that have automated those processes in IT systems must also be able to prove that the systems are up to standard.

“In tailor-made systems especially, there can be a lot of people working on the development of the applications and errors can creep in, things can change,” Gavin explains. “To be considered truly compliant, a business has to be able to prove that the software system it said it was going to build is the one it actually built, and that the software it built is then the one it ultimately deployed – three distinct stages.” Effectively, businesses affected by compliance issues must be able to demonstrate the reliability and accuracy of any process automated by software tooling.

“You then have to maintain all of that evidence – of compliance, transparency, traceability and so on – in the system, which is part of what IBM Rational is designed to do. It provides guidance to customers with regards to best practice in developing software. We also provide a wide range of tools that capture information about what’s going on and what changes were made, what tests were done, what the design documents were and so on – they’re all encapsulated in the tool. It’s an ongoing thing, so businesses don’t have to do lots of expensive manual processes to capture the information and prove it. When the auditor comes along and says, ‘Show me the documentation, test results, source code’ and so on, it can be shown easily. A lot of companies, if they don’t have that level of automation in place, would have to manually go around and recreate these things. And that in itself is an error-prone activity.”

According to Gavin McDermott, who also deals with IBM Rational software solutions for a range of clients, organisations that want to develop compliant business systems must understand the requirements and adapt their processes, tools, methodologies and applications accordingly. They need to identify existing process and transaction flows, implement systems that meet the requirements, reconcile multiple compliance standards with individual processes, and monitor ongoing status.

“Nothing is static,” McDermott points out. “Managing the changes that inevitably occur, whether through a change in business strategy or regulation, or even a defect in the software, is just as important. Managed properly, you should know when and why changes have been made, and what the effects of those changes might be, both on the individual application and the systems connected to that application.

“With the right software tools in place, such as IBM Rational for example, a number of people in various locations can sign off changes and allocate work using automated workflow systems. Instead of an hour a day spent on compliance issues, an hour-long conference call per week may be all that is required.”

Hidden benefits

Each business is responsible for its own overall compliance with legal requirements and should consult competent legal advice when identifying and interpreting relevant laws and regulatory requirements.

This is important because there is a range of potential issues that any business may face and regulatory auditors may demand any number of controls be in place, depending on the industry or regulation.

However, this doesn’t necessarily mean that compliance should be treated as merely a legal necessity and a cost to be minimised. In fact, if handled properly, it can change a business for the better.

“Typically, businesses will tackle compliance with a ‘hair on fire’ approach – they’ve got an audit coming up and aren’t certain they’re particularly clean and want help to achieve compliance,” says Gavin. “Once they’ve got through that phase – which could be a couple of months or a couple of years, depending on the scope of the organisation – the next phase is to improve the overall capability of the applications. This may involve some re-structuring of IT, possibly adding some new applications or consolidating systems – all of which sounds a bit administrative, but is necessary.

“The third stage is turning the process into a real opportunity, structuring the company’s whole business-to-business strategy around compliance and building it from the bottom up. This can really transform the business.”

Aside from the assurance that comes from knowing the business is compliant, businesses can benefit from reduced risk and a lower long-term cost of compliance, improved infrastructure and project ownership, and better governance and understanding of their business processes.

Ultimately, an effective compliance initiative can help streamline a business – and that’s got to be good for the bottom line.
