www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
06 March 2006  

Lead

Compliance and the CIO

With the SEBI deadline looming large, CIOs are facing the challenge of building up the requisite infrastructure and streamlining their internal controls and processes. Kusum Makhija reports

“Compliance is forcing CIOs to look at more tactical issues. During the first year of a company’s efforts to comply with regulations, a CIO spends close to 40 percent of his time on these activities. In some companies we have seen compliance costing up to 46 percent of the total IT budget. Compliance is a major issue in the first year. Companies have seen a major rise, almost 200 percent, in their engagement fee for compliance in 2005,” says T R Madan Mohan, Director, Consulting, ICT Practice, Frost & Sullivan.

Managing data

A major challenge for organisations today is managing the huge volume of information generated. IT departments must provide access to this information to maintain service levels to their end-users, and be able to securely and systematically capture and retain the information in a manner that can quickly be recalled to satisfy litigation or industry-specific regulations. “A major constraint that CIOs face on the compliance front is resource shortages and the consequent trade-offs that they have to make,” Mohan points out.

Consider an Indian IT company providing outsourcing services to an American health service provider. It has to be Health Insurance Portability and Accountability Act (HIPAA) compliant. Indian coders have to be registered with the American Association of Professional Coders, and employees need to clear various certifications to handle certain data which cannot be stored or transferred into any form. Comments Mohan, “As HIPAA and other acts evolve, modifications have to be brought in to the core content, process and structure of compliance management. Moreover, as HIPAA evolves, so do the compliance issues. The same is the matter with QS 9000 and other standards.”

To help reduce the strain placed on e-mail systems, in particular, by the growing number and size of electronic communications, many companies have resorted to offloading data overflow onto storage media such as discs and tapes. But this process is time-consuming and does nothing to stabilise the costs associated with e-mail growth. It may not even address compliance regulations.

In an effort to address regulatory compliance, companies are re-examining their e-mail storage systems. The costs associated with purchasing and maintaining additional storage devices can be considerable. Growing e-mail volumes can also negatively impact the response time of mail servers. “Recently, we have built a secondary data centre to meet the growing data volume and storage needs,” says Akhilanand Pandey, HoD, IT, New Delhi Power Corporation.

Adds Shyam Sunder Sharma, GM, IT, JK Industries, “Documentation and records management, information storage and management, business process management, risk management and business intelligence, information security as well as business continuity are some of the issues that we deal with. If compliance can help us address these effectively, then I do not see any reason why we should resist it. We have identified these areas by coordinating with other business heads and are now bracing ourselves for compliance this year.”

Resistance to adoption



"There has been
considerable resistance (to compliance) among CIOs. That’s changing now, partly because SEBI has been prompt and also because Indian companies are facing global competition"

-Diwakar Nigam, Managing Director, Newgen Software Technologies

Indian enterprises have been lax when it comes to compliance. The associated cost and the absence of concrete benefits could be the reasons. Moreover, it is seen more as a statutory requirement that they have to abide by than as something they would opt for willingly, considering the gains it can bring to their businesses. Still, the initial dilemma is more or less gone as there is some sense of vision and clarity among the CIOs towards compliance.

“There has been considerable resistance among the CIOs. However, now that’s changing, partly because SEBI has shown promptness and partly because Indian companies which are part of the global supply chain are waking up to the demands of global competition,” points out Diwakar Nigam, MD, Newgen Software Technologies. “There has been a lot of passing the buck among companies on issues like appointment of independent directors for auditing, which was a diversion from the main challenge of IT infrastructure required to be built up, thus delaying the compliance process.” The adoption however has been increasing, and so are the awareness levels among CIOs towards compliance. Yet this adoption does not seem to be percolating down to the growing SMBs.

Internal resistance from employees towards stringent control and auditing by third parties are other concern areas for CIOs. “Compliance is like a by-product of security issues in a company. Therefore, CIOs understand that it is important to educate the employee to understand the assumptions behind any particular regulatory system so that they can manage systems based on their importance to the organisation. Resistance is high, but if employees are made to understand that compliance is a business hygiene issue, the experience of implementing compliance is worth the effort,” notes Mohan.

The cost of compliance


Compliance initiatives require a multi-faceted approach involving people, policies, processes and technologies. Beyond the initial investment of time, personnel and financial resources, compliance is an opportunity for organisations to instill best practices and internal controls, enhance productivity and performance, improve operational efficiencies, and eliminate the risk of losing information. According to Frost & Sullivan, the cost of compliance includes certification (10 percent), staff education/training (23 percent), transaction standard and record management (43 percent), privacy and security tools and procedures (20 percent).

“Compliance costs are significant and many a time senior management’s involvement becomes a requirement. Buy-ins become a major challenge. Seeing compliance as a ‘yet-another’ format kills the initiative,” explains Mohan. By not complying with these regulations, companies could not only incur fines but could also endanger their business. By not actively managing the retention and disposal of information, companies are exposed to increased legal risks.

Third-party consulting for compliance-related issues is also increasingly picking up as a trend in organisations. The need for such consulting services stems from the complex nature of regulations and processes to be followed. “We are contemplating third-party consulting in order to manage our compliance policy effectively. This will also help us understand the systems better,” says Sharma.

There are others like Thomas Cook who feel that they have the necessary know-how in-house to weather the compliance storm. Comments the company’s CIO, Anil Nadkarni, “We did not need to use a third-party consultant because we found that the required expertise existed among our in-house personnel as we have been in the business for a long time.” Thomas Cook has built an elaborate IT infrastructure that maintains detailed records of all currency purchases made by customers, and stores this information for the mandatory eight years.

Many of the issues can be mitigated with internal communication and preparing employees to gear up for compliance. “A CIO must organise inter-departmental meetings where business leaders are asked to present, and even attend training sessions, to clarify what the specific requirements are from the IT department,” says Nigam.

Coordinating with external consultants and auditors is also critical as they play an essential role in validating the process. Internal and third-party experts should conduct regular audits to ensure that business units, including the IT department, perform consistently. As Pandey puts it, “Periodic audits let a CIO identify strengths and weaknesses in systems and processes, and provide scope for development. It is also a good practice to discuss audit findings in front of a review committee staffed by trusted internal and external members. We wish to take advantage of the compliance and use it to upgrade and streamline our IT systems and processes.”

A chance to improve

Compliance poses opportunities with an equal number of challenges. Large telecom, manufacturing and services organisations are using compliance together with the existing corporate governance frameworks to improve their processes and reform their infrastructure, thus satisfying their customers better. According to Mohan, “Companies are getting prepared on compliance issues more aggressively. Frost & Sullivan internal data indicates, on a scale of 1-5 (5 being the highest), that many companies are at 3.5, particularly medium and large ones.”

For most regulations, establishing and implementing policies regarding compliance is necessary but not sufficient by itself. The policies and procedures that are used to carry these out must be comprehensively documented. Such documents are a required deliverable during regulatory audits.

“Compliance for us is more of an opportunity than a challenge because we see our processes being streamlined and our customers being better served as we brace ourselves to be fully compliant this year,” says Pandey. The company has significantly reduced complaint processing time for its customers after it streamlined its processes.

Compliance is not a one-time activity, but a continuous process. It is important to ensure that performance standards do not drop once compliance has been achieved. This is partly because regulatory requirements and personnel keep changing.

“Compliance is moving away from being seen as a cost-oriented process forced upon organisations to being an absolute imperative for smooth business operations, although limited to large organisations where IT is mission-critical,” sums up Nigam.

kusum@expresscomputeronline.com

 


© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.