www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
09 April 2007  

Coping with compliance

Regulations have raised the bar when it comes to data security. Combine that with the desire to gain the top management’s support and you will see what is prompting Indian CIOs to get their organisations ready for regulatory compliance. By Chirasrota Jena

Emerging government regulations, coupled with ever-increasing data storage needs, have exacerbated the urgency for IT administrators to ensure that their information systems and records are archived accurately and efficiently. Public and private companies in virtually all data-intensive industries, such as financial services, pharmaceuticals, life sciences and government, face a tremendous burden to comply with regulations including Sarbanes Oxley, HIPAA and SEC Rule 17a-4. Demand runs high in the IT, telecom and BFSI sectors. Sivarama Krishnan, Executive Director, Pricewaterhouse Coopers, says, “Organisations in India need to comply with RBI guidelines, Basel II, IT Act 2000, Sarbanes-Oxley Act, Clause 49 SEBI, HIPAA, GLBA, VISA CISP, Data Privacy Acts and many others, based on the nature of the industry and other dependencies. IT needs to play an integral part in these compliance efforts, thanks to the increased number of such regulations and their complexities. Today, for CIOs, the challenge lies not only in achieving compliance, but also in sustaining it with limited IT resources, skill sets and budgets. CIOs also face the challenge of ensuring that the compliance efforts evolve from ad-hoc IT projects to cost-effective and efficient processes that can be applied across various compliance domains involving the security and availability of information.”

"The challenge lies not only in achieving compliance, but also in sustaining it with limited IT resources, skill sets and budgets"

- Sivarama Krishnan
Executive Director, Pricewaterhouse Coopers

Compliance is a critical business issue, not just a distraction. When the Sarbanes-Oxley Act was passed, many CIOs thought they could use their compliance efforts to help streamline their businesses and improve their systems. But CIOs are giving up on that hope. Although spending on compliance is still increasing, CIOs will spend grudgingly—as little as they can—on compliance, doing the minimum needed to meet the letter of the law. Still, since security, transparency and privacy concerns are now critical business issues, companies need to attempt to leverage the time, money and effort they are putting into compliance even if there is no clear return. RBI has mandated that all banks in the country have to become Basel II compliant by 2007. Indian enterprises are realising that they have to manage critical data and address compliance issues effectively. Emerging issues for enterprises include data privacy and copyright. RBI, CRISIL and SEBI have issued various guidelines to enterprises to ensure compliance. There is an increasing realisation within organisations that proactive risk management and good corporate governance are not only a mandate to comply with regulations but also a strategy for building and sustaining competitive advantage, for which a comprehensive Operational Risk Management framework is needed. Organisations are starting to look beyond ‘adherence to regulatory compliances’ to a broader ecosystem of organisational compliance that enables them not only to meet regulatory norms but also to accrue business benefits through improved risk management.

Desirable traits in a compliance solution

The common features desired by organisations today are influenced by a desire for good Corporate Governance and for abiding by regulations. Some desirable elements include:

  • The solution should enable organisations to move from departmental to enterprise level initiatives without too much of a hassle.
  • IT tools and automation technologies should help move stepwise from active risk management, to proactive active assessment and monitoring, to risk quantification and valuation—ultimately to leverage compliance.
  • The solution should be based on the COSO and COBIT frameworks.

Investment is a concern area

"We at LG India are getting ready for SOX compliance. We have already got certifications from ISO and BS 7799"

- Daya Prakash
Manager, IT
LG (CNS Global)

If we look at the global figures first, approximately one-third of the total spend on compliance involves IT spending as per some international research figures. In India, such figures vary based on a number of factors, out of which the most important one is the nature of the industry. The BFSI, ITES (such as BPOs, KPOs, Call Centres) and telecommunications industries are typically more regulated and therefore their IT investment on compliance is greater, compared to other industries. Without doubt, there is substantial IT investment in services, hardware and software as far as compliance is concerned for organisations in these three industry segments. Comments Krishnan, “It is also interesting to note here that many organisations in the BFSI and ITES segment have hired or are in the process of hiring dedicated Compliance Managers, as indicated in the last CII-PwC Information Systems Security Survey.”

From a CIO’s perspective, the challenge is to deal with new regulations or mandates and to use systems to track and manage them. India is a conservative and cost-conscious market; it is always the cost of the product rather than the ROI that matters for CIOs here. Keshav Prakash, Country Manager (India), Serena Software says, “It is difficult to predict the quantum of IT investment that goes towards compliance but typically as per the global market data available, it depends on the organisation, its size, financial and privacy regulations, criticality of process compliance to its existence and success. Spending has been around 8.3 percent of IT budgets globally; it is lower in India. Given the increasing importance of IT in regulatory compliance, and the smooth running of businesses, the CIO and the IT organisation have a more important role to play today than ever before.” CIOs are nowadays more involved in not only functional but also strategic decisions, so they need to understand the importance of investing in compliance.

Daya Prakash, Senior manager, IT, LG Electronics India Limited says, “In order to implement compliance the major challenge is to get the investment sanctioned. As it requires huge investment so CIOs have to think twice before taking any decisions. CIOs always expect to achieve the maximum with the minimum resources. So vendors should take initiatives to bring innovative tools by keeping our cost concerns in mind. As it is mandatory to follow standards in order to operate the business smoothly, we at LG India are getting ready for SOX compliance. We have already got certifications from ISO and BS 7799.”

Diwakar Nigam, MD, NewGen Software opines, “The cost associated with implementing a compliance solution and perceived lack of awareness of concrete benefits are some roadblocks for CIOs. Compliance is seen more as a statutory requirement that they have to abide by rather than something that they would opt for willingly considering the gains that it can bring to their businesses.”

Securing corporate information

"CIOs must develop data storage and management strategies that comply with regulations and support their organisations’ overall business goals"

- Sunny John
Country Manager for India, Quantum

The value of information has grown. This is driving the recent impulse towards new systems for either Information Lifecycle Management (ILM) or Data Lifecycle Management (DLM). Enterprises view electronic documents and records as corporate information assets deserving purposeful management. The world has moved away from a records-oriented view of the world to an information-centric one. Krishnan says, “Information security has been an integral part of the business and has been a subject for the boardroom because of the regulatory requirements and the consequences of not complying with them. The CII-PwC Information Security Surveys had earlier reflected that security measures in India are primarily reactive in nature, rather than proactive.” Current requirements provide organisations with a great opportunity to shift focus from reactive to proactive controls and align business and IT processes to best practices.

Sunny John, Country Manager for India, Quantum says, “The common features demanded by CIOs are security of the data stored, high availability and the right price. With a growing body of legislation dictating how enterprises may create, use, share, and retain electronic records, CIOs must develop data storage and management strategies that comply with regulations and support their organisations’ overall business goals.”

India is turning into a hot destination for outsourcing and there is huge pressure on the IT department as far as information is concerned. Nowadays corporate information—whether it is on research and development or on financial statements—is stored in an electronic format. Security is a major concern here. Radhakrishnan Menon, Head IT, Biocon says, “As a research based organisation, we have to be cautious about our data. In order to protect and manage our data we are adhering to various compliance standards.” The major challenge for organisations today is to manage the huge volume of information generated and to safely and systematically capture and retain the information in a manner that can quickly be recalled to satisfy litigation or industry-specific regulations.

The roadblock that most CIOs face is with regard to the storage of data. Compliance has emerged as an important trend that has defined the adoption of storage techniques by Indian enterprises. The need to store information for long periods and then retrieve it at short notice while adhering to regulations has given an impetus to the storage market around compliance. LG Electronics has 125 sales offices and 60 stock points across India, so it is important for the company to collect and manage data with regulatory compliance in mind. The company has deployed some compliance tools, which Prakash calls Warriors, in its remote monitoring systems. About 7.5 percent of its IT spending goes into obtaining compliance tools.

Awareness and training

Some leading enterprises are evolving their compliance efforts from ad-hoc IT projects to processes that can be applied across various compliance initiatives like HIPAA, GLBA, Data Protection and Privacy Acts. In some cases, organisations have started to deploy automated tools and processes that can proactively measure and monitor compliance across a variety of IT platforms and trigger alerts in case of any non-conformity in technical configuration. There is bound to be some resistance from employees if the importance of compliance is not effectively conveyed to them. Hence, training employees to ensure compliance is as important as putting the systems in place for CIOs. Compliance has to be a day-to-day affair with systems regularly audited by third parties. Though companies are looking at compliance as a must-have, the issue of compliance needs to be considered as a strategic initiative. India should be perceived as a country which respects and implements global practices. The perception should not be limited to individual companies. Daya Prakash says, “Vendors should organise seminars and symposiums on regulatory compliance and its impact on business and should take awareness to the next level. They should be more aggressive on software as a service with a reduction in overall costs. As we are facing problems internally from employees regarding compliance issues, IT vendors should provide extensive training programs for them.”

Organisations are at different levels when it comes to their compliance initiatives, and oftentimes they are subject to multiple compliance requirements. That said, they can leverage compliance as a business benefit through operational excellence. Comments Nigam, “After realising the levels of compliance initiative of different customers we help enable organisations to move from departmental to enterprise level initiatives in a methodical manner. The objective of the modular offerings of products for compliance requirements is to provide IT tools and automation technologies to help organisations move from subjective risk management, to active assessment and monitoring, to risk quantification and valuation and ultimately to leverage compliance as an effective capital management strategy.”

 


© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.