The Path to Compliance as a Business Strategy
by Richard L. Ptak
Since the headlines early this century revealed the level of corporate malfeasance that began in the free-wheeling 90s at a number of now notorious companies, enterprise and IT services have become subject to an increasing number of business monitoring, control, and reporting mandates. Enterprise and IT management teams are learning to deal with an escalating burden of compliance-related mandates: a combination of legislation, licensing/certification processes, and executive directives intended to achieve better business governance.
In the management suite, the response followed the enterprise equivalent of the personal cycle of acceptance in the face of emotionally disruptive news. The personal responses are: shock, denial, anger and guilt, despair and depression, and, finally, acceptance. In the enterprise, the response process was more compressed and focused but nearly as traumatic.
During opening remarks at the …. U.S. Treasury's conference on the level of competitiveness in capital markets, [former] Treasury Secretary Henry Paulson, Jr. called into question the suitability of current financial regulatory and accounting systems, suggesting they needed revision "with a particular eye toward more rigorous cost-benefit analysis of new regulation."
reported by Helen Shaw, www.cfo.com
An understanding of that enterprise response cycle can be enlightening and helpful for executive and management teams still working through the operational thicket as the assault of mandates continues. That cycle is explored here.
The old quote by ex-Treasury Secretary Paulson (see text box) recognizes the negative results of poorly thought-through regulation. However, any hope that overzealous micro-management and egregious interference in business operations will cease is long gone. All indications are that externally imposed reporting and behavioural mandates, if not more direct control, will continue.
There exists little choice for today’s enterprises but to make ‘lemonade from the load of lemons’ delivered to their doorstep. For enterprises, the attitude towards and use of monitoring and reporting practices implemented in response to compliance mandates evolved from ‘letter of the law’ compliance to enlisting compliance initiatives as a strategic tool for improving business operations and governance. However, isn’t this the very essence of Business Service Management (BSM)? Isn’t this an aggressive and constructive application of IT resources to accomplish business goals and tasks? Let’s take a look at how this is happening.
What’s the problem?
Why is IT concerned? First, IT, the IT infrastructure and associated services provide the foundation for the successful delivery of enterprise business services. IT operations reside at the epicentre of the data collection and storage upon which the enterprise depends. Second, the focus of compliance efforts has been on specific requirements covering the security, protection techniques, access, and accuracy of enterprise data and information. Finally, IT is responsible for configuring and maintaining the underlying operational infrastructure where the data resides and information is created.
IT is responsible for the processes and workflows that implement specifically defined and regulated operational tasks to assure compliance. IT must endure a double-headed hit which impacts both the efficiency and the effectiveness of its operations.
Historically, tasks concerned with routine maintenance consumed over 50% (and up to 80%) of the IT budget. Opportunities to creatively contribute to business success fall further with the burden of operational compliance monitoring, management, and reporting programs and the specific requirements for auditable procedures and detailed mandates that cover record keeping, change control, and reporting.
IT manages to meet its enterprise responsibilities despite the increasing load. Tightened links to business operations, new technology and a growing sophistication among end-users all act to increase the pressure to evolve. This helped drive adoption of ITIL best practices. The additional burdens and accountability of compliance mandates severely strained existing operational modes.
The Evolution in Attitude – the path to active effort
Stage 1 – Adhering to the Letter of the Law
The initial enterprise response to compliance mandates was to create and implement whatever manual procedures were necessary to ‘get it done’. The goal was simply to meet the ‘letter of the law’ and satisfy the audit with as little financial and operational impact as possible. Compliance tasks were to be completed as quickly as possible so all could return to ‘real’ business tasks.
Compliance was an externally imposed distraction. It represented just one more burden on an over-stretched enterprise and IT staff. The focus was to identify and implement the minimal set of activities needed to meet reporting and procedural mandates. To complicate matters, in the early days there was little understanding and guidance on what was really expected and how to comply.
There was a hope that the interest in restrictions and pages of detailed requirements would decrease over time. Unfortunately, the opposite happened. Once gaining a foothold, the pressure continued for more intrusive and detailed controls, expanded monitoring, and more reporting.
Failure to meet compliance targets was tied to very real financial and personal penalties that apply not only to the enterprise but directly to executives and implementation staff as well. Executives had to personally attest to the accuracy of all of the detailed contents in corporate reports. This approach meant compliance efforts received a significant amount of management time and attention.
Escalating demands for more comprehensive monitoring and detailed reporting consumed more and more scarce resources. This left business tasks undone or delayed. However, some of the data collected did reveal information about inefficient processes. Unfortunately, the manual effort didn’t resolve those problems, as audit after audit documented the same issues.
Manual creation and application of compliance processes lowered staff productivity and dragged down business operations. The attitude and procedures followed to meet compliance-related activities and reporting had to change if the business was to survive. It became clear that the ‘get it over with’ approach had to be only the first step in a long-range plan to meet compliance goals without permanently handicapping business operations. There had to be a better way to meet monitoring and reporting requirements as well as to get instructive, constructive information about operations. This led to Stage 2 in the evolving attitude.
Stage 2 – Compliance is an integral business task
As enterprise management and operations teams worked to define and implement a different approach to compliance, the regulators were also adapting and expanding. New mandates were issued that covered not just the creation of policies but also included specifics regarding the task of monitoring their implementation, use and effectiveness.
Enterprise management and implementation teams are being held accountable not just for the implementation but also for the effectiveness of the actions taken to meet mandated requirements. They must track and report on the success of compliance efforts. This entails measuring and reporting levels of non-compliance, providing plans for advancing to compliance, and detailed tracking of the progress made towards compliance.
These new mandates motivated compliance implementation teams to adopt new approaches. BSM principles emerged in practice as compliance was integrated into corporate governance and operations, as part of the long-term operations plan. It evolved to the point where it was viewed as much a part of operations as quality control, accounting, or any physical operation necessary to deliver a complete product or business service.
Past BSM experiences, involving both IT and business functions, with standardization and performance improvement were brought to bear on compliance related business and operational functions. The implementation and operational approach to compliance now shifted to one emphasizing efficiency, consistency, and flexibility in implementing the applications and services necessary to meet compliance mandates.
Efficiency and consistency in operation meant standardizing procedures for all compliance-related operations. Ad hoc procedures and processes for operations, let alone for compliance, were too inefficient and risky to continue. To improve compliance and smooth audits, operations began to focus on documenting and standardizing best practices for their day-to-day tasks. Best practices became an operational imperative and not simply a ‘nice-to-have’. BSM provided the guidelines as business and IT operations pursued structured tasks and disciplined processes to the benefit of overall operations.
The normalization of tasks also impacted the way data was collected, stored and accessed. Data collection and processing went from ad hoc, privately held, and hoarded treasures to structured, shared repositories accessible for analysis and reports performed using standard tools which were also shared. The change in attitude toward compliance operations helped to drive the evolution in demand away from IT and infrastructure management tools and towards a greater interest in integrated management solutions, to the benefit of BSM orientations. Interest was being directed toward solutions that used and were built upon technologies such as CMDB, automated workflows, and end-to-end performance management. It helped to drive interest in emerging technologies such as infrastructure virtualization and cloud computing.
Meanwhile, the growing complexity of operations, new technologies and implementation processes, compounded by the high risk of non-compliance, moved auditors, external and internal, as well as cautious, at-risk executives to demand more data, analyzed in more ways and with increased frequency. IT faced a growing mandate for continuous monitoring with customized reporting, both to assure that compliance requirements are met and to guarantee that the integrity of the overall process is not compromised by accident, sabotage, or changing conditions.
Stage 3 – Compliance efforts contribute to strategic governance
Enterprise and IT operations management found that efforts to implement, monitor, track, analyze, and report on activities to meet compliance requirements actually helped improve business governance. The old saw about management requiring measurement and information was, once again, proven accurate.
It turns out that operational results, efficiency, and effectiveness all improved as detailed data gathering about practices and procedures in operations highlighted conditions needing attention and change. Compliance activities not only provided data about current practices but also highlighted areas where increasing the level of control could yield greater efficiencies in operation.
This wasn’t true for all of the effort and data collection required by legislated mandates, some of which were written and treated with a view to legalistic niceties rather than operational realities. As was pointed out by Secretary Paulson, better corporate governance could result if a principles-based approach and attitude was taken to compliance activities. "In my judgment we must rise above a rules-based mindset that asks, 'Is this legal?' and adopt a more principles-based approach that asks, 'Is this right?'" He went further to make the point that corporate governance "is a means to an end, not an end in itself."
BSM knowledgeable management, in IT and at enterprise levels, now views compliance as an integral part of corporate strategy. Compliance activities contribute to better governance by:
- Adding directly to the business value of reports and reporting that is focused, comprehensive and correlated across multiple business functions;
- Increasing the efficiency and effectiveness in completing audit functions;
- Easing the task of meeting requests for new reports and data from auditors;
- Improving and standardizing operational control that results from consistent tracking and reporting on configurations, change management and procedures;
- Enabling and encouraging, through the new reporting tools and data accessibility that result from compliance efforts, the creation of new reports and views that explore and reveal interpretational dependencies in order to improve operations.
It is now clear that linking together and analyzing data involving multiple functions leads to higher customer satisfaction and improved business results.
There is a benefit in correlating data across multiple areas such as customer experience reports, infrastructure performance and compliance change management policies. This can reveal the link between unapproved changes and the performance degradation that damages the user experience, enabling corrective action to be taken before more serious problems arise.
The data collected as part of the compliance process represents a valuable resource for information that can be used to highlight the impact of IT operations on business services. Mandated collection and reporting reveal an unexpected treasure trove of information to guide more effective management and use of resources. It can also provide information to justify new or revised policies, practices, processes and procedures as well as purchase of management tools.
Well-thought-through mandates for compliance can be effective contributors to good business governance and an aid to enterprise success. This will hold true especially if those dictating and enforcing them are able to refocus their efforts on the principles of good governance rather than legalistic interpretations and punitive enactments. Compliance data and the associated reporting can provide the informational foundation for strategic decisions on resource allocation, asset management, capital expenditures, operational cost management, investment, etc. Forward-looking enterprises, solution providers, and operations staff are already discovering the benefits of compliance-influenced governance strategies directed by good BSM principles.