The impact of regulatory compliance continues to resonate across the CIO landscape on business and technology frontiers alike. Enterprises of all sizes have felt the strain on their resources of the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act, and other government mandates. And the unpleasant truth is that the age of regulation has just begun.
I envision a future in which government agents tap into your enterprise to assess your information management practices and compliance level. So how can you insulate your organization from the disruptive effects of regulation?
This CIO Habitat report represents the views of 184 executives (67% from midmarket firms and 33% from large enterprises) within some 17 vertical markets that include aerospace, health care, retail and transportation.
Our research reveals intriguing differences between midsized and larger enterprises' responses to compliance mandates. Many midmarket companies, for example, have turned their more constrained resources into a surprising advantage. In contrast to larger firms, they are establishing transparent processes that will ultimately yield regulatory economies of scale. Midmarket CIOs also have an advantage over larger firms in that they generally understand what is going on within their IT departments. Large-company CIOs are frequently out of touch with such day-to-day happenings.
Bracing for Regulatory Compliance Costs
So with all your concerns as a CIO, why should long-term compliance costs be foremost? Because the costs of regulation will become as important as the cost of your products.
Economist Thomas Hopkins, dean of the Rochester Institute of Technology College of Business, estimates that the cost to the economy of federal laws alone exceeded $843 billion in 2000 -- or more than $8,000 per household.
Midmarket CIOs were less prepared than their large-company compatriots to comply with new regulations (see Figure 1). Of course, midmarket IT shops have always run lean, so there has been no surplus of resources to dedicate to the challenge. Large enterprises were also further along in automating IT and implementing software (such as portfolio management systems) to aid their preparation. Yet this initial large-enterprise advantage was diluted by the misguided adoption of resource-intensive regulatory strategies, such as adding staff and hiring consultants.
Compliance Regulations Straining Resources and Infrastructure
Both midmarket and large enterprises have felt the strain of increased regulation (see Figure 2), with the midmarket registering that strain more intensely. "At my organization, SOX has changed day-to-day life for IT significantly," says an IT auditor from one Midwestern manufacturer. The CIO of a midsized division of a financial institution echoes this notion: "I am now devoting 25% of my time to SOX. Over 50% of my time goes to regulatory tasks."
Many of our survey respondents note the additional layer of cost associated with compliance work as the most burdensome issue they face. "There is certainly an increased emphasis on controls, but at considerable cost," says the CIO of a services firm.
The chief security officer at a financial institution identifies several important effects of SOX:
- The company spends less on new features because dollars go to implementing regulatory
- Poor IT compliance reviews negatively affect bonus awards, employee ratings and career
- IT teams have to implement compliance features (i.e., more rigorous change control, logging and auditing reviews, and security administration) that are unpopular with business and that slacken business processes.
The question many wrestle with is, does compliance get in the way of doing business? Our research suggests that the initial stages of the compliance effort created a crowding-out effect (i.e., funding compliance reduced spending on grow-the-business projects).
"There is more fighting and turmoil because there isn't any new money," observes the chief security officer at a financial institution. "So those sponsoring regulatory projects are seen as stealing from those sponsoring business projects."
During the first few years of compliance efforts, high-performance firms didn't seek to optimize the workarounds put in place to meet regulatory requirements. And here we begin to see a difference between large firms and midmarket enterprises. In the jumbos, those in compliance roles have viewed these professions as separate from the business of the business. In the midmarket, compliance was just a part of the job.
Many publicly traded midmarket companies have had an experience similar to that detailed by an IT auditor at a Midwestern manufacturer. "We did not have the cultural discipline or focus around documentation of controls, so [our] initial pain was considerable," he notes.
"One of the key principles behind SOX is assessing operating effectiveness of controls designed to provide assurance of information systems processes that contribute to the generation of financial statements," this auditor says. "A basic presumption is that we know which controls need to be assessed to obtain that assurance."
Faced with limited IT resources and inadequate staff skills in documenting and testing controls, the first year of instituting compliance efforts called for "wholesale efforts" in IT, he adds. Now in its second year of compliance efforts, this manufacturer is focusing on transforming the results of year one into a sustainable process. This means hiring additional staff and consultants to coordinate the testing and remediation efforts that SOX requires.
For this company, at least initially, compliance was a distraction. And the test is, how soon can a company bounce back from compliance shock? Large enterprises have institutionalized the bureaucracy associated with compliance (see Figure 3). Going forward, midmarket players are seeking to build more transparent business processes.
Is the Glass Half Full When it Comes to Regulatory Compliance Efforts?
All of our respondents admitted that at some level the objectives of regulation are not intrinsically bad. A film studio CIO, for example, notes some positive aspects of compliance efforts: "SOX forced us to document more of our internal procedures. We have also automated more IT-related processes, helping to ensure that we meet our SOX requirements."
The chief security officer at a midsized manufacturer also views the impact of regulation as positive. "Compliance has provided a big stick for getting remote folks on the program," this CSO notes. "It furthered our ongoing efforts to automate IT and surfaced that we really need to use data mining to find suspicious activity."
The CIO at a midmarket retailer views implementing compliance standards philosophically: "We were headed in this direction anyway, toward standardized and centralized services (to improve customer experience and save money). The regulations forced us to be more efficient, structured and a little quicker in getting there."
Being perceived as an ethical company -- and a positive compliance record is an important aspect of such a perception -- is emerging as a key ingredient in the secret sauce of early-21st-century branding. Having transparent processes is actually a competitive advantage.
As the chief operating officer at one midsized oil company puts it, "We are much more disciplined [about] capturing process. We have embarked on a service management journey and embraced ITIL [the IT Infrastructure Library] framework, with an initial focus on incident, problem, change and release management." (ITIL is a set of best practices for and documentation on providing IT services.)
Operating With a New Regulatory Compliance Mind-Set
Midmarket companies and their IT executives are wired differently from their tech brethren at the jumbos. Nowhere is this more apparent than in their respective approaches to compliance.
The big-company thought process is this: "I have to comply with new laws, so I have to spend money. The organization must be developed and staffed up." Midmarket enterprises start from a different place, where the thought process is this: "I have no money to spend, yet I must be compliant. How do I get compliance for free?"
So the resource constraints of the midsized enterprise fuse the concept of doing business with that of being compliant. Whereas in large companies there are often two budgets -- one for business and one for compliance -- midmarket firms have one budget for both priorities.
On the staffing front, Figure 4 shows how differently large companies and midmarket firms reacted when confronted with compliance requirements. For most midsized players, increasing staffing hasn't been an option. Indeed, even where it has been, few went down that path. So thousands of CIOs started thinking about their resources this way: "How do I reallocate the resources I have to be compliant without negatively affecting what we're currently doing?"
Resource constraints frequently give rise to better solutions. Where many large enterprises are hiring compliance executives or creating sophisticated compliance organizations, midmarket companies are mapping compliance into the genetic code of organizational behavior.
One midmarket CIO summarizes it this way: "We bake compliance into methodology and operating process after routinizing them." (Though to be fair, 16% of large enterprises are changing from within as well.)
Regulatory Compliance Efforts: Past Imperfect, Future Questionable
One media company CIO holds out the hope that the future will resolve some questions. "In a few years, all this compliance stuff will shake out, but it's a rocky place right now."
Over the next few years, finding ways to achieve compliance at lower cost will likely dominate CIO conversations, agrees Cheryl Smith, the former CIO of McKesson Corp. and now principal of CS Associates, a consulting firm. "The goal of increased integrity and control is one we all embrace, but we need to find a way to achieve this at a lower cost," she notes. "Regulations will make IT better, stronger, more disciplined, more capable of providing true predictable strategic and financial advantage to a corporation."
Still, midmarket executive teams are going to have to get better insight into regulatory processes and better intelligence about which bills will become law. Minimizing the cost and maximizing the advantage associated with being an easy-to-regulate company requires midmarket CIOs to put on their futurist hats. Regulations do not occur in a vacuum; the "demand" for regulation can be forecasted.
CIOs should build on their insight about their businesses and the mind-sets of senior executives to encompass the mentality of regulators and the constituencies they serve. Just as the successful CIO is sensitive to the priorities of the CEO, the enterprise should be sensitive to regulators' concerns.
Instead of lobbying to block legislation -- an ineffective strategy in today's environment -- CIOs should be early implementers, engaging in prototypes designed to demonstrate the costs associated with prospective regulations. In this new age of regulation, a CIO's proactivity can ultimately brand a company as an industry leader.
SURVEY METHODOLOGY: In a series of open-ended questions, 184 CIO Habitat e-mail survey participants were asked about their organizations' compliance with governmental regulations. The CIO Habitat Report research team then conducted phone interviews with a subset of respondents, who were asked to expand on their replies. Among respondents, 67% are from large enterprises, and 33% are from midsized firms; companies span 17 vertical markets, including aerospace, construction, energy, financial services, health care, manufacturing, retail and transportation.
Thornton May is a respected futurist, adviser and educator whose insights on IT strategy have appeared in Harvard Business Review, The Wall Street Journal, BusinessWeek and numerous computer industry publications. To comment on this story, email firstname.lastname@example.org.
This was first published in March 2006