A Rosy Look at Compliance

Experts say compliance is good for you - after the initial headaches and cost, that is

June 17, 2004


NEW YORK It’s no secret that storage companies and their affiliates see the spate of new government regulations as a boon to sales (see Insider Assesses Compliance Impact and The Real Cost of Compliance). It's nothing new to hear them put a cheery face on the necessary hassles of compliance. But in case you're still wondering why you should be grateful for new regulations, speakers at an executive briefing here today offered fresh reasons.

As much of an expensive, time-consuming headache compliance has become, the process of meeting guidelines set by Sarbanes-Oxley and other regulations can benefit IT staffs in the long run, according to input from representatives of EMC Corp. (NYSE: EMC), Unisys Corp. (NYSE: UIS), Cap Gemini, and Information Builders.

Some of the benefits of swallowing compliance castor oil include:

Leveraging processes put in place for Y2K. The U.S. Department of Commerce estimates businesses spent $100 billion between 1995 and 2000 on Y2K. Experts say the technology and processes put in place with that money can help companies comply with the raft of new regulations.

“A lot of work for Y2K helped set the foundation for compliance, just like a lot of disaster recovery is the result of work done for Y2K,” says Don Montgomery, director of Business Intelligence for Unisys.

Montgomery holds that IT should treat compliance as an umbrella project that includes all of its areas of expertise. Outfits that treat compliance as a series of distinct projects aimed at individual pieces of legislation can wind up spending up to 10 times as much money. On the other hand, upgrading internal processes to handle a raft of laws can simplify the task.

Others agree. “Take a holistic approach,” says Grego Kosinski, director of product marketing for EMC’s Compliance Unit. “Don’t look at compliance as something that should be attacked one piece at a time.”

There is one major difference between Y2K and compliance, as Unisys Global Infrastructure Services partner Barry Lurie points out. “Unlike Y2K, Sarbanes-Oxley is not a one-and-done event,” he says. “You not only need to be compliant today, but you need to be compliant tomorrow and the day after that.”

Giving IT more sway in corporate issues. Like Y2K, compliance provides IT greater importance inside the company. “It’s a clarion call to pull the CIO into the boardroom,” Lurie says. Once there, the CIO can do more than make sure the company doesn’t break the law.

Lurie didn't have specific recommendations for how to restructure corporate boards that don't currently feature the CIO. But we digress...

Montgomery says companies should not see compliance merely as keeping the CEO out of jail and avoiding fines. He says the average large company will spend $2.5 million on Sarbanes-Oxley alone, and should look at it as a strategic investment in improving management of its data: “The enlightened company says, ‘Let’s look at it as taking $2.5 million, and instead of just complying, let’s set ourselves up for a strategic advantage.’”

Money spent on compliance can be used to improve projects such as enterprise reporting, analytics, and business intelligence. “Remember the line about, ‘Water, water everywhere, and not a drop to drink?’ ” Montgomery asks. “We’ve got data everywhere and we can’t make sense of it.”

Ensuring good business practices. Kosinski points out there are 20,000 or so regulations a company may need to comply with. To do so, it must guarantee the integrity, confidentiality, and accessibility of its data. All of that is good practice, even without government regulations.

“It’s the same sort of behavior that should’ve been governing your practices without being told what to do,” Kosinski says. “All that’s new are the penalties.”

Everyone involved with compliance should take a page from the software developers' book, Lurie maintains. “The process of auditing data isn’t different. What’s different is validating the result, and that’s where we can learn lessons from software development: Test, validate, insure it works the way we think it should work, and think about how to mitigate if we’re wrong.”

So much for the pep talk. Nobody says compliance is a walk in the park -- especially people who sell services to help companies comply. So the forum also included ominous warnings.

“I’ll offer one guideline: This is harder than you think it’s going to be, and it will cost more than you think it is going to cost,” Lurie of Unisys says. “So set your expectations appropriately.”

The execs also pointed out the November 15 deadline for Sarbanes-Oxley compliance is fast approaching: “It’s 2004 and it’s June. We’ve got to get there,” Montgomery says.

Pointing out that the deadline for Sarbanes-Oxley has already been pushed back once, Lurie says, “I don’t think I’d bet my company on deadlines slipping again.”

— Dave Raffo, Senior Editor, Byte and Switch
