01 December, 2005 04:46 PM EST
Compliance Prediction
Posted By: Mark Raskino, VP & Gartner Fellow

Through 2008, investigation of new technologies will slow as discretionary budgets divert to regulatory compliance.

Everybody in the IT industry is aware that Sarbanes-Oxley is a big part of the compliance burden, but won’t most of the effort be completed within a year or so? Why will the resource drain continue through 2008?

COMMENTS
02 December, 2005 04:24 PM EST
French Caldwell, Gartner Research USA
Who says compliance efforts are a resource drain? It's a real mixed bag. CEOs will complain in public, but in private they say they're more confident that, because of compliance, their financial numbers are really the numbers. Some CFOs tell me that they are now able to make day-to-day financial decisions faster, because they have more reliable operational data as a result of the improved processes and controls. What no one likes is the cost - that's the real pain. So what happens next is to get some automation into the compliance process. First, companies automate the compliance process itself - putting some workflow, dashboarding, reporting and document management in place - and then they look at automating the controls themselves - taking manual process controls and making them inherent in the system. Segregation of duties has been the first focus of eliminating manual process controls in favor of system controls. Also, not knowing what needs controlling is an issue: Where should companies focus their internal control efforts? Most have yet to do good top-down risk assessments to identify significant risks. If you don't do that, then how do you know which controls are key? You don't - so you spent lots of money on testing and monitoring things that are low risks, and you have no negotiating position with your auditors. Believe it or not, there is still a subset of auditors in the stone age who are focused on covering themselves and therefore want to cover all the bases. If you don't do a risk assessment, you can't argue with them. The bottom line here is: Do risk assessments and apply automation - and then you can quit paying your auditors so much.
02 December, 2005 04:25 PM EST
Jorge Lopez, Gartner Research USA
The key point is that CEOs are concerned because of the ability of regulations to impose business costs virtually without warning. You can have new regulations emerge from sources that are local, regional, national, international across regions, and global. We are in a period that is the opposite of the revolution toward smaller government most successfully prosecuted by Reagan and Thatcher in the 1980s. It would appear that citizens are insisting their governments intervene to reduce risks that are present in society that would not be attended without these laws.
02 December, 2005 04:26 PM EST
Mark Raskino, Gartner Research, UK
But apart from SOX, is there really a more general growth in regulations?
02 December, 2005 04:26 PM EST
Jorge Lopez, Gartner Research, USA
The best way to describe the growth in regulations would be to look at what is happening within individual industries. In the European automotive industry, for example, the European Block Exemption has expired and resulted in independent automotive dealers being able to conduct business without direct interference by the manufacturers. This implies different systems that support independent dealers. The condition that existed before was mandated by regulation, and the current situation shows what happens when regulations expire as well. Across the landscape, changes that emerge from concerns of trade (NAFTA, CAFTA, Mercosur, etc.), safety (pharmaceutical, automotive), pricing (utilities, pharmaceuticals), transparency (SOX), and so on will most certainly advance until the costs to society are deemed much higher than any benefit that could accrue. This will lead to Reagan/Thatcher Part 2 and could plausibly affect the 2012 U.S. presidential election.
02 December, 2005 04:27 PM EST
Mark Raskino, Gartner Research, UK
SOX does not apply to private companies or government. Does this mean that those organizations will be able to innovate and progress faster, while public companies are held back?
02 December, 2005 04:28 PM EST
Jorge Lopez, Gartner Research, USA
I think the transparency that is demanded in SOX will also be important in the private sphere. Private companies also need to make a profit, and if improved transparency helps that, they will adopt it willingly to ensure they remain competitive with their public-company cousins.
02 December, 2005 04:28 PM EST
Mark Raskino, Gartner Research, UK
The prediction says compliance will be at the expense of investment in new technologies, but are we implying there are no new technologies that help compliance?
02 December, 2005 04:29 PM EST
Jorge Lopez, Gartner Research, USA
This depends on the regulation. If you need safety, the technologies there are different from those that are needed for trade, and those are different from the ones needed for transparency. In the end, a distinct study of each segment is needed to see where this is literally true and where it isn't.
02 December, 2005 04:30 PM EST
Mark Raskino, Gartner Research, UK
Perhaps the new technologies have been appearing faster than companies' capacity to absorb and apply them. Often, it seems to be business change that is lacking. Will regulatory compliance provide an injection of the change discipline companies need to exploit the technology they have and perform better because of it? Or is it right to see it only as a cost of doing business?
02 December, 2005 04:31 PM EST
Jorge Lopez, Gartner Research, USA
The experiences of DuPont in safety, Toyota in quality, and J&J in managing the Tylenol poisonings are case studies of how government-mandated requirements for legal performance can provide sound business performance as well. It is also clear, however, that there are management teams that do not look at regulations this way. These teams will always have to create a "reserve" to account for the burden of regulation on the business, and they will also be challenged to compete with their colleagues that have undertaken this as well.
20 December, 2005 11:11 AM EST
Accountability is a good thing..

Most of us agree that besides the mandates, it would be nice to know the health of the business objectively - for our own sanity at the minimum

Transparency of business processes is key to allowing instrumentation - today's BPM and SOA technologies can make that happen - guess it boils down to corporate resolve and the small thing called budget..
21 December, 2005 12:43 AM EST
Further to NAFTA, Mercosur, SOX et al, Compliance is currently a major cause of concern for Financial institutions on account of AML (Anti Money Laundering) and KYC (Know Your Customer) requirements. Almost all banks have had to create new corporate structures to oversee implementation of processes that are compliant to AML/KYC regulatory requirements.

Going forward, I believe costs of Compliance will reduce over a period of time, starting with outsourcing these services to 'niche' BPOs, and later with the advent of 'intelligent' technologies that can independently, with very little intervention, monitor the billions of banking transactions that occur each day in the world.
05 January, 2006 11:54 AM EST
Compliance will become another cross-cutting concern, similar to network architecture reviews and performance standards; i.e., every new business system being developed/re-designed will need to incorporate 'compliance' related requirements. The 'Enterprise Architecture' organization will require a 'signoff' from a Compliance perspective (similar to signoff from a Performance perspective) for application development. So, while compliance-related resource drain might be high in the short term (i.e., retrofitting current apps with Compliance support), the impact of Compliance will continue to exist beyond 2008, except it will be hidden in application development budget.