Sarbanes Oxley Compliance Journal

Use the Regulation Bandwagon to Drive Your Business Forward


By Mark Opausky, CEO, Business Propulsion Systems

The continuing surge in compliance initiatives with which organizations must contend shows no signs of abating. In fact, with increasing concerns about data privacy and security, the industry research firm Forrester states that more legislation will be proposed before the end of 2005.

To comply with the growing stack of rules, what's required is greater preparedness and more processes within organizations, especially public companies.

Sounds easy, but addressing and implementing new processes related to compliance is a real challenge, especially in light of a survey by Hudson Financial Solutions that revealed 80% of U.S. workers have never heard of Sarbanes-Oxley (SOX) and only 9% say they have been asked to do something differently in their jobs as a result of SOX.

When you consider regulations such as NYSE 446, which requires companies to develop, maintain, review, and update business continuity and contingency plans establishing the procedures to be followed in the event of an emergency or significant business disruption, the compliance challenge becomes daunting and expensive. Gartner Research estimates that companies using a point-solution approach to compliance will spend 10 times more than those who take a proactive approach to managing all their regulatory requirements. And AMR Research estimates that global spending on compliance initiatives will total $80 billion between 2005 and 2009, not necessarily all of it money well spent. Other legislative directives that impact compliance include the Patriot Act, the Vital Interdiction of Criminal Terrorist Organizations Act, the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA).

There are also pending privacy regulations modeled after S1386, a California law requiring any firm that does business in California to disclose to its entire customer base if its customer database was breached without authorization. Following many data breaches, such as ChoicePoint last March, 14 other states have adopted privacy laws that are modeled after S1386.

The regulations all come with their various reporting requirements to document compliance. Sarbanes-Oxley by itself is certainly a significant piece of legislation, and it has some companies spending millions of dollars. And apparently there's no end in sight to the compliance drumbeat.

In fact, the pressure on CFOs and chief compliance or chief risk officers is great: 62% of senior finance executives admit they are under "great" or "very great" pressure, and 68% say they're feeling more pressure than two years ago, according to a CFO magazine survey. And press reports recently stated that a CFO of the Outback Steakhouse restaurant chain called it quits, citing an "increasingly negative regulatory environment."

It is clear that SOX, HIPAA, GLBA, and the many other regulations are not one-time compliance events that will go away after a year or two. Submitting to these regulations is an ongoing effort, and company leaders have to find a way to manage compliance in a more efficient and automated way.

When you put the regulations in one stack, it becomes crystal clear that one magic bullet, no matter how strategically targeted into the organization, will not achieve system-wide compliance. To achieve compliance on the scale that is required of companies of all sizes, it's not a matter of changing a system here or there; it's a process change.

Just what is compliance anyway?
Before looking into how to examine your processes, what about defining "compliance" itself as it relates to business organizations?

Compliance is mostly about establishing and formalizing best practices based on a set of formal regulations. Compliance is the process of adhering to a set of guidelines or rules established by government agencies, standards groups or internal corporate policies.

Adhering to compliance-related requirements can be challenging for some of the following reasons:

• The regulations are new, so there is no blueprint to follow

• Staff may not see the entire view of regulations and may focus on only one aspect, with the result of missing out on other regulations

• Regulations can overlap, or even conflict, so it's difficult to decide what process to follow

• Different countries may have different rules that may create conflicts

• Regulations can change over time, and systems built to meet the old code will need to be updated as well

Based on a review of the above, compliance becomes a continuous process that will need not only to meet the wide variety of regulations, but also to help make the business more efficient as a result.

The bottom line is that from now on, a significant part of a company's budget and resources will be spent on ongoing compliance initiatives. The trick is how to turn compliance into a system that can drive the business forward AND meet the regulations.

Has system-wide compliance on a huge scale ever happened before?
Complying with standards and regulations is not a new phenomenon. One parallel, where an entire industry made systemic change from within to comply with new standards and government regulations AND deliver more efficiency, is the automotive industry.

The parallel between the moves the automotive industry made in the late 1980s and what companies need to do today to comply with the many regulations is remarkable. In a nutshell, what happened is that the automotive makers came together and formed a set of standards that would globally support their business goals and compliance needs. They needed to create a compliance framework based on two premises: first, if you designed something, you had to guarantee the part would fit and not fall apart or catch fire; and second, everyone had to complete the tasks within a defined deadline. The process they embraced was an adaptation of ISO 9000 called QS 9000.

The process was then driven down to thousands of suppliers, who either had to adopt the standards or cease to be a supplier to the automotive industry. Automotive companies could not afford to have anything interrupt their lean manufacturing process. Delays in production, or recalls of parts, cost millions.

At first there was plenty of resistance; eventually everyone achieved the standards, and once they had, they created a central repository of best practices to further drive continuous improvement throughout the industry. In all, this fundamental change to how they conducted their business took about five years to really catch on.

The essence of Sarbanes-Oxley, for example, is quite simple: compliance with applicable laws and regulations. But how does one know what compliance is or what it ought to be? What about such international precedents as Basel II or the ISO standards? The gap between "is" and "ought" is not accidental but systematic, and it is a gap that may leave us permanently torn. Needless to say, all these new regulations, with their vague but nonetheless demanding language, present a challenge to today's business leaders as they strive for compliance.

The COSO Study
Another valuable lesson in compliance can be gained from reviewing the COSO Study. COSO stands for the Committee of Sponsoring Organizations. The Study was introduced in 1992, and it concluded that internal controls consist of five interrelated components ("Internal Control - Integrated Framework", Committee of Sponsoring Organizations of the Treadway Commission, September 1992).

Following the recommendations of the COSO Study will help in managing risk throughout the organization. Its key findings, as stated in the report, are as applicable today as they were when they were first introduced:

1. Control Environment - The control environment sets the tone of an organization and influences the control consciousness of its members. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; and the way management assigns authority and responsibility and organizes and develops its people.

2. Risk Assessment - Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of operating objectives. Risk assessment is the identification and analysis of risks relevant to the achievement of objectives. This forms a basis for determining how the risks should be managed. Because of ongoing changes in economic, regulatory, and operating conditions, mechanisms are needed to identify and deal with the special risks associated with change.

3. Control Activities - Control activities are the policies and procedures that help ensure that management directives are carried out and that necessary actions are taken to address risks to achieving the entity's objectives. Control activities operate throughout the organization, at all levels, and in all functions. They include a range of activities as diverse as authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

4. Information and Communication - Pertinent information must be identified, captured, and communicated in both a form and a timeframe that enable people to carry out their responsibilities. Information systems produce reports, containing operations, financial, and compliance-related information that make it possible to run and control an operation. Such systems deal with both internally generated data, as well as information about external events, activities, and conditions.

5. Monitoring - Internal control systems need to be monitored. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upward through the operational hierarchy.

Use the regulation environment to support business goals
Making a profit from the current regulatory environment shouldn't be the privilege of IT firms only. In fact, the systematic processes that compliance requires, when executed across the organization, should help to drive efficiencies and increase profits.

The first step is to unify the company structure in terms of risk as it relates to compliance, and then to prioritize what needs to be addressed first and when. From this, all of the other compliance issues should be listed and mapped out based on how they impact the different facets of the business.

Internal audit has been around for a long time, and internal auditors have developed a well-understood hierarchy of risk scores. Using this system might be the right approach for some companies, but the hierarchy of risk needs to be scored according to the priorities of the business and not those of only one department.

Departments within the company need to agree on what standards they will use to assess risk and to identify priorities for process improvement. For instance, Internal Audit may view SOX compliance through one set of lenses, while the CFO might look at it through still another.

The second thing that will need to be achieved is to build a recurring process around the compliance processes, to institutionalize them and drive change throughout the organization. Large institutions that embrace compliance need to do a good job of it, in such a way that it works for them.

By starting out with a unified approach, not letting any one set of regulations drive the program, and anointing the person or department that is most qualified, a system of processes and deadlines can be established.

By not letting the SOX people or the HIPAA team lead, you can create a system in which introducing a new regulation doesn't require re-inventing the wheel just to comply with a new set of rules. The best executive to sponsor this program is usually the CFO, or some form of CIO responsible for creating an enterprise structure that breaks down walls.

The key thing to set out to do, then, is to develop a set of processes and timelines that allow people to deploy the compliance systems they want to deploy, not only to support regulatory reporting but also to improve business performance. A compliance system that presumes change, and that is flexible enough to be refined in its approach, will be far more useful in driving a business forward than a point software solution targeted at one type of compliance issue.

So now, when the government comes out with a new standard, it is much easier to inject that new one into a very strong environment of compliance. It is important to see compliance as an ongoing reality: it doesn't end, and you have to get better and better at it to succeed.

Compliance must be viewed as a process that will repeat year over year. Many people seek to clear the main hurdle and then stop, but unfortunately you can't stop; instead, you will need to constantly improve. Ultimately, building a continuously improving compliance process will only come about by changing people's attitudes and refocusing them on protecting the value of the business.



Mark Opausky
CEO
Business Propulsion Systems
Mark Opausky is the CEO and founder of BPS.

In 2000, Mr. Opausky was the originator of the Convergence Process Model, a lean-process, conceptual approach to working with risk in dynamic business environments. Previously, Mr. Opausky directed global client and program management for large scale engineering companies, including Dana Corporation and Echlin Incorporated.

Mr. Opausky managed product portfolios in excess of $200 million on behalf of DaimlerChrysler, Ford, General Motors, and others. He currently writes and speaks about effective process and project execution and the role of technology in governance, risk, and compliance. He was nominated 2003 Entrepreneur of the Year by Ernst & Young.

Mr. Opausky was educated at McMaster University in Canada where he graduated with distinction with a bachelor of engineering majoring in biomedical and device material processing.

© 2019 Simplex Knowledge Company. All Rights Reserved.