Leading companies are focusing resources on how they can better integrate compliance enterprise-wide as a part of everyday business operations and decision-making.
Companies that once were more likely to have invested in compliance programs because they had to are beginning to invest because they want to, seeing the value proposition in technology-enabled compliance measures that also improve business processes and performance. One of the drivers of this new mindset, in fact its primary enabler, is IT.
This is according to Marius van den Berg, director: technology & security risk services at Ernst & Young, who says that as the visibility of compliance continues to rise, there is a concurrent increase in the importance placed on IT.
IT now has the responsibility for making the business better. Ironically enough, one of the most ‘siloed’ of functions has become one of the most well-positioned to do just that.
“Like other parts of the enterprise responsible for risk and compliance, IT’s mandate has expanded in the post Sarbanes-Oxley (SOX) environment. With compliance emerging as one of today’s most prevalent business issues, multiple corporate functions are beginning to converge in a federated approach to addressing quality, risk, and overall compliance management.”
He says that understanding how IT’s role is evolving comes best with an understanding of the compliance landscape.
“Every company operates with rules and regulations. These may vary by industry. As the regulatory environment continues to change with marked frequency and measurable complexity, so do the requirements for automated, repeatable controls and processes around the classic information compliance drivers – internal controls over financial reporting, controls to protect and govern the use of personal information and protection of intellectual property.”
Against the backdrop of this ever-expanding compliance environment, van den Berg says there are also growing expectations from stakeholders. “They want not only effective compliance risk management and transparency in their strategies, but also a reasonable return on the significant investments made in IT, plus measurable means for improving the business overall.”
He suggests that a proactive organisation can leverage IT capabilities to help achieve sustainable compliance by designing and implementing an effective, integrated program “with built-in components to align and coordinate compliance functions, processes, and activities as well as provide adequate oversight and appropriate risk coverage.”
Although information security remains isolated from executive management and the strategic decision-making process, meeting business objectives is a growing focus for information security and it is now more integrated into overall risk management. Organisations continue to improve their information security, but remain challenged to find the right balance between risk mitigation efforts and performance-based incentives.
These were some of the key findings of the 10th Annual Ernst & Young Global Information Security Survey launched in 2007, whose results were collected through interviews conducted with executives from approximately 1 300 organisations in about 50 countries worldwide.
“Organisations globally are focusing on the integration between the information security function and overall risk management. The survey showed that 53% of the respondents were partially integrated, while 29% were fully integrated and 18% had no integration. It is clear that organisations are realising the criticality of incorporating information security within their business plans,” he says.
Convergence, he advises, can reduce compliance gaps overall and risk management fatigue in the business units. He says it can facilitate a risk and control model that is more efficient and effective in supporting business needs, responding to regulatory change, and addressing demands for more granular risk-related disclosure.
“Both internal and external stakeholders will have greater confidence in the quality of the risk management, compliance and assurance model, with reduced remediation activities and positive external reinforcing its value.”
He concludes: “With IT at its best, risk convergence, although challenging, is possible. Choosing this path will reward the organisation with a flexible, efficient, sustainable risk management framework that supports today’s business requirements and those of the future.”