In-Depth
Get Ready for Compliance 2.0
Many say that newer, tougher compliance is inevitable. What's at issue is just how demanding it will be.
If you think that the current economic crisis is going to result in new, stringent regulatory requirements, you're not alone. Many observers with a vested interest in such things -- market watchers, ERP and business intelligence (BI) software vendors, security firms, and others -- say tighter compliance is inevitable. What's at issue is how strict the compliance regulations are going to be.
Marc Camm, senior vice president and general manager, governance, risk, and compliance (GRC) products at CA, Inc, is one industry principal who doesn't believe that new compliance or regulatory requirements have to be onerous. The salient point, says Camm, is that regulation isn't new: organizations have been grappling with it for decades.
He concedes that Sarbanes-Oxley (SOX) upped the ante, but it -- and similar regulatory requirements, such as tighter SEC regulations, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and others -- encouraged ERP and BI vendors to build GRC features into their application software. Camm says that the SOX-driven wave of compliance also helped drive the development of GRC tooling, from CA, IBM Corp., and other vendors.
"In the last 10 years, certainly since SOX came out, there has been more attention [paid] to compliance, specifically on SOX, so there's a maturity established through SOX exercises," he says. "From the IT point of view, there was an effort to deal with those controls and to start getting them under control and create standard operating procedure to deal with that type of compliance."
Since then, GRC has emerged as a central IT-related issue, and with new, more stringent compliance -- Compliance 2.0, if you will -- in the offing, Camm believes IT will have an even bigger role to play. "There are orders of magnitude more complexity coming. IT has the role … to help streamline that. The issue of enumerating the appropriate controls against different regulations, putting those controls in place and ensuring that they're working, and, of course, establishing some centralized system of record that's going to help automate these things -- that's IT's role."
A SaaS-y Approach to GRC
CA is already a big player in the GRC space -- it announced its seminal GRC Manager in October of 2007 -- and, at its most recent user conference, CA unveiled a new, software-as-a-service (SaaS) version, the aptly-titled GRC Manager On Demand, which the company positions as an enterprise platform for compliance and risk governance, which is said to enable more rapid deployment. In other words, Camm indicates, just the ticket for the era of Compliance 2.0.
"We're offering that in a software-as-a-service model. That'll let people get up and running in a more timely fashion. It will allow the business ownership in the enterprise to move forward in their compliance efforts and not have to depend on the timeline of IT to set that up," he explains.
The rub, Camm continues, is that in spite of the fact that GRC is, at bottom, an IT issue, it's also a practice that touches upon a host of business domains. As a result, it involves multiple stakeholders, at multiple levels of the enterprise.
"The stakeholders are often not IT people; they might be legal, they might be HR. They might be from several [different domains]. For them to buy a solution -- getting involved in the infrastructure area is sometimes difficult for them. What we heard [from our customers] was that both the IT department and the customer constituents would be quite happy to use [GRC Manager] as a service," he says.
Risk to the Fore
Things are probably going to get a lot tougher on the compliance front, Camm maintains: in spite of the hullaballoo raised by Congress and harried business leaders concerning SOX, HIPAA, and other measures, the origins of the current economic crisis suggest that, if anything, there's been too little regulation. More to the point, Camm argues, in many cases businesses have been able to skirt -- or exploit the loopholes of -- regulations. He says that situation will change, and drastically at that, over the next half-decade.
"I think that the outcome of all of this is going to obviously be more regulation. Many companies that are undertaking compliance efforts for certain regulations will step that up to be even more compliant," he says. "There are certain regulations that can be open to interpretation, certain loopholes, and I think all of those holes will be tightening up and people will be taking their compliance efforts much more seriously as more and more regulations come out."
Compliance 2.0 will probably also prescribe additional regulations for risk management, which Camm describes as "the poor child" of many GRC practices. "Depending on your business, risk management may or may not have been part of your operations, but now you have Standard & Poor’s asking [companies] for a risk management program to be able to set their credit ratings. From the IT point of view, when you have risk management, you have to do assessments of the risk and you've got to do assessments of the controls," he says.
"The more regulations you have, the more important it is to have some kind of a framework. With the framework, you're hopefully going to map the regulations to the framework. Of course, there's the tricky part -- when you have multiple regulations, what framework do you pick to help you deal with all of these requirements that are being pushed at you?"
Regardless of what the next five years bring on the regulatory front, Camm argues that Global 2000 companies can no longer afford to play it from-the-hip where GRC is concerned. There's the likelihood of multiple, overlapping regulations, for one thing.
"Five or 10 or even 15 years ago, you might have had a couple of regulations that were being mandated and a couple more that you were trying to follow internally, so you did that sort of on your own, informally," he concludes. "That was fine 10 years ago, because you had few regulations and maybe not a need to share information across them.
“As the level of complexity increases for understanding risk and compliance, you need to have a centralized system that takes it out of these silos -- where you have people running information on spreadsheets and not sharing information across the enterprise -- so that you have a single source of truth, a single source of record, the ability to visualize with reporting, the ability to structure workflow, and so on."