
Compliance to Standards

PCQ Bureau

Standards are of two main types: management/process and regulatory.

Regulatory standards are mandated by law. Management or process standards are not mandatory, and an organization is usually free to choose the ones it wants or needs to follow. However, circumstances can make it necessary for an organization to toe the line of such a standard, for instance being associated with another organization, or a government, that requires its partners to follow it. The importance of adhering to standards, both to stay within the bounds of the law and to maintain a minimum level of competency, cannot be denied; their implementation and enforcement can be assisted with IT.


Management/process standards



These are a set of guidelines or principles set forth by reputed management
institutions or experts. The four most common standards are as follows.


Six Sigma



A process-quality standard that measures how close a process, or its deliverable, comes to perfection. It can be applied to any process to measure how much quality is delivered: it counts how many opportunities existed to deliver a unit of perfect quality and how many of those opportunities had at least one defined defect. Depending on how critical the process is, the specification can be relaxed.

For example, one can define a manufactured car chassis as completely defective if there is even one deviation from its exact technical specification (even though the car may still work fine with that defect). For a process to be considered Six Sigma compliant, the calculation must not yield more than 3.4 defects per million opportunities. Implementation requires the assistance of experienced Six Sigma practitioners: 'green belts', who are themselves overseen by 'black belts' (and, above them, 'master black belts').
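The defects-per-opportunity arithmetic described above, as an added Python example that is not code from the original article: it tallies defects and defective units from per-unit inspection results, computes DPMO, checks the 3.4 DPMO limit the article quotes, and converts DPMO to a sigma level. The inspection records are constructed sample data, and the 1.5-sigma long-term shift used in the conversion is the usual Six Sigma convention rather than something the article states.

```python
"""Six Sigma defect arithmetic: DPMO and sigma level.

Added example, not code from the original article. The inspection records
below are constructed sample data; the 1.5-sigma shift in sigma_level() is
the conventional Six Sigma long-term shift, which the article does not
mention. Requires Python 3.8+ for statistics.NormalDist.
"""

from statistics import NormalDist

# Threshold quoted in the article: at most 3.4 defects per million opportunities.
SIX_SIGMA_DPMO = 3.4


def count_inspection(inspections):
    """Tally inspection results.

    inspections: one list per unit; each entry is True when that
    specification (one opportunity for a defect) was met and False when it
    was a defect. Returns (defects, defective_units, units, opportunities).
    A unit counts as defective when it has at least one defect, which is
    how the article defines it.
    """
    units = len(inspections)
    opportunities = sum(len(checks) for checks in inspections)
    defects = sum(1 for checks in inspections for ok in checks if not ok)
    defective_units = sum(1 for checks in inspections if not all(checks))
    return defects, defective_units, units, opportunities


def dpmo(defects, opportunities):
    """Defects per million opportunities."""
    if opportunities <= 0:
        raise ValueError("opportunities must be positive")
    if not 0 <= defects <= opportunities:
        raise ValueError("defects must lie between 0 and opportunities")
    return defects / opportunities * 1_000_000


def sigma_level(dpmo_value, shift=1.5):
    """Convert a DPMO figure to a sigma level.

    The process yield (1 - DPMO/1e6) is read as the area under a standard
    normal curve; the z-score bounding that area, plus the conventional
    1.5-sigma long-term shift, is the quoted sigma level. At 3.4 DPMO this
    gives 6.0, which is where the name "Six Sigma" comes from.
    """
    if not 0 <= dpmo_value < 1_000_000:
        raise ValueError("DPMO must lie in [0, 1000000)")
    if dpmo_value == 0:
        return float("inf")  # a perfect process has no finite sigma level
    process_yield = 1 - dpmo_value / 1_000_000
    return NormalDist().inv_cdf(process_yield) + shift


def meets_six_sigma(dpmo_value):
    """True when the process is within the article's 3.4 DPMO limit."""
    return dpmo_value <= SIX_SIGMA_DPMO


def summarize(inspections):
    """Full quality report for a batch of inspection results."""
    defects, defective_units, units, opportunities = count_inspection(inspections)
    rate = dpmo(defects, opportunities)
    return {
        "units": units,
        "defective_units": defective_units,
        "opportunities": opportunities,
        "defects": defects,
        "dpmo": rate,
        "sigma_level": sigma_level(rate),
        "six_sigma": meets_six_sigma(rate),
    }


# Constructed sample: five chassis, each checked against four specifications.
SAMPLE_INSPECTIONS = [
    [True, True, True, True],    # perfect unit
    [True, False, True, True],   # one deviation: a defective unit
    [True, True, True, True],
    [False, True, True, False],  # two deviations: still one defective unit
    [True, True, True, True],
]

if __name__ == "__main__":
    report = summarize(SAMPLE_INSPECTIONS)
    for key, value in report.items():
        print(f"{key:>16}: {value}")
    # A process sitting exactly on the article's threshold is at six sigma.
    print(f"sigma level at {SIX_SIGMA_DPMO} DPMO: {sigma_level(SIX_SIGMA_DPMO):.2f}")
```

The sample batch has 3 defects over 20 opportunities, i.e. 150,000 DPMO and a sigma level of about 2.5, so it fails the check; a real Six Sigma appraisal would use the same arithmetic over a much larger sample.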

ITIL



The Information Technology Infrastructure Library (ITIL) is a set of IT service management best practices that lead an enterprise toward value for money while maintaining the quality of its IT services. ITIL is vendor independent and is published as a series of books by the OGC (Office of Government Commerce), an office of the UK Treasury. International standards such as ISO 20000 have grown out of ITIL practices. It gives different organizations a common set of guidelines along which to standardize their IT practices. Although IT services are covered by the existing ITIL specification, the OGC is issuing a new version of ITIL that deals specifically with the lifecycle of IT services: their strategy, design, introduction, operation and continual improvement. ITIL v3 is expected to become available in Q2 of 2007.

Just-in-time (JIT)



This is an inventory strategy that improves cost management by reducing in-process inventory. JIT is the standard that gave us the well-known 're-order level' for stock: a pre-defined limit, based on historical demand patterns, for the stock of each product or component. Visual signals known as 'kanban' govern the re-order rate by calling for fresh supplies when stock disappears from the shelves.

However, when demand rises suddenly and unpredictably, JIT can actually hinder the process and increase costs. To smooth the ride over such unstable periods, JIT recommends holding a safety stock equal to two standard deviations of demand. The right balance is achieved when re-order levels are reduced to very low quantities and refreshed frequently instead of keeping surplus stock.

CMMI



The SEI (Carnegie Mellon Software Engineering Institute) developed the original CMM as a process assessment model that helps refine the processes of an organization. The original CMM dealt only with software development. The model benchmarks the maturity of a process in an organization in the context of the project and its client.

The SEI upgraded CMM to CMMI (CMM Integration) in 2002. CMMI helps you integrate different organizational processes. The latest version of CMMI (version 1.2, released in 2006) supersedes the CMM and has three main areas, for development, services and acquisition. The CMM evaluates the maturity of each key process area on its goals, commitment, ability, measurement and verification, and sets up five levels of maturity: initial, repeatable, defined, managed and optimizing.

CMM and CMMI are not off-the-shelf models; they need to be customized per organization. For this reason, no organization can be 'certified' as CMMI compliant. It can only be benchmarked/appraised, and the results of that appraisal released.

Regulatory standards



Devised by various regulatory bodies and governments of different nations, these are rules that organizations must follow to continue functioning within the framework of the law.

Sarbanes-Oxley & Clause 49



The full name of Sarbanes-Oxley is the Public Company Accounting Reform and Investor Protection Act of 2002. Among its many provisions, the Act mandates financial disclosure. To make that reporting as effective, transparent and trustworthy as possible, two kinds of certification are required under Sarb-Ox.

The first is from the authorized signatories of the organization (its principal executive and financial officers), certifying that they are responsible for establishing and maintaining internal controls, and that they have designed those controls so that material information about the company and its subsidiaries is made known to them for the period the reports cover. These signatories must also certify that they have evaluated the effectiveness of those controls.

Second, management must prepare and present an internal controls report as part of each annual report filed under the US Securities Exchange Act. This report must state that management is responsible for establishing and maintaining adequate controls over financial reporting, and that those controls have been assessed and found effective.

Companies listed on the Indian stock exchanges must adhere to the Listing Agreement. Clause 49 of this agreement is currently in the limelight because of changes incorporated into it based on the recommendations of the Committee on Corporate Governance chaired by Narayana Murthy. This clause sets out guidelines for companies' disclosure policies, with specific steps that key decision makers in the organization must take. The key requirement of Clause 49 is the CEO/CFO certification that proper controls are in place for financial and non-financial processes, and that no transactions have been entered into that are fraudulent, illegal or in violation of the company's code of conduct.

Tools you can use



Regulation/Standard       Vendor            Software
Six Sigma                 Minitab           Minitab 14, Quality Companion and (Service) Mentoring
Six Sigma                 SigmaXL           SigmaXL
Six Sigma                 iGrafx            Process for Six Sigma
ITIL                      BPMSpace          BPMSpace
ITIL                      IBM               Tivoli
ITIL                      CA                Service Management Accelerator
                          SAP/Virsa         Compliance Calibrator
                          OpenPages         Sarbanes-Oxley Express 404
                          Oracle            Tools for compliance
Clause 49                 Skelta Software   Skelta Accelerator
Sarb-Ox, Basel II, FDA    SAP               GRC
Sarb-Ox                   Oracle            PeopleSoft Enterprise Internal Controls Enforcer

COBIT



Control Objectives for Information and Related Technology is an internationally accepted IT governance framework. COBIT allows for effective policy development and IT control practices throughout the enterprise. The current version of COBIT is 4.0. The framework groups 34 IT processes into four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring and evaluation. For each process, the framework defines information criteria such as effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability.

COBIT is a learning process that prompts the top management of an enterprise to ask, of each IT process, questions about the relevance of a particular domain to their business, its performance, who is accountable for the process, and how or whether the process and its controls are formalized. As a framework, COBIT is useful to management, users and auditors.

Basel II and RBI



This is a banking standard that improves the risk sensitivity of capital requirements, ties regulatory compliance to risk management, and requires market-facing disclosures by the bank. Basel I, adopted in 1988, did not take risk management into account, and its provisions could easily be circumvented through regulatory arbitrage. Therefore the BCBS (Basel Committee on Banking Supervision) developed the 'three pillar' Basel II framework, consulted on from 2001 and published in final form in 2004. The first 'pillar' of Basel II covers minimum capital for credit, operational and market risk. The second pillar arms regulators with tools to assess and govern risk of various types, including legal and liquidity risk. The third pillar gives the market a better picture of the risk position of the bank.

In February 2005 the RBI decreed that the stipulations of Basel II would apply only to scheduled commercial banks. Further, it allowed banks in India to use only supervisory haircuts (the standard discounts applied to the value of collateral) and no internally estimated haircuts.

The regulation does not take into account double default (both obligor and guarantor defaulting) before a loss is recorded as incurred. Neither does it take portfolio diversification (which is standard practice today) into account. Post-Basel II, the onus for assessing and maintaining capital requirements (including implementing the processes required to do so) is put squarely on the banks.

HIPAA



The Health Insurance Portability and Accountability Act was passed by the US Congress in 1996. The Act governs individual and group health insurance: how coverage can be accessed, transferred and renewed, and how it is protected against misuse (fraud). In particular, it limits the restrictions that group health plans can place on coverage of pre-existing conditions, so that workers do not lose coverage when they change jobs. The regulation also specifies how to deal with misuse of health insurance plans and claims, and sets out penalties for it. A privacy rule, in force since 2003, governs how certain health-related information, called PHI (Protected Health Information), may be disclosed and must be protected. PHI covers an individual's health status, the health care provided to or availed of by them, and payments made for that care, when held by certain types of entity (covered entities such as health plans, clearing houses and providers). Individuals can also ask that their contact details be kept confidential. Covered entities must maintain records of the disclosures they make, appoint a privacy official and train their staff about PHI.