There is a lot of noise out there about compliance, enough to make it sound
like something new. Recently, one storage vendor released a product claiming it
was in line with regulatory requirements and a noted lawyer penned a whitepaper
around that product and how it helps. But somewhere in the background of all
that noise, there is a tune that insists that all these regulations, statutes
and laws only serve to make the organization you are running and its business
more transparent, credible and trustworthy. This is the tune you should listen
to. Block out the rest of the sound-bands, including warnings of dire
consequences and media stories and hype about this or that organization
suffering huge penalties for non-compliance.
Focus instead on building a set of uniform, documented and repeatable
processes across the enterprise, where every employee, user or external entity
knows the flow of request, response and arbitration. Once that is done, true
compliance will follow naturally.
Recognize the need
Ask yourself: why do I need compliance? Beyond the answer given above, is there
a regulation or standard you must adhere to that initiates the compliance drive
in the organization? For instance, if you are in the medical industry, you need
to be HIPAA compliant. If you have an IT department (as you obviously do), then
consider COBIT and ISO 17799-2005. Other reasons to strive towards compliance
are external requirements (are you a BPO?) or better user perception (a
marketing strategy).
The drive towards compliance is an asymptotic exercise, mainly because it is a
continual, recursive activity. First you evaluate where you stand and where you
want to get to. Then you implement some policies and protocols. Next you
evaluate whether there are any problems with them, whether there are any
non-complying entities, and so on, and attempt to rectify these. As long as your
organization grows, extends into new markets, sees turnover of manpower and
updates its vision and mission, compliance will never be completely achieved.
You will get infinitesimally close to it, but never actually stand on a point
and say, "Today we are fully compliant, we need not do anything further from
here". That's Utopia.
To start off, you should be willing and able to create the resources and
marshal them until a reasonable point of compliance is achieved. For instance,
enterprises frequently appoint a dedicated wing of audit personnel headed by a
'Chief Compliance Officer' to monitor compliance-related activities in the
organization. They will need assistance from a legal wing (or an expert
consultant) from time to time to help interpret new laws and regulations and
their relevance to your specific organization and business needs. Can your
organization provision such a department for this exercise?
Work out your plan
Now decide which particular requirements you need to address. Even if the
agenda in question is regulatory in nature, are there parts of it that are
optional? For some standards, you may find an international version, a
local-national (say, Indian) version and a version that is specific to the
entities you do business with or the regions you have markets in. For instance,
as an Indian organization with business interests in the UK, which would you
follow: ISO 17799 or BS7799? Some of these standards also let you pick and
choose the specific points you will comply with. This lets you fine-tune your
level of compliance to exactly what you require.
There will be documents to be maintained, resources to be organized and
responsibilities to be affixed. Many processes that earlier could go on without
a fixed authority at their head must now follow a prescribed workflow. If it is
a legal requirement, certifications will be necessary from key personnel (like
you) stating that all the information in a published report is accurate and
verifiable.
Now, in order to achieve a level of trust you can guarantee, your processes
must be foolproof. And beyond a certain point, your IT cannot safeguard
information that has been rendered into the offline world. For instance, if a
confidential business deal was being worked on and your personal assistant saw
the mail, even though he may not be able to print it or forward it to someone
at your competitor, he can still photograph it with a camera or write down the
salient points on a piece of paper and carry that out. And how would you track
whether your purchase officer was actually getting a kickback on stores
inventory orders, whatever kind of sophisticated system you implement? Even the
Indian IT Act 2000 says you cannot be held guilty for something you did not
know about (though not knowing the law is still no excuse), provided you can
prove you did everything possible to remove the problem.
What are the risks of not complying? If the weight of such risk calculates to
zero, then you need not spend time, money and other resources trying to achieve
a particular compliance. Some forms of compliance are good for safeguarding the
interests of the enterprise, and the risk of not implementing them is too great
to ignore. Other forms of regulatory compliance are necessary from the legal
standpoint and would invite legal action if not complied with.
Implement and audit
Unlike IT implementations, implementing compliance is not about deploying
software. Of course, IT can help you with compliance (even with specific
standards or regulations) by providing you with appropriate reports or
checklists. For instance, a tool that claims to help you with Sarbanes-Oxley
will generate the required financial reports, make sure that the required level
of data integrity is maintained and give your CFO a mechanism to certify that
the information is accurate to the best of his knowledge. Within such a system,
every change to the data, every addition and deletion, will be recorded with a
stamp of who did it and when. This makes it possible to trace back and verify
what happened, and to affix responsibility for action or inaction on a specific
individual in the organization.
Like all implementations, the compliance drive too needs a periodic audit
cycle. This can be as simple as a health check to find out whether everything is
working as planned and implemented, and, if there are problems, to take remedial
measures. Remedies can range from the re-assignment of tasks to reworking entire
workflows. Experts suggest that different sets of consultants be called in for
the implementation, audit and remedial cycles. They warn that otherwise
consultants may pad their bills with spurious requirements or measures.