Is Compliance an Overhead or Business Benefit?

InfoSecurity Europe : 10 March, 2008  (Technical Article)
Clifford May suggests that the very word 'Compliance' strikes dread in many senior management forums. Whether it is viewed as a pain, a necessary evil or, at best, a burden on the business, Compliance has become a word most often greeted with a sigh of despair.
The reason many senior managers have to be dragged kicking and screaming into the Compliance arena is often the complexity of the subject and a fear of the unknown.

At the end of the day most senior managers are focused on making money for the business, controlling costs and generating value for the shareholders, so they view compliance issues as a distraction. That is interesting in itself, particularly the latter two points: surely controlling costs and generating value for the shareholders should be very good reasons to understand what Compliance can mean to the business?

Part of the problem, and the perception, is the plethora of different compliance issues that appear when the surface of the topic is scratched. For example: Human Rights, Privacy, Data Protection, Freedom of Information, Taxation, Corporate Governance, Intellectual Property/Copyright, Health and Safety, Fraud and Corruption, Competitive Practice, Anti-trust, Money Laundering, Standards (ISO/IEC 27001, COBIT, SAS 70) and much more.

Is it any wonder that senior management would rather avoid getting embroiled in this as much as possible? The problem is that it is their responsibility, and they are accountable for Compliance. In time, many will come to realise that they have no choice, and even that Compliance can provide real benefits to the business.

How does this ever happen? Surely the whole Compliance effort costs a fortune and bogs the business down in unnecessary procedure? All many managers see is increasing red tape, extra costs for controls, new or growing compliance teams, personal liability and spiralling overheads. But is this a fair view? Sure, there are additional costs to be carried for the compliance effort, but it can be argued that these are more than balanced by factors such as:

* Increased customer/shareholder/partner confidence and trust (avoidance of embarrassing incidents);

* Improved analysis, documentation and efficiency of business processes;

* Better business resilience;

* Greater buy-in from management and staff;

* The de-duplication of control efforts;

* Faster audits with fewer hold points;

* Reduced audit costs;

* Reduced crisis/incident management and remedial action costs;

* Avoidance of legal or regulatory sanctions or fines;

and more.

It is surprising how the very attempt to ensure Compliance can often become a catalyst for change. As a business grows, the development and documentation of sound business processes often falls by the wayside and greater reliance is placed upon staff knowledge and expertise. This can work for a while, but we live in an ever-changing world where the pace of life is increasing daily, and a lack of sound business practice will mean trouble in the future. It only takes a key member of staff to leave, or a disgruntled member of staff to 'throw a spanner in the works', and serious repercussions can ripple throughout the business.

Yes - we all know we should write procedures so that someone can take over if the worst should happen; but the 'instant' nature of the working environment today (the Internet, email, instant messaging, mobile connectivity) makes that very unlikely. We just do what we do.

This is where Compliance brings some sanity back to the workplace. An auditor is not satisfied by 'hearsay' evidence that a key business process is operating in line with legal or regulatory requirements; they want cold, hard documentary evidence. The Compliance drive therefore tends to underline the need for key controls, procedures and evidence, and to ensure that adequate funding is committed to their maintenance.

What is often missed is the opportunity to develop one management system to control all aspects of compliance, regardless of law, regulation or standard. Many organisations still approach Compliance from a piecemeal angle: HR do their bit, IT do their bit, Legal do their bit. It is also common to see organisations creating separate teams, each tasked with compliance to a particular piece of legislation. This can be due to the 'siloed' nature of many organisations, internal politics, expertise issues, or a plain unwillingness to get involved. Whatever the cause, it is at best unwieldy, inefficient and expensive, and a practice to be avoided.

The problem is that Compliance issues usually cut right across the business, so a very strong lead is needed for any team that is going to co-ordinate all issues company-wide. A competent Compliance team can build one management system that co-ordinates the compliance effort and provides one repository and source of information for audit trails and associated evidence. This avoids the 'empire building' that often happens when, say, a new piece of legislation comes along, containing and potentially reducing costs.

So is Compliance an overhead or a business benefit? Much depends on your viewpoint and the type of organisation you work for. Finance, banking and insurance are heavily regulated and accept Compliance as just part of daily business, whereas for, say, a manufacturing business, it is all just a cost they would prefer not to have. Hopefully this will change in time: legislation may become simpler and easier to understand, business practices and management systems will improve, and many will see how the Compliance effort can bring real dividends.

Clifford May is Manager - Business Consultancy Practice, Integralis

Integralis is exhibiting at Infosecurity Europe 2008, Europe's number one dedicated information security event. Now in its 13th year, the show continues to provide an unrivalled education programme, new products and services, over 300 exhibitors and 11,700 visitors from every segment of the industry. Held on 22-24 April 2008 in the Grand Hall, Olympia, it is a must-attend event for all professionals involved in information security.