  • September 1, 2004
  • By Larry Bowden Vice President, Portals and Mashups,
    IBM Corporation
  • Article

Governance Best Practices and Approaches

Accountability and effectively managing risk are top of mind for most organizations today. Accountability is key for companies in their efforts to ensure that they meet the wide variety of mandates specific to their industry (examples include Basel II, focused on improved risk management in banks, or the Health Insurance Portability and Accountability Act [HIPAA] for the healthcare industry) as well as cross-industry regulations like Sarbanes-Oxley (SOX) or the International Accounting Standards (IAS) in Europe. One common theme among many of these regulations (regardless of industry) is the need to manage information content and retention through the application of effective business controls, also known as records management.

While managing content and adhering to compliance regulations is key, a critical success factor in deploying the architecture lies in ensuring that employees can adopt the new processes without extensive training or a significant learning curve. Since productivity is key, the architecture itself must be easy to use throughout the organization.

However, effectively managing this information requires a strategy that encompasses business acumen, strong technology underpinnings and intellectual capital.

A Business Strategy

As we have all learned, the exponential growth of data comes with its own set of management challenges. Adding to these challenges are many of the new legal requirements associated with a company’s ability to identify, assess and effectively manage risk. Harnessing the compliance-related information and managing it for better decision-making is the foundation of enterprise risk management. In its broadest sense, an enterprise risk management strategy allows organizations to help manage the variety of strategic, market, credit, operational and financial risks that they confront. Additionally, it should not further burden IT staff or business managers whose jobs have been extended to ensure organization-wide compliance.

Today, many companies are managing regulatory compliance and risk together, which has led to the creation of a new role in the organization: the Chief “Governance” Officer (CGO). Governance can have many different definitions. In one sense, it means that boards and executives govern their companies better, enhancing both corporate accountability and the creation of wealth. In another, it refers to “the exercise of authority, management and control.” In the context of risk and compliance and the role of the CGO, it means to govern or manage both regulatory mandates and effective risk management.

It should come as no surprise that this focus on governance is leading to an increased focus on improving and managing business assets and processes within companies today. In addition to improving financial management and reporting, content creation, and operational risk or privacy management, companies must also archive and retain information effectively. The bottom line is that as companies look to expand their competitive advantage and transform business processes into the on-demand world, risk and compliance is a constant that must be managed and considered. Companies need to build a technology foundation that includes an effective risk and compliance strategy.

The challenges facing customers today with regard to risk and compliance stem primarily from integrating business and IT requirements.

Governance Challenges

As companies look to effectively manage governance, some of the business and IT challenges they face may include:

1. Business/Operational Challenges:

  • Business Silos and Solution Silos. Many business solutions around governance have been implemented to solve a single problem, by a single group or division within a company such as a trading desk, banking region, financial or healthcare group, etc. This silo-based approach makes it very difficult for firms today to implement enterprise level risk and compliance solutions;

  • Evolving Regulations. As a regulation changes or a new one is created, the same requirement must be implemented in each silo, resulting in significant costs to the corporation. For example, if individual trading departments have implemented their own SEC 17a-4 solutions, each silo would need to be updated as additional archival requirements are defined. There is an additional cost in terms of staffing for organizations to keep up with and understand all of the various regulations that may impact their business. This is extremely challenging in the U.S. alone, where more than 4,000 new regulations/rules are approved by agencies of the U.S. Federal Government every year; and

  • Varying Enforcement Levels. Companies need the ability to think globally with a common and flexible infrastructure that respects the regulations specific to a county, country or region.

2. IT Challenges:

  • Componentized Systems and Architectures. The demand for componentized systems and architectures that share a common infrastructure, while enabling many applications, is key to many IT shops because it ensures the compliance information can easily “speak” to different parts of the organization;

  • Standards-Based Architectures. Architectures built on standards such as Java, Linux and Web services can make implementing a common infrastructure, as well as re-use of existing systems, easier to achieve; and

  • Reduce Total Cost of Ownership for risk and compliance through a common infrastructure that allows for integration of different applications, processes and information.

Governance—Driving IT Spending

It should also come as no surprise that along with the increased focus on risk management and expanded regulations comes a slew of vendors vying for compliance-related budget dollars. The Chief Financial Officer (CFO), CGO, regulatory compliance officers and IT staff are now faced with almost too many options without the luxury of time to evaluate which strategy and solution(s) best addresses their organization’s and clients’ needs.

While certain regulations such as OSHA and EEOC have been a long-standing requirement for many industries, the front-page headlines have ignited new regulations that have ushered in a wave of compliance-related IT spending.

To illustrate this point, a recent Forrester survey found that in 2003, 17 out of 20 CFOs indicated that the new SOX regulation had a minimal impact on spending plans. One year later, it’s clear that this regulation is a corporate priority, as evidenced by the surge in SOX compliance-related spending. In this same report, “IT Execs Wake up To Sarbanes-Oxley Compliance,” Forrester surveyed 878 technology decision makers at North American companies regarding Sarbanes-Oxley and its effect on their IT budgets. 48% of the companies surveyed had 1,000 to 4,999 employees and 52% had 5,000+ employees. Highlights from the research to note:

  • 52% of those surveyed are affected by SOX; and

  • Of those affected, 77% plan to increase spending to support compliance.

As government regulations drive IT spending, companies need to ensure that their staffs are getting the most from their investments as compliance is critical to the overall health of the organization. With regulatory deadlines looming and requirements constantly changing, an organization should do its best to avoid an ad hoc tactical approach to compliance that is narrowly focused on dealing with individual regulations as they come along. Rather, business leaders should seize the strategic opportunity to improve overall business operations. Two key approaches include:

  • Creating an effective team between the CFO, governance officers and IT; and

  • Establishing a governance infrastructure to meet all of your critical needs.

Key Governance Components

A key component to a successful governance infrastructure is the ability to establish a common user experience around risk and compliance. The goal is to provide a single, secure, easy-to-use, enterprise-wide user interface for a CFO or CGO that delivers anytime, anywhere access to critical resources such as content, applications, governance processes and people—both within and outside the organization.

In addition, this interface should include a governance scorecard (performance management), where users can monitor governance metrics based on strategic objectives and better respond to critical governance situations. With this scorecard, a CFO or CGO would have the ability to increase operational effectiveness and efficiency, employee and customer satisfaction and subsequently drive additional revenue. Benefits include:

  • Improved access to the right information at the right time—anywhere within the organization;

  • Lower governance TCO with integrated collaborative capabilities, while maximizing people skills; and

  • Extended value of existing IT investments through integration with IT governance systems.

In addition to a single user interface, a wide variety of other technologies play a role in establishing an e-business on demand compliance infrastructure:

  • Business process management—including process modeling and monitoring along with workflow (includes the management and monitoring of governance business processes and IT events);

  • Controls framework—to help understand what risks are inherent in the business, controls that are in place and what gaps exist;

  • Strong security—to control access, protect information against unauthorized disclosure, and provide audit trails and reports that can be relied upon as evidence;

  • Storage management—to protect and retain data as well as ensure business recovery;

  • Simplified content/information management—to help search as well as retrieval of information to improve the discovery of information; control access to information; manage compliance reporting through a defined workflow including appropriate sign-offs; and records management and archiving to meet retention regulations; and

  • Analytics and business intelligence—to help assess risk.

Many of these regulatory requirements often mandate formal, structured recordkeeping practices. For example, government agencies have to comply with numerous laws regarding freedom of information, privacy and the maintenance of historical and archival records. In the commercial world, businesses must adhere to statutes concerning taxation, occupational health and safety regulations, environmental protection laws and more.

Businesses today are seeking formal, structured recordkeeping for their electronic documents and content to help demonstrate compliance with regulations and laws. In addition, they need to establish strong, credible evidence of proper business conduct in order to avoid litigation.

Records management can also help with the glut of electronic information that exists in companies today. Too much recorded information is often worse than not saving enough. Businesses today need to know, with full legal confidence, what records they can delete and when.

Organizations need to manage their electronic content in a way that reduces their risk and enables them to demonstrate their regulatory, legal and fiscal compliance. Electronic recordkeeping provides a means by which a company can begin to demonstrate its recordkeeping accountability to shareholders, customers and regulators. One method that can be used is “e-records software,” which brings formal, structured recordkeeping practices to electronic information produced or managed by business software. Business software with this capability applies formal recordkeeping practices and methods to the electronic content, which helps to demonstrate compliance with regulations, preserves critical documents necessary for future decision making and deletes information at only the appropriate time, in accordance with applicable laws, regulations and/or policies. Businesses can now preserve the business records they’ve determined they must keep, while destroying those permitted by law, policy or regulations. Electronic recordkeeping forms a key part of the infrastructure supporting a business’s overall accountability.

Creating an Effective Compliance Infrastructure

One of the most compelling outcomes for a CFO, CGO, Chief Compliance Officer (CCO), Chief Risk Officer (CRO) or CIO with regard to compliance is the fact that governance needs are driving organizations to assess their current infrastructures, while presenting an opportunity to adjust their newly examined business capabilities. This includes implementing a variety of products and services that can be leveraged to help support companies in the execution of their business initiatives as well as helping them to adapt to the ever-increasing regulatory risk and compliance environment.

Thus, businesses have an opportunity to go beyond mere compliance with these new obligations. They can use this opportunity to improve their business operations by making them more efficient and predictable. Integrating the vital aspects of your corporate IT infrastructure with business processes to support compliance presents an opportunity to re-evaluate your current business methodologies and revise as required moving forward.

Certainly, the task can at first appear daunting. The sheer volume of information from the Web, e-mail and instant messaging has caused a tremendous increase in the amount of information an organization produces. In fact, up to 80% of business information is now stored in electronic formats.

And records management and regulatory compliance is only going to get more challenging, as the drive to e-business on demand brings an even more meteoric rise in the amount of information a company generates—and is responsible for managing within defined business processes and mandates. But consider the upside. An infrastructure that supports the myriad IT requirements behind governance can help streamline complex regulatory processes. What’s more, it can spur productivity, enhance customer service and boost return on technology investment—all while optimizing your business.

The tactical approach cannot and should not be the goal. The problem with implementing ad hoc solutions to address individual regulations is that they don’t fully utilize, or gain insight from, company information on demand. And while such an approach may be cheaper in the short run, it can be much more costly in the end, because it forgoes the ability of an integrated infrastructure to alert IT and business decision makers to threats and opportunities before they would otherwise appear on broader corporate radar screens.

According to PricewaterhouseCoopers, an integrated approach to governance, risk and compliance management can improve a company’s reputation value by 23%, employee retention by 10% and revenue by 8%.

By contrast, the strategic approach implements a technology framework that provides common value to all business solutions, including governance. The goal is to provide businesses with access to critical information in real time, bridge disparate teams through collaboration tools and seamless workflow and enable the viewing of vital corporate data on a single dashboard—all while implementing a seamless retention policy in an effort to improve time to deliver, time to value and reduced total cost of ownership.

Such a framework helps companies improve employee productivity by establishing a common user experience, maximizing security and control, shortening business cycles and improving customer satisfaction. The goal of the infrastructure is to help companies adopt best-practice standards to transform their business operations and meet governance needs. The software should help increase business efficiencies so companies can gain deeper insight and predictability on the status of their compliance and business efforts, and help address the information requirements of regulations affecting their businesses.

What does this take? A single governance infrastructure should provide:

  • Common value to all business solutions, not just risk and compliance;

  • Integration among people, process, applications and information, with a common base for compliance processes and improved data quality and consistency; and

  • Timely access to information and reports along with automated data archival and retention.

The bottom line is that companies need to improve their time to value, time to delivery and reduce their total cost of ownership.

Creating an Effective Team

In addition to potentially creating new roles, like the CGO, many companies are forming compliance committees or boards to help guarantee that standards and strategies are met. Members should include representatives from key areas throughout the organization who have a role in ensuring compliance. This may include representatives from risk management, internal and/or external audit, finance, IT, legal and safety departments, environmental teams, the board of directors and human resources. Unfortunately, in many companies today there can be a disconnect between the CFO or CGO’s office and the IT department on their strategies to manage and mitigate risk. For example, in many cases IT departments may not understand auditing procedures and the appropriate implementation of internal controls for Sarbanes-Oxley Section 404, mainly because the IT department struggles to understand audit-centric terms and how they apply to an IT infrastructure. Without a common understanding or translation of terms, it may appear that the IT organization is reluctant to help corporate auditors document IT controls in order to meet Sarbanes-Oxley requirements. This can also be the case for other regulatory mandates. It’s important to reach a common understanding of the CFO’s strategic objectives and how IT can work as part of the team to help achieve them.

Regardless of who’s in charge, the most effective team is one that crosses boundaries throughout the organization.

In Summary

An integrated approach to governance built on a common infrastructure can result in many business benefits:

  • Reduced total cost of ownership, and reduced implementation cost by working on a common infrastructure for both risk management as well as regulatory compliance;

  • Reduced level of risk;

  • Competitive advantage. If your company can respond quickly to new or changing regulations and leverage the infrastructure investment with performance management projects that improve overall business performance while others in your industry can’t, the edge goes to you;

  • Accurate information that is delivered on time to those who need it, so that they may understand current status at a glance, respond quickly to critical situations and plan better for new or updated mandates;

  • Improved reputation, by helping reduce potential liabilities and fines—keeping the company out of the news; increased shareholder value; improved confidence for investors and customers; and maintaining credit rating;

  • Increased customer knowledge; and

  • Enhanced communications.
