If Compliance be the food of corporate security: Munch on
Enterprises today are confronted with complicated and, at times, conflicting governance and compliance requirements at the national, international and local levels. Executives, board members and audit committees have become increasingly aware that enterprise security is an integral component of each of these requirements. Security governance, compliance and risk management are inextricably linked, with security as the foundational requirement in each.
Compliance proviso:
Assembling and recording information from the different business domains such as sales, marketing, finance, accounts and HR; preserving information integrity to guarantee that information has not been tampered with during storage or transfer; preserving information security to guarantee that information will not be lost or pilfered; and keeping information accessible and retrievable at all times so that reports can be generated and audit trails logged: these are all the prerequisites for compliance.
Data-compliance kinship:
Shoddy data can enfeeble even the most well-drafted privacy, security and accountability controls. An effective conglomeration of data and various compliance practices keeps risks at bay and adds value to the business. Bad information is a grave and insidious problem. Risk management and control standards such as COSO, COBIT and ISO 17799 are more or less silent on data quality. In fact, compliance itself seldom puts data quality on a company’s radar, despite it being a potential compliance risk. The completeness, validity and consistency of underlying data impact every data-dependent compliance activity such as Sarbanes-Oxley, HIPAA, Basel II, IFS, ISO and a host of other regulations that validate information privacy, security and accountability. Poor quality data hides in records, fields and individual data elements: it is as pervasive as data itself. Global information and diverse data formats and contents aggravate the problem. The consequence is a fragmented view of enterprise entities (products, customers, etc.), leading to multiple versions of the truth. When it comes to compliance, a small data aberration can lead to huge expenses. It is a fact that every source of data entry is also a source of data pollution. Building error prevention into data entry applications and publishing data standards make it easier for end users to improve the quality of the data they input. To support compliance, data quality management must leverage both human and mechanical processes, and one’s data quality solution should be scalable, flexible and architecture agnostic. Most importantly, compliance managers should strive to win the hearts and minds of all data generators by preaching the role of good data quality in compliance.
Compliance exegesis:
Be it a bank, a manufacturing concern, a pharmaceutical company or a service provider, all must comply with the rules of conduct that the government, corporate governance, internal company policy and third party standards organizations have laid out. Compliance also implies proof in the form of reports, logs and audit trails that are transparent to the core. Governance and compliance involve the establishment and management of corporate policies and controls that serve to mitigate regulatory, legal and business risks, and to help prevent and detect breaches and fraudulent or negligent behaviour that could affect the fidelity of corporate information or assets. Manish Bapat, Business Manager for NAS and CAS, EMC India and SAARC, says, “The only thing worse than not having a compliance program is not following through on one. Practices that conduct a compliance review but fail to take corrective action will exacerbate a regulatory problem.”
Modus Operandi:
Compliance efforts can only succeed if all departments work harmoniously. Most regulations affect multiple areas of business: accounts, finance, materials and purchasing. Within each area, these regulations cover micro-aspects. Consolidation is the first step to compliance. For most regulations, establishing and implementing policies regarding compliance is necessary. The policies, and the procedures used to carry them out, must be comprehensively documented; such documents are a required deliverable during regulatory audits. Moreover, most companies prefer to farm out compliance work to an external consultant because third party intervention is useful in laying out strategies, making plans and building roadmaps. Periodic audits let the CIO identify strengths and weaknesses in systems and processes and provide scope for improvement.
Hail to thee, Compliance:
Regulations such as HIPAA, SOX and GLBA all have requirements that touch upon ‘security’. Failure to comply will open companies up to fines, civil lawsuits and, in extreme cases, criminal charges. Regulatory compliance acts as an ad hoc security standard. Compliance offers a strong incentive to proactively assess and improve data quality and share the benefits across organizational systems. In fact, the threat of impending legal action is encouraging companies to shell out thousands of dollars on security software that will ensure they are compliant with the new legislation.
A Motley of Compliance Acts:
The Sarbanes-Oxley Act is legislation drafted and sponsored by Senator Paul S. Sarbanes and US Representative Michael G. Oxley. This legislation was approved unanimously by the US Congress on January 23rd, 2002 and signed into law six months later, on July 30th, by the President of the United States, George Bush. SOX came into existence following a plethora of high-profile corporate financial scandals, such as Enron, WorldCom and Tyco, which took the markets by storm. SOX brings in stringent regulations and requirements for corporations to meet, and newer, harsher penalties for defaulters. The thrust of the act lies in the existence of internal controls over financial data. SOX, administered by the US Securities and Exchange Commission (SEC), ensures better control over corporate governance, disclosure and financial reporting. The onus falls on the CIO to play a pivotal role in ensuring that the company complies with SOX. It also aims to make corporate accounting more visible and transparent.
The Health Insurance Portability and Accountability Act (HIPAA) provides for severe penalties for organizations that do not effectively protect the privacy of patients’ health records. The Basel II accounting standard and the Gramm-Leach-Bliley Act set standards for protecting consumers’ personal information.
Six Sigma, pioneered by Bill Smith at Motorola in 1986, is a methodology for eliminating defects in any process, from manufacturing to transactional and from product to service. To achieve Six Sigma, a process must not produce more than 3.4 defects per million opportunities. The fundamental objective of the Six Sigma methodology is process improvement and variation reduction. This is accomplished through the use of two Six Sigma sub-methodologies: DMAIC and DMADV. DMAIC is used to improve an existing business process. DMADV is used to create new product designs or process designs in such a way that they result in more predictable, mature and defect-free performance. Both Six Sigma processes are executed by Six Sigma Green Belts and Six Sigma Black Belts, and are overseen by Six Sigma Master Black Belts. GE, which became one of the early adopters of Six Sigma in 1995, is said to have estimated benefits on the order of $10 billion during the first 5 years of implementation.
ISO is a network of the national standards institutes of 156 countries. They agree on specifications and criteria to be applied consistently in the classification of materials, in the manufacture and supply of products, in testing and analysis, in terminology and in the provision of services. ISO 9001:2000 is the third revision of ISO 9001 since its inception in 1987. The revision emphasized the need to monitor customer satisfaction, met the need for more user-friendly documents, assured consistency between quality management system requirements and guidelines, and promoted the use of generic quality management principles by organizations.
India: The new mooring place
The largest set of consolidated regulations that sanction the integrity of data in India are the IT Act and SEBI’s Clause 49 for listed companies. In a global economy no company is an island, and India Inc. is adopting US and European compliance procedures and certifications such as Sarbanes-Oxley, BS and ISO to keep pace with global trends and carve a niche for itself. Companies that deal with sensitive information, financial services firms and BPOs, banks, MNC subsidiaries and those with plans to expand beyond Indian shores are all affected. In fact, in terms of global certifications and standards, Indian BPOs are on par with the rest of the world. Most Indian BPO companies are BS 7799 and ISO 17799 certified. On the quality accreditation front, an Ernst and Young – IACC survey found that ISO 9000 is the most popular quality standard, followed by COPC and Six Sigma. Needless to say, these companies will continue to make strides towards compliance.
By Ashmita Bose
P.S. Please feel free to express your views.