Leveraging your business intelligence resources for compliance


John Weathington, Contributor
04.28.2009


At an average cost of more than $80 million per compliance failure, large companies are realizing that the proper engagement of IT is critical for their risk management and corporate compliance efforts. The days of relying solely on the finance function to provide direction and guidance for huge compliance exposures like the Sarbanes-Oxley Act (SOX) are quickly fading in favor of a more responsible approach that involves collaborating fully with IT and having the CIO partner with the rest of executive management on a total compliance solution.

The intelligent organization will defer decisions on compliance execution until adequate representation from the CIO has been incorporated, and the savvy CIO will be prepared when other members of the executive staff look to him for answers. When that time comes, my advice to CIOs and other top IT officials is to focus their attention on an area they've already developed -- their business intelligence resources.

Here's my key advice when architecting for compliance:

Don't reinvent the wheel

Classical business intelligence architecture contains three fundamental components: an enterprise data warehouse, an operational data store, and any number of data marts. These are the salient pieces of what data warehousing expert Bill Inmon calls a corporate information factory. If your organization doesn't already have these pieces in place, it certainly should have the talent that understands these concepts and can construct them.

You need to leverage this corporate intellectual property instead of trying to design a new set of architectural frameworks. Think of compliance as a strategic function, and view the current data in your organization as vital input to this strategy that will be properly transformed to support your strategic goals of compliance.

In the same way your operational data store unifies your data into entities that represent the "single source of the truth," a compliance operational data store can unify your compliance data for operational compliance intelligence. On any given day, a compliance operational data store can tell you the state of compliance for any area of the company's concern.

Also, a compliance enterprise data warehouse can be built to serve the needs of the compliance function of the company, and compliance data marts can be built to target specific compliance areas such as SOX, Payment Card Industry standards or the Foreign Corrupt Practices Act. Regulatory compliance isn't the only concern. The company can also leverage these architectures for high-risk contract compliance, such as government contracts or contracts that involve royalty payments.

You still need another wheel

Although reinventing the wheel isn't required, you still need to build another one. Do not make the mistake of trying to dual-purpose your existing business intelligence resources to serve the needs of compliance. This is like trying to use a screwdriver to hammer in a nail. It might seem like it's working, but in the end you'll only end up with bruised hands and a halfway hammered nail.

When you originally built your current business intelligence infrastructure, it was to support the needs of executive management for strategic reporting. That's fine for strategic insight, but it works poorly for compliance. The reason is very simple -- it was never built for that purpose.

Using the same concepts, you need to architect a compliance-specific business intelligence solution. This is what I call a compliance data system. The compliance data system serves the needs of the internal audit team, not the strategy arm of the company. The chief audit officer (or whoever is responsible to the board's audit committee) will drive the requirements, and the key users will be internal and external auditors.

Organize a proper team

Without a proper team structure, the effort will fail. Your team should be compact, talented and agile. It should consist of a competent project manager who understands how to lead through successive and sometimes dramatic changes. It should be composed of developers who can rapidly deploy solutions and build a data warehouse architecture that's resilient to changing requirements.

Your team must include tight integration with the internal auditors, as they will drive the requirements. Compliance requirements can be complex and difficult to understand and implement, so proper engagement of experts in all subject matters is a must.

In summary, compliance is not to be taken lightly and companies cannot afford to make mistakes in this area anymore. In the wake of the recent egregious and elaborate scandals, there will be no tolerance going forward for compliance mishaps. CIOs and other top IT officials have an increasing responsibility to partner with their organizations for efficient corporate compliance solutions, and therefore must be prepared when the organization looks to them for advice. Leveraging your business intelligence resources to construct a compliance data system with a properly organized team of professionals is the key to getting it right. Start today by inventorying your current business intelligence architecture, and assessing how it could be leveraged to construct a compliance data system.

John Weathington is president and CEO of Excellent Management Systems Inc., a San Francisco-based management consultancy that helps companies dramatically improve efficiency and avoid penalties and fines. His clients include Fortune 100 firms such as Sun Microsystems Inc., Cisco Systems Inc. and eBay Inc. In a recent effort, Weathington helped a large technology firm fortify a $100 million government contract. For more information, visit www.excellentmanagementsystems.com.


All Rights Reserved, Copyright 2009, TechTarget