InfoWorld
Calculating IT risk, navigating compliance

No one can afford to lock down everything and comply with the letter and spirit of every regulation. So put the most resources where liability is highest.


If you want to know how important regulatory compliance has become for financial services companies in the United States in recent years -- how ingrained in the day-to-day operations of banks, brokerages, and mortgage companies -- consider SunTrust bank, the nation's seventh-largest financial institution, where auditors have their own room on the upper floors of the company's Atlanta headquarters. Permanent network connections? Got 'em. Perpetually refreshed buffet? You bet. Floor-to-ceiling windows with striking views of downtown? Done.



"We like to keep our auditors happy," says David Rowan, senior vice president and director of SunTrust's enterprise technology risk management group, at a recent address at Courion's Converge '06 user conference.

And for good reason. With more than $175 billion in assets, 5 million customers, and 33,000 employees, SunTrust gets audited around 48 times a year. That means auditors are an almost permanent fixture in the company's offices, and SunTrust is in an almost perpetual state of "audit readiness," with full-time staff dedicated to nothing other than facilitating audits against the legion of regulations that affect SunTrust's business: Sarbanes-Oxley, Gramm-Leach-Bliley, the Anti-Money Laundering Act, the Bank Protection Act, audits from the Federal Reserve and Securities and Exchange Commission, as well as internal and third-party audit teams.

The company's robust response to these challenges has made it a leader in enterprise risk management and a darling of the compliance community. SunTrust has reduced outstanding audit issues by 97 percent in the last five years by investing in areas such as user and access management and by consolidating risk functions such as physical and IT security. The cost? SunTrust will spend $55 million on enterprise risk management this year, around 5 cents per share of the company, Rowan says.

All the more frustrating, then, that SunTrust's investment didn't spare it the expense and embarrassment of having to reissue 65,000 debit cards to customers last year following a security breach at a merchant site that led to the theft of account information for hundreds of thousands of Visa card holders by an unnamed Russian hacking crew, Rowan says.


That dilemma is one that is vexing companies across the country, in the wake of reported data thefts at online retailer OfficeMax, the Veterans Administration, Fidelity Investments, not to mention ChoicePoint, LexisNexis, CardSystems, and countless others. Traditionally something that was managed within the company, enterprise risk management today involves an increasingly complex set of interdependencies that includes customers, business partners, and outsourced operations, along with consultants and other contractors. At the same time, risk officers are under intense pressure to reduce the cost and complexity of compliance.

That confluence of factors could set the stage for a big shift in the evolving practice of enterprise risk management, as companies look for ways to streamline and automate compliance functions, while broadening their understanding of enterprise risk to take into account threats that accompany customer and business partner integration through Web services and SOAs.

Risky Business

Developing an enterprise risk management strategy involves creating an integrated view of a company's exposure to risk that includes a company's business, ongoing operations, and finances. Enterprise risk management requires a sober assessment of internal risks such as theft by rogue employees or the unexpected loss of an indispensable senior executive, not to mention external hazards ranging from hackers to hurricanes (see "Best practices for managing IT risk").

"Basically, if it's bad, it's my responsibility," Rowan jokes.

Paul F. Roberts is a senior editor at InfoWorld.

