The awful truth about compliance

Several years into an era of strict corporate-governance laws -- most notably Sarbanes-Oxley and HIPAA -- companies across a wide spectrum are still struggling to find their footing as they try to establish viable compliance frameworks.

Despite the billions of dollars spent on such efforts, the consensus among experts in the field is that 100 percent compliance is "fundamentally impossible," according to Gartner analyst Robert Handler. That reality is ratcheting up questions about risk and vulnerability, leaving some industry insiders aghast at the head-in-the-sand mentality that persists within the IT sector. It's also leading those who are tasked with bringing their organizations into compliance to ask: If we can only do so much, what should that "so much" be?

Anne Bonaparte, president and CEO of MailFrontier, says that in recent months she's had several jaw-dropping conversations "over many conferences and many drinks." One IT director recently told her, "Our compliance policy is to pray." Incredulous, Bonaparte pressed the issue and was told, "We have written policies, and we hope users do the right thing, but we live in fear that they won't."

A high-ranking communications director at a global financial services company recently said that because of the growing deluge of regulations, the Netherlands-based bank for which he works has begun to re-evaluate the merits of doing business in the United States. A lawyer himself, he cited the astronomical costs of hiring staff to meet requirements associated with separation of duties and of hiring an army of lawyers to assist with auditing and personnel matters. "At what point do you say, 'Screw it, we can't do all this,' and look elsewhere?" he asks.

Click for larger view.

"These are not isolated comments," Bonaparte says. She adds that as companies bear the cost of bringing their organizations into compliance, they are increasingly forced to conduct a "risk-assessment calculus" and adopt resource-constrained risk-mitigation strategies to determine what they must accomplish to go on to fight another day should the feds come knocking -- and what they can let slide while still being able get some shut-eye.

"No one really believes there's a silver bullet -- a way to be 100 percent compliant all of the time," Bonaparte says. "So, often what you encounter is, 'Let's wait to see who gets nailed, and maybe it won't be me.' "

Bark vs. bite

And just who is getting nailed? So far, very few. In 2003, roughly a year after Sarbanes-Oxley became law, Weston Smith, former CFO of HealthSouth, pleaded guilty to charges that he conspired to inflate the health-care company's earnings artificially and that he falsely certified that the company's financial records were accurate. In doing so, he became one of the few individuals convicted under the provisions of the new legislation. He is currently appealing a 27-month prison sentence, according to the Associated Press.

In October 2005, The Wall Street Journal reported that Computer Associates was required, as part of a deferred-prosecution agreement reached with federal prosecutors, "to work with an independent examiner, hire a compliance officer and improve its record-management program, among other things."