December 08, 2005

The awful truth about compliance

Corporate America is doing its best to understand and meet regulatory demands, but many companies are losing their way

Several years into an era of strict corporate-governance laws -- most notably Sarbanes-Oxley and HIPAA -- companies across a wide spectrum are still struggling to find their footing as they try to establish viable compliance frameworks.

Despite the billions of dollars spent on such efforts, the consensus among experts in the field is that 100 percent compliance is "fundamentally impossible," according to Gartner analyst Robert Handler. That reality is ratcheting up questions about risk and vulnerability, leaving some industry insiders aghast at the head-in-the-sand mentality that persists within the IT sector. It's also leading those who are tasked with bringing their organizations into compliance to ask: If we can only do so much, what should that "so much" be?

Anne Bonaparte, president and CEO of MailFrontier, says that in recent months she's had several jaw-dropping conversations "over many conferences and many drinks." One IT director recently told her, "Our compliance policy is to pray." Incredulous, Bonaparte pressed the issue and was told, "We have written policies, and we hope users do the right thing, but we live in fear that they won't."

A high-ranking communications director at a global financial services company recently said that because of the growing deluge of regulations, the Netherlands-based bank for which he works has begun to re-evaluate the merits of doing business in the United States. A lawyer himself, he cited the astronomical costs of hiring staff to meet requirements associated with separation of duties and of hiring an army of lawyers to assist with auditing and personnel matters. "At what point do you say, 'Screw it, we can't do all this,' and look elsewhere?" he asks.


Click for larger view.


"These are not isolated comments," Bonaparte says. She adds that as companies bear the cost of bringing their organizations into compliance, they are increasingly forced to conduct a "risk-assessment calculus" and adopt resource-constrained risk-mitigation strategies to determine what they must accomplish to go on to fight another day should the feds come knocking -- and what they can let slide while still being able get some shut-eye.

"No one really believes there's a silver bullet -- a way to be 100 percent compliant all of the time," Bonaparte says. "So, often what you encounter is, 'Let's wait to see who gets nailed, and maybe it won't be me.' "

Bark vs. bite

And just who is getting nailed? So far, very few. In 2003, roughly a year after Sarbanes-Oxley became law, Weston Smith, former CFO of HealthSouth, pleaded guilty to charges that he conspired to inflate the health-care company's earnings artificially and that he falsely certified that the company's financial records were accurate. In doing so, he became one of the few individuals convicted under the provisions of the new legislation. He is currently appealing a 27-month prison sentence, according to the Associated Press.

In October 2005, The Wall Street Journal reported that Computer Associates was required, as part of a deferred-prosecution agreement reached with federal prosecutors, "to work with an independent examiner, hire a compliance officer and improve its record-management program, among other things."

Sign up to receive Security Resource Alerts

Subscribe to the Security Central Newsletter

The one-stop resource center for IT professionals.

White Paper

CA Security Management Solutions

A comprehensive security management solution can help you streamline, as well as grow, your current or evolving business. In this way, a strategic security approach can help you increase your competitiveness in these challenging market conditions.

Download now! »

White paper

Beyond Compliance: The Significant Benefits of Log Management

Find out how you can effectively collect, normalize and archive enterprise-wide, security-related data that is invaluable for security investigation and compliance reporting.

Download now! »

Webcast

Integrated Identity Compliance: Enabling Cost-Effective Role-Based Compliance

This session focuses on the intersection of role management and identity compliance, and addresses the importance of identity compliance in enterprise governance and the challenges that organizations may face in achieving it.

View now! »
©1994-2009 Infoworld, Inc.