Dec/Jan 2007 Issue

Sarbanes Oxley...the Lemonade of Compliance Regulations
By Marv Goldschmitt

The overall costs associated with initial compliance, along with the results of the risk assessment process, have inspired a variety of points of view about the benefits of meeting Sarbanes Oxley (SOX) requirements. While the general attitude toward SOX is negative, a few companies are beginning to realize that the steps needed to achieve SOX compliance provide business benefits beyond the obvious one of staying within the letter of the law. Could these companies be on to something? Is SOX compliance the vanguard of a new phase of positive business practices? Surprisingly, it appears that it might be. And, if it is, companies that view SOX in a positive light may find themselves in enhanced competitive positions.

When SOX first arrived on the scene, it was all but impossible for businesses to take a long-term view of compliance. The rush was on. CEOs and boards of directors took this new law seriously and personally. Public companies were scrambling to sort through the myriad of requirements, affecting almost every aspect of their business. This was all-consuming work and non-compliance penalties went right to the top. You might say that the SEC knew how to inspire a large enterprise into action -- threaten the top executives with jail. But now that the smoke has cleared, at least for some, and companies are able to step back and assess what the real effect of the SOX commotion has been, the results may surprise them.

The most noticeable effect of SOX has been the billions of dollars spent on compliance initiatives, but the real question is what exactly, besides a get-out-of-jail-free card for C-level executives, these companies invested in. For the answer to that, it is helpful to take a look at the bigger picture and examine the core issues and changing business environment that brought us to legislation that could, in many respects, change the way we do business.

Even though it might be hard to admit, many of us have been dragged kicking and screaming into the realization that virtually all of our critical assets are now electronic -- from detailed consumer and sensitive customer information to product design plans, financial records and the fundamental business processes and procedures that keep our businesses humming along on a day-to-day basis. Companies that saw the machines on the manufacturing floor as their core critical assets are now waking up to the reality that the real value lies in the computer models that drive these systems. The very nature of critical assets has changed, and business has been altered along with it. The way we view business assets affects how we, and how others outside of our organizations, define our value, our risks and our responsibilities.

This gradual change to a new form of fungible currency, electronic information, has not gone unnoticed by society. The myriad of new laws requiring that personal information be protected and that the integrity of critical data be assured are simply indications of this recognition. Viewed in this light, SOX can be seen as another signal that information, as the old saw goes, is power and electronic information represents even greater power. And, with that power comes both responsibility and opportunity.

Now that assets have fundamentally changed in nature, every area of society where information is valued is being regulated. This is forcing companies to pay close attention to information assets -- including where they are and what is happening to them. Companies that do not have a firm handle on the disposition of electronic assets, including optimizing them for the benefit of all fiduciaries, will hurt their businesses. SOX may be a big hammer in terms of penalties, but in reality all data compliance requirements call for organizations to manage and protect information to the best of their abilities. Regulators are demanding that you have enough visibility into your data assets to know what's going on, so that you can identify when something goes wrong and have enough information to put it right. Visibility, in fact, is the underlying requirement of every information protection law, whether we are talking about SOX, Gramm Leach Bliley, HIPAA or the European Privacy Directive. But what does this mean?

Simply put, visibility is knowledge. The legislated requirements center on knowing what has happened to the data that is of interest to consumers, banking regulators, the SEC, etc. In order to have that knowledge, a company must first know something about the regulated information. It must identify which information is relevant to the regulations and demonstrate that it knows who is doing what to that information and why. In doing so, the company will discover things that it did not know about this critical information. Savvy companies will learn how to turn this new knowledge to their advantage.

To be clear: this is not about SOX. SOX is just the motivator. It's about data governance as a new discipline -- one that will allow for quick, cost-effective compliance with virtually any new regulation and help the companies that practice it reap significant internal benefits. But how do you accomplish this goal? For starters, COBIT and ISO 17799:2005 provide guidelines that are very useful in helping companies determine how to think about the root requirements of compliance regulations and data risks. These are frameworks specifically developed to help large organizations protect and harness information assets. For anyone with responsibility for husbanding information resources, familiarity with them is requisite; see www.isaca.org/cobit and http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=39612&ICS1=35&ICS2=40&ICS3=.

There are also major networks of corporations working to understand and promulgate best practice models for managing and optimizing information assets. One group, formed by IBM, is the Data Governance Council. These groups are on a mission to help establish methodologies to make critical information more accessible, while ensuring its security and integrity. The processes, and even the attitude toward data assets that these groups promote, when built into the DNA of organizations, can serve as the backbone for the critical transformation all organizations must face sooner or later: realizing and taking advantage of the value and competitive importance inherent in their growing information assets.

So what about SOX? If you don't want your company to be left behind in a world increasingly driven not by the accumulation of data but by an understanding of its value, then don't view SOX as a nuisance, a hindrance or an unrecoverable cost. View it for what it is: the clarion bell that can be used to wake up your organization so that you can begin the transformation from being merely a trustworthy fiduciary of information to being a major beneficiary of it.

About the Author:
Marv Goldschmitt is the Vice President of Business Development at Tizor.

© IMPIRE Communications, LLC All Rights Reserved.