The Word is--Compliance

Compliance efforts present a more compelling reason to align business and IT processes than Y2K remediation did.

November 12, 2004


A Real Opportunity

But to those still resisting: Get with the program. Compliance isn't Y2K all over again. Y2K was a one-off remediation effort. It fixed a clearly defined date-field problem in computer systems and applications. Once we proved that the fixes worked, we moved on.

To prove compliance with SOX, HIPAA and other regulations, we must show how everything works and why the way it works is the correct way. And because compliance efforts cut across multiple organizational processes, from data collection to financial reporting, and because they're meant to change behavior rather than just clean up a technical glitch, they present a more compelling reason to align business and IT processes than Y2K remediation ever did.

Compliance is an opportunity to finally embrace IT governance--methodologies like ITIL (IT service management), CMM (software development) and COBIT (security and project management). "We talk smack all the time in IT about best practices," one IT executive told me recently, "but COBIT and other methodologies actually force you to measure your maturity level in many IT areas."

Compliance is also different from Y2K in that it's an ongoing effort subject to ongoing tests, audits and adjustments. It ain't going away. For instance, the first deadline for public companies to comply with the SOX financial reporting regulations is their first 10-K report after Nov. 15, 2004, but regular audits of their compliance will follow. As such, most organizations will incur ongoing compliance costs--eating as much as 10 percent of IT budgets for the foreseeable future, according to one estimate, as they improve storage, content and data management, security, business-process management, business intelligence, disaster recovery and other disciplines. If you're going to spend that kind of money on an ongoing basis, you had better figure out how to do it in a way that delivers ongoing benefits to your business. Otherwise, compliance is just another 10 percent maintenance tax on legacy IT systems and operations.

Think Big Picture

Whether HIPAA, SOX and other regulations ultimately make a difference to day-to-day operations, or make the business world more ethical or transparent, is unknown. Every HR manager isn't going to turn on her screensaver every time she gets up to go to the printer. The typical staff accountant isn't going to refuse to make a journal entry given to him by his boss. Likewise, expect to see a lot of "pretend" regulatory compliance, especially from small companies. About half the CIOs surveyed by Gartner earlier this year said their companies will do the bare minimum to achieve compliance.

But if you're just going through the motions to skirt fines or lawsuits, you're missing the big picture. Compliance needn't mean that other "real" IT work is put aside for now. It should be the foundation for re-engineering how real IT work is accomplished from this point forward.

Rob Preston is editor in chief of Network Computing. Write to him at [email protected].
