Compliance: the new differentiator?

It has been far too easy to point the finger of blame at the finance sector as a whole for the current economic situation. With both government and public calling for tighter controls, it is inevitable that stricter compliance measures will be introduced and enforced. Regardless of where the fault lies, regulation has become the latest watchword in the UK finance industry.

Many of the current auditing and compliance standards in the UK finance sector are largely voluntary and sector-led, unlike in America, where strict standards (such as Sarbanes-Oxley) were introduced in the wake of Enron and other past scandals. However, with such large government involvement at the commercial ownership level, combined with recent proposals to shake up the regulatory oversight structure, it is only a matter of time before stricter, compulsory standards are introduced in the UK.

In the UK, the Financial Services Authority (FSA) has traditionally engaged with business in an advisory capacity, promoting the organisational benefits of compliance and highlighting how high-achieving companies are reaping the rewards of implementing and driving best practice across the finance industry. Through round-table discussions with input from the industry, the FSA has been attempting to lead business towards the benefits of best practice. Historically, the financial services industry was built on trust. In many parts of the industry, trust might soon be supplemented by government regulation aimed at protecting customers, investors and the economy.

Whether it is voluntary or compulsory, the reality is that finance companies will not benefit from compliance until they regard it in a different light; many companies see compliance as a set of tick boxes that must be filled in by certain dates. Yet failures in basic security and data retention systems within some of the UK’s largest banks, and the FSA’s combined fines of £3 million, show that continuous compliance is not just needed; it makes good financial sense.

Thanks to the shift in responsibility of directors and managers of finance organisations to provide greater transparency for regulators, the ability to report on customer, investor and employee data has never been more important.

Increasingly, finance companies are establishing separate compliance departments to ensure that records are kept, that issues are identified before a customer’s interests are damaged (or the regulator takes action) and that internal controls and regulatory processes are closely adhered to. But at its core, the financial industry must make security best practice its primary goal. Do that right, and compliance will follow by default.

So what is your primary goal? Compliance, security, or both? The best way to understand the difference is to clearly define the two terms: security is a set of practices; compliance is the process to gauge the effectiveness of those practices. It is the understanding of the difference between these that brings about the concept of continuous compliance.

Organisations need to move away from a model where they throw large amounts of money and resources at deadlines, to one that reduces the cost of compliance and delivers lasting value. Businesses that closely and regularly monitor IT security, risk management and data security practices are not only able to achieve compliance by default; they also achieve improved operational efficiency and organisational agility, with IT staff spending less time fighting fires and more time on projects of direct benefit to the bottom line.

In fact, more and more businesses are now citing best practice activities to differentiate themselves as a company and improve their position against their competitors. The goal is to achieve a culture of real-time transparency and continuous risk management, compliance and security. As companies progress along this continuum, they move beyond the static ‘check in the box’ IT risk management strategy and begin to see the cost savings and tangible benefits that this model brings.

The necessity of moving towards a dynamic, continuous compliance model is underscored by the way in which compliance is generally introduced. Whether it is a law, a regulation or a published industry standard, it can take up to a year for that mandate to be written. Businesses need to create a continuous compliance environment that ensures they remain one step ahead of the real-time threat environment, rather than waiting for the mandate to catch up.

As an IT director or CFO, you have three main options in your approach to security and compliance: do nothing and wait for regulatory requirements to force action; do the bare minimum necessary to pass regular audits; or take a combined approach to security and best practice to lead the industry and achieve compliance as a default output.

Newspaper headlines show that the first option is no longer viable with the FSA enforcing and fining millions of pounds for lapses in security and compliance. So no matter the projected cost for compliance, it is surely cheaper than a £3 million fine.

Many companies will view the second option as the easy solution, but with more (not fewer) compliance and reporting requirements looming, this option will become increasingly expensive as the cost and effort of preparing for each audit begin to affect day-to-day business processes.

The only viable approach is to implement leading-edge security processes and solutions. Not only will your business and reputation be secure, but you will also be prepared for any compliance requirements that emerge from the current political storm.

Tim Eichmann, CIO, Parative

This article first appeared in the Autumn 2009 edition of Finance on Windows.
