
Today's business owner must confront tens of thousands of legislation points to stay on the right side of the law. Is it possible to comply with them all while remaining agile and responsive to changing conditions? What should companies be doing?
Present at a roundtable to discuss these questions were Allen Smith, CEO of Continuity SA; Patrick Evans, regional director of Symantec; Paul Wootten, CEO of Sandbox; Jan Roux, technical director of Integr8 IT; Haydn Pinnell, MD of EOH Gallium; Eugene Pfister, director of KPMG client advisory division; Derek Street, product manager at SecureData; David Naude, product manager for authentication services at SecureData; Ina de Vry, IT business practice at IQ Business Group; Andre February, head of business consulting at Fujitsu Services; Andre Zitzke, solutions specialist at SAS; Adrian van der Merwe, MD of 8th Man Consulting; and Amir Lubashevsky, marketing and new technology director at Magix Integration.
Hasn't Sarbanes-Oxley been a waste of time given that investment banks seem to have run up trillions in debt using off-balance sheet vehicles?
Allen Smith, Continuity SA: The UK view would agree with you. You can't legislate good business practice. Just producing legislation doesn't mean that people will run their businesses properly. If you talk to people like judge Mervyn King, the author of the King and King II reports, he will agree that you can't legislate things like this and that Sarbanes-Oxley (SOX) is completely over the top. The same applies to the PFMA Act [Public Finance Management Act of 1999] in this country for public service. Every public servant is a criminal right now and that is obviously silly but true because no one is complying with every single piece of legislation.
Ina de Vry, IQ Business Group: I agree that even though there is legislation, you can't force a risk culture within a company. That being said, if business is not responding to good governance, it will be forced upon them - and SOX is just one way of doing that. It's happening in other industries too: insurance, health, banking and so on.
Andre Zitzke, SAS: A lot of these things are to do with operational risk. There are not enough controls in place, and no checks and balances to ensure the controls are working. There's also the issue of a risk-aware culture in organisations, especially one that filters down to the bottom. The guys at the top know about it; the guy who executes it is not risk-aware.
Paul Wootten, Sandbox: I think it's important to identify the difference between risk and compliance because they're two different things. Sarbanes-Oxley helps you identify your top 20 risks and if management doesn't identify them, then you can't really quarter and slaughter them. If you're looking at it from a compliance point of view, then in South Africa, there are about 750 pieces of legislation; a bank has to comply with 150 of those. There are 500 compliance points in each of those pieces, which means that a bank has something like 75 000 compliance points to obey the law. It's a huge task. Most of this can be justified by cost and you can make money from being compliant, but it takes time to put in 75 000 compliance point controls.
If you look at the fines that are in place, some banking legislation attracts billion-rand fines for non-compliance, while something like not paying your taxes is a 1% fine. With respect, they are going to make sure that the compliance is in place first for legislation that attracts the most fines rather than the ones that just cost them money.
Zitzke: There have been a lot of studies over the past few years to show that there is a correlation between having proper controls in place and financial performance. The better they manage their operational side, the better the profits.
Patrick Evans, Symantec: We are one of the sponsors of the IT Policy Compliance Group and it has created a benchmark for what's happening from a compliance point of view. Within any industry there is a maturity among organisations that are bound by these various acts. One can see that the laggards are susceptible to higher degrees of risk compared with the leaders. The returns on compliance are huge. At the high end, we're seeing 1 000% returns on compliance. I see benefits where if people want to do something and there is a culture around compliance in place, then you can quantify risk and have the right checks and balances.
Adrian van der Merwe, 8th Man Consulting: The one thing we've found with Sarbanes-Oxley, as it applies to the finance department, is that it's got teeth and is driving change within companies. Finance directors are budgeting money to drive change because if they didn't, change wouldn't happen. They are using SOX as an opportunity to drive the change through the finance part.
How far down the line are we with compliance to international legislation in SA?
Wootten: Sarbanes-Oxley happens to be one piece of legislation - there are others. The mining houses, for instance, would be compliant to it, but others are better suited. The Cadbury's Committee in the UK is better suited for that market. If you're not listed on Nasdaq, then looking at Sarbanes-Oxley is moot because of what the local conditions require.
Smith: In our case, we provide disaster recovery and business continuity to a lot of American banks. We have US auditors flying over to look at our processes and procedures. That puts a huge burden on us to comply, but there are big benefits with it because we've become more process-oriented. But it's a great deal of work.
Amir Lubashevsky, Magix Integration: The fact that a company is compliant with SOX doesn't mean that the controls are in place to identify risk quickly enough. SOX doesn't tell you how to do something; it tells you what you need to do but not how to do it. The broker [Jerome Kerviel] who [nearly] brought down Societe Generale was quite happily acting as a group of investors, but there were no red flags raised about what he was doing until it was too late.
De Vry: The danger of compliance is that people give it to the compliance department. Unfortunately, it has to happen in the business. As much as we would like the compliance department to take care of it, the danger is you do the exercise once and you don't take cognisance of any changes in your business. The business doesn't buy that legislation is going to give them an advantage. As long as we treat compliance as just a management exercise, it will never deliver business value or be integrated.
Another danger is you've taken risk management out of the business and into a silo with models. The results are used but never embedded. Unless it's embedded in the business, it's not going to help much.
What about local legislation? How much of an impact does that have?
Wootten: To put things in perspective, the average small business in this country has about 80 pieces of legislation with 40 000 points. If they allocated a compliance officer who spent just two minutes per item, they would never get any work done. It's not possible in small business to adhere to the volume of the law in South Africa.
Haydn Pinnell, EOH Gallium: In our experience with the customers we speak to, they're always asking how much compliance is enough. They ask how much do we need to do? How much is enough? Where will the teeth come out? More customers are asking these questions because, as everyone rightly says, it's impossible to adhere to every single piece of legislation.
Evans: What we've found in IT is that if you take all the various acts at a macro level and look at them, there's a lot of similarity. If you look at where they overlap and work within a framework such as Cobit, you can reduce the total number of points. We've also found that the really good practitioners have reduced the number of points. They also run the process every two weeks. The guys who run it badly run it once a year. It's a mindset that starts up front. If you embrace what you have to do and apply yourself, you can make it work.
David Naude, SecureData: I was going to make exactly the same point. Having a strategy to comply with legislation should be about taking a full view rather than micro-managing each point. You can reduce the amount of cost to get compliant. In identity management, for example, there are hundreds of pieces of legislation with which to comply, but that can be reduced to 30% to 40% of expenditure.
There is no one-size-fits-all when it comes to legislation and business. In some ways, you can argue that organisations not taking an approach to compliance are falling behind and exposing themselves to more risk. On the other hand, they're not wasting money trying to get something done and then jumping on the next bandwagon before coming back to amend what they did. You need to have very smart people with the ability to take a much broader view than right now.
Zitzke: If you do your risk management well, compliance becomes a tick box. If you understand your own environment and manage it well, you'll be able to see what the gaps are and if there's anything that doesn't comply yet. When the National Credit Act came into play, one of our customers was happy to look at it. Within a month, they were compliant because they knew their business exceptionally well.
Wootten: We talk about compliance as if everything is accurate, but unfortunately - and with the greatest respect to politicians - the people who put this legislation together tend to make mistakes. You, therefore, need lawyers to tell you what different pieces mean because they overlap and conflict. So, you now need a lawyer to tell you what to adhere to, what is meant by adherence and what sort of control you're going to put in to check that adherence.
Derek Street, SecureData: In big companies, governance and compliance are definitely front of mind, but to be honest, it's something they see as a grudge - something that they have to comply with, not that they necessarily want to. In my experience, it's all about what they have to do to avoid being hit with a fine. I don't think they see the benefit of it, just that it has to be done.
Andre February, Fujitsu Services: I have a similar experience. What we see in government is a reactionary approach. If they need to comply with the National Archives Act, then suddenly they need to buy a document management solution. So, they will invest in a piece of technology to solve all the problems.
You need to take an enterprise architecture view of governance, compliance and risk so that you look at your portfolio of investments that will deliver compliance, improved risk and increased governance. There has been some leadership coming from the IT governance space with initiatives such as Cobit and ITIL.
Yes, there is action in government, but it tends to be silver-bullet thinking. It says: there's a solution we can buy to solve all the problems.
Evans: One thing the government does have which is very active - apart from the Scorpions - is the Auditor General. Those reports are taken very seriously. One of the components of governance is the attitude that you start with.
Eugene Pfister, KPMG: Buy-in depends on the maturity of the organisation. But at the executive level, they take it very seriously to the point where it's even built into the performance metrics they have. But, as you go lower and lower down through the organisation, you start finding the view that says: "Well, I guess I have to do this."
There are a lot of guys who have no view of enterprise-wide risk. It's more than just culture; it's how you train your employees. The lower down you go in an organisation, the more people see just a small part of the process. The IT guys might see the importance of changing someone's password, but won't necessarily understand the importance of taking away someone's back-office rights if they move. They can introduce risk unknowingly.
How much of an educator do vendors have to be? Are there funds available to help companies comply with these tens of thousands of points of law?
Wootten: If you want to do business, you pay.
Jan Roux, Integr8 IT: In our case, it's part of the ongoing support course, and the client absorbs the cost there. But we are the guys who must educate the clients and that means right down to the coalface. When we've done the education, it solves a lot of problems for the clients. IT has been run by a bunch of cowboys for a long time and it helps to have some structure on that side. On the other hand, where the CIOs and execs have bought in, it's a safety net for them and as long as they comply, they are doing their jobs. It gives structure where it has been needed for a long time.
Legislating behaviour?
Is it possible to force companies and their employees to behave? The cases of Enron and WorldCom, and the caution that followed, would suggest it is, even if after the fact.
The future problem for authors of governance guidelines and compliance legislation is the increasing liquidity of the virtual world.
The commerce of cyberspace is raw and unregulated, and is becoming an attractive avenue for laundered money.
Today's traditional controls over financial behaviour might one day seem as antiquated as the bankbook.