Waiting for SA-Oxley?
A mishmash of regulations and toothless guidelines keeps governance and compliance low on the local agenda.
Listed US companies and their international subsidiaries may have the rules and penalties of Sarbanes-Oxley to guide them, but what about local companies? Is there effective governance in place in SA? And how does IT help or hinder corporate governance?
At an ITWeb roundtable discussion to give their expert opinion on these topics were: Haydn Pinnell, MD of Gallium Technology; Sagaran Naidoo, senior solution strategist at CA Africa; Karel Rode, solution strategist for security, also of CA Africa; Theo Potgieter of IT project management in corporate transactional banking at FNB; Bryce Thorrold, principal consultant for security and risk at Symantec; Paul Mullon, information governance executive at Metrofile; Eugene Pfister, director of IT advisory at KPMG; Barry Gill, technical director at Mimecast; Mark Penberthy, consultant at Continuity SA; Hugo Winterbach, CIO of Business Connexion; Amir Lubashevsky, director of Magix Integration; and Paul Platen, risk and compliance manager at Condyn. What follows is an edited version of the discussion.
ITWeb: How seriously are local companies taking governance?
Barry Gill, technical director at Mimecast: International companies tend to have a lot more of the direction driven from parent companies overseas; there's very little drive for local requirements. With customers that don't have international directives, they then do risk analysis: what will happen if they're found lacking versus the cost of deploying systems and solutions. They tend to do those exercises to see if they want to pay for the solution or just pay the fine. It depends on the organisation and what it perceives its risk to be. In electronic document storage especially, many companies just accept the risk of non-compliance and pay the fines later.
Sagaran Naidoo, senior solution strategist at CA Africa: I've also seen that those companies that do have international ties have initiatives in place to be compliant. But until we have headline news, such as there's been in the US, there will still be a lack of urgency.
Haydn Pinnell, MD of Gallium Technology: Outside of legislation, we've seen that there are a lot of customers looking at increased auditability and accountability purely for their own internal processes. There's more drive to make those processes accountable. Companies say: 'Are we doing things for the right reasons at the right time?'
Theo Potgieter, of IT project management in corporate transactional banking at FNB: In the financial industry, there is definite compliance. We have to answer to the Registrar and the FSB. Quite apart from that, we cannot give advice to customers without being compliant [ourselves]. The risks can run into millions. The industry is very driven by compliance and risk mitigation because there are serious penalties and serious risks involved.
Paul Mullon, information governance executive at Metrofile: One of the big challenges is that if you look to any one industry, there's no single governance or compliance framework or risk management driver. So, while there's Fica, the National Credit Act and a whole host of other things that apply, King II doesn't have any teeth: it's a nice set of principles. Until we get an overarching act like Sarbanes-Oxley, it won't change. There will be fragmented approaches and, unless there is some more formalised approach at a high level, companies will just do what they want.
Eugene Pfister, director of IT advisory at KPMG: We did a global survey and one of the results for this continent showed there is this level of apathy, particularly towards IT governance. It also depends on the industry that you're talking about. Many industries have their own self-regulating bodies: mining, for instance, follows rules on occupational health and safety. But the connection between corporate requirements and IT governance isn't really seen; it's not one of the top 10 or 20 risks in the organisation. The auditors are driving things and guys are doing the bare minimum to stay off the radar screen.
Karel Rode, solution strategist for security at CA Africa: The landscape is divided into government-mandated legislation and industry standards. King II, although it has this quasi-government feel to it, has no teeth, as mentioned earlier. Sarbanes-Oxley has teeth; and why I focus on the teeth bit is that, unless we have teeth in whatever is coming down, we will be doing the bare minimum. A government organisation can fail an audit, for example - ghost accounts on the system, for instance - and all it has to do is initiate a project that it will investigate this area and the next audit will pass.
Hugo Winterbach, CIO of Business Connexion: I look at governance and compliance from three aspects. Clients make demands on you to which you must comply. Then there are laws to which we must comply: the ECT Act, the Films and Publications Act and so on. Finally, there are your own rules: the strategy alignment and delegation of authority that the board places on you. Each of these has its own risks. When we talk governance and compliance, it's just about doing good business and what is right; we don't need to hunt something down and try to comply with it.
Mark Penberthy, consultant at Continuity SA: One of the problems we come across most often is that management doesn't understand IT governance and there's delegation to the point of abdication. Management realises that something needs to be done, but that it's an operational issue or an IT issue so it just gets farmed out and forgotten about. The most successful governance projects are always driven from the top down.
Paul Platen, risk and compliance manager at Condyn: There's a distinct lack of awareness in the space and that is driving the abdication. Where there are opportunities for vendors to educate the market, they don't. Instead, they chase revenue and targets. CEOs see vendors approaching and fear that they are going to be ripped off. In the next three years, compliance will have its way, everyone will become compliant, and something new will come up. As vendors, we have a responsibility to educate executives as to what's going on now.
Pinnell: There is dual responsibility. I agree from the vendors' side, but there also needs to be responsibility from the organisation's side. It's about putting down the KPIs and measuring how top positions are working - and that's missing from organisations as well.
ITWeb: Which industries should be concerned about governance? The financial industry seems to be very advanced.
Potgieter: Yes. In ours, it goes down to the employee level. All employees have to write exams and sign declarations, saying on what they can and can't advise. If you are a registered provider with the FSB, then the advisers within your employ have to be registered themselves. If not, then they are not allowed to give advice to any customer. Otherwise the Ombudsman or FSB will come down heavily.
Platen: Industry-driven regulation and compliance is better than having one overarching document that must try to cope with every technology and every eventuality. If each industry looked at its standards, then at some point those regulations would touch. And that's where an umbrella body should be as opposed to trying to develop touch points without first looking at individual needs.
Mullon: We need to separate governance and compliance. Governance suggests good business across all industries, delivering benefits and value to organisations. Compliance is a grudge purchase. You need to achieve it while delivering good business.
Naidoo: Compliance, risk management and governance should be seen as a package. Governance is about setting the right objectives and ensuring they are met. Risk management is about ensuring that you identify the risks that you might encounter on the way, and compliance is the execution. They should not be seen in isolation.
Penberthy: What have we heard about King III? I believe that certain aspects of King II will migrate into the Companies Act, in which case we will have certain corporate governance principles being legislated.
Platen: At this stage, it's just rumour and conjecture.
Penberthy: What seems to be driving it is ethics, as a driver to compliance and governance.
Mullon: I wish it were so. We did some research for Unesco in records management in government departments. What we found was that records management wasn't on their agenda; they had other things to do. Until compliance is in the KPI of the chief executive, it's not going to happen.
ITWeb: What role can technology play for companies to achieve compliance?
Amir Lubashevsky, director of Magix Integration: I think you can achieve two very important things with technology. The first is to measure where you are: the problems, issues and any gaps you may have. The second is to put the controls in place. The major problem with risk management is, instead of managing risk, you try to do prevention of risk. It's cultural. Until you commoditise and accept technology and how it can help you, then living between audits is going to be a problem.
Potgieter: Technology does enable business to innovate. Voice recording, for instance, has become the standard way of record keeping. We've started recording cellphone calls and distributing those calls to centralised servers. We can thus prove the customer instructed us to do something.
Rode: I believe there are two things that technology can do. It takes business processes and automates them. The other thing is that it makes auditing and reporting an automated act. Right now, if I have only paper, I have to allocate resources and do it manually.
Pfister: Technology can automate things to the point where the business can manage by exception. It takes away the grudge of managing compliance through automation. What is important is that any technology implementation is always about people and processes, as well as the technology.
Naidoo: One of the reasons many local companies don't comply with regulations or have internal controls is that they don't have the technology. Without the technology, all of this becomes, at best, cumbersome, or impossible. To give you an example: some companies recognise and validate transactions via e-mail and those e-mails then become records of business. But they don't have mechanisms for retaining or managing these thereafter as records. And because they don't have the mechanisms, they just won't do it.
Mullon: There are also a number of companies that do have the technology but don't understand the processes around it: what they're going to do, how they will capture them and so on. So they have it but implement it badly.
Gill: Technology as an enabler is only ever as good as the people who are using it. You see a lot of organisations where the people managing the systems don't really know what the implications are. The people doing the low-level drone work don't understand what it means to be at risk. Individual users need to know what the regulatory implications are of, say, capturing a name incorrectly.
Rode: Who is responsible for doing the education? Are we accountable? We aren't education specialists. Who owns that accountability for training end-users?
Pinnell: The biggest challenges are the culture and the change. Training means a mind shift around accepting the change and the new culture. You can't force change as a vendor when you're seen as someone who is just selling something.
Platen: Technology, no doubt, has a place; otherwise we wouldn't all have mobile phones. But it is a supporting actor, an enabler. The individual industry has to regulate and improve awareness and education of the users.
Until further details of King III emerge, it's unclear how much governance in SA will be driven by legislation and how much by management wanting to do the right thing.
But all attendees agreed that end-user education needs to improve. This would be an opportunity for training vendors - as long as the management at their customers views their offerings with a little less suspicion.