Regulatory compliance has become an increasingly costly burden. For example, SIFMA has estimated that the U.S. securities industry in 2004 spent $23.2 billion on compliance-related activities(1). In addition, regulatory mandates have become more intrusive in their application to how business is conducted. In response to corporate scandals such as Enron, the mandates have shifted from regulating the final work product to be produced for regulatory review, such as the enterprise’s financial statements, to also regulating the process by which the final work product is produced. This principle is clearly evident in Section 404 of the Sarbanes-Oxley Act (“SOX”)(2). Section 404 requires corporate management to prepare a report on their internal controls and disclosure and their analysis as to the effectiveness of the internal controls in producing reliable financial statements for the corporation. As part of the Section 404 requirement, management must identify the internal controls framework on which the internal controls are based (e.g., the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework). Management also must obtain an attestation from an independent auditor as to the sufficiency of their internal controls.
Additional requirements in the areas of compliance training and oversight, stretching from the worker’s desktop to the boardroom, have led to the realization that an effective compliance program must be enterprise-wide. For example, Section 301 of SOX requires the Audit Committee of the board to oversee the “Internal Control Report” prepared by management pursuant to Section 404, and to establish procedures to accept complaints regarding internal controls and auditing issues from employees on an anonymous basis. In an attempt to institutionalize a more rigorous and open approach to financial documentation disclosure, reporting and compliance, Section 406 of SOX requires issuers to adopt a “Code of Ethics” for their senior financial officers.
Adding to the regulatory pressure, the frequency with which important mandates are being issued has grown over the past few years. Further, reporting deadlines also have been shortened. For example, under Section 409 of SOX, issuers must publicly disclose “on a rapid and current basis” any “additional information concerning material changes in the financial condition or operations” of the company. In order to implement this SOX provision, the U.S. Securities and Exchange Commission shortened the period within which a Form 8-K “Current Report” must be filed to four business days. Four-day reporting periods can pose a serious problem for companies whose data is contained in a multitude of repositories supported by multiple IT platforms. This environment can result in the time-consuming need to conform data before consolidation into one master data set for reporting purposes.
One consulting study estimated that a likely allocation of industry compliance budgets is as follows: (a) 55% for staffing, (b) 15% for IT, (c) 12% for training, (d) 10% for external counsel, and (e) 8% for auditing and monitoring. The study’s formula makes it clear that the majority of compliance cost (67%) results from training and staffing, rather than from IT and other costs. This suggests that enterprise-wide standardization on multipurpose, reusable IT solutions requiring less training and smaller staffs to implement and maintain could help to improve compliance personnel collaboration and reduce total compliance costs. It could also help companies more effectively accomplish the goal of establishing an enterprise-wide compliance program that can (a) identify and apply controls to the business processes resulting in regulated work output and (b) meet shortened reporting deadlines.
Technology alone, however, cannot accomplish these goals. Success will also depend on compliance attorneys becoming more IT-savvy and less dependent on compliance “point solutions”. Compliance traditionally has been the concern of attorneys who tended to be specialists in fields of law, such as healthcare, banking and securities law. Accordingly, compliance teams formed on a law-by-law basis would have healthcare lawyers on the HIPAA team, banking lawyers on the Basel II team and securities lawyers on the SEC Rule 17a-4 team. Since the healthcare lawyers on the HIPAA compliance team would not consider themselves to be experts on banking or securities laws, they typically would not communicate with the Basel II and SEC Rule 17a-4 teams. This law-by-law approach naturally leads to a “silo” approach to compliance, where each team works with its own budget and team members to identify its own unique compliance solutions. Each team also maintains its own compliance documents, produces its own unique compliance reports and reports separately to top management and the board on its individual compliance efforts.
This legal compliance regime will need to change in order for large corporate enterprises to move toward a more nimble, “holistic” approach to compliance utilizing multi-purpose IT compliance solutions. In the classic science fiction novel The Voyage of the Space Beagle(3), the author A.E. Van Vogt described a scientist called a “Nexialist”. The Nexialist was trained to understand all of the fields of science (chemistry, physics, biology, etc.) and to find solutions to problems based on connections between scientific fields. The common definition of a “Nexialist” is “one skilled in the science of joining together in an orderly fashion the knowledge of one field of learning with that of other fields”. Compliance attorneys need to become legal “Nexialists” in order to help develop multi-purpose IT solutions, by recognizing the commonalities that run through seemingly disparate legal mandates. For example, instead of developing or buying twenty different encryption tools for a variety of privacy and security mandates applicable to the enterprise’s banking, healthcare, securities and insurance businesses, the “Nexialist” compliance attorney could help identify a smaller set of encryption tools that are multi-purpose and reusable across multiple regulatory mandates.
(2) See http://www.sec.gov/about/laws/soa2002.pdf
(3) See, e.g., http://www.amazon.com/VOYAGE-SPACE-BEAGLE-Vogt-vogt/dp/0020259905
Jeff Jinnett is Governance, Risk Management & Compliance Industry Market Development Manager, US Financial Services Group, for Microsoft Corporation. Mr. Jinnett is a former partner of the international law firm of LeBoeuf, Lamb, Greene & MacRae, LLP (now Dewey & LeBoeuf) and has experience in advising Fortune 500 companies in the financial services industry on the use of technology to support corporate governance, risk management and compliance programs. Mr. Jinnett has testified as an expert before committees of the US Senate on issues relating to the intersection of law and technology. He is a member of ARMA (a records and information management professional association) and the Society of Corporate Compliance & Ethics (SCCE).