Companies Are Learning To Deal With Compliance Issues

Speakers at InformationWeek's Compliance Challenges and Governance Strategies Forum described how they're achieving compliance without disrupting their businesses.

Steven Marlin, Contributor

May 20, 2004


Businesses are starting to get their arms around the challenges of complying with government mandates for guarding the integrity of their core information assets, IT and risk-management executives said during InformationWeek's Compliance Challenges and Governance Strategies Forum in New York.

The audience, which included numerous senior-level IT managers, on Wednesday heard speakers from Regions Financial Corp., Guardian Life Insurance Co., and others tell how they overcame budgetary, technical, and organizational obstacles to not only achieve compliance but to do so in a way that didn't disrupt their businesses.

Regions Financial, a super-regional bank in the Southeast with $49 billion in assets, got hit with a double whammy in 2001. Besides coping with a slew of industry-specific regulations such as the Home Mortgage Disclosure Act, which requires banks to document that mortgage decisions aren't made based on race or other biases, its chief regulator changed from the FDIC to the Federal Reserve. That proved awkward: The Fed promptly deemed Regions' risk systems inadequate and demanded swift action, CIO John Dick said.

But the action by the Fed proved to be a blessing in disguise, because it forced the company to remediate its shortfalls just in time for the arrival later that year of the Patriot Act, followed the next year by Sarbanes-Oxley. The bank has appointed teams of experts from its operations, technology, compliance, auditing, and regulatory staffs to document and test key financial controls as required by Sarbanes-Oxley. To date, it has validated half of them using Paisley Consulting's Risk Navigator business-process software. Regions used Risk Navigator to identify areas of significant risk across the entire company, to create action plans and assign the personnel responsible for mitigating those risks, and to assess the effectiveness of controls related to significant financial-statement accounts and processes. It's on target to meet all of Sarbanes-Oxley's certification requirements by early next year, said Loring Muir, the bank's director of compliance.

One secret to compliance management lies in embracing rather than simply tolerating the need for compliance, said Marc Sokol, chief information security officer at Guardian Life. For example, even though the company probably won't be subject to the Sarbanes-Oxley Act until 2006, it plans next year to thoroughly document and test its business processes and controls as stipulated by the act.

Another tip: View compliance as a business process to be managed over the long term instead of one to be dealt with on a one-shot basis and then forgotten. "It's about addressing a need rather than solving a problem," said Sokol. Anticipating the need to protect information assets beyond levels mandated by the Securities and Exchange Commission and the National Association of Securities Dealers, Sokol's team designed a system using Centera storage-management software from EMC Corp. and Assentor software from iLumin Software Services Inc. for filtering electronic communications.

Since information security policy is at the core of most compliance efforts, the role of information security chief must be clearly defined. "I don't own the information assets, I help to protect them," Sokol said.

Despite being inundated by a "tidal wave" of recent legislation, including the Gramm-Leach-Bliley Act (which governs the use of customer information), the USA Patriot Act (which requires financial institutions to monitor and report suspicious transactions and to identify customers), and Sarbanes-Oxley, plus numerous federal and state insurance regulations, Guardian Life has maintained a "holistic" balance between its compliance and business needs, Sokol said. CIO Dennis Callahan sits on the company's compliance board together with other senior execs such as the chief legal counsel.
