Online Security, a global provider of computer forensics and information technology risk mitigation since 1997
Market Driven Compliance
Posted: Jun 16 2003. Glen Hastings, Director of Business Development, OnlineSecurity
Twelve months ago, compliance was barely on corporate America’s radar, but now companies, big and small, are scrambling to ensure their compliance with a myriad of overlapping, sometimes contradictory, and incredibly complex Federal and State regulations. The names of the laws (Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, FERPA, the Patriot Act, and now SB 1386) have entered the lexicon of Corporate America, and there is a burgeoning industry in providing regulatory compliance solutions. Regulatory compliance, however, is only the tip of the iceberg. In general, the government moves very slowly, and the final legal interpretation of any law may not be known for years. Economic markets and their underlying competitive forces, on the other hand, are significantly faster and more nimble. Thus, while regulatory compliance will remain important, market-driven compliance will become a more dominant factor in the ultimate shape of corporate compliance.
So, what exactly is corporate compliance? One could, of course, define compliance strictly as meeting the legal requirements of a set of laws and regulations, i.e. regulatory compliance, but this is, relatively speaking, a limited and limiting definition. If a company ties its compliance program to this interpretation, the program becomes a form of check list. Have we met the privacy requirements of Gramm-Leach-Bliley? Check. Have we met the disclosure requirements of SB 1386? Check. With this interpretation, a company is always at risk of some new law or regulation forcing it to reinvent its compliance program, e.g. how do we protect the privacy of our clients (Gramm-Leach-Bliley) while ensuring we fulfill our duty to track suspicious financial behavior (Patriot Act)?
A more holistic definition of corporate compliance would go beyond the specific details of each law to the underlying principles. At their core, all of these laws are about the management of information. How does your company acquire, use, store, and transmit information? Compliance with any of these laws requires that a company truly understand how it manages information. Corporate compliance can, therefore, be defined as accurately knowing how the company collects, processes, retains, and disseminates information. Regulatory compliance is ensured and maintained through the artful application of that knowledge. Defining compliance in this way requires that companies approach compliance not as a check list but as a comprehensive system of information management processes that maintain and ensure compliance.
Being in regulatory compliance will enable companies to avoid fines, penalties, and potential lawsuits, which justifies the costs associated with a simple check-list type of compliance program. This benefit, in and of itself, however, is probably not sufficient to justify a sweeping set of information management processes to ensure compliance. There must be additional benefits (or avoided penalties) to justify the costs, and the market has provided, and will continue to provide, that additional benefit.
Sarbanes-Oxley provides a particularly illuminating example of this. Sarbanes-Oxley was passed in the wake of the Enron collapse, and among its many goals is to ensure that auditors can be trusted to provide independent assessments of the companies they audit. These provisions of Sarbanes-Oxley are presently reshaping the accounting and consulting industries, but one of the biggest changes was wrought primarily through the market: the demise of Andersen. In the Enron collapse, Andersen appeared to have been negligent in its duties as an independent auditor, and it was likely the firm would have been subject to regulatory, criminal, and civil sanctions. Nevertheless, this prospect did not destroy the firm; rather, the firm was destroyed as its clients left. The clients left not because of the pending legal challenges for Andersen, but because they, the clients, did not wish to face the increased scrutiny by the market (read: decreased share price) for having their books audited by Andersen. It is uncertain whether Andersen would have ultimately survived its legal battles, but without the confidence of the market there was no chance at all, as the events of 2001 demonstrated.
If the market operated that efficiently all the time, there would be no need for the compliance laws that have been passed around the nation. As California State Assemblyman Joe Simitian, co-sponsor of SB 1386, said at a recent Electronic Crimes Task Force meeting, “it is in the enlightened self-interest of companies” to effectively manage their information. Unfortunately, there is a fair amount of inertia in the market that can protect companies from the mismanagement of their information. Compliance regulation, however, is now acting as a catalyst to unleash the powerful market forces that can compel companies to develop enlightened self-interest in the matter of information management.
Sarbanes-Oxley provides another powerful example of the catalytic effect of regulation. Another provision of Sarbanes-Oxley requires that the CEO and CFO personally attest to the validity of their company’s financial statements. The law provides a number of enforcement tools to the SEC, including civil and criminal penalties against firms and individuals who do not follow these rules. At present, due to the relative youth of the law, there have been no successful actions against corporations under these provisions, nor should we expect there to be any time soon. The investigation at Enron is ongoing, and it is highly unlikely that the matter will be settled immediately. Nevertheless, the market is not waiting. Enron was driven to bankruptcy by a collapse in its stock price well before any regulatory action. Companies whose CEOs and/or CFOs cannot or will not certify their financial statements are having their share prices pummeled.
Thus, even before the final shape of Sarbanes-Oxley is determined, the market is finding value in its underlying principle, i.e. do you manage your financial information well enough to provide accurate and reliable financial statements to the market? A company cannot answer this question simply by checking off a list of Sarbanes-Oxley rules; it must have a set of processes in place that enables its business leaders to understand the information they report. The better these processes, the greater the business leaders’ understanding of the information, which enables them to communicate their financial information to the market more effectively and reliably. The market values consistency and reliability in financial statements and will reward companies for them with a higher multiple and thus a higher stock price. Consequently, a good financial information management process can lead to a higher stock price, which creates capital for growth and expansion.
Compliance regulation is not the only catalyst for market-driven corporate compliance. Public outcry can lead to market-based solutions. Over the past 18 months, identity theft has become a major concern for Americans. In 2002, the FTC received more than 160,000 reports of identity theft, and there has been tremendous press coverage of this growing threat. A news search on Google pulls up more than 1500 news articles focused on identity theft, most of them from the past three months. At both the Federal and State levels, legislators are considering new laws to mitigate identity theft risk.
Rather than waiting for legislators to act, Visa and MasterCard are both independently using their market power to force their processors, issuers, and vendors to improve their information management procedures. MasterCard is requiring that all processors and issuers meet certain information security and management standards and agree to certain policies and procedures. Of course, any company can choose not to participate, but MasterCard can also choose not to allow that company to use the MasterCard brand. MasterCard is also working to develop a relationship with every company in the world that accepts MasterCard and to require that they too meet certain information management standards. The reward for compliance is continued access to the MasterCard brand. The penalty for non-compliance could include disassociation from MasterCard (which could hurt many merchants) or fines, which may include a re-issuance charge of up to $30 per card (a processing facility in Omaha recently lost 7,000,000 card numbers, which could, under this new program, result in a $210 million fine from MasterCard).
Companies today are focused on making sure they comply with the myriad requirements of the compliance laws. These laws, however, are unleashing powerful market-based compliance requirements which will compel companies to go beyond the check-list, letter-of-the-law compliance approach. Companies must understand that these laws are focused on information management and that it is essential to understand how information is collected, used, secured, and communicated. Companies that master this information management process will be better positioned to compete and win in the information economy of Corporate America in the 21st century.
Email Glen at Glen@onlinesecurity.com