In the last month alone Shell has blown a 20 per cent hole in its oil reserves and is now under investigation by regulators in both the UK and America. Amazon is under investigation in France over its DVD sales. Staying in France, a former Elf executive has just been released from prison after being convicted of serious corruption offences. And back in the City, the FSA recently fined two merchant banks a total of £440,000 for what amount to procedural errors.

The continuing stream of stories exposing fraud, or lies, at one end of the spectrum and scant regard for regulation, or plain stupidity, at the other has created an atmosphere where regulation, corporate governance, corporate social responsibility and risk management get wrapped up as ‘compliance’ as item number one or two on the board room agenda.

Although legislation like Sarbanes-Oxley and regulations bound up in Basel II, IAS and the FSA are mostly concerned with financial issues they are important for two reasons. First, regulators have real teeth. Senior executives do go to prison and companies are fined swingeing amounts. Second, business is viewed as a global activity. For instance, the Irish government has indicated that it will more or less rubber stamp requests to hand over executives who are suspected of cooking the books for a company required to report in the US under Sarbanes-Oxley. The US is currently looking at the IFRS (international financial reporting standards) accounting report framework with a view to considering how its own reporting system and IFRS might converge. And everyone involved in institutional finance is worried about how Basel II will impact risk management processes.

But why should IT care?
It is a fact of life that “compliance” is a complex subject where different regulations require different types of often disparate, interlocking information. Large organisations rely on IT to provide that information. In some quarters there appears to be an implied assumption that IT provides many of the answers that would ensure companies can sleep soundly in an honest, responsible business environment.

For instance, a recent Butler Opinion Wire claimed that: “Good businesses require good information and processes. This puts the Information function right at the centre of the organisation, where it becomes something that the board cannot ignore.”
In considering regulation, Butler suggests that compliance is straightforward because it is about a: “Symbiotic relationship between information and processes.” In making these statements, Butler is assuming that information and business processes of one kind or another are in a kind of lock step. The reality is very different.

First, the business processes that underpin information are at best a reflection of the policies handed down from on high. And if those policies are flawed in some way – say, a failure to document policy change in the light of a new regulation – then no amount of IT will help.

Second, we are only just starting to understand business process management as a discipline. In other words, we’re at the beginning of understanding how business processes work from inception to completion and the impact those processes have on information.

Third, IT organisations frequently represent a microcosm of institutionalised corporate hierarchies. In the applications space, this means the competing demands of ERP, CRM and SCM are usually reflected in the way teams of specialists are both assembled and operate. But in a world where compliance is the name of the game, this method of operating doesn’t cut it. IT is now in the unenviable position of having to crawl out of its operational silos and tread into unfamiliar territory as it seeks to understand the inter-related subtleties of sales, customer relationship management, service, finance, logistics, manufacture and so on. Whenever that happens, people become uncomfortable. While it is perfectly reasonable to develop functional expertise, it is another matter altogether to try and step into the shoes of another specialist.

Finally, it is far from clear whether the vendor community as a whole has truly grasped the enormity of the problems and the extent to which it needs to partner to come up with credible solutions. At a basic level, no single vendor in the business intelligence community, has come up with a credible, fully integrated planning, forecasting, budgeting, analysis and reporting suite capable of straddling the enterprise.

Having a standard architecture to manage all data and processes is fine and dandy – though most companies are a long way off achieving that. But what do you do when you need to aggregate information from many parts of the business and you only have limited physical data warehouse resources? Where does the processing power come from to accurately report important events as they arise? What additional complexity do I have to build in to meet new regulatory requirements that weren’t coded into the ERP/CRM/SCM systems. Or just how do you physically figure out where a business process has broken down on the network? Solving these problems is expensive and difficult. What’s more, individual solutions are determined by many factors, including the maturity of the technical architecture and the applications that it supports, the available solutions and the degree of retro-fitting and/or business re-engineering required.

Some argue that having people who specialise in building business process as a kind of IT glue between departments is the key to making compliance, in all its forms, a reality. But that only works if those personnel understand the needs of different and often competing operational managers. In turn, this requires that IT communicates as an equal with those who analyse and understand business processes from the business perspective.

CIO role
What’s needed is a board level bridge between IT and the business. Since much of the current focus is on issues that arrive at the CFO’s door, there is now a clear role for CIOs who can work with both finance chiefs and IT heads at the board level. More important, the CIO’s role needs to be seen as pivotal to turning compliance into something a company does as a matter of course and not on the basis of exceptions or as a result of some catastrophe. This may sound unfashionable but it is logical.

A good CIO doesn’t need a 100 percent grip on all the issues at play or the technologies that underpin information, but just enough to see the whole picture. In this scenario, CIOs guide CTOs so that they in turn can re-interpret business requirements into IT-speak. And since finance is the current focus for compliance attention, then having the finance chief’s ear represents plain common sense.

Of course, this is nowhere near the whole answer. We should not forget that attention is now being focused on IT governance or the measurement of IT’s ability to deliver what it says. That’s a topic in its own right. But if companies realise that IT has a contribution in managing compliance and is prepared to grant it the same status as any other operational unit, then we’re part way there. None of this will stop the determined crook of course. But it’s a start.