Why we will shortly launch ComplianceMgt.org

The State of Regulatory Compliance 2007

Since the 1970s, national governments have taken an increasingly assertive role in defining the ways in which business organizations must handle their electronic records. With the dawn of the business Internet, the legal and regulatory mandate around information management, information integrity, and information protection has increased in scope and impact.

Burgeoning Mandate

Estimated spending by companies worldwide to comply with new laws, regulations and directives has exceeded $70 Billion, with about half of this spending attributed to US firms. In some companies, between 10 and 15 percent of corporate IT budgets are earmarked for compliance-related technologies, including:

  • Long Term Data Retention/Deletion including Email, Fixed Content, and Database Archiving
  • Content Indexing, Data Classification, Search and e-Discovery
  • Security and Encryption
  • Data Protection, Backup and Mirroring
  • Compliance Management and Audit
  • Electronic Content Management Systems

Meanwhile, in Europe, compliance-related expenditures are at the beginning of an ascending curve, driven by a spectrum of EC Financial Directives that will be kicking in over the next three to five years. In 2007, broker-dealers trading on their own accounts will need to spend at least $22 million each to comply with the European Union’s Markets in Financial Instruments Directive (MiFID), according to research from TowerGroup, representing a total spend of about $1 billion this year.

In April 2008, the Japanese government will implement its regulatory requirements related to corporate financial controls, dubbed “J-SOX,” which will drive further spending on compliance-related technologies.

In short, the operationalization of legal and regulatory requirements is resulting in the largest expenditure of corporate funds on business technology that the world has ever witnessed – greater even than the expenditures made in preparation for Y2K. Interestingly, this spending is occurring against a backdrop of

  • an extraordinarily limited understanding of what legal and regulatory compliance actually entails, and
  • a mind-numbing dirge of marketing hype from the business consulting and information technology industries and the sale of “compliance solutions” that too often fall short of the mark.

While dozens of on-line and print publications cover various aspects of regulatory compliance, their guidance is often contradictory. In part, this is because the regulations and laws often stop short of specifying compliance requirements with sufficient granularity to facilitate the formulation of effective strategies and implementation plans.

In the US, the problem is exacerbated further by a proliferation of state and local laws that modify and extend the provisions of federal law and regulation. The result is a patchwork quilt of requirements that change based, literally, on the zip code of a corporate HQ or branch office.

Even the federal rules of evidence, which were modified at the end of 2006, are not clearly represented in the press and have led to confusion among both the legal and the technology communities. The fact that the amended discovery rules do not pertain to courts outside of the federal district court system, and that other state and civil courts vary widely from one jurisdiction to another in terms of their e-discovery requirements, is a significant, but rarely mentioned, compliance challenge.

In short, in the absence of consistent and qualified information, companies may well be spending more than they need to in order to implement information management controls that either exceed or fall short of the actual requirements imposed by the legal and regulatory milieu in their locale.

Adding to the limitations on actionable information about compliance, companies also confront an aggressive community of vendors and service providers who are anxious to sell “compliance technologies” and related services. Some vendors have gone so far as to represent their products as “compliance certified” despite the fact that there are no entities established in the government that are authorized (or competent) to evaluate or certify any vendor products.

The loophole leveraged by vendor marketing is simple: the vendor sends a letter to the SEC or HHS or other regulatory body explaining how its product works and asking for some sort of certification. No response is received from the regulator because such correspondence falls outside the scope of the tasks and responsibilities of the regulator. The vendor assumes, as a point of law, that silence is consent and proceeds to represent its product as “compliance certified” – because no one in authority has specifically said that it isn’t.

Meanwhile, very little publicly available performance or validation testing has been undertaken to establish that the products proffered by vendors are delivering a solution to regulatory or legal compliance requirements even at minimally acceptable levels. In place of such tangible evidence, products have been marketed on the basis of fear, uncertainty and doubt (FUD) and sold primarily to senior managers in the business front office who understand virtually nothing about technology.

This is the situation that Compliance Management.org seeks to address. By establishing a web-based community of business managers, IT practitioners, records managers, legal experts, technology vendors and service providers, the goal of CMO is to aggregate information from public sources and to provide a meaningful and clear context for those laboring to bring their corporate governance and information management strategies into compliance with the legal and regulatory mandate.


(Stay tuned.)
