
How Compliant is your Organization?

CIOL Bureau

Applying for and maintaining standards and complying with regulations is no longer just a formality or a style statement. Any organization that wants to compete in the global marketplace has to adhere to certain norms. Today, organizations are obtaining certifications to make their internal processes more effective, reduce paperwork, and even become more environmentally friendly. That's not all: global compliance has also taken on a whole new meaning recently. It is now aimed at reducing the clutter in the IT infrastructure, caused mainly by having to coordinate between multiple vendors, manage so many software versions, contracts and their validity dates, and of course the hardware. Companies have begun to realize that managing the IT infrastructure is not as easy as it used to be, and therefore a certain level of standardization is imperative.


At the end of the day, organizations want to increase their business, reduce failure rates and simplify the monitoring of different processes. All this can be made possible through compliance. In this story, we'll focus on the latest compliance trends, the need for complying, and much more.

Need and benefits of compliance

There are many valid reasons to go for compliance, and they differ from industry to industry. For some industries, like banking and finance, it's required because government regulations demand it. Likewise, those catering to clients abroad might have to abide by the laws of those foreign countries. Then of course there are reasons that apply to any industry. One of them is to ensure business continuity. If your IT infrastructure is very vast, with lots of equipment, and is growing more complex by the day, then you need to ensure that this complexity is managed properly so that you know what's located where. Otherwise you're just sitting on a time bomb waiting to explode. The only way to defuse this bomb is by making your IT infrastructure more compliant.


The question therefore arises: what should be done to become more compliant? For one, there are some internationally accepted standards for IT infrastructure, which can be followed. Two, look for non-IT standards specific to your industry. Three, have an objective that you want to achieve with both. So for IT infrastructure, one objective could be business continuity, and another could be data security. For non-IT standards, the objective could be to increase performance and profit, or to have the ability to fine-tune your products so that they suit specific customer needs.

Who's responsible for compliance?

Like an ISO certification, should the administrative department be responsible for maintaining standardization, and will the compliance bodies 'visit' your facility every quarter to boss you around? No. IT compliance should ideally be handled by a manager (anybody in a managerial position), since it will involve an understanding of relatively complex processes, both organizational processes and processes exclusive to the certification agency. Alternatively, a key IT user (meaning the head of the information department) or a senior auditor should plan, execute and monitor the compliance.


Global compliance standards

Currently, there are two big standards that the world is following, along with a few smaller, industry-specific ones. These are COBIT and ITIL. Let's understand what they're about briefly.

COBIT


The Information Systems Audit and Control Association (ISACA) formulated COBIT in 1996 with the aim to "research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors." In simpler words, this meant reiterating the concept of organizational structure and behavior, to strike the right balance between the nature of the business, the goals of the organization, and the various technical and non-technical processes involved. COBIT edition 4.1 was released in May 2007. Among the major add-ons in the new offering are support for a company's maturity model, simplified goal descriptions, and a cascading of the relationships between business, goals and processes.

At a basic level, COBIT features processes across 34 levels, in turn covering 210 control objectives that are part of one of the four domains: Planning and Organization; Acquisition and Implementation; Delivery and Support; and Monitoring. And who are these processes targeting? Managers, IT users and auditors. COBIT aims to provide managers with a foundation upon which IT related decisions and investments can be based. This in turn is aimed at more effective and precise decision making, leading ultimately to a strategic IT plan, or in other words, a roadmap defining the information architecture, acquiring the necessary IT hardware and software to execute an IT strategy, ensuring continuous service, and monitoring the performance of the IT system. IT users, on the other hand, use COBIT's 'defined controls', security, and process governance, or monitoring. Finally, it helps auditors identify IT control issues within a company's technology infrastructure (www.isaca.org/COBIT.htm).


ITIL-going local

Along similar lines is the Information Technology Infrastructure Library (ITIL), which positions itself as a 'customizable framework of best practices designed to promote quality computing services in the Information Technology sector'. Interestingly, ITIL has been around as the default international standard for IT Service Management.


Currently in its version 3, ITIL has recently adopted an integrated service lifecycle approach to IT Service Management. Another interesting fact is that, like its predecessors, ITIL v3 is formulated as chapters of a book, with specific volumes on service strategy, design, transition and operation. In addition, the entire content is also available in Hindi and Urdu, besides Arabic, Dutch and other languages. Experts expect the availability in Hindi to be a major propellant for companies working in domestic, local-language markets, and for SMBs to be encouraged to adopt international standards.

ITIL has an interesting system of qualification and appraisal. There are four levels: the foundation level, the intermediate level, the ITIL diploma and finally the advanced service management professional diploma. Each of these stages comes with a 'syllabus' where the 'candidate' has to apply, earn credits and graduate from one stage to the next. More information can be found at www.itil-officialsite.com/home/

Rest of the gang

Besides these, there are specific international standards catering to specific components of business. An ideal example is BS 7799, an international security standard, which allows an organization to understand and measure threats, understand the nature of potential threats and vulnerabilities, and how they would impact the business it performs. Its aim is also to safeguard information security assets and to ensure that 'controls' are in place to manage any subsequent risk. Third-party certification bodies such as BSI, DNV, BVQI, STQC and KPMG offer this certification on demand. In its latest edition, BS 7799 follows a PDCA model, which stands for Plan, Do, Check, Act. Plan refers to creating the basic blueprint, Do corresponds to implementing the standard, Check means monitoring and reviewing the Plan, and Act refers to maintaining and, more importantly, improving the structure of the standard according to the unique needs of the business that is getting 'standardized'.


Looking ahead

Compliance experts believe that for the next few months, standardization and ensuring compliance will happen voluntarily within companies, and will not really be forced down by the government. Nilesh Kumar, a compliance analyst, says, "More than anything, COBIT, BS 7799 and the rest are aimed at structuring the business for an enterprise, irrespective of size and nature of operation. It is like the CFC-free refrigerators. Half of us have already switched over to the new-generation refrigerators before the government has banned the old ones. Compliances at the IT offices can be expected to fall into place more as a voluntary effort to streamline processes. True, governments sooner or later will pass the buck of maintaining security and safeguarding IP etc. on to the companies, but the current trend does not indicate that too many companies, at least not the big ones, will wait for a rule to be thumped down on them."

Currently, the US and the UK have various laws and regulations in place pertaining to intellectual property, privacy and copyright, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and many more. Companies based there have to comply with these laws, depending upon the industry they serve. Some countries have extended these standards even to offshore vendors, who compulsorily have to meet the standards of the companies they are representing. Non-compliance with these laws attracts both civil and criminal penalties.

Scene in India

Specifically in the Indian scenario, compliance standards are expected to remain generalized for a while to come. This means that there will be a broad need and a conscious effort to conform to a particular set of rules that are independent of particular segments of business. Nilesh explains, "Unlike other aspects of business that start small and expand over a period of time, compliance is something that starts at a very broad level, and fine-tunes itself as per the requirements of a particular industry. Furthermore, if it is an industry like retail or banking, where big money is involved, the governments and financial bodies like the Reserve Bank of India will look to have a grip on the cash flow, unless a compliance level is met. In other words, a day will soon come when the RBI in all probability will refuse me a loan if I have not met an international standard within my business model."

And what does the government gain in return? A high level of simplicity and easy monitoring of businesses, ease of trade with other countries since 'them' and 'us' will be following the same process model, an unavoidable transparency in finance operations, and a huge reduction in data management risks. The world has started conforming to these laws, and there is nothing really preventing your company from doing the same. Visit any of the sites mentioned in this article and join the game in a global business playground.