Holistic Approach To Compliance Can Help Reap Business Benefits

Sahil Mane October 23, 2008, 17:44:37 IST

A lot of organisations still view compliance as a burden and grant it low business value rather than treating it as a business enabler.

In a globalised economy, Indian enterprises have to meet an increasing number of global compliance norms like SOX, Basel II and HIPAA, in addition to Indian regulations like SEBI Clause 49 etc. In such a scenario, IT governance is an integral part of an enterprise’s overall risk management and governance framework and is vital for meeting compliance goals.

Unfortunately, a lot of organisations still view compliance as a burden and grant it low business value rather than treating it as a business enabler. “Organisations tend to meet compliance norms first and then make it part of the business process. Reversing this process will allow compliance to be viewed as a business enabler rather than as a challenge,” says Vishal Salvi, SVP and CISO, HDFC Bank.

A constantly evolving regulatory environment is another factor that adds to the complexity of meeting compliance norms. “Meeting evolving compliance norms requires constantly changing business processes, which in turn makes them reactive rather than proactive. This is one reason why compliance is seen as a burden,” says Basant Shroff, associate director, E&Y.

Designing an effective internal IT Control Framework

One method to effectively resolve the compliance tangle is the implementation of a framework like ITIL, COBIT or ISO 27001 within the organisation. What most CIOs agree upon is that a holistic approach is necessary with regard to selecting the right framework for the organisation.

HDFC Bank has implemented an integrated governance and compliance framework that incorporates practices from all three major frameworks, i.e. ITIL, COBIT and ISO 27001. “The advantage of an integrated framework using common denominators from all the three frameworks is that it allows you to meet multiple regulatory requirements in one go. Additionally, you ensure that nothing falls through the cracks,” says Salvi. Thus, what CIOs and analysts unanimously recommend is the extraction of guidelines from all frameworks to build one that is customised to meet the organisation’s needs.

Shroff recommends following both a bottom-up and a top-down approach while building a framework. From a top-down perspective, the framework needs to be dovetailed with the business requirements of the organisation. From the bottom-up, business processes need to be modified to include the requirements of the framework. “Once you’ve put the processes in place, employees are not really worried about what they need to comply with; all they need to ensure is that they are following the processes. While doing this, compliance norms are automatically met,” he says.

Building an effective Monitoring Mechanism

Once a control framework is established, an effective monitoring mechanism is required to ensure that an organisation complies year round and to demonstrate the compliance during an audit.

“The challenge is to have the right matrices, quality records and key-control standards,” says Salvi. Once these standards are set, they need to be instituted in order to assess the effectiveness of the established control framework. In addition to defining standards, dashboarding can help determine the status of the processes and identify additional risk areas that need to be addressed.

An alternative to the above is to build the monitoring mechanism into the framework itself. “Automating this process with the use of dashboards and performance scorecards is a viable solution that organisations can implement,” says Shroff. These techniques will ensure that the organisation knows whether it is complying with the necessary norms and will highlight ways to improve regular compliance and the framework itself.

Top-Down or Bottom-Up Approach: What works better?

Does the fact that compliance breaches are often caused by leaf-level employees imply that a bottom-up approach to compliance works better? There is no single answer to this. CIOs have varied views about what works best for them, with an equal number supporting each of the two approaches to compliance, viz. bottom-up and top-down. Analysts go one step further and recommend that, in order to reap the complete benefits of a compliance initiative, the implementation approach that an organisation adopts should encompass both techniques.

“The top-down perspective allows you to look at the holistic picture and get an enterprise-wide view, whereas the bottom-up approach will help you ensure that the micro components of the system work in sync,” says Shroff.

Japjit Sandhu, CISO, YES Bank, firmly believes in the top-down approach. “A compliance initiative needs to be driven from the top management down to every single corner of the organisation. Employees help you achieve your compliance goals, but from a governance and delivery perspective, the initiative needs to be driven from the top,” he says.

Holistic Approach constitutes Compliance Best Practice

CIOs can adopt various practices to ensure ‘smart compliance’. “Best practices start with a holistic approach,” says Salvi. He further says that the compliance initiative should align with the business objectives of the organisation. Adequate measurement tools and a method for adapting the organisation’s strategy to overcome the shortfalls derived from those measurements also rank high on Salvi’s list. “Integration of the framework into the organisation’s business processes and then focusing on the process rather than the technology or compliance norms is a strategy that can work well for CIOs,” he says.

Compliance RoI comprises Intangible Benefits

As with most security-related investments, defining the RoI of a compliance initiative is not a straightforward process. The tangible component of the RoI, in an Indian context, can be defined as the avoidance of fines that regulators could impose for non-compliance with set norms.

The larger portion of the RoI pie, however, remains intangible. “Maintaining a positive relationship with the regulator is a large intangible benefit,” says Salvi. Additionally, organisations need to approach compliance as an integration and realignment of their business processes and not just as something that the regulatory environment demands. “This approach will ensure RoI by virtue of the restructuring of business processes for increased efficiency. Compliance will then be viewed as a byproduct,” he concludes.
