The Business Controls Caddy

Lotusphere 2005: Compliance Is Not A One Time Event




I am attending Lotus Workplace Forum Session 501, Leveraging Compliance to Drive Greater Business Improvements, and the theme is very similar to what I will be discussing in my Best Practices session tomorrow and at tonight's "Sarbanes-Oxley and other compliance issues" Birds-of-a-Feather session: compliance is not a one-time event.


What impresses me about this session, which is part of the Lotus Workplace Forum conference within a conference at Lotusphere 2005, is that Nancy Thomas, Partner in the FM Global and Americas practice of IBM Business Consulting Services, is not pushing technology. Instead she is emphasizing overall conceptual and policy issues. For example, there is still a great deal of uncertainty about what auditors will accept for attestation under Section 409 of the Sarbanes-Oxley Act of 2002. The challenges facing organizations here include limited insight and visibility, unpredictability, lack of communication vehicles, lack of scalable infrastructure solutions, and the culture of fear that dominates many workplaces.

And just what are the CFO priorities for 2005? In an analysis conducted by IBM Business Consulting Services (the old PricewaterhouseCoopers Global Consulting), Number 1 is supporting the CEO in creating shareholder value. Number 3 is managing governance/controls/risk (54%). According to Forrester Research, security and storage are the big spending priorities for the next year. Spending on dashboards from financial application budgets is targeted as a budget priority by only 40% of the CIOs surveyed by Forrester.

She also addressed the following "Guiding Principles in defining requirements":

  • Approach risk and compliance holistically
  • Express requirements as a set of services
  • Leverage existing technology
  • Create a CIO-CFO-Business partnership
  • Develop a continuous risk and compliance mindset


What about business silos? You have to bring the information together, much as advocated by Redmonk in their compliance-oriented architecture white paper.

And what about collaboration? I have been harping on this essential element to be successful in compliance efforts, and Nancy has just said the exact same thing. I cannot say this enough: compliance efforts that do not embrace and implement collaboration as part of any framework implementation are doomed to failure.


So what does Nancy see as the technology requirements for compliance?

  • Documentation/Reporting
  • Security/Privacy
  • Records Management
  • Communications Management
  • Sophisticated Analytical Capabilities
  • Rules and Policies
  • Monitoring

And on I go to my next session. You can download the full presentation here. (609K)


