Author's Note: This article is the first in a four-part series. This series will serve as an IT leader's guide to leveraging compliance as an opportunity to lead. This approach blends lean Six Sigma and project management guidelines to build your compliance plan in 90-180 days.

Even battle-hardened CIOs and CTOs will be startled when the blast of new regulations that has already stunned executives hits IT. Regulatory compliance has redefined data warehousing, business intelligence and IT scope and mission. The dynamic of evolution always presents opportunities to excel. This time, the high cost of noncompliance for CEOs and CFOs has catapulted CIOs and IT professionals out of the marginalized "tech guy" role to center stage to serve as generals executing compliance requirements while executives formulate business strategy.

The IT role in implementing regulatory compliance can be daunting. Violation of new rules carries higher penalties for CEOs and CFOs than ever before. These penalties include jail sentences of 25 years and fines of $25 million, or both - and even bigger fines may be levied if appropriate.

Top executives cannot deliver compliance without IT support. The CEO and CFO must certify specific reports for completeness and accuracy. Additionally, particular records must be retained and confidentiality secured for predetermined periods. Executives must certify and auditors attest that reports contain no material omissions or fraudulent information. The IT leaders are squarely in the limelight to deliver complete, accurate and timely reporting, as well as secure confidential records and retain documents.

While compliance is causing the champions and wizards of technology to morph into leaders of cross-functional integrated teams, their traditional mission of technical stewardship has intensified even more. Hardware makes quantum leaps in speed, scalability and performance twice a year. Software functionality analyzes deeper and grows sharper every quarter. The holy grail is to enable analysis-based instant decisions such as: offering discounts to potential defectors, replenishing inventory of popular merchandise before sales are lost, readying more rental cars to meet a sudden increase in reservations and thus shortening patron waits, and beaming flight delays to wireless passengers' PDAs to enable them to reschedule. Technology still remains a critical component for IT. Executives' need for IT today is more intertwined with achieving business goals, and the critical need is regulatory compliance.

IT will do well to co-lead. Regulatory compliance, competitive business practices and technical advances have prepared the stage for IT leadership in the enterprise.

This series of articles is designed to serve as your companion implementation guide. Every 30 days, we will set clear execution goals. These guidelines integrate Six Sigma and project management methodologies. Progress will be gauged by your implementation velocity.

Five Realities and Actions to Build Your Compliance Plan

Reality #1: The top executives of your corporation are on the hook.

While all rules require compliance, the Sarbanes-Oxley Act of 2002 has cast a wide net and placed a noose around the neck of the top executives. Noncompliance is not an option. The act impacts: CEOs, CFOs, audit committees (of the Board of Directors), registered public accounting firms, investment bankers, law firms and other representatives fulfilling these roles. Penalties for noncompliance include: jail terms, financial penalties, loss of ability to practice before the SEC or loss of privileges to practice law.

Value to IT: Here's a prime CIO/CTO opportunity to build or strengthen bridges at the highest echelons of the executive corridors. Showcase your organization's discipline, excellence and collaborative skills. Build bridges to educate, collaborate, share and shine - collectively - by solving the compliance puzzle. Demonstrate that you can use the company-sanctioned total quality/quality management process to integrate the complex business and IT cross-functional team mission. It is IT's time to shine; create stars across the whole organization!

Deliverable in 90-180 Days

A Compliance Plan Correlated to the Strategic Business Plan:

Buy-in from Co-Suppliers (internal and external partners)

Skills and Resources Plan (IT and dependencies)

Risks and Mitigation Process (IT and dependencies)

Schedule and Costs

Action 1

  1. At the next executive team meeting, schedule 10 minutes to discuss compliance requirements. The meeting agenda should include data gathering on the regulatory compliance requirements that department VPs and managers anticipate over the next three years, and the scheduling of an update to this body within 60 days.
  2. Compile a list of which executives are on the hook for what, starting with the COO, finance and HR.
  3. Schedule a 30-minute meeting with each executive to gather the following data: compliance deliverables, proof of compliance, who is driving the process, the progress-monitoring process, the reporting process, the team/sub-team/task force (if applicable) and how IT is participating.
  4. Your offer: How can IT help/improve collaboration? Can we schedule a 10-minute update in 30 days?

Reality #2: Regulatory agencies have cast a wide net for process and professional conduct.

Compliance dictates specific reporting requirements; control processes; assurance from executives and audit firms; competence from executives, accountants, attorneys or their representatives; confidentiality standards; and documentation retention timelines. IT is inextricably integrated into delivering compliance through documents and reports generated by use of the computing infrastructure.

Value to IT: Recognize that for executives, the consequences of noncompliance are severe. Not meeting requirements is not an option. Let IT take the charge to be a positive force.

Action 2

  1. Assign compliance team leader responsibility to a tenured team-builder (ambassador and task-master) project manager.
  2. He/she needs to summarize the following in the next three weeks (this leaves you a week to prepare for your 30-minute validation with each of the key executives):
    • All compliance activities underway or anticipated over the next three years listed by department with key deadlines and impact on the business.
    • Current status of compliance efforts, including: who's leading each departmental team for each initiative; status of deliverables definitions; status of risks and contingencies; IT's role and resources aligned to meet requirements; recommendation of role IT should play to facilitate progress; customers, objectives, cost, cost of delay, impact to the business; and list of resources needed to deliver current projects.
  3. At every data-gathering meeting, the IT compliance project manager offers: How can IT help/improve collaboration? Can we schedule a 10-minute update in 30 days?

Reality #3: Few departments built incremental budgets for compliance activity.

Departments are waiting for IT to catch up on delivery of key projects delayed by tight budgets, including: server upgrades and SAN/NAS improvements to speed the network, Web portals for CRM, new analytical functionality, executive dashboards and real-time decision making to improve enterprise competitiveness.

Value to IT: Keep a positive, upbeat, cooperative posture. Doing more with the same resources requires reprioritizing. You are a key enabler. All VPs' staffs are stretched thin. Be the best team player by implementing company priorities. Developing priorities, however, is not the IT mission; helping refine priorities is. In fact, your success depends on implementing them.

At the end of the 30 days, where should you be?

Completed preliminary data gathering (Actions 1-4)

  1. 10 minutes to initiate calibration of regulatory compliance plans.
  2. 30-minute meeting with functional executives (one-on-one) on regulatory requirements for three years.
  3. Appointed a tenured, team-oriented compliance project manager on the IT team.
  4. Received project manager's summary of departmental compliance needs and status.
  5. Assimilated first view of regulatory compliance project overview for three years.
  6. Estimated how compliance requirements may impact IT deliverables.
  7. Validated findings with departmental VPs.
  8. Secured 20 minutes to update the executive team on compliance activities.

Action 3

  1. While collecting compliance requirements, scrutinize deadlines and penalties.
  2. During data gathering, you don't have the clarity to determine schedules. Make no commitments, yet.
  3. Set the expectations that IT will implement priorities determined by executives.

Reality #4: Organizations have not translated what business deliverables are required by new regulations; therefore, business functions cannot map requirements to IT specifications.

Even with deadlines only quarters away, functional managers may not be able to describe precise requirements to IT because many aspects of regulations require expert interpretation. For instance, accountants need to translate accounting rules, and business teams and IT need to collaborate on key documents and IT controls and monitoring, confidentiality of documents, retention policies and practices, and others.

Value to IT: Anticipate that interpretation of rules may require experts and processing time. Be proactive in seeking the credible resources to help translate requirements. Although business teams need to deliver specific requirements, stay close to ensure the progress so you have the time to implement.

Action 4

Determine the status of your company's internalization of regulatory guidelines into internal procedures and policies.

  1. For every regulatory compliance requirement by department, create a list and answer the following:
    • Is an external expert required, or already engaged? If an expert is required, what credentials must he/she have?
    • How mature is the requirements list?
    • Validate that there are test/validation criteria to meet the requirement. What are the test/validation criteria?
    • What time and resources are required for the test?
    • What is the probability of success the first time?
    • Determine corrective actions and resources.

Reality #5: Deadlines?

Generally, compliance is phased in gradually. Still, depending on your company's current state of systems infrastructure capacity, skills available to support, scope of policy, process, hardware, software and integration activities, some regulatory timelines may appear very aggressive. Some minor end-user requirements may mean significant impact on the systems environment.

Value to IT: Regulatory requirements typically hit IT after business departments translate requirements. New rules have raised the bar by imposing stiff penalties on senior executives. Adhering to timelines is critical this time around.

Action 5

Stay positive, proactive and visible in completing activities listed in Actions 1-4.

In lean Six Sigma and project management terms, you have now initiated data gathering for definition and measurement stages. These steps have identified sponsors, listed team members, compiled team goals and summarized status. Next month, our 30-day action plan will initiate communications to IT and business teams as we enter the analysis stage while we continue further data gathering.

As an IT leader, you have now stepped forward to build an integrated compliance plan for IT that supports your company's strategic business plan. You are improving the company's competitive advantage, and the executives are comforted that you are in the lead.
