Businesses are starting to get their arms around the challenges of complying with government mandates for guarding the integrity of their core information assets, IT and risk-management executives said during the InformationWeek Media Network's Compliance Challenges and Governance Strategies Forum in New York. Speakers from Regions Financial Corp., Guardian Life Insurance Co. and other financial-services firms explained how they overcame budgetary, technical and organizational obstacles not only to achieve compliance, but to do so in a way that didn't disrupt their businesses.
Regions Financial, a super-regional bank in the Southeast with $49 billion in assets, was hit with a double whammy in 2001. Besides coping with a slew of industry-specific regulations - such as the Home Mortgage Disclosure Act, which requires banks to document that mortgage decisions aren't made based on race or other biases - its chief regulator changed from the FDIC to the Federal Reserve. That proved awkward: The Fed promptly deemed Regions' risk systems inadequate and demanded swift action, CIO John Dick told the audience.
But the action by the Fed proved to be a blessing in disguise, he said, because it forced the company to remediate its shortfalls just in time for the arrival later that year of the USA PATRIOT Act, followed the next year by Sarbanes-Oxley. The bank has appointed teams of experts from its operations, technology, compliance, auditing and regulatory staffs to document and test key financial controls as required by Sarbanes-Oxley.
To date, Regions Financial has validated half of its controls using Paisley Consulting's Risk Navigator business-process software. Regions used Risk Navigator to identify areas of significant risk across the entire company, create action plans and assign the personnel responsible for mitigating those risks, and assess the effectiveness of controls related to significant financial-statement accounts and processes. The bank is on target to meet all of Sarbanes-Oxley's certification requirements by early next year, according to Loring Muir, the financial institution's director of compliance.
One secret to compliance management lies in embracing, rather than simply tolerating, the need for compliance, said Marc Sokol, chief information security officer at Guardian Life. Even though the company probably won't be subject to the Sarbanes-Oxley Act until 2006, it plans next year to thoroughly document and test its business processes and controls as stipulated by the act.
Another tip from Sokol: view compliance as a business process to be managed over the long term instead of one to be dealt with on a one-shot basis and then forgotten. "It's about addressing a need rather than solving a problem," Sokol said. Anticipating the need to protect information beyond levels mandated by the SEC and the NASD, Sokol's team designed a system using Centera storage-management software from EMC Corp. and Assentor software from iLumin Software Services for filtering electronic communications.
Since information security policy is at the core of most compliance efforts, the role of the information security chief must be clearly defined. "I don't own the information assets - I help to protect them," Sokol said.
Despite being inundated by a "tidal wave" of recent legislation - including the USA PATRIOT Act, Sarbanes-Oxley, the Gramm-Leach-Bliley Act (which governs the use of customer information) and numerous federal and state insurance regulations - Guardian Life has maintained a holistic balance between its compliance and business needs, Sokol said. CIO Dennis Callahan sits on the company's compliance board, together with other senior executives, such as the chief legal counsel.