
Tying Down the Corporate Dollar

As companies fight to align IT with business and compliance goals, many firms are discovering that taking a service management approach delivers a knockout punch. Neil Davey reports…

The swathe of regulations that has swept through the corporate landscape in the last five years has proven particularly claustrophobic for IT departments. Because most businesses rely on IT systems to support the business processes associated with financial accounts, IT departments are placed at the very core of compliance – and an expensive and challenging place this has proven to be. Laws such as Sarbanes-Oxley, HIPAA, HSPD-12 and FISMA require private and public sector organisations to meet standards for protection and security in IT, audit trails, access logs and archived business records. It is a time-consuming process, and the Yankee Group estimates that IT staff spend up to 40 percent of their time for 3-6 months per year responding to audits.

This also amounts to significant IT spending on compliance. The cost of compliance for large organizations has been estimated to reach as much as US$3.5 million for first- and second-year audits, whilst Yankee approximates that a quarter of the US$4 million average IT budget is spent on compliance-related activities such as security, storage and archiving. Nevertheless, the price of failing to meet compliance regulations can be significantly higher. Although it can be difficult to quantify specific figures, the financial repercussions that organizations such as Time Warner, LexisNexis and CardSystems have experienced as a result of their failure to protect personal data – and the resulting bad publicity – are a testament to the importance of solid compliance, for both the operational benefit of the enterprise and the welfare of investors.

“The consequences of non-compliance with recent legislation can have devastating effects,” emphasizes Ian Bevan, Head of Afiniti’s Service Management Practice. “IT departments have woken up to the fact that it is no longer viable for them to ignore industry best practice advice with regard to having clearly defined processes and process owners. Recent events concerning the Enron, WorldCom, Tyco and Arthur Andersen financial scandals have also added pressure on IT organizations to ensure that not only are they delivering quality IT services and infrastructure to their business areas and units – ensuring business objectives are being met – but that they also have clear IT accounting and budgeting processes in place to show how they have been investing money. They should also have the ability to clearly show any ROI and ROCE.”

Are you being served?

But although compliance with a regulation as far-reaching as Sarbanes-Oxley may not be easy, there are ways to make the job easier and more manageable – with the adoption of IT service management (ITSM) rapidly emerging as the most effective. ITSM was developed to help organizations address the many challenges associated with effective IT service delivery, and such an approach provides an infrastructure upon which IT processes can be performed in a consistent and reliable manner to support the delivery of these services. It relies on proven best practices, such as those detailed in the Information Technology Infrastructure Library (ITIL) – an initiative of the UK’s Office of Government Commerce that provides a range of best practice guidelines for areas such as service support and service delivery frameworks – and the Control Objectives for Information and Related Technology (COBIT), which help to build a management infrastructure that delivers business-critical IT services.

Although ITSM wasn’t developed with Sarbanes-Oxley and compliance in mind, organizations have established that because the most pragmatic approach to address compliance is to define, assess and manage the most critical IT processes influencing business integrity, ITSM provides an ideal platform to define the consistent, repeatable, auditable and verifiable practices needed to access and track data that is vital for compliance. “IT service management is a recognized leading practice way of running an IT operation and it very much focuses on introducing effectiveness and efficiency into IT processes,” highlights Debbie Rosario, ITSM Consultant at Compass Management Consultancy. “Ultimately, if you have processes that are more effective and more efficient, that has got to be good for an organization. And if a process is mature, robust, effective and efficient then it is auditable and that has got to help the compliance cause.”

Indeed, IT service management solutions for the enterprise can help automate and control IT processes that auditors will review. Not only does automation formalize and document businesses’ internal processes, but it also generates an audit trail that demonstrates that these processes were followed. By automating IT processes, organizations can find that auditors, in general, are more confident of their processes and controls when they see that their applications are consistently being utilized. But there are a raft of other ways in which firms are finding ITSM is benefiting their compliance efforts.

“Financial management for IT services is one example,” adds Bevan. “This ITIL process has clear definitions on IT accounting, budgeting and charging – how these can help IT organizations understand their cost elements, and build a cost model that will meet financial reporting and auditing standards and comply with requirements from legislation such as COBIT from the SOX Act. IT service continuity management is a further ITIL process that will ensure the business meets compliance by providing appropriate IT facilities in the event of a disaster. The organization can still operate and offer their customers business, albeit at a disaster/continuity site.”

Elsewhere, IT security will ensure that the confidentiality, integrity and availability of company data are protected, with clearly defined processes in place to deal with any potential security risks or breaches that may occur. “By introducing integrated service management toolsets and infrastructure monitoring tools, IT organizations can now ensure that any customer complaints concerning accounts can be tracked through from the initial call or e-mail into the organization, how the complaint or transaction was handled and within what timescales,” continues Bevan. “This clearly demonstrates that the organisation takes governance and legislation seriously, as well as ensuring that acts such as the Freedom of Information Act and the Data Protection Act are being met.”

Beyond compliance

But the benefits of ITSM efforts reach far beyond compliance. Firms that deploy ITSM solutions to meet regulatory obligations are often pleasantly surprised to find that such tools can have significant impact on IT operational efficiency and demonstrate rewarding ROI. “Now that companies are implementing ITIL, they are starting to witness some value that is not even compliance-specific,” says Oren Kedem, Senior Marketing Manager at BMC Software. “Many of these benefits are actually more business-oriented, which of course was the main purpose of ITIL to begin with.

“For example, one of the uses of ITIL that was primarily a compliance requirement was the mapping of services. Typically, controls would state something along the lines of ‘the general ledger service needs to be backed up at specific intervals, and access to this service should be provided by a particular party’. This was something non-IT related. But when it was implemented, users saw that by implementing ITIL they could identify which services they actually had. Most people don’t really know which IT services support the business services, and this mapping actually helped them identify a lot of them. Some companies actually changed a number of their services as a result of this process, identifying defects or inefficiencies and reengineering business processes because of the identification that was carried out as part of ITIL and IT compliance.”

Other operational benefits being enjoyed by firms that have deployed ITSM include process optimization, increased resource efficiency and reduced costs, and improved alignment with business objectives. Furthermore, while a centralized, automated approach enables firms to effectively control information and rapidly make it available to meet audit requirements, it also facilitates enforcement that helps businesses protect the integrity of their entire IT infrastructure while enhancing their customer, partner and employee relationships.

The biggest benefit, however, is arguably the impact that ITSM has on productivity. “If you have an effective and efficient incident and problem management process you can reduce the number of IT problems that you experience and those that you do get can be resolved quicker,” highlights Rosario. “So it is not only the productivity of just the IT department that goes up, but the productivity of the business itself. And if you don’t have IT problems, hopefully you are not going to get hiccups in your revenue stream. So it is actually able to increase throughput, reduce costs and maximize revenues.”

According to Rosario, reduced TCO can also be enjoyed – most commonly in areas such as configuration management and release management. “If you have very robust configuration management, for example, you know exactly what kit you have got on the floor, you know exactly where that kit is and you know how many licenses you have got,” she continues. “So, if you have got better control over your software licenses, for instance, you probably won’t need as many of them because you have got a greater ability to reuse licenses. And if you combine this with effective capacity management, you can plan exactly when you are going to need to buy new hardware and get cost efficiencies that way. In either case, it means that you don’t have more hardware than you need, which obviously has a very positive effect on your TCO.”

The agile enterprise

But there is also a further benefit of ITSM that will prove to be a particular relief for IT departments that are only just coming to terms with the new regulatory environment. ITSM provides agility. And that agility is enough to ensure that while businesses are able to respond to the regulations that exist today, they are also in a better position for those that will be enforced in the future. As such, as Kedem emphasizes, ITSM not only keeps IT departments on top of compliance now – it also helps them prepare for the future.

“Two years ago, we were in a meeting with a bank that had three projects in place – a Sarbanes-Oxley project, a Basel II project and an internal banking regulation project,” he recalls. “Essentially they all covered the same areas and 80 percent was overlapping. Everybody understood it but nobody knew how to actually address it in an effective fashion. However, once you have best practices like COBIT and ITIL in place, you are able to respond to changing regulations much faster. If a new regulation is introduced and you do a gap analysis, you will probably see that you are already in compliance with it out of the box, or are missing very few components.

“Ultimately, if you implement ITIL-based service management in an automated fashion and you have processes in place and everything works correctly, there is virtually no type of compliancy issue that you might encounter in the future that will not be covered.” And that must be no small relief for those IT departments that have been wrestling with their new compliance responsibilities.

Regulations at large

• Sarbanes-Oxley Act – the US Securities and Exchange Commission requires integrity and confidentiality of financial reports for businesses seeking US listing or funding, or those that have more than 300 US shareholders
• Health Insurance Portability and Accountability Act (HIPAA) – the US federal government requires protection of personal health information
• Gramm-Leach-Bliley Act – the US federal government requires protection and disclosure of practices regarding the use of personally identifiable information
• Federal Information Security Management Act (FISMA) – the US federal government requires standards of security in government agencies and practices regarding the use of personally identifiable information
• Homeland Security Presidential Directive 12 (HSPD-12) – the US federal government requires secure and reliable identification for federal employees and contractors
• California SB 1386, SB 1 and AB 1950 – California requires disclosure and consumer notification of security breaches involving consumers’ personal data
• Cardholder Information Security Program (CISP) – Visa mandates CISP for members, credit card merchants and service providers. CISP requires standards of security in protection and disclosure of credit transaction information

Spending on compliance

AMR Research estimates that companies spent nearly US$15.5 billion on compliance programs in 2005. The spending breaks down as follows:

• Sarbanes-Oxley programs topped the list for spending, accounting for 40 percent or US$6.2 billion of the US$15.5 billion
• Health Insurance Portability and Accountability Act programs are expected to exceed US$3.7 billion, and account for 24 percent of total spending
• The Federal Drug Administration will swallow US$1 billion
• US Securities and Exchange Commission will take a further US$1 billion

Of 225 companies from around the globe surveyed by AMR Research, 48 percent said their compliance budgets will stay the same, with 44 percent reporting increased spending.

Delivering better service
Aidan Lawes, CEO of the international arm of the itSMF, reveals the value in service management.

For enterprises seeking to improve the quality of their service provision, making the necessary changes isn’t a trivial undertaking. Typically, you will be trying to engender a cultural change, shaking people out of their comfort zones and asking them to modify their behavior. Organizational change of this kind is challenging and requires commitment and investment. Commitment is required from all levels, especially management, both in IT and the business. Walking the talk is often one of the keys to success.

Another key is having and articulating a clear vision and purpose. A clear understanding of the benefits sought provides both motivation and a rationale for decision-making. Everyone within the enterprise needs to understand why they are being asked to change their working practices and embrace a new service-focused philosophy. Business and IT alike must embrace the changes.

If the prospect of further investment in the IT sphere causes raised eyebrows in the enterprise, remember to focus on value. Not just one-off value, but long-term, sustainable value through effective management and continuing improvement. Or perhaps the enterprise should ask itself what the cost of not managing service provision properly would be. Quantify the cost of those lost orders, the extra overtime, the rework, the time spent handling complaints, or the waste of staff time, as people do things they’re neither trained nor paid to do.

In recent years, many organizations have successfully implemented effective service management solutions and are reporting significant returns on the investment – not just by reducing costs, but by delivering significantly higher value. Most of these organizations have based their solutions on the advice and guidance contained within ITIL (produced by the OGC but contributed to by many individuals from enterprises all around the world).

ITIL isn’t a solution in itself; enterprises need to use it wisely, adapting and adopting the guidance to suit their culture and organizational needs. Although it is couched in terms of managing IT services, the concepts are applicable to managing any services. So extending the activities that are covered is both possible and probably desirable.

For organizations that want assurance that their IT service management solution is a quality one, certification against an international standard is possible. This standard – ISO/IEC 20000, released in December 2005 – is an almost exact replication of the original British standard BS 15000. The standard is aligned with ITIL and the relevant ‘owning’ parties are committed to ensuring this alignment in the future.

Perhaps one of the most challenging aspects of this space is the lack of universal, precise definitions of what is meant by ‘business service management’ and ‘IT service management’.

To some, this is a severe hindrance since it makes it difficult to pigeonhole everything with absolute certainty. To others, this is its strength. Having a framework focused on processes without prescription enables enterprises to develop a solution that exactly fits their needs, but, of course, it requires effort to develop and implement. Those enterprises seeking an easy life by purchasing a ‘solution in a box’ are likely to be sadly disappointed. Hard work is required in order to reap the rewards.

Following the philosophy behind the best practice and standards publications helps enterprises to realign their focus, to ensure that everyone within the enterprise is working towards the common goal and that IT-enabled solutions that are developed truly do deliver the business requirements.
