Bank Systems & Technology is part of the Informa Tech Division of Informa PLC

Creating the Compliance-Enabled Organization: CEO

By Steve Crutchley, Consult2Comply

Successful businesses today are those that can be called "Compliance-Enabled Organizations" or "CEOs." Having two CEOs, one a Chief Executive Officer and the other a Compliance-Enabled Organization, will help organizations manage their businesses more effectively. But what does "manage more effectively" actually mean?

A Compliance-Enabled Organization (CEO) is one that successfully applies a comprehensive Governance, Risk and Compliance (GRC) strategy with rules that ensure all aspects of GRC have been identified and implemented to secure business processes. An active CEO with an involved Chief Executive Officer will:

• Understand the GRC (compliance) landscape: applicable regulations, elective standards and best practices, and association relationships.
• Have an overall risk methodology in place, from business to technology and at varying levels.
• Undertake regular assessments. Chief Executive Officers are pushing responsibilities back to business process owners, making sure they understand what they are ultimately responsible for.
• Not allow management of compliance in silos, such as governance in one area, risk in another and conformance to standards in another; instead, have coordinated efforts across the organization so everyone has a common goal.
• Have resource structures to support the business and compliance needs.
• Delegate responsibility but not accountability.
• Not rely on IT to lead GRC efforts. GRC is not and should not be technology driven; instead, technology should be used effectively to support those efforts.

The flood of regulations, standards and best practices being thrust on business, particularly the financial services industry, has forced these organizations to get better organized. Business managers are taking a leading role to ensure business objectives are met and costs are contained. This has also put pressure on IT to support business objectives and business challenges. The business challenge is not simply to optimize costs (seen as a significant challenge in and of itself), but also to comply with regulations for privacy and data integrity, and to improve business, regulatory capability and capacity to deliver increasing value to the businesses it serves.

The banking industry has been struggling with these requirements for some time now. In the United States, most people have a bank account; most people have money in the bank; people view the banks as "trusted" organizations. The question financial institutions must ask themselves is: are we really? Customer confidence is now waning due to 1) ongoing scandals, 2) continual losses of client information, 3) a lack of transparency and of disclosure about processes or actions that affect the client, and 4) increases in fee structures.

These problems primarily stem from not following policy, from developing and running GRC requirements in silos, from a lack of communications across the organizations, and lack of due diligence internally. However, these issues are not confined to U.S. banks; many international banks are also suffering from the lack of GRC controls and internal due diligence.

Staying compliant today is becoming an arduous task. Recent events related to the banking industry have highlighted that many organizations are still out of control. Directors are no longer immune from being sued or fired by the stakeholders if GRC strategies are not implemented effectively and followed to the letter. For banks to become CEOs, they must develop a focus on business processes supported by an architecture, policies and practices, and technology that enables them to dynamically move forward to achieve effective compliance across the organization.

Responsibility for protecting organizational information assets has shifted to the business; IT can no longer justify or take responsibility for assets and asset management. The business has been forced to identify asset owners with clearly defined responsibilities.

This movement to align IT governance with business governance is underway. The newly published ISO/IEC 38500:2008, Corporate Governance of Information Technology, has been adapted from the Standards Australia AS8015:2005 and fast-tracked into an ISO standard. ISO/IEC 38500:2008 is a high-level, principles-based advisory standard. In addition to providing broad guidance on the role of a governing body, it encourages organizations to use appropriate standards to underpin their governance of IT. Specifically, IT governance must align with business governance and support the business effectively. It is envisaged that this standard will also affect financial services organizations as they align IT to business objectives and incorporate IT governance into business governance.

Standards can help, but for a successful CEO, senior management must become increasingly involved in ensuring that the resources, technology, and processes are in place to enhance compliance to secure information, and protect and secure the assets of the organization. As part of the CEO, executive management has a responsibility to ensure that the organization provides all users with a secure information systems environment. Furthermore, organizations need to protect themselves against the risks inherent in the use of information systems while simultaneously recognizing the benefits that can accrue from having secure information systems. Thus, as dependence on information systems increases, so too does the criticality of GRC activities, bringing with it the need for effective IT and security governance.

A Compliance-Enabled Organization can help companies realize real benefits and leapfrog the competition because they can employ new ways of doing business that reap cost savings. This is a proactive way of doing business and being compliant, not a defensive posture. With the proper GRC infrastructure, financial institutions will be able to:

• Better understand their GRC landscape.
• Lessen corporate risks.
• Lessen duplication of policies and procedures.
• Improve process relationships.
• Prove compliance to a much wider audience of partners, suppliers, employees and customers.
• Understand their due diligence requirements more easily.
• Know to whom to assign responsibility and accountability.

Steve Crutchley is founder and CEO of Consult2Comply, a Herndon, Va.-based company that helps businesses meet their regulatory and risk needs.
