It quickly became apparent to me that a roundtable Microsoft was hosting on Tuesday about compliance was really another commercial for SharePoint. But that turned out to be the more minor exaggeration.
Although executives eventually admitted – after implying SharePoint was an all-in-one solution to meeting regulatory requirements – that its portal product was only one piece of the compliance puzzle, no one was willing to tone down the rhetoric about compliance risk. Time and again we heard about the need to create better systems for managing data, in order to “keep the CFO out of jail.” The reality check is very few CFOs have gone to jail, and it’s not the IT manager’s fault that they’re there.
One of the panellists, a Microsoft partner, said it’s very difficult to produce a business case based on risk. That’s because there’s no certainty about how risk will play itself out. You might get fined or brought before the courts. You might lose customers. You might irrevocably damage your reputation. Or you might not. You might, in fact, make error after error and still rank as one of the country’s leading financial institutions, or continue to draw in customers to your North America-wide chain of stores.
The Canadian Imperial Bank of Commerce (CIBC), for example, has twice gotten the attention of Canada’s Privacy Commissioner for faxes involving customer information and for losing account information on close to half a million customers. But last time I checked, no one’s gone to jail for violating PIPEDA, and the CIBC has managed to do very little in the way of publicly accounting for its poor privacy record. It continues to flourish in the Canadian financial sector.
TJX, meanwhile, experienced the highest-profile breach of its IT security system and compromised the privacy and personal information of thousands of customers. And yet, I was in Winners (a TJX store brand) just the other day and waited in the usual endless lineup to buy my deeply discounted clothing.
Laws like Sarbanes-Oxley and PIPEDA were put in place to prevent future incidents, but there’s an awareness that companies aren’t adjusting quickly enough, or meeting the deadlines (which were imposed, probably, so that there would be at least some impetus to actually do something; no one strives for compliance without a gun to their head).
Even in the case of Enron, WorldCom and other compliance cautionary tales, better IT systems might not have prevented the criminal wrongdoings of those who were senior enough to have the kind of access and control over information that the rest of the organization didn’t. Even if they can prevent future crimes, compliance should simply be a component of responsible business practices.
We avoid hitting people with our cars and driving away not simply because we would break the law, but because as a society we value life and we know it would be the wrong thing to do. Similarly, IT departments need to see regulations as a way of double-checking their already transparent information management strategy. Yes, maybe IT managers can help keep their CFOs out of jail. But we should all be striving for better than that.