Risks, regulations and a reality check

dice-120.jpgIt quickly became apparent to me that a roundtable Microsoft was hosting on Tuesday about compliance was really another commercial for SharePoint. But that turned out to be the more minor exaggeration.

Although executives eventually admitted – after implying SharePoint was an all-in-one solution to meeting regulatory requirements – that its portal product was only one piece of the compliance puzzle, no one was willing to tone down the rhetoric about compliance risk. Time and again we heard about the need to create better systems for managing data, in order to “keep the CFO out of jail.” The reality check is very few CFOs have gone to jail, and it’s not the IT manager’s fault that they’re there.

One of the panellists, a Microsoft partner, said it’s very difficult to produce a business case based on risk. That’s because there’s no certainty about how risk will play itself out. You might get fined or brought before the courts. You might lose customers. You might irrevocably damage your reputation. Or you might not. You might, in fact, make error after error and still rank as one of the country’s leading financial institutions, or continue to draw in customers to your North America-wide chain of stores.

The Canadian Imperial Bank of Commerce (CIBC), for example, has twice gotten the attention of Canada’s Privacy Commissioner for faxes involving customer information and for losing acount informatin on close to half a million customers. But last time I checked, no one’s gone to jail for violating PIPEDA, and the CIBC has managed to do very little in the way of publicly accounting for its poor privacy record. It continues to flourish in the Canadian financial sector.

TJX, meanwhile, experienced the highest-profile breach of its IT security system and compromised the privacy and personal information of thousands of customers. And yet, I was in Winners (a TJX store brand) just the other day and waited in the usual endless lineup to buy my deeply-discounted clothing.

Laws like Sarbanes-Oxley and PIPEDA were put in place to prevent future incidents, but there’s an awareness that companies aren’t adjusting quick enough, or meeting the deadlines (which were imposed, probably, so that there would be at least some impetus to actually do something. No one strives for compliance without a gun to their head).

Even in the case of Enron, WorldCom and other compliance cautionary tales, better IT systems might not have prevented the criminal wrongdoings of those who were senior enough to have the kind of access and control over information that the rest of the organization didn’t. Even if they can prevent future crimes, compliance should simply be a component of responsible business practices.

We avoid hitting people with our cars and driving away not simply because we would break the law, but because as a society we value life and we know it would be the wrong thing to do. Similarly, IT departments need to see regulations as a way of double-checking their already transparent information management strategy. Yes, maybe IT managers can help keep their CFOs out of jail. But we should all be striving for better than that.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada
Shane Schick
Shane Schick
Your guide to the ongoing story of how technology is changing the world

Featured Download

IT World Canada in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Latest Blogs

Senior Contributor Spotlight