Lane Leskela
U.S. Symposium/ITxpo
Walt Disney World
Lake Buena Vista, Florida
17–22 October 2004
Client Issues
• How can enterprises build on established compliance management processes and technologies?
• How does the IS organization support enterprise compliance?
• What are the critical success factors for effective compliance?
© 2004 Gartner, Inc. and/or its Affiliates. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice. 01C, SYM14, 10/04, AE Page 1
Lane Leskela
Recommendation: The Balanced Scorecard, Supply Chain Council, total quality management (TQM),
European Foundation for Quality Management (EFQM), Six Sigma and many other methodologies have helped
executives extend their focus beyond traditional accounting measures. The automation of business transactions
in software applications like enterprise resource planning (ERP) and customer relationship management (CRM)
has resulted in the availability of performance measures at all levels of management. Standardization of
nonaccounting performance measures will be driven by the need for collaboration between existing and potential
trading partners. Gartner believes that a business measurement framework consisting of a set of precisely defined
performance metrics that extend financial reporting measures, representing a complete and holistic view of an
enterprise’s business operations, will close the gaps in determining real business value for regulatory
compliance. Operational audits should include a review of the management decision process, as well as internal
controls.
Compliance requirements evolve at different rates ... (slide timeline: Herstatt (1984), FAS 133 (1986), Basel I (1988), IAIS (1995), Basel II (1999), Gramm-Leach-Bliley (1999), CAD 3 (2000), FAS 144 (2001), Large U.S. States — Privacy Laws (2003))
Prediction: New legislation will continually challenge companies’ capabilities and will require a comprehensive
performance-plus-risk management framework to manage them effectively. Regulators abound:
U.S. banking regulators include federal, FDIC, comptroller of the currency, the office of thrift supervision, the
national credit union administration and 50 state banking regulators. U.S. insurance regulators are in each of the
50 states, coordinated by the NAIC. U.S. securities regulators include the SEC and numerous self-regulatory
organizations.
Companies face numerous issues, regulations and pending legislation that will affect business conduct in the
future. For example: pending revisions of consumer bankruptcy laws, new tax laws, disaster recovery rules,
expanded state-regulated privacy initiatives, consumer privacy, money laundering, information security, Basel II
and the pending Insurance Industry Modernization and Consumer Protection Act. Businesses must get ready to
leverage core technology and process competencies to master the intricacies of superior financial performance
and enterprise risk management in this new compliance-centered market environment.
Federal Oversight (slide diagram): the SEC sits above legal enforcement, audit practices and accounting standards.
• 1,000 U.S. public auditors have been registered in the first year of PCAOB operation.
• PCAOB is currently reviewing income tax advisory roles of public audit firms with respect to their financial audit clients.
Viewpoint: The U.S. Securities and Exchange Commission (SEC) approved a new auditing standard on 21 June
2004 clarifying an auditor’s role in attesting to a company's internal fiscal controls. The Public Company
Accounting Oversight Board (PCAOB) submitted the standard for SEC approval in March. Both the PCAOB
and the SEC are responsible for implementing the new standard, addressing details like transition periods,
disclosure requirements relating to deficiencies in internal controls, and assessment of the internal control for
foreign subsidiaries. New audit requirements are not an excuse for a lack of corporate performance management
and sound enterprise risk management. Corporations that adopt these practices at a high level and bake them into
the corporate culture will have an easier time complying with Sarbanes-Oxley, PATRIOT Act anti-money-laundering
provisions, and privacy requirements under Gramm-Leach-Bliley. The Basel accords that will govern
a financial institution’s charges to capital for credit, market and operational risk also represent an opportunity for
competitive advantage for well-run institutions. At the same time, sound high-level strategy for corporate
performance management and enterprise risk management will not guarantee compliance with regulations. The
corporate eye must continuously focus on the regulatory ball.
Situation: This Global 500 industrial manufacturing and engineering enterprise, based in the United States, has
130,000 full-time employees and 25 business units. The company has mandated direct oversight and ongoing
involvement of 5 percent of all legal, audit, corporate and IT staff in operational transparency, control and
disclosure requirements. 500 people in the United States and Europe have official attestation responsibilities for
audit, triggered by Sarbanes-Oxley. Regulators, including four primary federal agencies, have driven
comprehensive compliance management best practices for a generation, combined with TQM and Six Sigma
management capabilities. TQM and Six Sigma were broadly adopted in the 1980s and have been maintained in
global operations. EVA and CPM criteria were added in the 1990s. Official corporate operational risk
management frameworks and performance management criteria are aligned with corporate objectives. EVA
extends to compensation for compliance management targets. The U.S. Department of Defense drives primary
control framework and performance tolerances. IT standards and governance, BCP and security environment
evolved with responsiveness to EPA and OSHA regulations. Relevant standards pre-dated Sarbanes-Oxley. The
CFO is ultimately responsible for material financial disclosure with assistance provided by chief legal counsel
and support of IT. Enterprisewide ownership and understanding of challenges and solutions are embedded in the
corporate culture.
Source: FEI
Viewpoint: Because the processes and the internal controls are implemented principally in technology systems,
operational and financial audits involve a detailed assessment of these systems, and the IS organization needs to
document and implement any process changes to meet compliance. Most companies use technology for financial
reporting, and the CIO and the IT organization occupy a central role in auditing and compliance projects. Form
8-K and 8-KS filing updates in August 2004 now require the reporting of any one of 22 material financial impact
changes within four business days. This is the most specific indication of a regulatory definition for rapid and
timely disclosure of financially material changes. New enterprise resource planning (ERP) systems, or any
material impact changes to a structured data system, could require a new audit, attestation and report. Public
companies must disclose information on material changes to the financial condition or operations on a rapid and
current basis. The goal is to protect investors against the potential impact of delaying unreported losses. IT
systems that support business operations and financial management play a significant role in detecting and
managing material events. Proactive, policy-enforced use of systems allows the earliest detection and potential
for mitigation of material events.
Comparison of internal control (IC) frameworks (slide table; the four columns follow the order in which the frameworks are discussed below: CobiT, ITIL, COSO, SAS 55/78):

IC viewed as a:
  CobiT: set of processes: policies, procedures, practices & organizational structures
  ITIL: standardized processes, procedures & best practices library
  COSO: operational processes and risk practices
  SAS 55/78: financial processes & alignment with GAAP

IC objectives:
  CobiT: effective & efficient IT organizational process management; confidentiality, integrity & availability of information; reliable financial reporting; compliance with laws & regulations
  ITIL: effective & efficient IT operations management; reliable systems; compliance with technology best practices and industry standards for security and continuity
  COSO: effective & efficient operations; reliable reporting; operating procedures alignment with risk management and legal compliance
  SAS 55/78: reliable financial reporting; effective & efficient financial operations; reporting, disclosure and compliance with laws & regulations

Components or domains:
  CobiT: domains: planning & organization; acquisition and implementation; delivery and support; monitoring
  ITIL: components: control environment; manual & automated system control procedures
  COSO: components: control environment; risk management; control activities; information & communication; monitoring
  SAS 55/78: components: control; financial risk assessment; control activities; information & communication; monitoring
Dynamic: Sarbanes-Oxley demands increased attention to internal control by auditors, managers, accountants
and legislators. Multiple control systems are the result of continuing efforts to define, assess, report on and
improve internal control. The most widely adopted are the Information Systems Audit and Control Foundation’s
CobiT, the IT reference library (ITIL), the Committee of Sponsoring Organizations of the Treadway
Commission's Internal Control — Integrated Framework (COSO) and the American Institute of Certified Public
Accountants' Consideration of the Internal Control Structure in a Financial Statement Audit (SAS 55), amended
by Consideration of Internal Control in a Financial Statement Audit (SAS 78). CobiT (1996) is a framework
providing a tool for business process owners to identify and manage IS control responsibilities efficiently and
effectively. ITIL offers the IT department assistance with internal and external security audits on the control and
audit of information systems and technology. COSO (1992) makes recommendations to management on how to
evaluate, report and improve control systems. SASs 55 (1988) and 78 (1995) provide guidance to external
auditors regarding the impact of internal control on planning and performing an audit of an organization’s
financial statements.
Action Item: Document and align the set of operational control measures that drive your organization’s
compliance performance, and link investment proposals to those measures.
Controls Repository (slide diagram): corporate controls and aggregated content (MD&A with supporting documentation, XML/XBRL); association of structured and unstructured data; financial data (via ETL, links & imports); archives (storage, access and retrieval); ICW (certification and subcertification forms support); close instance coincides with secure Web publishing; filings covered: 10K, 10Q, 8K, annual report, Sections 302 & 404; timeline: 2004 subcert, Q1'05, 2005 subcert, 2006.
Source: IMA, September 2003
Recommendation: The important criteria for accurate and timely disclosure are how well audit processes are
documented and how well-equipped the company is for continuous monitoring to solve future problems before
formal reporting deadlines. Companies with systems for integrated document, records, communication, financial
data and process management are focusing on collating all workflow processes and filling in the gaps to
determine future user requirements for applications.
Once in-process audit and final attestation are completed, it’s time to prepare for the future. Sarbanes-Oxley
includes compressed timing for reporting changes as well as quarterly and annual report filing deadlines.
Sarbanes-Oxley requires audits and attestations with every periodic report, and disclosures of material events as
they occur. IT projects that could materially affect the financial input and reconciliation process need to be
evaluated and reported quarterly. CIOs should document all changes to supporting systems that might change the
financial process or internal controls, and report these changes to the CFO, the CEO and the risk management or
compliance committee. CIOs and direct reports should develop compliance management architectures to account
for compliance needs, with an emphasis on business process management and records management.
• Rapid growth and large, unpublicized operational losses exposed the need to improve operational risk management controls.
• Risk self-assessment and capital modeling were put in place.
• The company had outgrown core risk systems and controls, and informal risk management practices were not sufficient.
• A series of significant but undisclosed operational losses exceeded levels desired by the company and raised red flags internally.
• The company sought to improve risk sensitivity, improve its market image and limit unfavorable regulatory attention.
• Basel II operational risk criteria were viewed as a good baseline, although the institution does not fall directly under the Accord.
• Suitable data collection and management processes were in place before capital allocation analysis was conducted.
• Business unit risk practices were integrated with enterprise-level risk initiatives and change management efforts.
• Business unit managers remain accountable for managing risk levels.
• Operational risk self-assessment tools are deployed, but as stand-alone applications.
Situation: In 2002, this U.S.-headquartered, $100 billion financial services firm instituted a new program for
corporate governance and control with the objective of creating an enterprisewide approach to risk management
and establishing associated roles and responsibilities within the organization. The program was formalized into
an enterprise risk management (ERM) department, and a chief risk officer (CRO) was appointed. Based on the
current position of U.S. banking regulators, this company is not compelled to comply with the Basel II Capital
Accord, and it has not decided if it will “opt in.” Nevertheless, the firm views the Basel II framework and its
advanced internal ratings based approach as “good criteria” for managing enterprise risk and decided to use the
Accord as guidance to align capital with risk-based performance. Operational risk management had, in fact,
become increasingly problematic in light of rapid growth, the entrepreneurial culture and the decentralized,
nonstandard approach to business operations.
Progress
• Comprehensive program for corporate governance and risk control.
• Board of directors created and approved the company's risk policy framework.
• Enterprisewide approach to risk management established roles and responsibilities across the organization.
• Incorporated change management as part of the enterprise risk management initiative.
• Formalized into an enterprise risk management (ERM) department with a chief risk officer (CRO).
• Specialized risk departments for information technology, operational risk and compliance under the CRO.
• Basel II framework's advanced risk approach voluntarily adopted.
Results
• Established risk governance and reporting process.
• Standardized risk definitions across the entire organization.
• Corporatewide methodology to assess and rate operational risk exposures based on likelihood and potential impact.
• Created an internal database on operational risk events and near misses.
• Minimum requirements established for business unit assessment and reporting of operational risk exposures.
• Operational risk management user communities successfully shared best practices, developed reporting and tested new technologies.
• Automated document classification process implemented across the company using a "spreadsheet registry."
Result: The CRO established an operational risk department to structure, aggregate and analyze operational risk
exposures, create management awareness and implement methodologies and tools to proactively understand and
manage these exposures. The operational risk department is now the focus of control-based compliance due
diligence, the objective being to move from an informal qualitative approach to understanding risk quantitatively
using objective criteria. Specialized risk departments including information technology, credit risk, operational
risk and compliance were formed under the CRO. The company does not maintain a separate department to
manage market risk.
While grouped under the CRO, there is little direct coordination of activities among the various risk management
areas. The operational risk department also addresses broader enterprise issues, such as reputation, strategic and
compliance risks, but essentially operates under a completely different framework from its peer groups. The only
formal connection between the operational risk department and other areas is a standing agenda item at the
monthly Enterprise Risk Management Committee meeting. That group is co-chaired by the senior executive
responsible for governance and the CRO and includes representatives from major business lines and staff areas.
Rule hierarchy (slide diagram): Corporate Rules sit above BU Rules; higher levels take precedence over lower …
Viewpoint: Through the work of the measurement methodologies (balanced scorecard, TQM, EFQM, Six
Sigma), reference models are providing measures that, taken together, are effective leading indicators of
financial performance and are well-recognized and generally accepted. What is missing is a set of principles,
similar to generally accepted accounting principles (GAAP), that organize and integrate existing and future
reference models into a holistic view of the enterprise. These principles must provide flexibility and growth as
business practices evolve and change. In this way, the principles create a business measurement framework that
can be used by executives and managers to help guide and grow the value of their organizations. Through 2005,
the balanced scorecard will continue to be the most popular overall performance management methodology. By
2008, leading-edge global enterprises will incorporate internal measurement practices that systematically
measure the value and return on intellectual capital, as well as measures that include indexes for governance
value and economic value-added performance criteria.
Enterprise risk management components (slide diagram): Information & Communication; Risk Response; Control Activities (ITIL and CobiT >>).
• Internal Environment: management sets its philosophy regarding risk and establishes risk appetite, while the internal environment sets the foundation for how risk and control are viewed and addressed.
• Objective Setting: objectives exist before management can identify events affecting their achievement; enterprise risk management ensures management has a process to set objectives and that the chosen objectives support and align with the mission, consistent with the entity's risk appetite.
• Event Identification: potential events that might affect the firm must be identified; this includes identifying factors — internal and external — that influence how potential events affect strategy implementation and achievement of objectives.
• Risk Assessment: identified risks are analyzed to form the basis for determining how they should be managed; risks are assessed on an inherent and residual basis, and the assessment considers both risk likelihood and impact; a range of possible results may be associated with a potential event.
• Risk Response: management selects an approach to align assessed risks with risk appetite, in the context of strategy and objectives; staff identify and evaluate possible responses to risks, including avoiding, transferring, accepting, reducing and sharing.
• Control Activities: policies and procedures are established and executed to ensure that the risk responses selected are effectively carried out.
• Information and Communication: relevant information is identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities; information is needed at all levels for identifying, assessing and responding to risk; communication must occur in a broad sense, flowing down, across and up; staff need clear communication regarding roles and responsibilities.
• Monitoring: the risk management process must be monitored and modifications made as necessary so the system can react dynamically, changing as conditions warrant; monitoring is accomplished through ongoing management activities and separate evaluations of enterprise risk management processes.
Dynamic: Framework development is a complex and collaborative process. The goal of enterprise risk
management is to extract maximum value and avoid loss. A number of risk management activities have
associated technologies, but no single vendor supplies them all. Nor is a monolithic, single-vendor risk
management solution feasible. Despite some commonality of processes across and within industries, the final 10
percent to 15 percent of organizational requirements are highly specialized processes. Best-of-breed vendors can
bring specialized solutions, but a full understanding of the internal environment requires in-house development.
Individual business units have already invested in some risk management processes and technology. Scrapping
these would be costly and disruptive to business processes and culture, and would stir up considerable resistance
from the process “owners” of key risk components. ERM processes must, therefore, leverage other initiatives
such as customer relationship management and corporate performance management in the context of compliance
deadlines and completion requirements. The basic processes, many of the data points and much of the
technology are the same across operations, financial management and disclosure. What is different is the purpose
for which the capabilities are being used. Building on investments such as data warehousing, business
intelligence and business activity monitoring can remove redundancies and allow risk management to more
readily integrate with these initiatives.
Recommendation: Business applications qualify as an asset, having a value — you paid for them! The key
question is how to align corporate compliance management progress with regulatory requirements and enterprise
performance goals. After the initial phase of the compliance management project is complete, implementation
partners and software vendors will have been selected. The actual process of going live requires different
procedures and processes. Implementation is clearly not a single process or configuration. Implementation
involves parallel processes that must be managed in a rigorous fashion. Once a compliance management system goes
live, application management has only begun. Section 404 attestation has been a leading culprit in the
perpetuation of the single compliance management cycle myth.
A 10-year-plus compliance management life cycle will commence at the first go-live point. This means there's
no such thing as a compliance application project. We have to think in terms of an application life cycle.
Significantly, although much of the market focus and effort has been placed on the implementation process,
users are finding the post-implementation part of the life cycle extremely difficult. Because most of the focus of
compliance projects centers on rapid implementation and “going live,” little effort has been placed on building
the right ongoing support model. Post-implementation issues surrounding upgrades, scope changes and system
changes are more challenging and critical to compliance due diligence than the implementation process.
Recommendation: During compliance implementation projects, enterprises must decide if they are willing to
adopt package-provided processes or if the package should be tailored to support unique business process
requirements. Although customization of applications may be required in some areas, enterprises need to
consider the impact on total cost of ownership as part of the overall decision-making process. Application
customization ownership costs go far beyond the initial costs of development and integration. Custom
components may be superseded, fully or partially, by new packaged capabilities, causing customization
elimination or rewrite. These analyses must be performed with each packaged-application upgrade. In the case of
best-of-breed applications, similar issues occur when managing multiple versions of multiple packages. With
each package upgrade, integration applications must be verified and modified as appropriate. Process
description, automation and monitoring are the heart of any compliance solution, but complex regulatory
legislation rarely offers enterprises a formula or list of ingredients that will ensure compliance. Consider hiring a
vendor or consultant with expertise in the specific processes involved. For example, hire an auditing or
accounting firm when addressing the Sarbanes-Oxley Act, but not the firm that performs your own external audit: the act's
auditor-independence rules bar it from designing or implementing its audit client's financial information systems. Best
practices are emerging for the information systems used to support accurate and timely disclosure.
Recommendation: Once you're convinced that your compliance management applications are a form of
corporate asset and require appropriate levels of maintenance and investment, your perspective can change. A
review of structured and unstructured compliance data infrastructure capabilities will support a 10-year view of
the application life cycle. Insight into the required levels of licensing, maintenance and support will guide
appropriate investment in systems and applications. Looking past the initial compliance project into multiple
upgrades, years of support and enhancement provides a clearer view of the application and compliance data
management life cycle and potential costs. ROI considerations must include unfamiliar areas such as avoidance
of legal fines and reductions in unnecessary insurance premiums.
• The initial deployment project typically has a specific plan (like Section 404 attestation) and must have a
business case with a bounded timeline and completion milestones.
• Support is a required function, but its cost varies from year to year, which makes the required budget difficult
to justify. Users armed with external compliance management benchmark data, however, are able to make their cases.
• Enhancement initiatives have the same dynamics as deployments, with a plan and a set of benefits.
Upgrades tend to be more challenging. Users often feel forced (at inconvenient times) into projects that are
good for the vendor, but have unclear business benefits.
[Figure: compliance metrics framework. Corporate Performance (BU 1 ... BU n) sits above a layer of Enterprise
Management Metrics grouped as Corporate (Brand, Market), Operations (People, Processes) and Technology
(Applications, Hardware); Business Intelligence forms the base layer.]
Recommendation: Through the metric selection and baselining process, meaningful business information
and level setting about relevant business issues, strategic alignment and so forth are exchanged between the
process owner and the user. Direct benefits must be modeled against the measurements selected, along with
effects on other areas of the enterprise's operations that can be affected positively or negatively; these are
known as "cause and effect" metrics. These business metrics are key to the analysis because they become the
“living” part of the compliance-ready business. These metrics should be monitored before, during and after
implementation to determine how the projected value is being delivered. In this regard, enterprises are
looking to corporate performance management to improve compliance planning and risk control capabilities.
Best-practice enterprises will increasingly use performance management criteria to increase the speed, quality
and accuracy of decision making and management reporting; to enhance the agility of the planning process; to
create the necessary organizational alignment for tight strategy execution; and to facilitate corporate
transparency (that is, to provide regulators, board of directors, shareholders and other external parties with
insight into the enterprise’s operations).
These materials can be reproduced only with Gartner’s written approval. Such approvals must be requested via
e-mail — quote.requests@gartner.com.