
Tutorial: Compliance Management Best Practices

Gartner Industry Research


Lane Leskela



These materials can be reproduced only with Gartner’s official approval.
Such approvals may be requested via e-mail — quote.requests@gartner.com.

U.S. Symposium/ITxpo
Lane Leskela
Walt Disney World
Lake Buena Vista, Florida
17–22 October 2004


Client Issues
• How can enterprises build on established compliance management processes and technologies?
• How does the IS organization support enterprise compliance?
• What are the critical success factors for effective compliance?

Compliance Management in the IT Context:
– Control-Based Environment for Processes
– Enterprise Risk Mitigation and Change Management
– Policy Administration for Governance Support

© 2004 Gartner, Inc. and/or its Affiliates. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.
Lane Leskela, 01C, SYM14, 10/04, AE, Page 1

Leverage Compliance With Multiple Regulations

• SEC/OCC/Fed draft regulations (SEC white paper): set new standards for data center proximity and industry testing.
• USA PATRIOT Act: enacts "Know Your Customer" anti-money-laundering regulations.
• Sarbanes-Oxley: sets higher financial reporting and governance standards for corporate boards and executives.
• Basel II: the new Accord requires financial institutions to advance risk management and report on "operational risk" (op risk, reporting, data management).
• KonTraG (Germany): requires directors to establish risk management and supervisory systems and report "control" information to shareholders.
• U.K. Combined Code: requires companies to report to shareholders all information on financial and operational risk management controls.
• IAS: requires institutions to align accounting standards with financial disclosures.
• Gramm-Leach-Bliley: requires financial institutions to safeguard and keep private "nonpublic" customer information.

Recommendation: The Balanced Scorecard, Supply Chain Council, total quality management (TQM),
European Foundation for Quality Management (EFQM), Six Sigma and many other methodologies have helped
executives extend their focus beyond traditional accounting measures. The automation of business transactions
in software applications like enterprise resource planning (ERP) and customer relationship management (CRM)
has resulted in the availability of performance measures at all levels of management. Standardization of
nonaccounting performance measures will be driven by the need for collaboration between existing and potential
trading partners. Gartner believes that a business measurement framework consisting of a set of precisely defined
performance metrics that extend financial reporting measures, representing a complete and holistic view of an
enterprise’s business operations, will close the gaps in determining real business value for regulatory
compliance. Operational audits should include a review of the management decision process, as well as internal
controls.


Conquer the Regulatory Hype Cycle

[Figure: regulations plotted on the Gartner Hype Cycle (as of 3Q04). Phases, left to right: Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, Plateau of Productivity; the horizontal axis is Maturity, the vertical axis Visibility. Key (time to plateau): less than two years; two to five years; five to 10 years; more than 10 years.]

Regulations plotted (year): SEC 17a-4 a/b and Sarbanes-Oxley (2002); NYSE 440 (2003); Insurance Industry Modernization and Consumer Protection Act (2003); IASB (2001); UK Companies Bill (2002); USA PATRIOT Act (2001); Basel I (1988); CAD 3 (2000); Basel II (1999); FAS 133 (1998); Solvency 2 (2002); FAS 150 (2003); EU Privacy Laws (1997); IAIS (1995); Gramm-Leach-Bliley (1999); Large U.S. States, Privacy Laws (2003); FAS 144 (2001); Herstatt (1984).

Compliance requirements evolve at different rates ...

Prediction: New legislation will continually challenge companies’ capabilities and will require a comprehensive
performance-plus-risk management framework to manage them effectively. Regulators abound:
U.S. banking regulators include the Federal Reserve, the FDIC, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the
National Credit Union Administration and 50 state banking regulators. U.S. insurance regulators are in each of the
50 states, coordinated by the NAIC. U.S. securities regulators include the SEC and numerous self-regulatory
organizations.
Companies face numerous issues, regulations and pending legislation that will affect business conduct in the
future. For example: pending revisions of consumer bankruptcy laws, new tax laws, disaster recovery rules,
expanded state-regulated privacy initiatives, consumer privacy, money laundering, information security, Basel II
and the pending Insurance Industry Modernization and Consumer Protection Act. Businesses must get ready to
leverage core technology and process competencies to master the intricacies of superior financial performance
and enterprise risk management in this new compliance-centered market environment.


Incorporate the New Governance Environment

• PCAOB is the first public audit regulator, a not-for-profit corporation whose board members and operating budget are approved by the SEC.

[Figure: federal oversight structure. The SEC sits at the top; beneath it, legal enforcement (DOJ), audit practices (PCAOB) and accounting standards (FASB); below those, public companies and public auditors.]

• 1,000 U.S. public auditors were registered in the first year of PCAOB operation.
• PCAOB is currently reviewing income tax advisory roles of public audit firms with respect to their financial audit clients.

Viewpoint: The U.S. Securities and Exchange Commission (SEC) approved a new auditing standard on 21 June
2004 clarifying an auditor’s role in attesting to a company's internal fiscal controls. The Public Company
Accounting Oversight Board (PCAOB) submitted the standard for SEC approval in March. Both the PCAOB
and the SEC are responsible for implementing the new standard, addressing details like transition periods,
disclosure requirements relating to deficiencies in internal controls, and assessment of the internal control for
foreign subsidiaries. New audit requirements are not an excuse for a lack of corporate performance management
and sound enterprise risk management. Corporations that adopt these practices at a high level and bake them into
the corporate culture will have an easier time complying with Sarbanes-Oxley, PATRIOT Act anti-money-laundering provisions, and privacy requirements under Gramm-Leach-Bliley. The Basel accords that will govern
a financial institution’s charges to capital for credit, market and operational risk also represent an opportunity for
competitive advantage for well-run institutions. At the same time, sound high-level strategy for corporate
performance management and enterprise risk management will not guarantee compliance with regulations. The
corporate eye must continuously focus on the regulatory ball.


Case Study 1: Industrial-Strength SOX Compliance

• CFO and CIO jointly responsible for compliance deadlines and ongoing performance.
• Semantic agreement with auditors, including planned communication with IT-experienced audit staff.
• Joint project ownership for audit, legal, finance and IT.
• Ongoing central compliance committee management, with association of process owners and IT owners across business units.
• Board-level report for chief compliance officer, promoted from operations.
• Alignment of CobiT processes with BCP and U.S. Sentencing Commission requirements.

Situation: This Global 500 industrial manufacturing and engineering enterprise, based in the United States, has
130,000 full-time employees and 25 business units. The company has mandated direct oversight and ongoing
involvement of 5 percent of all legal, audit, corporate and IT staff in operational transparency, control and
disclosure requirements. 500 people in the United States and Europe have official attestation responsibilities for
audit, triggered by Sarbanes-Oxley. Regulators, including four primary federal agencies, have driven
comprehensive compliance management best practices for a generation, combined with TQM and Six Sigma
management capabilities. TQM and Six Sigma were broadly adopted in the 1980s and have been maintained in
global operations. EVA and CPM criteria were added in the 1990s. Official corporate operational risk
management frameworks and performance management criteria are aligned with corporate objectives. EVA
extends to compensation for compliance management targets. The U.S. Department of Defense drives primary
control framework and performance tolerances. IT standards and governance, BCP and security environment
evolved with responsiveness to EPA and OSHA regulations. Relevant standards pre-dated Sarbanes-Oxley. The
CFO is ultimately responsible for material financial disclosure with assistance provided by chief legal counsel
and support of IT. Enterprisewide ownership and understanding of challenges and solutions are embedded in the
corporate culture.


Lesson 1: Build a Solid Compliance Organization

External Controls:
• Corporate law
• Regulatory agencies
• International standards
• Professional standards
• Industry best practices
• Standard processes
• Vendor/partner practices
• Stock market rules
• Customer requirements

Governance structure linking the two: BOD; Audit Committee; Legal Compliance Committee; Financial Management; Operational Management

Internal Controls:
• Code of ethics
• Code of behavior
• Corporate values
• Corporate charter
• Corporate policies
• Standard processes
• Internal financial controls
• Internal operational controls
• Corporate best practices
• Risk management
• Management metrics

Source: FEI, January 2004

Viewpoint: Because the processes and the internal controls are implemented principally in technology systems,
operational and financial audits involve a detailed assessment of these systems, and the IS organization needs to
document and implement any process changes to meet compliance. Most companies use technology for financial
reporting, and the CIO and the IT organization occupy a central role in auditing and compliance projects. Form
8-K and 8-KS filing updates in August 2004 now require the reporting of any one of 22 material financial impact
changes within four business days. This is the most specific indication of a regulatory definition for rapid and
timely disclosure of financially material changes. New enterprise resource planning (ERP) systems, or any
material impact changes to a structured data system, could require a new audit, attestation and report. Public
companies must disclose information on material changes to the financial condition or operations on a rapid and
current basis. The goal is to protect investors against the potential impact of delaying unreported losses. IT
systems that support business operations and financial management play a significant role in detecting and
managing material events. Proactive, policy-enforced use of systems allows the earliest detection and potential
for mitigation of material events.


Lesson 2: Align Compliance Control Methodologies

Link Internal Control (IC) Frameworks

CobiT
– Primary audience: management, users, information system auditors
– IC viewed as: a set of processes (policies, procedures, practices and organizational structures)
– IC objectives: effective and efficient IT organizational process management; confidentiality, integrity and availability of information; reliable financial reporting; compliance with laws and regulations
– Domains: planning and organization; acquisition and implementation; delivery and support; monitoring
– Focus: IT and operations

ITIL
– Primary audience: information system auditors
– IC viewed as: standardized processes, procedures and best-practices library
– IC objectives: effective and efficient IT operations management; reliable systems; compliance with technology best practices and industry standards for security and continuity
– Components: control environment; manual and automated system control procedures
– Focus: IT and IS

COSO
– Primary audience: management
– IC viewed as: operational processes and risk practices
– IC objectives: effective and efficient operations; reliable reporting; operating procedures aligned with risk management and legal compliance
– Components: control environment; risk management; control activities; information and communication; monitoring
– Focus: overall entity

SAS (Type 2)
– Primary audience: external auditors
– IC viewed as: financial processes and alignment with GAAP
– IC objectives: reliable financial reporting; effective and efficient financial operations; reporting, disclosure and compliance with laws and regulations
– Components: control environment; financial risk assessment; control activities; information and communication; monitoring
– Focus: financial statements

Dynamic: Sarbanes-Oxley demands increased attention to internal control by auditors, managers, accountants
and legislators. Multiple control systems are the result of continuing efforts to define, assess, report on and
improve internal control. The most widely adopted are the Information Systems Audit and Control Foundation’s
CobiT, the IT Infrastructure Library (ITIL), the Committee of Sponsoring Organizations of the Treadway
Commission's Internal Control — Integrated Framework (COSO) and the American Institute of Certified Public
Accountants' Consideration of the Internal Control Structure in a Financial Statement Audit (SAS 55), amended
by Consideration of Internal Control in a Financial Statement Audit (SAS 78). CobiT (1996) is a framework
providing a tool for business process owners to identify and manage IS control responsibilities efficiently and
effectively. ITIL offers the IT department assistance with internal and external security audits on the control and
audit of information systems and technology. COSO (1992) makes recommendations to management on how to
evaluate, report and improve control systems. SASs 55 (1988) and 78 (1995) provide guidance to external
auditors regarding the impact of internal control on planning and performing an audit of an organization’s
financial statements.
Action Item: Document and align the set of operational control measures that drive your organization’s
compliance performance, and link investment proposals to those measures.


Lesson 3: Complete Integrated Reporting Infrastructure

[Figure: integrated reporting infrastructure. Inputs: financial data (via ETL, links and imports) and the association of structured and unstructured data (XML/XBRL). Core: a controls repository holding corporate controls and aggregated content (MD&A with supporting documentation); ICW (certification and subcertification forms support); archives for storage, access and retrieval. Outputs: a close instance that coincides with secure Web publishing of the 10-K, 10-Q, 8-K and annual report; Section 302 and 404 subcertification timeline: 2004, Q1'05, 2005, 2006.]

Source: IMA, September 2003

Recommendation: The important criteria for accurate and timely disclosure are how well audit processes are
documented and how well-equipped the company is for continuous monitoring to solve future problems before
formal reporting deadlines. Companies with systems for integrated document, records, communication, financial
data and process management are focusing on collating all workflow processes and filling in the gaps to
determine future user requirements for applications.
Once in-process audit and final attestation are completed, it’s time to prepare for the future. Sarbanes-Oxley
includes compressed timing for reporting changes as well as quarterly and annual report filing deadlines.
Sarbanes-Oxley requires audits and attestations with every periodic report, and disclosures of material events as
they occur. IT projects that could materially affect the financial input and reconciliation process need to be
evaluated and reported quarterly. CIOs should document all changes to supporting systems that might change the
financial process or internal controls, and report these changes to the CFO, the CEO and the risk management or
compliance committee. CIOs and direct reports should develop compliance management architectures to account
for compliance needs, with an emphasis on business process management and records management.


Case Study 2: Domestic Financial Firm

• Rapid growth and large, unpublicized operational losses exposed the need to improve operational risk management controls.
• Risk self-assessment and capital modeling were put in place.
• The company had outgrown core risk systems and controls, and informal risk management practices were not sufficient.
• A series of significant but undisclosed operational losses exceeded levels desired by the company and raised red flags internally.
• The company sought to improve risk sensitivity, improve its market image and limit unfavorable regulatory attention.
• Basel II operational risk criteria were viewed as a good baseline, although the institution does not fall directly under the Accord.
• Suitable data collection and management processes were in place before capital allocation analysis was conducted.
• Business unit risk practices were integrated with enterprise-level risk initiatives and change management efforts.
• Business unit managers remain accountable for managing risk levels.
• Operational risk self-assessment tools are deployed, but as stand-alone applications.

Situation: In 2002, this U.S.-headquartered, $100 billion financial services firm instituted a new program for
corporate governance and control with the objective of creating an enterprisewide approach to risk management
and establishing associated roles and responsibilities within the organization. The program was formalized into
an enterprise risk management (ERM) department, and a chief risk officer (CRO) was appointed. Based on the
current position of U.S. banking regulators, this company is not compelled to comply with the Basel II Capital
Accord, and it has not decided if it will “opt in.” Nevertheless, the firm views the Basel II framework and its
advanced internal ratings based approach as “good criteria” for managing enterprise risk and decided to use the
Accord as guidance to align capital with risk-based performance. Operational risk management had, in fact,
become increasingly problematic in light of rapid growth, the entrepreneurial culture and the decentralized,
nonstandard approach to business operations.


Case Study 2: Basel II Best Practices Emerge

Progress
• Comprehensive program for corporate governance and risk control.
• Board of directors created and approved the company's risk policy framework.
• Enterprisewide approach to risk management established roles and responsibilities across the organization.
• Incorporated change management as part of the enterprise risk management initiative.
• Formalized into an enterprise risk management (ERM) department with a chief risk officer (CRO).
• Specialized risk departments for information technology, operational risk and compliance under the CRO.
• Basel II framework's advanced risk approach voluntarily adopted.

Results
• Established risk governance and reporting process.
• Standardized risk definitions across the entire organization.
• Corporatewide methodology to assess and rate operational risk exposures based on likelihood and potential impact.
• Created an internal database on operational risk events and near misses.
• Minimum requirements established for business unit assessment and reporting of operational risk exposures.
• Operational risk management user communities successfully shared best practices, developed reporting and tested new technologies.
• Automated document classification process implemented across the company using a "spreadsheet registry".

Result: The CRO established an operational risk department to structure, aggregate and analyze operational risk
exposures, create management awareness and implement methodologies and tools to proactively understand and
manage these exposures. The operational risk department is now the focus of control-based compliance due
diligence, the objective being to move from an informal qualitative approach to understanding risk quantitatively
using objective criteria. Specialized risk departments including information technology, credit risk, operational
risk and compliance were formed under the CRO. The company does not maintain a separate department to
manage market risk.
While grouped under the CRO, there is little direct coordination of activities among the various risk management
areas. The operational risk department also addresses broader enterprise issues, such as reputation, strategic and
compliance risks, but essentially operates under a completely different framework from its peer groups. The only
formal connection between the operational risk department and other areas is a standing agenda item at the
monthly Enterprise Risk Management Committee meeting. That group is co-chaired by the senior executive
responsible for governance and the CRO and includes representatives from major business lines and staff areas.


Lesson 1: Engage in Federated Corporate Governance

• Centralization of a rule repository is not required, but central coordination is absolutely necessary.

[Figure: federated structure and policy. Corporate rules sit above business-unit (BU) rules, which sit above national rules, which sit above local rules; higher levels take precedence over lower ones.]

• All enterprises operate in environments where some rules are in conflict … resolutions must now be documented.
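The precedence rule on the slide (corporate over business unit over national over local) and the requirement that every conflict resolution be documented can be made mechanical. The following is an added example written for this page, not code from the presentation or from any Gartner tool; the tier names follow the slide, while the scope tags, control names and policy-document identifiers such as CORP-SEC-001 are constructed for illustration. It resolves each control to the highest-tier applicable rule, records which lower-tier rules it overrode, and sets aside the one case precedence cannot decide: two rules at the same tier that disagree.

```python
"""Federated rule precedence with documented conflict resolution.

Added example for this page; not code from the presentation. Tier names
follow the slide; scope tags, control names and policy identifiers are
constructed for illustration.
"""
from dataclasses import dataclass, field

# Precedence tiers from the slide, highest first.
LEVELS = ("corporate", "business_unit", "national", "local")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


@dataclass(frozen=True)
class Rule:
    level: str    # one of LEVELS
    scope: str    # where it applies, e.g. "corp", "bu:retail", "country:DE", "site:berlin-1"
    control: str  # the control being constrained
    value: str    # the required setting
    source: str   # policy document cited (hypothetical identifiers)


@dataclass
class Resolution:
    control: str
    effective: Rule
    overridden: list = field(default_factory=list)  # lower-tier rules that disagreed

    def record(self) -> str:
        """One auditable line: which rule won and which it overrode."""
        head = f"{self.control}: {self.effective.value} per {self.effective.source} ({self.effective.level})"
        if not self.overridden:
            return head + " (no conflict)"
        losers = "; ".join(f"{r.source} ({r.level}) wanted {r.value}" for r in self.overridden)
        return head + " overrides " + losers


def resolve(rules, context):
    """Resolve every control for one context (the set of scope tags that apply).

    Returns (resolved, unresolved). Higher tiers win; lower-tier rules with a
    different value are listed as overridden so the resolution is documented.
    When the highest applicable tier itself disagrees, precedence cannot decide,
    so that control goes to `unresolved` for escalation instead of being guessed.
    """
    applicable = sorted((r for r in rules if r.scope in context),
                        key=lambda r: RANK[r.level])  # stable sort keeps input order within a tier
    grouped = {}
    for r in applicable:
        grouped.setdefault(r.control, []).append(r)

    resolved, unresolved = {}, {}
    for control, cands in grouped.items():
        top_tier = [c for c in cands if c.level == cands[0].level]
        if len({c.value for c in top_tier}) > 1:
            unresolved[control] = top_tier
            continue
        winner = cands[0]
        overridden = [c for c in cands[1:] if c.value != winner.value]
        resolved[control] = Resolution(control, winner, overridden)
    return resolved, unresolved


# Constructed sample rule set (not from the page).
SAMPLE_RULES = [
    Rule("corporate", "corp", "password_rotation_days", "90", "CORP-SEC-001"),
    Rule("business_unit", "bu:retail", "password_rotation_days", "60", "RETAIL-IT-004"),
    Rule("business_unit", "bu:wholesale", "password_rotation_days", "45", "WHOLE-IT-001"),
    Rule("corporate", "corp", "log_retention_days", "365", "CORP-SEC-002"),
    Rule("business_unit", "bu:retail", "log_retention_days", "365", "RETAIL-IT-007"),
    Rule("national", "country:DE", "record_retention_years", "10", "DE-LEGAL-001"),
    Rule("local", "site:berlin-1", "record_retention_years", "7", "BER1-OPS-003"),
    Rule("local", "site:berlin-1", "visitor_escort", "required", "BER1-SEC-001"),
    Rule("local", "site:berlin-1", "visitor_escort", "optional", "BER1-FAC-002"),
]

RETAIL_BERLIN = {"corp", "bu:retail", "country:DE", "site:berlin-1"}


def resolve_sample(context=frozenset(RETAIL_BERLIN)):
    """Resolve the sample rule set for one context (default: a retail BU site in Germany)."""
    return resolve(SAMPLE_RULES, set(context))


if __name__ == "__main__":
    resolved, unresolved = resolve_sample()
    for res in resolved.values():
        print(res.record())
    for control, rules in unresolved.items():
        print(f"ESCALATE {control}: " + ", ".join(f"{r.source}={r.value}" for r in rules))
```

Run as a script it prints one line per control and an ESCALATE line for the same-tier visitor-escort conflict. The record() strings are the documented resolutions the slide calls for; the unresolved map is what goes to the central coordinating body, which is why the example refuses to pick a winner there rather than silently taking the first rule it sees. The rule repository itself stays distributed: each tier's rules can live wherever that tier keeps them, as long as the resolver sees them all.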

Viewpoint: Through the work of the measurement methodologies (balanced scorecard, TQM, EFQM, Six
Sigma), reference models are providing measures that, taken together, are effective leading indicators of
financial performance and are well-recognized and generally accepted. What is missing is a set of principles,
similar to generally accepted accounting principles (GAAP), that organize and integrate existing and future
reference models into a holistic view of the enterprise. These principles must provide flexibility and growth as
business practices evolve and change. In this way, the principles create a business measurement framework that
can be used by executives and managers to help guide and grow the value of their organizations. Through 2005,
the balanced scorecard will continue to be the most popular overall performance management methodology. By
2008, leading-edge global enterprises will incorporate internal measurement practices that systematically
measure the value and return on intellectual capital, as well as measures that include indexes for governance
value and economic value-added performance criteria.


Lesson 2: Apply Risk Management to Compliance

[Figure: the eight COSO ERM components (internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, monitoring), with ISO 17799 mapped on one side and ITIL and CobiT on the other.]

• Internal Environment: management sets its philosophy regarding risk and establishes risk appetite, while the internal environment sets the foundation for how risk and control are viewed and addressed.
• Objective Setting: objectives must exist before management can identify events affecting their achievement; enterprise risk management ensures management has a process to set objectives and that the chosen objectives support and align with the mission, consistent with the entity's risk appetite.
• Event Identification: potential events that might affect the firm must be identified, including the internal and external factors that influence how potential events affect strategy implementation and achievement of objectives.
• Risk Assessment: identified risks are analyzed to form the basis for determining how they should be managed; risks are assessed on an inherent and a residual basis, the assessment considers both likelihood and impact, and a range of possible results may be associated with a potential event.
• Risk Response: management selects an approach to align assessed risks with risk appetite, in the context of strategy and objectives; staff identify and evaluate possible responses to risks, including avoiding, transferring, accepting, reducing and sharing.
• Control Activities: policies and procedures are established and executed to ensure that the selected risk responses are effectively carried out.
• Information and Communication: relevant information is identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities; information is needed at all levels for identifying, assessing and responding to risk; communication must occur in a broad sense, flowing down, across and up; staff need clear communication regarding roles and responsibilities.
• Monitoring: the risk management process must be monitored and modified as necessary so the system can react dynamically, changing as conditions warrant; monitoring is accomplished through ongoing management activities and separate evaluations of enterprise risk management processes.


Lesson 3: Employ the IT Risk Management Framework

[Diagram: the IT risk management framework, layered as follows.]
Connect and integrate: networking, portals, enterprise application integration, Web services, standards
Plan and oversee: business process modeling, workflow and planning tools
Collect data: ETL, data quality tools, filters. Sources: internal systems (GL, operational); transactions (deposits, claims, charges, trades, transfers); external feeds (market, reference, partner)
Manage data: operational store, data warehouse, metadata, “virtual”. Subjects: financial, systems, customer, market, etc.
Analyze: events; statistical, ad hoc query, OLAP. Tasks: build models, test events, predict events, contextualize events
Respond: business rule engines, automated response systems. Risks: operational, market, credit, liquidity, etc.
Report and advise: reporting tools, alerts, scorecards, dashboards

Dynamic: Framework development is a complex and collaborative process. The goal of enterprise risk
management is to extract maximum value and avoid loss. A number of risk management activities have
associated technologies, but no single vendor supplies them all. Nor is a monolithic, single-vendor risk
management solution feasible. Despite some commonality of processes across and within industries, the final 10
percent to 15 percent of organizational requirements are highly specialized processes. Best-of-breed vendors can
bring specialized solutions, but a full understanding of the internal environment requires in-house development.
Individual business units have already invested in some risk management processes and technology. Scrapping
these would be costly and disruptive to business processes and culture, and would stir up considerable resistance
from the process “owners” of key risk components. ERM processes must, therefore, leverage other initiatives
such as customer relationship management and corporate performance management in the context of compliance
deadlines and completion requirements. The basic processes, many of the data points and much of the
technology are the same across operations, financial management and disclosure. What is different is the purpose
for which the capabilities are being used. Building on investments such as data warehousing, business
intelligence and business activity monitoring can remove redundancies and allow risk management to more
readily integrate with these initiatives.

Internal Compliance Progress With Gartner COMPARE

Gartner COMPARE Cycle (Score*):
Sense 0
Assess 1
Reconcile 2
Remediate 3
Attest 4

CobiT Category Aggregates (Actual Score*):
User & Operations Management 3
Risks & Controls: Assessment & Monitoring 3
Reliability & Security Management 4
Configuration & Systems Management 1
Quality & Change Management 2
Records & Data Management 2

[Radar chart: the six CobiT category aggregate scores above plotted on a 0–4 scale.]

Recommendation: Business applications qualify as an asset, having a value — you paid for them! The key
question is how to align corporate compliance management progress with regulatory requirements and enterprise
performance goals. After the initial phase of the compliance management project is complete, implementation
partners and software vendors will have been selected. The actual process of going live requires different
procedures and processes. Implementation is clearly not a single process or configuration. Implementation
involves parallel processes that must be managed in a rigorous fashion. Once a compliance management application goes
live, application management has only begun. Section 404 attestation has been a leading culprit in the
perpetuation of the single compliance management cycle myth.
A 10-year-plus compliance management life cycle will commence at the first go-live point. This means there's
no such thing as a compliance application project. We have to think in terms of an application life cycle.
Significantly, although much of the market focus and effort has been placed on the implementation process,
users are finding the post-implementation part of the life cycle extremely difficult. Because most of the focus of
compliance projects centers on rapid implementation and “going live,” little effort has been placed on building
the right ongoing support model. Post-implementation issues surrounding upgrades, scope changes and system
changes are more challenging and critical to compliance due diligence than the implementation process.


Compliance Vendor Value With COMPARE

Functional Maturity Scale (Score):
Not offered 0
Currently under development and testing/beta deployments 1
First-generation commercial products in market/partial customer-defined capability delivered 2
One or more technology partner agreements are used to deliver full customer-defined capability 3
Mature product delivers full customer-defined capability without further development or acquisitions/this is our demonstrated core competence 4

CobiT Category Aggregates (Actual Score*):
User & Operations Management 2
Risks & Controls: Assessment & Monitoring 4
Reliability & Security Management 3
Configuration & Systems Management 3
Quality & Change Management 3
Records & Data Management 1

[Radar chart: the six CobiT category aggregate scores above plotted on a 0–4 scale.]

Recommendation: During compliance implementation projects, enterprises must decide if they are willing to
adopt package-provided processes or if the package should be tailored to support unique business process
requirements. Although customization of applications may be required in some areas, enterprises need to
consider the impact on total cost of ownership as part of the overall decision-making process. Application
customization ownership costs go far beyond the initial costs of development and integration. Custom
components may be superseded, fully or partially, by new packaged capabilities, causing customization
elimination or rewrite. These analyses must be performed with each packaged-application upgrade. In the case of
best-of-breed applications, similar issues occur when managing multiple versions of multiple packages. With
each package upgrade, integration applications must be verified and modified as appropriate. Process
description, automation and monitoring are the heart of any compliance solution, but complex regulatory
legislation rarely offers enterprises a formula or list of ingredients that will ensure compliance. Consider hiring a
vendor or consultant with expertise in the specific processes involved. For example, hire an auditing or
accounting firm when addressing the Sarbanes-Oxley Act. Best practices are emerging for information systems
leveraged to secure disclosure.



Select Applications With the ‘Due Diligence Ten’
➊ Process owner value defined (business process benefits)
➋ Interoperability with current structured and unstructured systems
➌ Application integration experience and vendor support capability
➍ Demonstrated implementation speed and scalability
➎ TCO and pricing structure (licensing, consulting and maintenance)
➏ Comprehensive user training and support
➐ Functional leverage to range of compliance, audit and risk management requirements
➑ Compliance functionality relative to component maturity, product life cycle
➒ Adaptability to organizational changes and user-determined processes
➓ Long-term vendor viability

Recommendation: Once you're convinced that your compliance management applications are a form of
corporate asset and require appropriate levels of maintenance and investment, your perspective can change. A
review of structured and unstructured compliance data infrastructure capabilities will support a 10-year view of
the application life cycle. Insight into the required levels of licensing, maintenance and support will guide
appropriate investment in systems and applications. Looking past the initial compliance project into multiple
upgrades, years of support and enhancement provides a clearer view of the application and compliance data
management life cycle and potential costs. ROI considerations must include unfamiliar areas such as avoidance
of legal fines and reductions in unnecessary insurance premiums.
• The initial deployment project typically has a specific plan (like Section 404 attestation) and must have a
business case with a bounded timeline and completion milestones.
• Support is a required function with variability. It can be difficult to justify the required budget. Users
armed with external compliance management benchmark data, however, are able to make their cases.
• Enhancement initiatives have the same dynamics as deployments, with a plan and a set of benefits.
Upgrades tend to be more challenging. Users often feel forced (at inconvenient times) into projects that are
good for the vendor, but have unclear business benefits.



Achieve Comprehensive Corporate Management

[Diagram: the strategic context for corporate governance, linking Investment, Performance Management, Enterprise Risk Management, the Management System, Compliance, Operating Results and Metrics, with Business Intelligence as the base layer. The risk domains shown are:]
• Corporate Performance: BU 1… BU n, Operations, Technology, Customer, Regulatory Compliance
• Corporate: Brand, Market, Competitor, Financial, Legal, Credit, Regulatory, Interest Rate, Currency
• Operations: People, Processes, Supply Chains, Partners, Service Providers, Personnel
• Technology: Applications, Hardware, Software, Networks
• Infrastructure: Facilities, Transportation, Telecom, Power, Water
• Information: Access, Privacy, Integrity

Recommendation: Through the metric selection and baselining process, meaningful business information
and level setting about relevant business issues, strategic alignment and so forth are exchanged between the
process owner and the user. Direct benefits must be modeled against the measurements selected, along with
effects on other areas of the enterprise’s operations that can be affected positively or negatively, which are
known “cause and effect” metrics. These business metrics are key to the analysis because they become the
“living” part of the compliance-ready business. These metrics should be monitored before, during and after
implementation to determine how the projected value is being delivered. In this regard, enterprises are
looking to corporate performance management to improve compliance planning and risk control capabilities.
Best-practice enterprises will increasingly use performance management criteria to increase the speed, quality
and accuracy of decision making and management reporting; to enhance the agility of the planning process; to
create the necessary organizational alignment for tight strategy execution; and to facilitate corporate
transparency (that is, to provide regulators, board of directors, shareholders and other external parties with
insight into the enterprise’s operations).


Compliance Best-Practice Recommendations


! Leverage corporate best practices for compliance risk. Deploy performance management tools, information controls and operational risk processes to advance and remain competitive in a stringent legal environment.
! Formalize a compliance-centric business culture and tie governance practices and compliance performance to operational risk management. Imbue control-based processes in management systems with measurable corporatewide performance criteria.
! Pursue the linked goals of corporate governance, performance management and risk management. Adopt a formal risk framework in the context of an integrated communications and change management strategy.

Recommended Reading and Related Gartner Research


“Sarbanes-Oxley Study Reveals Enormous Compliance Challenges,” 22 March 2004, By Lane Leskela
“Banks at Risk Over Handling of Risk Management Data,” 7 November 2003, By Douglas McKibben
“Align IT From Policy to Execution Through Business Process Fusion,” 9 October 2003, By Jorge Lopez
“Use Gartner's COMPARE Cycle to Guide Sarbanes-Oxley Efforts,” 1 July 2004, By J. Bace, C. Rozwell, D. Logan, F. Caldwell and L. Leskela
