News
No way out
16th of March 2009
Governance regulations legislate good business practice, and they are non-negotiable
THE SHEER VOLUME of compliance requirements today could make an executive's head spin: Sarbanes-Oxley, King II, Basel II, IFRS, GLBA, FISMA, HIPAA, AML ... and the list grows each year. These regulations, following malfeasance on the part of companies like Enron, Global Crossing, Tyco, Adelphia and WorldCom-MCI, cover a variety of legislations, but what they all have in common is that they are non-negotiable.
According to Grant Morgan, CTO of data centre and storage solutions at Dimension Data, the governance regulations imposed on organisations worldwide merely legislate good business practice. Barry Gill, product strategist at Mimecast South Africa explains further: "Governance can be seen as a series of best practice guidelines set in place primarily as a risk mitigation tool. You can't have a good risk mitigation environment without good governance, and you need good governance to have good risk mitigation practices. This is where compliance to legislation comes in."
Adrian van der Merwe, MD of 8th Man Consulting, points out that part of the problem with the regulatory compliance frameworks is that each brings an onerous obligation on company processes, which have to be changed to accommodate each new framework. "Sometimes the changes take years, as in the case of Basel II," he says. However, he adds that if companies can come to see this not as an onerous process, but rather as something that is essential to the protection of an organisation and its stakeholders, it becomes far more than a tick-box exercise - it becomes a way of doing business.
TOUGH TIMES
The need for governance, risk management and compliance initiatives has been thrown into sharp relief by recent international events. The recession currently sweeping the world is the direct result of poor compliance with governance frameworks and little or no risk mitigation. Van der Merwe points out that, as a result, a lot more governance will be required going forward, an opinion shared by most people in the industry.
Edward J. Pelcher, president of the local chapter of the Information Systems and Control Association (Isaca), adds that as it becomes more of an issue, it will become more relevant to business. "We will see growth in the awareness and application of good governance, and the Companies Act will become one of the key drivers," he says.
Scott Johnson of FrontRange Solutions says that governance has become a buzzword as a result of the increased awareness around the topic. "People are starting to realise the benefits," he says. "The mindset is starting to change - in the past it was a tool discussion, but it has now become a process discussion."
Clive Brindley, Solution Architect at HP Software, agrees, saying that the traction around the topic is allowing for a new kind of discussion - that of continual compliance. "Regular reviews are essential, and it is vital for businesses to embody compliance across the ethos of an organisation," he says. "Until now, industry has looked at compliance in pockets rather than as a whole, and when the auditors leave, most organisations start all over again."
According to Kevin Wilson-Smith, TQM manager at Gestetner SA, one of the reasons for this, and one of the biggest problems in the industry, is that people don't fully understand what governance means in practical terms. Like Brindley, he feels that it needs to be viewed as part of the structure of an organisation, with regular reviews of processes and procedures to ensure a continuous cycle of compliance.
TICKING THE BOXES
Unfortunately, due to the many misconceptions around the topic, compliance has become an exercise in doing the barest minimum. Amir Lubashevsky, executive director at Magix Integration, says that many companies approach it with an attitude of just getting through the next audit, and that the systems necessary to ensure effective risk management, governance and compliance are still a grudge purchase. The biggest problem, he and Gill believe, is that there are no penalties for non-compliance in South Africa. "People believe there are grey areas that they can hide behind," says Gill. This sentiment is shared by Van der Merwe, who adds that any system can be beaten. It is therefore vital that any governance, risk and compliance initiative is implemented correctly, eliminating as many loopholes as possible.
Pelcher and Winston Hayden, vice-president of ISACA South Africa, say that legislation will not eliminate the grey areas, and that the issue is, in fact, the ethics of an organisation. "Only organisations demonstrating good governance will survive the economic meltdown," says Pelcher. "The misconception is that it's all about compliance, but the balance between conformance and performance is necessary in order to achieve good governance."
Paul Bornhutter of FrontRange Solutions says the key to success is a system that has the scope to grow as an organisation changes. "The way we work and interact has to change. The world is changing, and we need to embrace the change," he says. "We should be asking ourselves how we can together drive business forward."
SMES BEWARE
And SMEs shouldn't see themselves as immune to this situation. Barry points out that while the size of an organisation determines whether governance measures need to be put in place, smaller organisations are more prone to taking risks. Allen Smith, CEO of Continuity SA, says that the reality is that SMEs are more vulnerable because they don't have the financial backing to sustain any outage. "There is a lack of awareness and a reluctance to spend," he says. "No one is educating the smaller companies on the need to implement governance, risk and compliance measures." Morgan adds that because the bigger companies have more to lose, they are more aware. "The situation is way more reactive in small companies," he says. However, he says that South African businesses - particularly those of the larger variety - have become more proactive as awareness increases.
