Down To Business: Time To Regulate The Regulations?

Most people never met a regulation they didn't like. A growth company you hold stock in found cooking its books? Make it so that no public company can lift its head without establishing absolute financial accountability. Your insurance or health-care provider expose some of your personal information to the public? Demand laws that require every data collector to meet stringent guidelines on storage, security, and handling. Someone unwittingly send you a worm or virus in an E-mail attachment? Push for mandatory courses on security and etiquette for all Net newbies. Hamstring the masses for the sins of a few. We'll worry about the direct and indirect costs later.

When it comes to the mother of all regulations, Sarbanes-Oxley, CEOs of most fast-growing privately held companies like what they see. In a recent survey by PricewaterhouseCoopers, 73% of private company CEOs said SOX has done at least a decent job of improving financial governance and transparency for public companies. One in four of those private companies has voluntarily adopted SOX "best practices." So should Sarbanes-Oxley be applied broadly to their companies, not just to public ones, at the state or federal level? Uh, no. That would be overkill, they say. In fact, more than a third of those same CEOs believe that private companies enjoy a competitive advantage over publicly traded companies precisely because they don't have to run the same gauntlet of regulations.

Those who manage information technology for a living can relate. You're becoming slaves to compliance, not just with the SOXs and HIPAAs, but also with tech-oriented guidelines like ITIL and COBIT. These regs certainly do some good, ensuring uniformity, quality, transparency, privacy, and proficiency, but as they take on lives of their own, they instill a false sense of accomplishment. And they can chew up resources that would otherwise be driving new business. By one estimate, organizations will continue to spend as much as 10% of their IT budgets for the foreseeable future on information security, storage, archiving, content and data management, business process management, disaster recovery, and other upgrades related to regulatory compliance.

"There are weeks, even months, that go by when I don't feel like I'm doing anything for my company because all I'm doing is complying with Uncle Sam," says one frustrated VP of IT. In this post-9/11, post-Enron, post-ChoicePoint world, he and his colleagues are doing a lot of retrenching, rationalizing, and track covering. They're safeguarding "sensitive" digital assets no one covets, storing and archiving terabytes of data no one will ever access. "It's just insane," the VP says.

Says another IT exec: "I'm not driving jack. I'm being driven. We're all being driven by lawyers."

The heavy lifting isn't over. Back to SOX: In a separate survey by PricewaterhouseCoopers last July, nearly half of the executive respondents said their public companies made only satisfactory use of information technology in year one of their Sarbanes-Oxley 404 financial compliance efforts, citing "lots of room for improvement." Three-quarters of those execs expect their companies to make significant IT changes in year two.

SOX is just one of scores of regulations business-technology managers must grapple with. We received an E-mail last week on guidelines from the Federal Financial Institutions Examination Council that stipulate how financial companies must prevent identity theft through use of strong authentication. Evidently, these guidelines are creating "markets and jobs," according to the E-mail, by spawning a cottage software and services industry.

Now, we can all agree that preventing ID theft is a laudable goal, but to position a set of regulations as a kind of New Deal jobs program is more than a little over the top. We can see the 2008 political party platform now: Prosperity Through Regulation.

Rob Preston,
VP/Editor In Chief
[email protected]

To find out more about Rob Preston, please visit his page.