With Compliance, Knowing Is Better Than Guessing

Opinion: Companies should make spending decisions based on knowledge, not fear, but that's not what's happening in the compliance market.

I was walking around the vendor showcase floor at a recent conference and was amazed at the number of vendors pushing compliance-related themes. That's not all that surprising, I suppose, when estimates have pegged compliance spending at more than $15 billion annually.

Compliance, after all, is one of the easier sells because it is by and large a fear-based sales pitch. Let's face it: Companies are not spending millions of dollars a year on compliance because they can quantify their return on investment. Now we can debate the so-called rational ROI approach to buying software or services, but nothing gets a market more pumped up than fear.

My wife hates those Michelin tire commercials—the ones where the message essentially is that you are a bad parent if you don't buy Michelin tires "because so much is riding on your tires." Having said that, we all know that fear sells. Why else are we willing to stand in line at the airport while some hourly TSA employee X-rays the shoes of a 70-year-old grandmother? Fear selling rules the election process, so why not software sales?

Compliance, and the fear of running afoul of one regulatory mandate or another, is driving this spending. Rationality has been set aside while organizations scramble to address an issue that is a priority because CEOs and boards of directors view compliance as a self-preservation activity.

To be clear, I am not anti-compliance. Indeed, I believe we could all do with a bit of order, process and accountability. I just hate seeing people make decisions based on fear. Clearly, what we fear most is the unknown.

So we hire experts to explain to us how we can become compliant. I find this part a bit ironic, actually. We hire firms to assess our organization's compliance and then we seem surprised when we discover they also offer services to enable us to address the weaknesses they have uncovered.

This seems like a conflict of interest, but that's just me. It has been my experience that we don't fear that which we know. I was recently introduced to a company that provides an automated solution for helping managers monitor just how compliant the organization is. It strikes me that this is a much better approach than simply trusting in a consultant or other third party.


Monitoring an organization's progress toward compliance, or whether it is maintaining a state of compliance once achieved, has created a new software category known as enterprise systems compliance monitoring, or ESCM.

I ran across a vendor named Bendemeer Technology recently that is focusing its efforts in this area. It rightfully pointed out that consulting assessments on compliance are merely a snapshot in time and that the job of actually following up after the fact can be a very labor-intensive and time-consuming effort. Bendemeer Technology, or BT, is taking a manager-of-managers approach. BT's ESCM solution provides a platform for automatically defining any number of compliance rules and objectives and tapping into an organization's existing IT infrastructure and management tools or applications to pull information, evaluate it against rules and provide a compliance scorecard.

What I liked about the BT approach was that compliance status could be delivered in a format that managers from a C-level on down could use and easily understand. Scorecards could be viewed from an enterprise perspective or broken down for example by such compliance initiatives as the Sarbanes-Oxley Act or HIPAA (Health Insurance Portability and Accountability Act), and managers could drill into tasks that received failing scores to see who was assigned responsibility for the task.

The great thing is that BT understood that basically all the information managers need to understand their compliance status is already there (most likely) and there was no need to reinvent the wheel.


While government-mandated compliance rules may be on most people's minds today, BT's ESCM solution is flexible enough to support any type of compliance rule. Users can build in their own rules or "control statements" to evaluate any type of process. Indeed, one customer was even using the platform to monitor the progress of staff training on compliance issues. BT simply tapped into a human resources database that is updated whenever an employee takes a class.

Auditors would love this approach because it is a single platform for monitoring the entire organization's infrastructure—even tracking the history of what was done to respond to a specific failed compliance check. As a manager of managers, BT could tap into database logs, audit records, performance history databases or anything, really, to understand what the current state of compliance is on an ongoing basis.
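To make the manager-of-managers pattern concrete, here is a small Python sketch added to this column; it is not BT's product or code, and every data source, control statement, owner and sample value in it is a constructed stand-in. It shows the pieces the preceding paragraphs describe: control statements defined as rules, each tapping an existing system (an HR training database, database audit settings, access-review records), evaluated into a scorecard that rolls up enterprise-wide and per initiative (Sarbanes-Oxley, HIPAA), with a drill-down to the owner of each failing task and a history of what was done about it.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed stand-ins for the existing systems a monitor would tap into.
# (Hypothetical sample data; a real deployment would query the live HR, DBMS and IAM systems.)
HR_TRAINING_DB = {"alice": {"hipaa_privacy": "2024-01-15"}, "bob": {},
                  "carol": {"hipaa_privacy": "2024-02-01"}}
DB_AUDIT_CONFIG = {"finance-db-01": {"audit_log": True, "retention_days": 400},
                   "finance-db-02": {"audit_log": False, "retention_days": 400}}
ACCESS_REVIEWS = {"erp-prod": {"last_review_days_ago": 35}, "payroll": {"last_review_days_ago": 120}}
PHI_STORES = {"ehr-db": {"encrypted_at_rest": True}, "imaging-nas": {"encrypted_at_rest": True}}


@dataclass(frozen=True)
class Control:
    """One 'control statement': a rule, the initiative it serves, and who owns fixing it."""
    id: str
    initiative: str
    statement: str
    owner: str
    check: Callable[[], tuple[bool, str]]  # returns (passed, evidence)


@dataclass(frozen=True)
class Result:
    control: Control
    passed: bool
    evidence: str


# Checks: each pulls from one data source and reports pass/fail with evidence.
def staff_trained() -> tuple[bool, str]:
    missing = sorted(u for u, c in HR_TRAINING_DB.items() if "hipaa_privacy" not in c)
    return (not missing, f"untrained: {missing}" if missing else "all staff trained")


def audit_logging_enabled() -> tuple[bool, str]:
    off = sorted(h for h, cfg in DB_AUDIT_CONFIG.items() if not cfg["audit_log"])
    return (not off, f"audit logging off: {off}" if off else "audit logging on everywhere")


def retention_at_least(days: int) -> Callable[[], tuple[bool, str]]:
    def check() -> tuple[bool, str]:
        short = sorted(h for h, cfg in DB_AUDIT_CONFIG.items() if cfg["retention_days"] < days)
        return (not short, f"retention below {days}d: {short}" if short else f"all >= {days}d")
    return check


def reviews_within(days: int) -> Callable[[], tuple[bool, str]]:
    def check() -> tuple[bool, str]:
        stale = sorted(a for a, r in ACCESS_REVIEWS.items() if r["last_review_days_ago"] > days)
        return (not stale, f"stale reviews: {stale}" if stale else f"all reviewed within {days}d")
    return check


def phi_encrypted() -> tuple[bool, str]:
    plain = sorted(s for s, cfg in PHI_STORES.items() if not cfg["encrypted_at_rest"])
    return (not plain, f"unencrypted PHI stores: {plain}" if plain else "all PHI stores encrypted")


CONTROLS = [
    Control("HIPAA-TRN-1", "HIPAA", "All staff completed HIPAA privacy training", "HR Director", staff_trained),
    Control("HIPAA-ENC-1", "HIPAA", "PHI stores are encrypted at rest", "Security Lead", phi_encrypted),
    Control("SOX-DB-1", "SOX", "Audit logging enabled on all financial databases", "DBA Lead", audit_logging_enabled),
    Control("SOX-DB-2", "SOX", "Financial DB audit logs retained at least 365 days", "DBA Lead", retention_at_least(365)),
    Control("SOX-ACC-1", "SOX", "User access reviews completed within 90 days", "IAM Manager", reviews_within(90)),
]


def evaluate(controls=CONTROLS) -> list[Result]:
    """Run every control statement against its data source right now (not a snapshot)."""
    return [Result(c, *c.check()) for c in controls]


def scorecard(results: list[Result]) -> dict:
    """Enterprise-wide score plus a per-initiative breakdown (pass percentage)."""
    by_init: dict[str, dict] = {}
    for r in results:
        bucket = by_init.setdefault(r.control.initiative, {"passed": 0, "total": 0})
        bucket["total"] += 1
        bucket["passed"] += int(r.passed)
    for bucket in by_init.values():
        bucket["score"] = round(100 * bucket["passed"] / bucket["total"], 1)
    passed = sum(r.passed for r in results)
    return {"enterprise": {"passed": passed, "total": len(results),
                           "score": round(100 * passed / len(results), 1)},
            "by_initiative": by_init}


def failing_tasks(results: list[Result]) -> list[dict]:
    """Drill-down for a manager: which control failed, the evidence, and who owns fixing it."""
    return [{"id": r.control.id, "initiative": r.control.initiative,
             "owner": r.control.owner, "evidence": r.evidence} for r in results if not r.passed]


REMEDIATION_LOG: list[dict] = []  # history of what was done in response to each failed check


def record_remediation(control_id: str, action: str, by: str) -> None:
    REMEDIATION_LOG.append({"control": control_id, "action": action, "by": by})


def history(control_id: str) -> list[dict]:
    return [e for e in REMEDIATION_LOG if e["control"] == control_id]


if __name__ == "__main__":
    res = evaluate()
    print(scorecard(res))
    for task in failing_tasks(res):
        print(task)
```

Each check returns its evidence alongside the verdict, so a failing score on the card leads straight to the records that produced it rather than to a consultant's summary; re-running `evaluate()` after a remediation shows whether the fix actually took, which is the "state of compliance on an ongoing basis" the column contrasts with a point-in-time assessment.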

The best part about this find is that I ran across a company with a positive message about compliance—one based on knowledge, not on fear. When in doubt I always recommend knowing rather than guessing.

Charles Garry is an independent industry analyst based in Simsbury, Conn. He is a former vice president with META Group's Technology Research Services. He can be reached at cegarry@yahoo.com.
