Can Real Business Value Be Gained from Sarbanes-Oxley?By Marcus Blosch | Posted 05-01-2004
It's good to be optimistic, and CIOs have some reason to be. More than 87 percent of respondents think their top executives take Sarbanes-Oxley compliance seriously, and, since executive sponsorship is the single most important success factor for any project, it's not surprising that almost the same percentage of CIOs think their companies will be compliant by their deadline.
Most CIOs, however, think they'll get something more than bare compliance for their efforts, and we wonder if that's being a bit too optimistic. Almost half the CIOs who responded to the survey said their companies will do the minimum necessary to achieve compliance. Can those CIOs really get valueimprovements in business processesthat they haven't paid for?
CIOs cite problems with data structures, difficulties ensuring adequate security and business continuity, and variations in infrastructure between business units as three of the top four obstacles to compliance. These issues are closely related; they are the result of years of building information systems one-by-one in complex organizations, where data definitions, business rules and operating procedures are set department by department. A big company might have dozens of definitions built into its information systems for something as fundamental as a "product" or a "customer," and it might have hundreds of conflicting business rules for managing the data. For a company that's grown rapidly via mergers and acquisitionsas many have over the past decadethe problem is compounded.
In theory, dealing with these issues should be straightforward: Analyze and document data definitions, values and business rules; then compare and reconcile as necessary. In practice, however, this is a demanding, time-consuming exercise that requires knowledgeable business analysts and programmers. Gartner Research estimates that over 70 percent of the effort spent on a typical data-warehouse project is devoted to data analysis. And where the data is concerned, complying with Sarbanes is not much different.
Have CIOs underestimated the effort required to do all that analysis? There are signs that some CIOs are feeling the kind of pressure that goes with an unexpectedly big job. CIOs also cited "inadequate IT budget" as one of the top four obstacles to complianceand that's just another way of saying that the problem is bigger than the solution. There are three ways to deal with the situation: Get a bigger budget, exceed the budget (for time, money, or both), or cut the scope of the project down to something that can be done within the budget.
It appears that many CIOs in our survey are choosing the third approach. Almost half said that their enterprises would do the minimum necessary to become compliant. In effect, that means they'll focus primarily on financial data and systems.
the minimum enough? Only if you want minimum returns. In March, Gartner's Executive Programs group published a survey of almost 1,000 CIOs worldwide. Respondents cited enabling new products, business intelligence and process improvement as the biggest new IS priorities. Standardized data about customers, products, services and operations are essential to these ambitions. Limiting the Sarbanes-Oxley cleanup effort to financial data may cost CIOs, and those costs may not be very far down the line. Those survey respondents who see Sarbanes-Oxley as a significant business disruptionmeaning they're putting more effort into itare also most likely to think they're going to get business benefits. We think they're right.
In the last decade, businesses have funded big waves of IT spendingon client-server technology, e-business, Y2K, ERP, CRM, and now Sarbanes-Oxley. It's not surprising that many businesses want to spend as little as possible to solve this one. It's probably too late for many CIOs to scope their compliance projects to include information that would really improve their customer- facing business processes. But they'll get another chance, because the need to do so will remain long after compliance deadlines have passed.
Richard Hunter and Marcus Blosch are vice presidents at Gartner Executive Programs.