The Cost of Compliance

For decades, CIOs have struggled to define information technology as more than a cost center, a necessary evil, or administrative overhead. Many have argued that IT is a set of valuable, strategic tools that can increase revenues, dramatically reduce costs, and even spur brand-new business models. And very real strides have been made toward making that case. But the current wave of burdensome regulation threatens to push CIOs further onto the cost side of the ledger, undermining much of the momentum that has been gained in recent years.

Of course, when it comes to griping about Sarbanes-Oxley and HIPAA, not to mention other regulations, the government is Enemy No. 1. But the IT department runs a close second. AMR Research says spending on Sarbanes-Oxley compliance will hold steady in 2006, at $6 billion, but the percentage spent on IT will increase, with overall IT dollars spent on compliance hitting nearly $2 billion.

That’s not making many CFOs happy. But there is a method to the spending madness. Among the reasons for increased IT spending on compliance is that companies are using technology to reduce the overall cost of compliance by automating processes and winnowing the armies of auditors and consultants hired during the early SOX panic. Indeed, says AMR, IT spending will reduce headcount, and will ultimately lead to decreased spending on compliance.

In the meantime, savvy CIOs can show the bean counters the flip side of the compliance coin: IT is helping companies navigate “a perfect storm” of corporate pain, expense and struggle brought on by compliance demands, says Alex Fowler, a director in IT risk and compliance (and coleader of the national privacy practice) at PricewaterhouseCoopers.

Fowler says IT is deeply involved with compliance in ways it has not been before, because companies need systems to track and verify things such as emissions from power-plant stacks, the security of networks, and appropriate financial controls. All of which makes IT an ever more critical part of the enterprise.

There’s no getting around the cost issues, Fowler concedes: Compliance is an essential cost of doing business. But CIOs can demonstrate how technology reduces the complexity and cost of compliance: “Smart organizations will look to IT to gain strategic and measurable efficiencies” in their compliance efforts, he says.

Another perspective on the role of IT actually turns the tables. Eric Brown, an analyst at Forrester Research Inc., argues that the increasing importance of IT in the organization has actually led to the increase in regulation.

“Because IT is more important, it has become more regulated,” Brown says. This is particularly true for HIPAA legislation. “Look at healthcare technology over the past few years. Health plans have individually identified patient information, which is now aggregated in a way that can be used to more powerfully manage people’s health. And this information could, if released, also do damage to people’s lives.”