Organizations currently face intense pressure to comply with several complex regulations, including Sarbanes-Oxley, HIPAA, the Gramm-Leach-Bliley Act, FISMA, California's SB 1386, and others. Unfortunately, companies must abide by these laws in an already heightened cyber-threat environment where IT resources are constrained.
These threats are not like Y2K, a huge hype bubble without substance. The ability to siphon valuable information from companies is spawning criminals eager to exploit a company's weaknesses. This can have disastrous effects, because even the smallest non-compliant business decision can lead to a data breach that risks damaging a company's brand integrity and consumer confidence. But compliance can be pricey.
According to Gartner, companies spend an average of $2 million on SOX. Even though these organizations are investing vast resources in compliance, they still fail to meet requirements. The American Health Information Management Association (AHIMA) reported that only 18 percent of hospitals and health systems can prove compliance with HIPAA security regulations, and Gartner announced that two-thirds of all companies discovered material weaknesses in controls this year, with audit deficiencies expected to double through 2008.
These control failures can significantly harm business productivity. Fraud cases cost companies about $15,000 per occurrence, and IT departments spend an average of 175 hours on remediation following a security incident. Gartner said that by 2006, 20 to 30 percent of Global 1000 companies will suffer exposure due to privacy mismanagement. Companies could easily spend $5 to 20 million to recover from each incident. These figures also do not account for the millions that could be lost through intellectual property leakage or brand image deflation.
Organizations must build a culture of compliance in order to reduce these risks and meet regulatory demands. This culture grows most effectively when people, processes, and technology combine to provide an effective, measurable and repeatable operating framework that delivers long-term results.
Sometimes, businesses struggle to bring this culture to fruition. When evaluating their regulatory compliance strategy, one of the most common missteps companies make is restricting compliance reviews to small groups, usually limited to the board of directors, auditors, and some senior management. Such limited involvement readily translates into inadequate performance.
However, broader evaluation and measurement can greatly enhance a company's productivity. Regulatory compliance-based measurements and controls can continually identify and improve ineffective internal business and technology controls. Businesses can significantly improve their results by integrating regulatory compliance activities with business process improvement programs.