Regulatory concerns over operating risk have risen to the top of the corporate agenda with the advent of new regulations, such as the Basel II Capital Accord and Sarbanes-Oxley. In an increasingly globalised marketplace, international organisations have to address how they can be globally compliant to disparate legislation.
First there was Sarbanes-Oxley
Passed in 2002, the Sarbanes-Oxley Act is the most significant change to American federal securities laws, affecting corporate governance, financial disclosure and the practice of public accounting, since the US securities legislation of the early 1930s. Listed companies and the accounting profession are under tremendous pressure to meet the rigorous requirements of this legislation in a relatively short period.
One of the greatest challenges involves new demands on the process by which organisations store, protect and recover their business critical data – known as data protection management. The complexity of enterprise data protection and the continued explosion in total data under management has made it difficult to certify that procedures are meeting the expectations of the new regulations.
Then Basel II
In the US, round one of the Sarbanes Oxley compliance battle is in its last stages, while in Europe, many organisations are still girding for Basel II, with the compliance deadline of 2007 fast approaching.
Basel II is an international accord developed by the Basel Committee for Banking Supervision. It was implemented to ensure that the assessments of the banks’ own investments and loans were more sensitive to credit and market related risks. It requires organisations to hold capital expressly related to operational risk; specifically loss resulting from inadequate or failed internal processes, people and systems, or from external events.
The new requirements are a significant test of the capabilities of existing information systems, in which there are often already serious flaws. The far-reaching scope, and the lack of specific procedures to be followed leaves organisations to navigate the waters of compliance management on their own. Some are still unsure as to how they should be storing data and exactly what they should be keeping in order to comply.
A key consideration for international financial institutions is how they manage and adhere to twin compliance, and whether these two operational mandates are in fact in conflict with one another.
The Sarbanes-Oxley Act applies to all US public corporations (including those based outside the USA), while Basel II covers financial institutions in over 100 countries. Sarbanes-Oxley primarily aims to restore investor confidence by addressing issues such as financial reporting, conflicts of interest, corporate ethics, and accounting oversight. Under Basel II, financial institutions must more actively manage operational risk in order to reduce capital reserves and it places a greater emphasis on a bank’s own assessment of the risks to which they are exposed in the calculation of the regulatory charges.
To be successful a common framework and governance model is required for both sets of regulations. Both set operational requirements and new standards to manage policies, undertake training, perform analysis and enable reporting. In effect, Sarbanes-Oxley and Basel II are complimentary, not competitive mandates for operational compliance and should satisfy the needs of shareholders and credit regulators alike.
However, the fact that both regulations demand widespread operational changes and the adoption of new tools and systems does create real competition between them in one key aspect: The significant cost and prioritisation of resources necessary to meet the compliance guidelines.
Lessons learned by Sarbanes-Oxley and Basel II
Building and managing an effective internal control structure and instituting new procedures for financial reporting and ongoing compliance are continuing to cause headaches for organisations preparing for Sarbox deadlines.
Compliance is no longer an issue just for accountants, regulators and auditors; the operational impacts are broad and touch virtually every department within an organisation. At the centre, information technology services and the technology staff bear the brunt of the changes necessary to comply. Building a compliant organisation is a block by block process, but the impact on people and processes is often underestimated.
There are no systems shortcuts, or all-in-one compliance solutions that eliminate the need to work within the legacy systems infrastructure, modify processes, and account for the human element. In data protection, at a tactical level, this means working to provide the necessary visibility and information critical to enabling process optimisation and the establishment of standards.
To ease the burden, companies should begin assessing data policies and performance right now to get a baseline understanding of where they stand. Performance gaps can be remedied, processes can be standardised, and the evolution toward best practices can get underway. Companies working towards compliance need to think ahead and consider the issues that the legislation will create. How will your organisation deal with these issues on a long-term basis and what policies and procedures should be deployed?
A noteworthy by-product of Sarbanes-Oxley has been an increased demand to measure Service Level Agreements (SLAs) to match internal IT policies and controls with the requirements set by government regulations. Organisations now want to measure their performance and provide proof that they are delivering results via standarised reports, across the entire business. This means establishing the process to quickly find and fix compliance issues with targeted troubleshooting reports and creating an auditable trail for compliance records.
Ultimately, both Sarbanes-Oxley and Basel II push for greater operational visibility and ensure employees have what they need to evolve and comply with corporate policies.
While expensive and time consuming, new regulations have prodded organisations into improving their core business processes and developing greater efficiency in their data management, security and protection procedures. In the quest to eliminate so-called ‘creative accounting’, organisations may well find that they have helped themselves become more efficient and profitable in the long-run.