<body>

Tuesday, February 01, 2005

IT's latest windfall... IT directors are using regulatory compliance to justify a new wave of technology investments.

By Tim Bradshaw - Infoconomy

It is being called the 'compliance dividend'. The unprecedented raft of new business regulations either recently brought in or looming into view is spurring a fresh wave of technology investment on at least a par with the last two great IT 'dividends' - Y2K and the Internet.

One head of IT at a financial institution, who prefers to remain anonymous (for obvious reasons), tells Information Age that he has been successfully pushing through business plans for IT projects that had lain fallow for months, if not years.

The thing to do is to liberally spread the word 'compliance' around the plan, apparently. Do that, he says, and the chances are, CEOs and chief financial officers - particularly those who have to personally sign their company's financial statements under the so-called 'Sarbanes-Oxley' Act, and who thus face personal fines (or worse) for non-compliance - will enthusiastically back the proposal.

Feeding off paranoia is a good start for any business plan. One sign that things, especially since Enron, have got a little out of control is the fact that there were no fewer than 323 financial restatements in the US last year - up by one-fifth since 2001. Companies have become extremely cautious about filing the wrong numbers. Many would rather face a short-term PR disaster than risk being found to have fallen foul of a particular regulation.

Happily for IT directors, the need to comply covers a lot of potential areas of investment. Not that this need matter much to decision-makers, but none of it comes cheap. IT sector analysts at the Meta Group think that banks complying with the Basel II risk-management accord will each spend between £15 million and £25 million on relevant IT projects. (The overall cost, including IT spending, is likely to be around £130 million for the biggest institutions.) Add a few more zeroes to the IT bills of companies that must comply with Sarbanes-Oxley, not to mention Turnbull, Higgs and International Accounting Standards, and you are getting closer to the true cost of compliance.

A poll of 166 senior executives around the world, commissioned by Changepoint and conducted by the Economist Intelligence Unit (EIU), found that compliance is spurring 59% of companies to invest "heavily" in existing IT equipment, while 34% are buying whole new systems.

There is evidence that bigger budgets for compliance are pushing up salaries, especially in the financial services sector - in a possible repeat of the Y2K pay hike. One survey found that salaries for IT vacancies in the City of London were 15% higher in March 2004 than six months earlier. Recruitment experts describe "desperation" within senior management seeking the right IT skills.

It is good news for vendors, too. "It's the greatest thing in the world," says Phillip Strand, a global strategist for business intelligence software company SAS Institute. Dave DeWalt, CEO of Documentum, EMC's content management division, says: "We're seeing a highly accelerated business model for compliance, which is perhaps as big if not bigger than the justifications of the Internet were."

Buying habits are also changing. "The decision is coming from much higher in the organisation, which makes a world of difference in terms of spending on technology," says DeWalt.

That is creating a golden opportunity for career development. "This is the situation that will get the CIO on the board," says Mike Davis, an analyst with the Butler Group. "The CIO is the only person who has the breadth of understanding and can put together the strategy that can help an organisation be compliant."

Only the CIO, Davis argues, is in a position to judge which tools will keep the management team free from unwanted attention from regulators. Reporting, records management and business processing software, for example, might not have been deemed sufficiently critical to warrant investment before, but post-Sarbanes-Oxley, they can suddenly seem vital. And as such software can only operate effectively on secure foundations, the CIO has the perfect excuse to invest in that data centre that had failed to get funding before.

The scale of the new regulations' boost to IT investment is being compared to the Y2K panic, when whole systems were overhauled just to make sure they could read the correct date. But unlike Y2K, regulatory compliance has no end point, no midnight deadline. "Compliance is bigger [than Y2K]," says Anita Bradshaw, a senior industry analyst at CSC. And the regulations just keep coming: a tough new auditing directive from the European Commission, for example, was announced as recently as March 2004.

Analysts say that even small, young companies might need to show good governance, say, to qualify for venture capital funding. Although in theory Sarbanes-Oxley only applies in the US, so many European companies have partners or subsidiaries there that its standards have become international. Such a culture of honesty and transparency gives the right impression to customers as well as auditors. "There is a general shift in the world outlook," says Peter Thomas, VP of IT management for Chubb Insurance.

David Weymouth, CIO of Barclays Bank, has heard a lot of sales pitches on the subject. "All the vendors are saying, 'Upgrade to our latest system and that will be as close as you can get to complying'," he says.

Weymouth acknowledges that rules on direct marketing, for example, have enabled Barclays to "completely clean up" its postcoding system: "Over the last three months we've sorted out 80,000 data issues that were around integrity of data and matching data." This initiative, he says, along with data warehousing and customer management projects, may not have occurred without a need to address new regulations.

Some argue that the benefits to IT from such regulations go further than just being a handy hook for a difficult business case. CSC's Bradshaw says it ushers in a new interdependency that could bridge the traditional gap between the business and IT. "It's alignment with the business and getting that link more and more self evident in everything that you do. Now there is a logical business reason for everyone talking to each other," she says. "The most exciting thing is that it is bringing technology higher up in the organisation."

The EIU/Changepoint survey, which found that in 63% of organisations senior IT personnel were not involved at a strategic level when planning the company's compliance programme, may suggest that this is overstating the case. And SAS's Strand gives an example of one customer which told him that, out of a total expenditure of $32 million to comply with Sarbanes-Oxley, less than $1 million was spent on software.

Even if a substantial sum of money is granted to IT, Bradshaw warns that too radical an overhaul of IT systems might "throw the baby out with the bathwater. Integrating new systems is inherently risky. If you can adapt what you've already got, you're way ahead."