Compliance with new federal regulations that address security, privacy, and corporate accountability will have a broad impact on IT operations at many organizations.
Some companies will likely take on additional IT staff to help cope with the added burden of compliance work. Some will delay technology initiatives in order to fast-track compliance efforts while others will speed up IT projects that help the organization reach compliance goals.
Among the regulations having the biggest impact on companies and their IT organizations are the Health Insurance Portability and Accountability Act (HIPAA), which is designed to secure electronic patient information; the Gramm-Leach-Bliley Act (GLBA), which requires banks and financial services firms to protect customer data; and the Sarbanes-Oxley Act, which requires all public companies to back up financial statements with proof of the procedures and controls in place.
Compliance is reminding some people of another, recent event that led to a surge in IT activity and spending: Y2K. This time, however, there’s no “end-time” for the event; compliance is something that must continue as long as the laws are in effect.
Research firms expect regulatory compliance to have a big impact on business and IT. AMR Research Inc. in Boston estimates that companies will spend up to $2.5 billion for Sarbanes-Oxley compliance in 2003, and says 85% of companies predict the law will require changes in their IT and application infrastructures.
Nearly 77% of companies surveyed by AMR said they will spend more on IT, business process change, corporate governance, and/or consulting this year as a direct result of Sarbanes-Oxley compliance. Frost & Sullivan in New York estimates that businesses spent $270 million in 2002 to comply with HIPAA.
John Hagerty, vice president at AMR, says the firm expects spending on Sarbanes-Oxley compliance to increase significantly in 2004, and that a growing portion of the spending will be IT-related. Hagerty says compliance has become a top priority for many businesses, but IT has not yet felt a major impact. That will change soon enough, he says.
“Over the next 12 months and beyond, IT will get more and more involved, as companies put together their plan of attack to get to compliance,” Hagerty says. Among the key areas that will draw on IT resources, he says, are documentation and records management; storage; business process management; risk management and business intelligence; and security and business continuity.
IT managers should be prepared to support two major components of compliance, says Michael Juergens, a principal at consulting firm Deloitte in New York. One is the actual work to get applications and systems to meet regulatory standards, and the other is implementing and supporting tools that help companies achieve compliance.
“Most of the time an IT environment is not compliant with regulations,” Juergens says. “For example, with HIPAA you’ve got some privacy requirements for data and in many cases the way data is stored isn’t fully encrypted and doesn’t meet the regulations. [IT] needs to prepare the data so it is compliant. That takes time and effort.”
Many companies are deploying software products to help with compliance, particularly for Sarbanes-Oxley, Juergens says.
May Prompt IT Hiring
“As they implement tools the IT department has to get involved in supporting these tools,” he says.
Analysts believe compliance may lead to the hiring of IT staffers at some organizations. For example, Juergens says, Sarbanes-Oxley calls for organizations to have good internal controls such as the segregation of specific duties. So if a company has one person serving as the security administrator and database administrator, it will likely have to hire someone to take on one of the functions.
“A number of our clients are looking to add people because of the new regulations,” Juergens says. “They’re looking for people with skills like encryption.” But he says the needs will span from data engineers to senior managers with experience in compliance work.
Hagerty also expects to see companies adding IT staff for certain areas of compliance when there’s no one on staff to handle particular tasks.
“But this isn’t a license to hire,” he notes. “Companies will augment their resources as much as they can, and in some cases they will hire consultants so they can fill the gaps with contracted resources.”
Watson Wyatt Worldwide, a financial services and technology consulting firm in Washington, is already feeling a significant IT impact from compliance and is having to make do without adding staff.
“There’s a tremendous amount of work to be done and so far we have not been able to get any headcount added to deal with it,” says Jeffrey Held, chief technology officer.
Held says Watson Wyatt has delayed some IT projects in order to deal with more time-sensitive compliance issues. Efforts such as software upgrades and new application development are being delayed as the firm works to be compliant with HIPAA and Sarbanes-Oxley, he says.
“Compliance has pretty hard deadlines and it’s something we have to do,” Held says. “We have consultants working with us on Sarbanes-Oxley but we’re not hiring individuals to deal with that. The good news is we haven’t been asked to reduce [IT] headcount.”
He says if business picks up it’s possible Watson Wyatt could add personnel, but in the meantime “we just have to be more efficient.”
Some organizations will actually speed up IT initiatives in their effort to be compliant with regulations, Hagerty says. For example, the Sarbanes-Oxley law “gives organizations a reason to streamline business processes,” Hagerty says. “This may have been on the docket for some companies and will now be accelerated.”