IBM's Vice President, Security Counsel, and Chief Privacy Officer Harriet Pearson told CMSWire during last week’s IBM Pulse 2010 event that compliance consultants really should know how to apply regulations and mandates to working IT processes, such as document and record management. Leaving the interpretation of regulations to the IT department is just begging for disaster.
Consultants working on document and record management processes should therefore combine regulatory expertise with IT-process know-how, so that compliance can actually be achieved. When new laws are passed, standards are updated, or new mandates take effect, consultants should be able to spell out how the new requirements get worked into business processes, Pearson says. “It is a matter of saying, ‘here is what we think is required, now let’s address it to the context of what we are doing, and figure out how we manage it,’” Pearson says.
Consultants who merely pass along summaries and descriptions of new regulations, by contrast, only add to the cost of changing processes to achieve compliance.
Pearson says studies show, for example, that “if an organization undertakes a compliance project every time there is a new mandate, then the cost of compliance is [a] huge number compared to what it would actually cost if you were to do it in a more integrated fashion.”
Leaving Interpretation to IT is a Disaster
What has happened in the past is that consultants, as well as in-house compliance experts, privacy officers, lawyers, risk managers, or “e-discovery types,” have often merely put the network managers and the IT department on notice about new regulations, “which is a disaster,” Pearson says. “[The IT department] then has to interpret it themselves and they don’t know what it means,” Pearson says. “You then end up adding work and replicating complexity to your guidance to whoever has to do it.”
Instead, consultants need to distill the essence of new mandates and compliance measures and communicate exactly which processes need to change, and how, in order to comply. “What are the foundational elements we have to do to achieve compliance?” Pearson says. “That becomes what the business departments need to do.”
A Unified Approach is the Solution
In-house, at IBM and other companies, Pearson says there are people like herself who hold roles such as chief privacy officer, compliance expert, privacy officer, lawyer, risk manager, or “e-discovery type.” “The guy or gal who gets e-discovery hung on their head has to find and manage, retain, or get rid of the data. As a consequence, they need to deal with the enabling technology or figure out a strategy for it, but their main focus is on data,” Pearson says. “So the concept of data governance, data-sensitive security, data management, compliance in the data space, and data risk emerges from this group of people. And their decisional behaviors are influenced by what they see through the lens of data as an asset or a liability kind of question.”
Then, in the IT department, there are those who work as data network engineers or in cyber security, whose job is to detect and mitigate attacks. “What I have been seeing over the past five years is that [the compliance experts and the IT department] had not been talking, like very strong silos. But what is happening is that the barrier between the two does not exist,” Pearson says. “There is one unified approach to managing risk, enabling compliance, and innovating business innovation.”