With the heightened focus on corporate governance in general and compliance in particular, companies are weighing more than ever the potential effect of technology on their compliance programs—both to get the job done, and to make the job more complicated.
The blueprint to see how technology can help or hinder compliance efforts is a “technology roadmap.” Exactly what should be in that roadmap depends on whom you ask, but whatever its precise contents, experts say the need for one has come into sharp relief in today’s regulatory environment.
“Post-SOX, as we consider almost every piece of the technology landscape, we have to ask the question, ‘How will this impact, positively or negatively, on our compliance?’" says Robert Worrall, vice president of information technology at Sun Microsystems.
Sun has been used technology roadmaps since its inception, Worrall says. The company has roadmaps for “every major technology area of concern: one for networking, another for security, one for storage, and the list goes on and on.”
“They’re such a fundamental part of our planning process that it’s really a requirement every year as we look at which business initiatives we’re going to support or invest in for the coming year,” he says. “Just like we consider the human resource need for those initiatives, we look at which technologies we need.”
Kent Anderson, managing director of Network Risk Management Corp. and a member of the Information Systems Audit and Control Association, agrees that compliance is “obviously much more important” post-Sarbanes-Oxley. “Roadmaps can be used to help the company figure out how to meet its business objective of compliance. They’re one of several tools C-level certifying officers can use to help ensure compliance with Sarbox.”
As more regulatory and compliance-oriented requirements arise, Anderson says executives need processes “to guide them and to provide documentation that they’ve done their due diligence and due care. A technology roadmap is a very powerful tool for doing that.”
According to the Open Compliance and Ethics Group, having a roadmap does make a difference as companies develop and structure their governance and compliance programs. A recent OCEG survey of 272 compliance executives found that those who had an IT roadmap were more likely to feel that their current technologies met their needs. While over half of respondents didn’t have a roadmap, among those who did, 58 percent said their current technologies met their needs, compared with just 15 percent of those without roadmaps.
A technology roadmap not only can help align the company’s investment in IT with its compliance strategies and risk profiles, Anderson says. It also sends a valuable message to top executives and the board, that compliance executives do have a plan to do their jobs, and “provides a transparent and common understanding of the organization’s technical strategy.”
Building A Roadmap
At least as a concept, IT roadmaps “have been around long time,” says Denis Desjardins, a principal with technology management consulting firm The W Group. At the most basic level, Desjardins describes a technology roadmap as “a marriage between what’s happening in the business and what’s happening in the technology world.”
The scope and complexity of a roadmap—including whether it should encompass governance needs—depends on the size and complexity of organization itself. “All companies need one,” Desjardins says, “but the extent of the roadmap—the level of detail and the comprehensiveness—is a function of the business and the way it’s managed.”
At Sun, a 15-person IT strategy and architecture function, led by Worrall, is assigned with defining various technology roadmaps used by the $11 billion company. “We don’t have a specific technology roadmap for compliance, but compliance is baked in to all of our other tech roadmaps,” Worrall says. “Our roadmaps highlight all of the things that affect our compliance initiatives across the company.”
Worrall’s team examines the roadmaps quarterly and updates them as necessary, depending on changes in Sun’s business efforts or on the technology landscape. The results of those efforts are published annually in a comprehensive enterprise architecture document, but changes made throughout the year are made available internally on real-time basis thought the company’s internal portal.
In addition to updating roadmaps for their designated areas, the team members help in the deployment of the solutions. “They translate the roadmap into an engineering specification that can be used by our operations team to make the solution real,” Worrall explains.
Ted Frank, co-chair of OCEG’s technology council and president of governance software maker Axentis, says roadmaps can be developed in many ways so long as they are “collaboratively developed by the operating personnel and IT personnel.”
In addition, Frank says, a road map must be tied to a strong strategy for the business function in question, whether it be compliance or anything else. “A roadmap does not—and should not—exist in isolation,” he says. “It should be a supporting document to an over-riding operating plan or strategy for a business function.”
To make a roadmap successful, Anderson stresses that someone at the senior management or C-level of the company must also “own” the roadmap and ensure that its goals are followed. In addition, he says, companies should treat their roadmap as “a living document” and review it at least annually to re-evaluate compliance obligations and business strategies, as well as new technologies that might help compliance efforts. “It’s like many initiatives in that people have good intentions, but following through long-term is often difficult,” he says.
Desjardins agrees. He says many companies “make a concerted effort to develop a roadmap, and then literally and figuratively put it on a shelf and never update it.”