NOTE: This originally appeared on this date at Quest Software's
ToadWorld, on the expert blog "John Weathington's Quest for
Compliance". The link to the actual ToadWorld article is at the bottom.
Happy Independence Day!
On this festive occasion, which celebrates our independence as a
nation, I thought it appropriate to discuss the independence of Information
Technology in a corporation’s compliance program. In other words, how
much centralization is a good thing when it comes to pulling off a
compliance effort in your company?
Compliance aside, this debate has been going on ever since the birth of
IT. I feel the classic answer of, “Well, it depends,” is a cop-out for
the intellectually curious to debate over for hours, days, or even
months, without moving an inch forward on a consensus.
So, is IT independence a good thing for a company’s compliance efforts?
In general, the answer is “No.” Of course, complete decentralization is
not the answer either; however, in my view the gauge favors
decentralization over centralization. To help you see my point, let’s
look at some advantages and disadvantages on both sides of the scale.
The Advantages of Centralization
The biggest advantage to centralization is IT governance. You might
find it odd that I’m a proponent of decentralization given that IT
governance is core to my business, but I have to call it straight. When
IT is centralized, it’s much easier to get IT governance under control.
Having the control and influence that centralization affords is key to
governing the operations that IT performs. Even data governance is
easier to manage with a centralized effort, as it’s easier to catalog
your data when your scope of visibility is wide. This can only be
accomplished in a centralized operation.
Aside from IT governance, IT centralization helps the IT function run
in an efficient manner. If you view IT as a service business with a set
of processes, it’s much easier to get your processes under control and
lean (elimination of duplication and waste) when things are more
centralized.
Finally, centralization allows the concerns of IT to be organized and
enforced. There are certain things that are good for the organization
that nobody but IT will worry about. For example, the business may
not realize that running your compliance system on a Microsoft Access
database is a bad idea!
The Advantages of Decentralization
So, let’s now discuss the reasons why a tendency toward
decentralization is the best way to organize your IT function. The
number one reason why decentralization is important is that it
affords the best alignment with the business objectives – in our case,
compliance. IT is a support function, and that needs to be remembered.
Data systems cannot build themselves. Even with talented architects, if
you ignore the real business need, you’re just practicing your skills
on something that has no value to the business. Even if you think you
know what’s best for the business, that’s not your role.
My lovely dog is a perfect example of how I see some IT shops work. I
love her to death, but she really has a mind of her own. We don’t give
her commands – to her they’re “suggestions.” One day we were all out in
the front yard, when her sister, the instigator, took off running for
no apparent reason. Obviously we screamed, “Come here right now!” On
this occasion, she decided that although this was a reasonable idea, it
made more sense to follow her sister across the street and down the
sidewalk. She came within a few feet of an oncoming car.
Don’t misunderstand me. I’m not saying IT is not valuable. In fact, in
my view, IT is the most important part of the equation. It takes a lot
of skill to be an IT professional, especially one who’s involved in a
compliance-related effort (because the stakes are usually high). Just
remember, however, that your skill and talent don’t translate into the
authority to run the show. It’s a compliance problem you’re trying to
solve, not an IT problem, so leave the requirements to the compliance
specialists.
There are some other advantages to decentralization. In general, a
decentralized organization is more flexible, which is vitally important
in a compliance environment. As you may have heard me mention before,
expect requirements on a compliance project to change – sometimes
radically and often with very short notice. The ability of a
decentralized organization to react to these changes is a big advantage.
Finally, for most IT people, being in a decentralized organization is
just more fun. IT people are intelligent people who love to learn.
Learning about compliance is actually very interesting, and it adds a
great dimension to your breadth of knowledge. Being part of something
bigger than IT, and seeing your efforts make an impact, is a very
rewarding experience.
One Part Centralized, Three Parts Decentralized
The best mix for me is one part centralization, and three parts
decentralization. Don’t take this literally; it’s just a conceptual
rule of thumb. You need to exploit all the advantages of
decentralization, while taking advantage of as much centralization as
you can.
To do this effectively, decentralize as much as possible, and build
good metrics around your compliance function. Capture metrics that
demonstrate how efficient your compliance function is, without regard
for IT specific constraints.
At this point I would formally improve (i.e., through Six Sigma) your
compliance program as much as you can while your IT function is
completely decentralized. If done properly, you should have good
control plans around your compliance processes, so you know what levels
you should be operating at.
Then, and only then, start to centralize the IT function, watching your
compliance metrics closely. The instant the efficiency of your
compliance program degrades even a small amount, stop! Centralization
cannot be allowed to encroach on your business’ ability to conduct
proper compliance.
To Centralize or Decentralize, That is the Question
Well, you have my answer.
If you want the compliance efforts at your company to be the most
effective, mix one part centralization with three parts
decentralization. Your IT organization should be completely aligned
with the compliance function of your company, flexible and adaptable to
change, and the people should be having fun. This is unequivocal.
With this specification firmly in place, you should strive to be as
centralized as you can, eliminating redundancies and administering
proper governance.
If your compliance efforts are not where they need to be, analyze your
level of IT centralization. You may find that you need to decentralize
a bit, to obtain optimum performance.

I would also like to tell you some more about IT Governance and Compliance.

IT governance, risk and compliance (IT GRC) is about striking an appropriate balance between business reward and risk. The maturity of IT GRC practices for managing reward and risk has a direct impact on the organization. IT GRC encompasses the practices for delivering:

- Greater business value from IT strategy, investment and alignment,
- Significantly reduced business and financial risk from the use of IT, and
- Conformance with policies of the organization and its external legal and regulatory compliance mandates.

IT GRC energizes the entire organization to imagine what it can achieve, establishes methods for achieving their objectives, and demonstrates the practices that are proven to work for minimizing business and financial risk. Fundamentally, IT GRC is about striking an appropriate balance between business reward and risk, enabling an organization to more effectively anticipate and manage business risk while more effectively delivering value for the organization.

IT governance, risk, compliance, IT GRC, White paper, compliance survey report, 2008 compliance report. You can also get more information from http://www.compliancehome.com/symantec/
Posted by: Jack | July 11, 2008 at 03:57 AM