American authorities added some sizzle to the issue of corporate governance. Who didn’t thrill to the image of corporate fat-cats being forced, practically at gunpoint, to sign their names and bind their reputations to financial reports after isolated — but huge — abuses had tarred U.S. industry with a single swindling brush?
It was an especially good-and-smug time to be Canadian, since such grasping, avaricious corporate behaviour is alien to us.
An Enron or Worldcom scandal could never happen here, as I once scribbled on the back of my souvenir Bre-X shares.
(An aside: Researching the very first story I wrote on the technology industry lo those many years ago, I discovered, through online forums like Silicon Investor, that the American perception of publicly traded Canadian companies was almost uniformly — and nearly slanderously — suspicious. But I digress.)
Perhaps we won’t have legislation à la the Sarbanes-Oxley Act north of the border any time soon, but rest assured increased scrutiny of corporate governance in some way, shape or form is coming, and technology has a role in ensuring compliance.
John Hagerty — who has the refreshingly short title of vice-president with AMR Research Inc. in Boston — is an acknowledged expert on the SOA and technological compliance. There are two approaches to SOA compliance, he says: the passive, “tell me what I do” philosophy, and the active, enforcement-oriented school of thought.
“You want to make sure people do what you want them to do,” says Hagerty, who advocates the latter. The role of technology is not to merely define business rules, but to enforce them.
Hagerty identifies four key areas where IT can police compliance.
* Business process management models and monitors key business processes to ensure standardization and enforcement.
* Document and records management — often the first phase in a compliance regimen — provides “a document repository that lives and breathes,” tracking the provenance of the documents.
* A reporting and risk management architecture that assures accountability and quickly assesses financial threats to the company.
* A security and audit control function that ensures people aren’t taking on functions they’re not supposed to — for example, defining new vendors in the system and cutting them cheques. Audit control must maintain a record of what took place in the system, when, and through whose handiwork.
Hagerty says American firms seem evenly split between three categories.
A third of them view compliance as a cost of doing business that they’ll make an effort to minimize.
Another third views it as an opportunity to improve business processes, and wring some ROI out of it.
The remainder sit on the fence, but as SOA deadlines loom, many will fall into the second camp, Hagerty believes. But that depends on the C-suite.
“Compliance is something whose tone is set at the top of the company,” he says.