Why Regulatory Compliance Remains Important

Stephen DeAngelis

June 13, 2006

The latest shady business practice to come under the bright light of the press is the selective backdating of stock option grants to executives. Stocks, as anyone who invests knows, are volatile. Executives have taken advantage of this volatility by dating stock options at the nadir of their company’s stock price, thus maximizing the worth of their options. Buy low, sell high. The latest company to be caught up in this investigation is Monster Worldwide, the parent company of the job search site Monster.com [Associated Press, “Monster Is Subpoenaed,” The New York Times, 13 June 2006].

Whenever greed finds a weakness in character, criminal activity can’t be far behind. The passage of legislation like the Sarbanes-Oxley Act is keeping compliance at center stage in the business world. As a result, more and more analysts are coming to understand that a more systematic (automated) way of dealing with compliance is required. The latest such analysis comes from Michael Rasmussen, a Vice President at Forrester Research:

“Enterprise risk management (ERM) entails the effective management of risk to realize opportunity while navigating adverse events. Forrester believes that business demands, increased regulations, and greater risk exposure are driving firms to take a structured, centralized approach to governance, risk, and compliance (GRC) that will become the hallmark of ERM.”

This “structured, centralized approach to governance, risk, and compliance” is gaining steam. I believe that Sarbanes-Oxley is going to separate weak public companies from the strong ones. Strong companies understand that SOX is the “ante” they must make in order to stay in the game, but they are going to ensure that ante is as small as possible and, when possible, turn it into a competitive advantage. Weak companies will continue to throw manpower and money at compliance challenges in a much more ad hoc way. This latter strategy will eventually make them uncompetitive — hence non-resilient.

Rasmussen is going to lead a teleconference discussion on “Monitoring Risk with Enterprise Risk Dashboards.” While I agree that dashboards are a great idea, Rasmussen doesn’t go far enough in fostering their use. Resilient Enterprises are going to have to monitor all critical business processes using dashboards, not just compliance. That’s why I’m such a great proponent of service-oriented architectures and business process layers that can be used to embed rule sets that drive business processes right in a company’s corporate DNA. In fact, that’s a subject I’m addressing today at the DC Area Service-Oriented Architecture Users Group.