Leading companies are focusing resources on how they can better integrate compliance enterprise-wide as a part of everyday business operations and decision making. Companies that once were more likely to invest in compliance programs because they had to are beginning to invest because they want to, seeing the value proposition in technology-enabled compliance measures that also improve business processes and performance. One of the drivers of this new mind-set - in fact, its primary enabler - is information technology.

IT is often the expert in a company at facilitating broad business process improvement because of its instrumental role in Sox compliance, ERP implementation or other transformational projects. That gives IT and the CIO a justifiable seat at the executive table when compliance strategy is planned and strategic business goals are set. One way IT can help is by cataloguing what rules, regulations and laws specifically apply to the company. While obtaining this information may not be its sole and precise responsibility, IT can create a robust infrastructure and repeatable mechanism for identifying and tracking any overlaps, inconsistencies, and conflicts. Though no one department is responsible for company-wide compliance, IT is unique in its ability to move well beyond the four walls of the data centre in response to its expanded mandate to create value, rationalize costs and manage risk for the entire enterprise.

Conducting a risk assessment will help determine what regulations require full compliance, what's most important in terms of the company's definition of its own risk profile and where to focus corporate efforts in the expanding compliance universe. This will also determine the extent to which outcomes of the assessment are integrated into other business processes, such as strategic planning, internal audit or compliance training, and whether there are regulatory or compliance risks associated with doing business in other countries or other industries.

IT can also identify the current state of the company's compliance controls, processes and capabilities. Many existing IT investments - ERP systems, reporting systems and controls monitoring systems implemented specifically to support Sox compliance - can be leveraged to improve the company's overall compliance position.

Why It's Worth the Effort

The objective of risk convergence is to establish an integrated approach and consistent set of processes that reduce redundant control activities, eliminate duplication in the business units, drive down costs and support strategic decision making. Convergence can reduce compliance gaps overall and risk management fatigue in the business units. It can facilitate a risk and control model that is more efficient and effective in supporting business needs, responding to regulatory change, and addressing demands for more granular risk-related disclosure. Both internal and external stakeholders will have greater confidence in the quality of the risk management, compliance and assurance model, with reduced remediation activities and positive external ratings reinforcing its value.

After all, the disparate kinds and sources of data notwithstanding, compliance mandates come down to the fundamental issues of integrity, availability, security, confidentiality and access. Expanding the overall charter and leveraging its potential for value delivery can establish IT as the centre of excellence within the business, facilitating overall compliance and its resultant business process improvement. With IT at its best, risk convergence, although challenging, is possible. Choosing this path will reward the organization with a flexible, efficient, sustainable risk management framework that supports today's business requirements and those of the future.

Matt Podowitz is an executive director in the Risk Advisory Services practice of Ernst & Young and is the firm's global IT effectiveness leader. Brian Tretick is an executive director in the Risk Advisory Services practice of Ernst & Young