FUJITSU


Fujitsu Services


Planning Ahead by Mia Andric


Johannesburg, April 9, 2008 — Companies are slowly realising that governance is about more than technology – people and processes are just as important

Companies are preparing for today’s business challenges by devoting more time and resources to managing strategic planning and business risks. However, governance, risk management and compliance are some of the most critical, yet sadly misunderstood, areas affecting business today, according to Haydn Pinnell, MD of Gallium Technology, an EOH Company.

Pinnell explains that governance has to do with doing “good” business: doing the right thing at the right time for the right reason. It is thus associated with decision-making and the actual business of doing good business.

“Compliance, on the other hand, has to do with regulatory and legislative requirements and standards that businesses are required to meet in terms of the law,” he says. He adds that the common misunderstanding that the two are one and the same continues to live in the industry and business in general.

“Governance doesn’t ‘come with’ compliance. They are two very separate projects, and implementation of either is not a quick fix.”

GOOD GOVERNANCE = GOOD OPERATIONS

Pinnell says that an appreciation of what each involves will go a long way to moving companies towards building a business with its foundation in best practice. When it comes to IT governance in particular, Pinnell explains that this has its foundation in the governance principles described above. “IT governance is about making business processes automated, repeatable and sustainable. In this way they become proven, established methods of operation that can be repeated whenever required.”

Amir Lubashevsky, MD of Magix, says that to achieve a proper governance deployment, it is necessary to understand what its purpose is. “You need to look at the gaps, the vulnerabilities, and ensure that there are proper controls in place, that there is visibility and enforcement all the way through the organisation,” he says. “A quick reaction is essential – a company should be able to identify what the problem is, how an incident occurred, and how the situation can be escalated to the appropriate people.”

On the other hand, Guy Golan, MD of NGS, a SecureData Holdings company, feels that governance compliance is merely an excuse for companies to buy yet another product. “Essentially, risk is the subject companies are worried about, not governance,” he says.

“Since governance regulations are standardised, and companies are forced to follow these rules – whether it’s practical for them or not – there is often a conflict between the regulations companies have to follow and the risks they are exposed to. A demonstration of compliance is ultimately the only way for businesses to show themselves to be doing the right thing, to cover their butts – it often has no bearing on the actual problems the business encounters.”

He suggests that governance should be approached from a practical viewpoint, not tackled in a ‘religious’ manner. Like Lubashevsky, Golan recommends that companies use a risk assessment as a starting point, examining what risks the business is exposed to, what is likely to cause damage or losses to the business, and he suggests that businesses fit the regulations to the risks rather than the other way around.

COSTS

Because companies have been thrown into having to meet governance regulations relatively recently, this area has been fraught with problems of one kind or another. And the biggest difficulty for most businesses has been the cost of complying with the regulations.

It’s no surprise that for many organisations compliance with multiple legislative and regulatory standards is seen as another cost and resource burden impacting on bottom-line business goals. One of the major complaints about the flurry of recent regulations to arise over the past decade is the financial impact on businesses from meeting compliance objectives.

These costs, combined with a strong increase in the size of penalties associated with regulations, lead many people to question whether the ultimate impact of the regulation does more harm than good.

Underlying these complaints is the general feeling that compliance initiatives are antithetical to business objectives, and that the tasks required to meet those initiatives are a hindrance to efficient business practices. In the current “do more with less”, high-efficiency business environment, compliance is often seen as unnecessary overhead, which does little to bolster the success of the organisation.

Sarbanes-Oxley (SOX), in particular, is seen as especially onerous. Although costs have fallen over the years since the Act’s initial impact, many senior executives have said that they underestimated the amount of money and time that would need to be pumped into SOX. The law, which applies to all companies listed on the New York Stock Exchange (NYSE), comes with strict deterrents to combat accounting mismanagement. But it is the costs associated with SOX compliance that have angered managers the most.

Smaller players in the market have also protested against being forced to pay disproportionately high compliance costs because of past scandals. Some public companies even took the bold decision to voluntarily delist from the NYSE because the cost of SOX compliance was deemed too expensive. The advantages of being a public reporting company are seen to be outweighed by the significant accounting, legal and administrative costs. “This has led some companies to pull out of the stock market and others to do U-turns on planned listings,” says Golan. “The problem is that many see SOX as too much hassle.”

Lubashevsky adds that, as with all security, the costs involved in complying with governance regulations are seen as a burden because it is essentially another grudge purchase for businesses.

INTEGRATED STRATEGY

For any wide governance, risk and compliance management initiative to be effective, it must deliver a single integrated management strategy across the whole organisation, be harmonious with the organisational or business goals and drill down into everyday business processes. But few have adopted an integrated approach to governance, risk management and compliance. Motivated by fear rather than strategy, companies often take a piecemeal approach: they implement fragmented, one-off processes that prevent regulatory fines in the short term but compound risk and compliance costs in the long run. According to Errol Rhoden, IT governance, risk and compliance solutions sales manager for the EMEA region at Symantec, initiatives in this area have traditionally flowed from pain points. Golan adds that most companies from around the world are still complying with the bare minimum requirements of the regulations that apply to them.

MANAGEMENT ESSENTIAL

Pinnell says senior managers and executives worldwide need direction on how to confront these challenges – not only in terms of implementation and its effects on day-to-day operations, but also on how to derive best value and proficiency from the investment required.

Cortell Business Solutions director Greg Bogiages says the role and focus of the company director is changing dramatically from what it was just a few years ago.

“Legislation and compliance pressures such as Sarbanes-Oxley and King II to mention a few, colossal corporate failures, increased competition in a low-inflation environment, masses of data to analyse (and resultant data overload), increased corporate citizen and environmental reporting imperatives (the triple bottom line) and increased shareholder activism – these are just some of the factors impacting the life of today’s directors.”

Louise Theunissen, GM of consulting services at Continuity SA, takes this one step further. She says that the success of governance, risk and compliance initiatives hinges on a company’s leadership. “Without board commitment, these initiatives won’t filter down to all levels. The board’s responsibility is the protection of stakeholder interest, and if it does not mitigate risk and implement good governance, the board is betraying that responsibility.”

THE TECHNOLOGY ENABLER

Bogiages believes that technology holds the key to enabling company directors to focus on strategy while ensuring that the organisation meets the onerous requirements of good governance.

Pinnell, too, is quick to explain that IT governance in particular shouldn’t be viewed as a fad. “It’s rather an invaluable way of bridging gaps between business and IT.”

Ignatious Thithi, a consultant at Ovations, a Johannesburg-based business performance improvement consultancy, says, “For governance to be fully effective, it has to be built into business and technology solutions from the beginning and not introduced as an afterthought – it has to be standardised across the enterprise so that there are no gaps or weaknesses in the overall system.”

When it comes to governance, risk and compliance, neither software nor comprehensive processes alone are sufficient to guarantee compliance. According to Andre February, managing consultant at Fujitsu Services, the biggest problem has been that organisations have been looking at IT’s role in this arena in the traditional way – making the issue fit the IT.

“The fundamental flaw in the traditional approach is that IT investments are often seen as a silver bullet. This leads to businesses running the risk of their IT systems not delivering what the enterprise is seeking,” he says.

Theunissen says another problem is that governance is run at the IT level, focusing on the technology rather than the actual operation. “I’ve often found that if it’s in the IT manager’s hands, they tend to focus on the IT only,” she says. “However, the infrastructure, the people and the processes are equally important.”

THE SA WAY

South African business has been slow to adopt the necessary measures and put the requisite IT systems in place for full compliance. Pinnell says, “We don’t have a legacy of putting processes in place that control governance. We’re experiencing exceptional resistance in the marketplace from an operational point of view when it comes to changing mindsets around this.”

Rhoden disagrees, saying there has been a lot of understanding of the need for a best practice and governance approach to business. “Companies are starting to look across the organisation. What were silos in terms of departmental divisions are now being looked at in correlation and companies have started taking a best practice approach,” he says.

However, Morris points out it is becoming a minefield for businesses that don’t know what pieces of legislation apply to them or how to comply with them. This is a particularly fuzzy area in SA, with many of the regulations in place being forced on companies as a direct result of international developments. Then there are a few local sets of legislation that companies need to comply with, such as King II (any JSE-listed company should comply with this), the South African Electronic Communications and Transactions (ECT) Act (relevant to any organisation performing any part of their business electronically) and various other pieces of legislation relating to the management and flow of confidential business and client information as well as the circulation of offensive content.

With governance, risk management and compliance essentially about controls, checks and balances, creation of an accurate data trail and reporting become critical. What companies are slowly realising, however, is that governance is about a lot more than technology.