The recent torrent of laws and regulations affecting businesses has forced many to undertake a radical rethink of how they manage information. The role of technology in meeting compliance regulations is indisputable, but in many organisations, the IT systems are simply not ready.
Often, the IT department is treated as a separate entity from the rest of the business. Many employees lack an understanding of what the IT function does and there may be silos of data buried in dozens of legacy systems throughout the organisation. How does a business deal with this mess?
“All regulations are alike,” says Jay Heiser, research director at Gartner, the research company. “They are just asking for greater levels of control, and greater levels of transparency to document that control.” The key to meeting compliance requirements is to create a relationship between IT and the business that allows the latter to see the information it needs to see. This means that even if regimes such as Basel II and Sarbanes-Oxley are not asking for the same thing, the processes that will enable organisations to meet those requirements are the same in both cases.
The organisational structure needs to reflect the centrality of IT’s role. IT is simply too important to be left to the IT department or, as Paul Beach, head of corporate banking at Atos Consulting, puts it: “If there’s a problem in IT, it’s still the CEO who goes to jail.”
The traditional hands-off attitude of the board towards IT no longer works, says Tim Jennings, research director at Butler Group, the analyst: “As soon as board members start to ask searching questions of the IT function, such as where do these figures come from or how do we make sure that regulations are addressed, then they find that there are no methods in place to make sure it happens and very little visibility for board and senior business managers to know that it’s happened.”
The best way to meet this challenge is to start from the top. As Mr Heiser points out, this does not mean that the board should simply issue a ‘Thou shalt be compliant’ mandate. It needs to be backed up with leadership by putting a board member in charge of compliance who can create a consistent framework. “I’ve talked to organisations that literally have a different programme office for each regulation and that’s just a recipe for disaster. You have to treat all of these as a set of operational risks,” says Mr Heiser.
An example of this top-down approach is in those areas where regulations overlap, says Mr Beach: “One of the key components… is the need to have a clear view of your client information. One thing organisations have to look at is how they invest in their client data infrastructure in such a way that it meets all those requirements rather than having piecemeal solutions that meet particular requirements.”
For organisations struggling with structured data held in multiple legacy databases, or unstructured information, such as Word documents or e-mails scattered on servers, laptops and desktop PCs, creating a clear, consistent view of information is no small task.
Two technologies will be key: first, a business intelligence solution that can aggregate structured data from across the organisation, and provide high level information for executives along with the ability to drill down to source data; and second, an information management system that will store unstructured data and allow rapid access to those documents should auditors require them.
To have the desired effect, procedural changes must be implemented at the same time: a business intelligence system is only useful if there are procedures in place to make sure that the source data is accurate and consistent. Such procedural changes need to be driven from the top as part of a change management programme, and to be subject to spot-checks from internal auditors.
Mr Jennings advises boards to approach the problem in terms of information rather than technology. The task can be split into three broad areas: information management, information security and information analysis. Management is about understanding what information the organisation has and how to retrieve it. Security is about access control – making sure that only the right people have access to certain information. And analysis is about understanding what the information means. For example, detection of fraud within the organisation would begin by analysing transactions and looking for irregular patterns.
Businesses also need to be agile enough to deal both with regulations in different jurisdictions and with regulations that may not yet be in force. Any compliance solution has to be scalable and adaptable.
For example, the Stroud Swindon Building Society had to meet stringent new regulations from the Financial Services Authority on mortgages that require documentary evidence to be produced within 48 hours if requested. The society implemented a document management system from Vignette that has enabled it to store mortgage applications online and to search and retrieve them quickly.
An organisation has to be flexible enough to change and adapt, says Mr Heiser, because the impact of many regulations is still unclear: “The best practices for compliance evolve over a period of years. You cannot know exactly what you need to do, so you need to position your organisation so it evolves with the best practice understanding.”