Compliance Architecture for Competitive Advantage

Retooling IT for Compliance--Part II.

This article originally appeared on the BeyeNETWORK.

In our January article, we established that stringent new compliance regulations are here to stay. As the business and technology landscape evolves, more rules will follow. Indeed, spot fixing a specific process can meet some aspects of compliance. Precisely this type of Band-Aid fix, however, limits IT efficiency.

IT Can Transform Compliance Fixes into Competitive Advantage

U.S. enterprises' compliance investments will exceed $3 billion in 2005. Compliance is an expensive, mandatory undertaking. The enterprise must leverage this investment to boost total enterprise efficiency.

Compliance requirements ask for accurate information, timely dissemination of facts, preservation of records, protection of confidentiality and business-specific practices and certification. By integrating compliance fixes, IT optimization can also deliver competitive differentiation and profit advantages.

Streamlining reporting for compliance by fixing the accuracy of reporting is the tip of the iceberg. Optimize and automate IT, and reap a competitive advantage. Faster and more frequent sales and profit trends can dispatch resources to rescue potential losses, reversing the reporting of poor results. Similarly, daily supplier cost escalation trends can alert teams to execute alternate strategies before supplies constrain sales. Mending the underlying infrastructure is the real opportunity for competitive gain.

Opportunities abound. Organizations are challenged to reconcile non-standardized data and computations. A recent poll conducted by BI Results LLC revealed that some have: 

  • 113 instances of general-ledger programs;
  • 6 types of supply chain processes;
  • Call centers that do not see all customer transactions;
  • Separate divisional prospect lists that don’t reconcile with the same customer name for different products from the same parent company; and
  • Divisions of the same enterprise buying the same widget from the same vendor for different prices.

Two Paths to Meeting Compliance

The easy path is to fix individual business compliance requirements, apply appropriate scrutiny (some manual, some automated), consolidate the results and switch on the green light. Execution is proving difficult as armies of auditors and experts have converged to fix breakage. Costs are no less than those of a strategic effort, but results will leave operational inefficiencies in place.

In this article, we will introduce the Program Authenticated Scaled Synchronized Compliance Architecture (Compliance Architecture) as a strategic approach to building compliance and delivering competitive advantage. It incorporates Control Objectives for IT (COBIT) guidelines with IT infrastructure architecture, Six Sigma quality measurement tools and Project Management milestone processes. It was developed from practical hands-on experience of working with global cross-functional teams to gather requirements, collaborating with multiple vendors to build specifications, and working with integrated teams to test and deploy systems.

Compliance Architecture Overview

The Compliance Architecture is comprised of three macro components. In the first step, a programmed decision prism authenticates data for a variety of attributes. Next, authenticated (profiled, clean and secure) data and the resulting integrated information are scaled for variance against compliance and business-results measurement metrics. Finally, scaled variance results are synchronized with a time-centric response for execution.

Result: an enterprise that is aware of compliance status and enabled to execute rapid responses that deliver not just compliance, but also competitive advantage.   

The Compliance Architecture in four phases:

  • Gather data to construct a strategic vision;
  • Secure resources and tools to plan, evaluate, test and deploy;
  • Phased deployment with scheduled improvements; and
  • Optimize, monitor and evaluate for continuous improvement.

For each phase, progress can be measured:

  • Enterprise vision, compliance requirements and success factors;
  • State of the current control factors, strengths and shortfalls;
  • Risk assessment of failures and extent of loss;
  • Effectiveness of control activities in meeting compliance and sustaining a competitive lead;
  • Quality of information and communications processes; and
  • Monitoring systems to trigger automated or manual alarms and alerts.

Phase 1: Gather data to construct a strategic vision

Collect facts with the objective of aligning IT with the enterprise's plans and unleashing IT's power for compliance and competitive advantage in support of the enterprise strategy.

Enterprise vision, compliance requirements and success factors.

This data collection and validation step is the most critical success factor in delivering compliance and competitive advantage. What path is the enterprise leadership charting for the current year, third year and fifth year targets for compliance and competitive advantage? The Annual Report often lists these for investors. However, executive priorities can vary. Cataloguing expectations and executive validation of needs will permeate infrastructure architecture, control policies, risk factors, control activities, communications and monitoring.


Validated at a top executive level, a vision statement of prioritized key performance indicators (KPIs): (a) Financial and performance targets; (b) Competitive criteria measurements; and (c) Customer satisfaction measurement variables.

State of the current control factors, strengths and shortfalls

We validated the vision in the earlier step. Now test the alignment of policies and procedures with the enterprise vision. Are they agile and flexible in reflecting compliance and competitive changes? How complete and effective are the guidelines? IT's role might be to facilitate access to the right data, in the right formats and on target systems, to perform computations and supply results to meet policy requirements.


Validated at the COO and CFO level, a gaps document identifying policy requirements to implement, inspect and enforce compliance.

Risk assessment of failures and extent of loss

At this stage, we know the enterprise vision and priorities, and we know the gaps in policies and procedures. Next, quantify risks: to what risks does a lack of policies and procedures, execution ability, or systems limitations expose the enterprise? What losses can result from lack of compliance or lack of ability to deliver KPIs? What is the liability to the enterprise or the executives? In light of recent convictions of executives (Enron) and the closing down of some businesses (Arthur Andersen), consequences are well understood. Include the competitive perspective and loss of brand value in the risk assessment; tread factually but lightly on executive risks. They are already aware.


Validated by legal counsel, COO and CFO, a statement of the risks of non-compliance.

Effectiveness of control activities in meeting compliance and sustaining a competitive lead

Policies without effective control activities, and vice versa, spell ineffective enterprise controls. Having already assessed policies and procedures, this is the scrutiny of execution. Are people trained and able to execute? Are systems performing to support needs? Are performance targets met? Are quality-of-information targets met?


Validated by COO and CFO, a statement of gaps in activities to meet compliance and competition.

Quality of information and communications processes

Is data accurate, delivered on time for analysis, and integrated with the right data elements to provide a complete picture? Are decision criteria predefined? How often are they updated? This is the core of the enterprise's ability to deliver compliance and maintain a leading competitive edge. What percentage is automated vs. manual? How are exceptions identified and fixed?


Validated by CIO/CTO, COO and CFO, a statement of improvements to meet compliance and competition.

Monitoring systems to trigger automated or manual alarms and alerts.

Can the systems handle multiple levels of alerts and alarms? For every field, is there a target range established and a variance to set off alerts or alarms? Are data stewards or data owners in agreement with the process to execute triggers and alerts? Is sharing of data and information possible and efficient?


Validated by CIO/CTO, COO and CFO, a list of data elements and integrated information fields that require static or dynamic computations: target, alert trigger variance, alarm variance trigger and synchronized fix process.


You now have a snapshot of: (a) Enterprise Vision for compliance and competitive advantage; (b) Gaps and fixes for policies and procedures to support the enterprise vision; (c) Gaps and fixes in execution of the procedures and policies; (d) Gaps and fixes for quality of data and information; and (e) Thresholds for monitoring compliance and competitive factors.

In the next article, we will discuss acquiring the resources and initiating implementation. The first article in the series is "Retooling IT for Compliance."

For feedback or questions, please contact Rajeev Rawat at RR@BIResults.Com.
