Regulatory Compliance Putting ROI on Back Burner

By David Haskin


The sun rises in the east, water flows downhill and strategic technology initiatives must show a positive return-on-investment (ROI). Well, two out of three isn't bad.

The need for a strong ROI has long been a constant for CIOs. However, some CIOs and other industry experts are saying that emphasis is softening.

"ROI is a significant factor but, to me, the key point is linking an IT project to a valid business strategy," said Jay DeNovo, CIO of Home Savings Bank in Madison, WI. "ROI as a measuring tool becomes less important because it's the validity of the business strategy that you have to evaluate. Our metrics are provided by our government regulators and the strategic IT roadmap has to reflect that."

While DeNovo is CIO of a small organization, technology executives in larger enterprises are saying similar things. The reason is simple: large projects to ensure security, disaster recovery and regulatory compliance are taking an increasing share of the resources available to technology executives. And those types of projects have no ROI in the conventional sense.

"Now, there are all kinds of issues to deal with where there is no ROI," said Tom Pyra, COO and CIO for Clark Consulting, an executive benefits and compensation consultancy. "You either do it or you're in trouble."

In other words, the bottom line isn't always the bottom line anymore for many IT projects. And that is changing the nature of a CIO's job.

"It's definitely made the job more stressful and not everything you do is value-added any more," Pyra said. "We're dealing much more with projects that are value-preserving. And sometimes it's a black-and-white test: You either have it or you don't. If you don't, you can be fined."

For instance, Pyra's company uses broker-dealers who are licensed.

"They have to keep three years of e-mail and, if they don't, they're fined," Pyra said. "You have to go out and buy the software and the systems. The ROI on that is that, if you don't do it, they lose their license."

Documenting Change

A strong element in federal regulations such as Sarbanes-Oxley (SOX), HIPAA and Gramm-Leach-Bliley (GLB) is security and data integrity. Disaster recovery is another issue that has come into focus lately, largely because of both the September 11 attacks and provisions in the various federal regulations. A third issue is privacy, which also is a major focus in many of the new bodies of federal regulations.

One thread that connects many of these requirements is the need to document changes, which also takes a lot of time and energy.

"Documenting our controls, there's nothing wrong with that," said Jim Harding, senior vice president and CIO of Henry Schein, a distributor of healthcare services. "But as far as doing projects that will enhance our competitive lead, (documentation) doesn't help us. I'd rather work on projects that have ROI and the must-dos cut into those projects."

The Occasional Silver Lining

Some CIOs did note, however, that not all compliance-related activities are inherently bad. For one, regulations often lead enterprises to adopt best practices. In addition, regulations can, at times, help improve bottom-line results, even in small companies.

"I try to look at our Gramm-Leach-Bliley compliance activities as an opportunity," said Home Savings' DeNovo. "It has helped us expand our view of potential risks and threats."

All the CIOs interviewed for this story agree that even compliance and security issues can be challenging in the best sense of the word.

"The 'fun' in Sarbanes-Oxley is understanding all the systems you're using," said Gaucherin.
