IT compliance: When regulations get too diverse, they become roadblocks

Can an integrated approach bring some relief?

The rules and regulations that ensure how we secure and control information technology (IT) are as diverse as the world itself. An integrated approach can help solve the IT compliance conundrum. Explore how.

Diversity can be a source of strength, knowledge, and creativity. However, there is one realm where much of the business community laments global diversity—the area of regulatory and legal compliance. Around the world, the multiplicity of standards, laws, and regulations that establish expectations for how IT systems are secured and controlled present a major challenge to organizations that operate across industries or beyond their home borders.

IT compliance: A complexity only getting compounded

The ubiquity of and our dependence on IT, overlaid with numerous jurisdictional, industry, and even contractual obligations, can create a daunting labyrinth for organizations to navigate as they pursue profitability and growth. Entering new markets, expanding to new geographies, developing new products or services, and cultivating new clients get trickier in such a scenario.

Unfortunately, many organizations take an “everyone for themselves” approach to compliance. This practice rarely yields good outcomes, as it lacks continuity and focus, dilutes responsibility, drains internal resources, increases costs, and creates a drag on competitiveness and profitability.

Larger entities tend to operate across multiple geographies and thus must deal with greater complexity and its associated costs. Also, heavily regulated sectors such as finance and health care would seem to have more incentive to get their compliance houses in order, yet the sheer volume and complexity of applicable laws and regulations often overwhelm the best intentions. With few organizations having fully optimized their IT compliance programs, will an “integrated” approach to IT compliance management work better? We think so and here’s why.

IT integrated compliance: A holistic approach for a streamlined system

Imagine a business that has operations in both Europe and the United States. Its American division is responsible for meeting the requirements of the California Consumer Privacy Act (CCPA), while the European unit addresses the EU General Data Protection Regulation (GDPR), with no collaboration between the two. This siloed approach, while perhaps making sense from an operational standpoint, fails to recognize the many overlapping requirements of the two laws, nor does it leverage the similar controls and reporting requirements of each.

One look at the entire universe of IT-related rules, laws, and regulations that govern the activities of multinational organizations, and an abundance of commonalities would emerge. And with it, the opportunity to leverage them for competitive advantage. When an integrated IT compliance program is functioning effectively, redundancies are eliminated, efficiencies gained, resources optimized, and risks reduced.

Adopting integrated IT compliance—daunting but doable

Global regulations, regardless of jurisdiction, typically focus on similar threats and require similar mitigating strategies, making the global compliance challenge more manageable than it may seem at first. Here are a few observations and suggestions to get things rolling:

The next steps: Doing things right across multiple dimensions

As you embark on your integrated IT compliance journey, consider taking these steps:

Integrated compliance will require an alliance

While regulatory requirements may seem disparate and convoluted from afar, upon closer scrutiny, many commonalities may be identified that can be leveraged to advantage. A thoughtful analysis that maps and correlates IT-related requirements across a company’s geographies and frameworks can be eye-opening, revealing the untapped potential for efficiencies and effectiveness.

Leaders need to recalibrate their thinking around IT compliance, devoting upfront time and resources to develop a well-thought-out plan. Roles must be clearly defined; accountability for the day-to-day program and its progress must be established. Many organizations have found that the use of consultants can provide needed expertise and specialized skills to help ensure the program rests on solid footing and that the long-term outlook is positive.

Comply, then fly.

Get in touch

Brandon Brown
Managing Director | Deloitte Risk & Financial Advisory
Deloitte & Touche LLP

Chad Phillips
Managing Director | Deloitte Risk & Financial Advisory
Deloitte & Touche LLP

Dasha Seleznyov
Senior Manager | Deloitte Risk & Financial Advisory
Deloitte & Touche LLP

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Did you find this useful?