Figuring Out Compliance
For IT departments, it’s an elusive, ever-changing target. For VARs, it’s an opportunity.
If there ever was an IT specialty tailor-made for VARs and solutions providers, it’s compliance. American industry is reeling from corporate scandals of recent years, and tremendous resources are being directed toward satisfying new and, in some cases, unclear mandates from various regulatory agencies. Plenty of companies have had trouble complying with new regulations. Even experts acknowledge they’re still learning.
Case in point: Publicly held BearingPoint, the management consultancy and systems integrator with its own compliance practice, found it had major problems of its own. In early 2006, a failure to file financials for the second half of 2004 and all of 2005 put it squarely in violation of the Sarbanes-Oxley Act of 2002, the most prominent of the new rules intended to clean up corporate America.
As companies learn more about what it costs to be in compliance, they’re looking for ways to manage those costs as well as their risks. “For the past two years, businesses have been focused on documenting business processes,” says Vivian Gopico-Tero, a senior analyst covering compliance infrastructure for International Data Corp. (IDC), Framingham, Mass. “Going forward, companies are going to be looking to reduce the ongoing cost of compliance.”
Those companies will typically want to work with consultants, VARs and integrators. And they won’t just be seeking out the big guns. “Sure, a lot of public companies look to larger vendors,” says Art Krulish, business development manager for the New York-based Sky I.T. Group. “But there are also plenty of companies on the border of becoming public companies. They are looking to make sure their houses are entirely in order before they go public.”
Krulish ticks off the kinds of questions customers will typically need answered. “How do you handle an order? Who touches an order? Do you need to make sure no one touches it between Step X and Step Y? Can you find where the invoices are? [We] can show these almost-public companies whatever the auditors need to get at.”
Some of the opportunity comes from the fact that the regulatory landscape is continually changing. For example, says Krulish, “Sarbanes-Oxley is not clearly defined yet. Going into 2007, we’ll all have a better sense of what it means. By then, we’ll be able to tell our clients, ‘Here are the 15 items your IT team is responsible for, and here are 15 more items the CFO has to be able to track and monitor.’”
Regulations like Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA) are so young, says IDC’s Gopico-Tero, that much of the compliance work being done by IT consultancies is determining what the laws actually require. Add in a raft of local and state regulations, and compliance can become a pastiche of processes that require big-time consulting help.
That means some local channel players may not be able to play at the highest strategic levels with their customers, at least initially. Compared to the big players, says Gopico-Tero, “VARs may not have the same level of strategy-engagement skills or experience, so they’re focusing on specific [compliance] components, such as inventory reporting, order management or separation of duties.”
More Opportunity Coming
Down the road, Gopico-Tero says, VARs and integrators will find bigger opportunities, especially with IT controls that use software and new business processes to ensure that IT itself isn’t creating any compliance risks. “The smaller organizations [that VARs] serve haven’t leveraged IT toward compliance yet,” she says. “Sarbanes-Oxley looks at IT all the way down to the infrastructure layer, to the technologies that support the applications. So VARs will be looking at issues like security, availability and service levels.”
That means opportunity for niche players that can step in and leverage existing expertise to help customers with compliance. ECS Imaging Inc., a Riverside, Calif., specialist in records management, has used its experience to show how document imaging solutions can ease the process. ECS says that repositioning alone drove a 26 percent increase in sales last year.
Good News, Bad News
Yet despite such success stories, helping clients navigate laws and regulations isn’t always a perfect fit for some channel companies. “Compliance is a mixed blessing for us,” admits Pat Grillo, president and CEO of Atrion Communication Resources, an integrator based in Branchburg, N.J. “The good news is that there is a lot of opportunity. The bad news is that we might not be quite ready for that opportunity.” Grillo would like to be a better compliance expert, “but it’s hard to be in this field, because every time you turn around some part of the rule has been changed.” It’s especially difficult to keep abreast of changes in a range of vertical markets. “We can’t be experts in all of them,” he confesses.
How to solve the challenge? “When we take a particular engagement,” says Grillo, “we find a subject matter expert in that vertical who we can partner with.” That’s a process many VARs are already comfortable with: finding other companies with specific domain expertise, then customizing the necessary technology to meet the client’s needs.
For compliance to be profitable work for VARs, it’s important to focus on the right regulatory areas. Lighthouse Computer Services Inc., a $100-million IT services firm based in Lincoln, R.I., found Sarbanes-Oxley compliance services had greater demand than, say, HIPAA. “HIPAA has been slow to take off as a major IT services driver, since most hospitals are able to skirt the spirit of HIPAA without seeing severe penalties,” says Lighthouse IT compliance practice leader Jerry Hughes. “Compared to other regulated industries, the fines are relatively low. But Sarbanes-Oxley penalties are severe, and that drives greater need for compliance.”
In the past two years, this demand enabled Lighthouse to build a Regulatory Compliance practice area, employing several Certified Information Systems Auditors. “Soon more severe penalties could emerge for HIPAA, too,” Hughes says. “Because of Hurricane Katrina, plenty of folks lost their medical records forever. You saw in the aftermath of the hurricane that medical groups were not following best practices and storing records securely offsite. Patients are now paying for it in a big way. I believe it will open eyes, and will prompt stricter adherence to best practices, just as 9/11 did for disaster recovery.”
Compliance may also represent a way to build a more lasting relationship with customers, says Grillo of Atrion. Smart channel players won’t initially play the technology card, but will instead focus on business processes and internal controls when they walk in the door. “The first thing we do in these situations is assess security risks and make sure they have policies in place,” says Grillo.
That can mean a long-term impact on customers, and a long-term relationship with their integrator partner. “We are able to help clients define their infrastructure, help them write and implement policies, and educate them going forward,” Grillo points out. “We look at compliance as a recurrent opportunity, not just a one-time audit.”
Jimmy Guterman is a freelance writer based in Chestnut Hill, Massachusetts.