Compliance costs - and not just in IT, says financial sector

Compliance will mean an overhaul measured in the billions for the financial sector but despite the implications for IT systems, CIOs are often not at the forefront of changes and issues other than technology are being prioritised.

Research out this week from the Economist Intelligence Unit (EIU), commissioned by project portfolio management (PPM) specialist Changepoint, puts some figures on the big compliance issues which have come about after scandals such as Enron and WorldCom and the attacks of 11 September.

Readying a medium or large bank for International Accounting Standards (IAS) will cost between £15m and £60m says the EIU, and Sarbanes-Oxley, which affects those with a US listing, will cost £4.4m per organisation.

Meanwhile Basel II, which covers risk management in the financial sector and requires capturing several years of data with near real-time recall, could cost $2bn across Europe. The study states that "Basel II alone is more complex than Y2K and euro projects".

Gareth Lofthouse, EIU director Europe Executive Services, said: "We can expect those costs to rise further. It's clear the IT function in many of these companies is feeling the strain."

Change management at most financial sector organisations is made more difficult because few have the necessary integration of systems to get the mythical 'single version of the truth' - where individual or corporate details aren't duplicated or send out conflicting messages.

EIU interviewed 116 senior executives from around the world, just over half of whom are from Europe. While 59 per cent said 'adapting existing IT systems' will be a key area where investment for compliance will be targeted - against only 34 per cent who stated 'new IT systems', note vendors - top of investment priorities is 'employee training', cited by 65 per cent of respondents.

Indeed, non-IT investments loom large and there is a risk CIOs and the IT department are relegated to the status of those doing the implementing but not planning. Of the executives polled, who were from various business functions, after training and IT updates 49 per cent said they would be 'revising products and services to meet new regulatory requirements', 38 per cent said they would be 'employing specialists in risk analysis' and 34 per cent mentioned 'expansion of the compliance department'.

Peter Redshaw, Gartner Group senior analyst, said: "We are seeing the emergence of chief risk officers. But it is foolish to go too far down the line without the involvement of the IT department."

All financial institutions' compliance programmes, also covering the US Patriot Act, are now under way - "If they're only just starting now, they're in trouble," said Redshaw - but it is clear the process will benefit some more than others.

Assuming equal competence in implementation, Redshaw reckons there are a number of second- and third-tier organisations - typically those with less of a history of mergers and acquisitions and less fragmented IT - that will seize opportunities.

For all IT shops, however, compliance is an opportunity to improve processes and technology - though in the EIU study this was cited behind the benefits of 'reduced risk to business continuity', 'greater trust in your brand' and 'improved shareholder value'.