Filed in archive
Compliance
by leon on March 14, 2007

Axentis is regarded as one of the leading providers of governance, risk and compliance (GRC) management solutions.
We talked about why compliance seems to be so much of a challenge for companies, about the impact of Sarbanes-Oxley and how companies need to adjust their systems to a world where they will have remote workforces, sometimes spread around the globe.
SOX FIRST: There is no doubt that Sarbanes-Oxley has increased the compliance workload. And it seems to be getting worse. What are your thoughts?
TED FRANK: I guess when you think about what caused the US Government to put Sarbanes-Oxley in place, it really was about ethics and integrity issues. It wasn't necessarily about some very discrete, very weak financial reporting weaknesses and I don't know if you are ever going to be able to legislate ethics and integrity. But it has forced a level of diligence on companies. We may never have heard about a lot of these issues had Sarbanes-Oxley not been around. If you never turn over a rock, you never find out what's underneath and I think Sarbanes-Oxley has forced companies and investors to turn over a lot of rocks. I don't know if it's any worse or any better but there's certainly more transparency around financial reporting and some of these issues, notwithstanding the fact that there will continue to be problems. You will never legislate some of these problems out of existence, you just do the best you can.
SOX FIRST: Turning over rocks? Are you saying companies had not invested enough in this area?
TED FRANK: Without any question. The level of diligence that companies are applying to Sarbanes-Oxley puts other areas of legal and regulatory compliance to shame. And because they are putting such good processes in place, and I would like to say good technology hopefully, that they can start leveraging in other areas, and that's a good thing.
SOX FIRST: IT governance is not an easy thing to measure. Companies tell me that it's difficult to quantify. But it seems to me that the benefits are not being defined up front so it's hard to put a value on it. What are your views?
TED FRANK: The problem is that most organisations are reactive. They wait until there's a crisis or a particular problem before they move and invest in fixing the problem. So you have got a reactive market, you've got fragmentation of compliance and risk management IT governance and when people who are managing IT governance try to get approval to do things proactively, what seems to happen is that they fail to make a good business case. Articulating the value proposition and the reason for making a proactive investment is key. So many companies seem to have trouble with that.
SOX FIRST: When I talk to companies about compliance, they tell me about the enormous opportunity costs and the problem of compliance risk.
TED FRANK: As somebody who serves this market, I can tell you it's way too hard to get these people to be proactive and to recognise that they need to spend money to fix the problem so they don't wind up in a reactive mode. I see it every single day, I've been in this market for seven years now and it's very tough. And it's hard to blame the compliance folks because they have never been given the resources. But realistically, if you are a good business person, you take calculated risks and at the end of the day, you control risks better than your competitors and if you control risks better, you can move faster.
SOX FIRST: But taking calculated risks means looking at the big picture. And for a lot of companies, risk management seems to be more about fulfilling compliance guidelines rather than working within some broader framework.
TED FRANK: Outside the financial and banking services where you have Basel II, I would say that that is correct. I would say the driver in our market place is legal and regulatory compliance. People are thinking now more and more about general risk management around operations but what drives behavior is legal and regulatory compliance.
SOX FIRST: Can you see that trickling into other sectors?
TED FRANK: I think you will see it in adjacent sectors, like the insurance market place, the investment market place, maybe that will start trickling in. You will always have market leaders in various sectors that move more aggressively that way. We do a lot of work in the pharmaceutical market place. We have a strong position there. They are so highly regulated, they have to put all these procedures and controls in place, but they really are starting to think about how do I leverage this and use it more generally to have a more robust proactive risk management program. But in the foreseeable future, legal and regulatory compliance, the fear of problems, is going to drive the market. AMR projected that IT related regulation over the next five years will double. Think about it, like there's not enough of it already. And yet most organisations are still reactive. The US government did a study seven or eight years ago on the cost of US regulation alone and at the time, it was over $800 billion a year, but if you were to ask a company what's the cost of complying with US federal regulation, they wouldn't be able to tell you because it's not a line item, these are costs that are embedded in all the different parts of the operation and organisation. That's why it's always difficult to take people from that position. Like what does that mean? It's like saying the earth is going to die in four billion years. Well it's hard to think how that impacts my life.
SOX FIRST: Let me throw in a wild card. Gartner has forecast that through to 2010, companies that don't implement stringent remote worker policies and remote access controls with management tools will have their costs increase five to 10 times. Also, if they fail to act, security breaches will increase exponentially. With a remote workforce, what are challenges for compliance regimes?
TED FRANK: This is a huge issue. The difference between US regulation and some other countries is that the US regulations are not prescriptive. It sets these broad guidelines out and lets the market determine what best practice should be to comply with that regulation. So what you wind up with is a lot of ambiguity in an environment where you have to provide people with a lot of guidance. I call that the behavioral aspect of risk and compliance management. There's lots of behaviors where people need to seek guidance. You can't really put it into policy. This whole market of data breach and privacy is a monstrous issue. All the hacking and the loss of data in the past has been because of kids, just screwing around. Now there is criminal involvement and sophistication in the seeking out of data. As you have more and more fragmented operations, the ability to control the systems part and also the behavioral aspects increases in complexity exponentially. So I don't question that finding from Gartner at all. In fact, I think it's probably worse than a lot of people think, even in that report, because what they are talking about is the system components and the protection and IT security and what people forget are the behavioral aspects of it.
SOX FIRST: The other big issue is the global workforce. I was reading the other day, for example, that IBM has 52,000 employees in India. And Accenture last year said it had more employees in India than in the US. Now, in each case the company makes a decision about where a project can be sourced based on the costs and skills of those employees. What does that model mean for modern IT departments and compliance?
TED FRANK: A number of our clients establish a super-set guideline around risk and compliance management in particular domains. Axentis was the driver behind building an association and the purpose of that association was to say that we need to break down the DNA of compliance and risk and regulation and come up with some operational approach to managing these processes. You can't respond individually. These risks are global and they are very complex. We did that and we merged it with this association called the open compliance and ethics group and so what we did there was we published a process model which said even if there is variability in your dealings with IT security, or privacy or Sarbanes-Oxley, whatever these different regulations and risks are, your basic core process can in fact be the same. The way you communicate with your employees and with your business partners and with your contractors should be consistent. So when we think about fragmentation, it means we have to establish an operational approach to all of these risks in the organisation and supply chain, because if we don't it will break down. As you see greater and greater fragmentation and globalisation of these businesses, people had better take more notice of risk and compliance and they had better take it more seriously because the risks are growing.
SOX FIRST: Which means you need a whole-organisation approach to risk instead of just looking at it in silos?
TED FRANK: Yes and in most companies it remains very fragmented.
SOX FIRST: So how do you get companies into that space?
TED FRANK: We have multiple ways in which we can work with a company. Maybe they are in a highly regulated market that's getting a lot of scrutiny. Those are the companies much more likely to commit to a bigger, broader approach. We get many of those clients in highly regulated markets, like the pharmaceutical market or the insurance market and they say yes, you know we get it, we sleep it, we breathe it, and we want a better way. But that's a minority of companies. In most cases, we work with a team that may be focused on a discrete problem and we are able to say we can help you solve this very narrow specific problem but we will do it in a way that can be leveraged across multiple areas and multiple domains.
Interview with Axentis president Ted Frank