Interview with Brett Curran from Axentis
Filed in archive Compliance by leon on February 22, 2008

Had a chat this week with Brett Curran, vice president of GRC and privacy practices at Axentis. He was in Texas, I was in Melbourne, Australia. But it was a great session. We talked about all the issues companies faced struggling with compliance and what they needed to do. Here is the interview.
SOX FIRST: Sarbanes-Oxley has increased the compliance workload. Now with the losses coming in from subprime, regulators will bring in laws and that will make it worse. Do you think that's the case?
CURRAN: I do. The people that got sent to attack Sarbanes-Oxley issues, the CFOs and internal audit, they are great with writing audit papers and following through on processes but I don't think they were properly equipped to take a bigger look at what this thing is really going to require. It's about how can we create something out of the box rather than make it through year one and then year two try to improve things. And they are really struggling with that.
SOX FIRST: But let's take it further. It seems to me that the companies that should know better, like the insurers who are supposed to be the experts in risk management, are now losing billions of dollars from subprime. What are your thoughts?
CURRAN: That doesn't surprise me a bit. I was in the insurance and financial services business for 18 years. I found insurance companies were great with their actuarial departments and how they look at product configurations, and premiums and claims and demographics and geographics and their impact on premiums. But they were horrible on the compliance side. They were great on the risk management side from a product perspective but on compliance, policies, and training, there were sticky notes on cubicle walls. They would say we have to do something about it and I would say well let me look at your policies and procedures and they would say we don't have any of that written down. And I would say how then do you train your work force and have consistent outcomes. And they would say we don't want to write anything down. Because if there are procedures to follow and if we are not following those procedures then we would get into trouble. And the trouble we would get into from not having procedures is less than the trouble we would get into from having them and not following them. But when Sarbanes-Oxley came out, they were reluctant and they fought tooth and nail against it but they had to and were forced into it.
CURRAN: I have seen companies dealing with this for quite some time, particularly in the insurance industry. What they are doing with the at-home workstation that's company property. There is a lot of interplay there with privacy and security and that kind of thing. Electronic documents are almost a must for at-home workers and a lot of companies provide the workstation for the at-home worker, so they are shipping out a small desktop machine more often than not and they are configuring it with a high-speed Internet connection. But other than the operating system and security controls and some encryption, they can't even copy and paste or print. They are really locking them down. The type of worker might be for example someone doing data entry who is just typing in what they see.
SOX FIRST: One issue is that the approach to risk inside companies remains very fragmented. How do you deal with that?
CURRAN: That's a big challenge. It's a political challenge, it's a corporate culture challenge. It starts with tone at the top. You have got to have a chief general, the CFO and the COO getting the ear of the CEO and getting connected with the audit board. One of the problems we see is that as people start to learn about a broader federated governance risk and compliance approach, it can quickly become overwhelming and people say oh my gosh, where do you start. But you are never finished. It's not a process that everyone agrees to put in and it's done. It's ever-changing and ever-evolving. The key thing is that you have a co-ordination of decision-makers and risk managers that are doing things in a consistent way and in a co-ordinated manner. They are doing it using underlying technology to help support a single repository meeting the needs of multiple constituents in a consistent manner. It's about figuring out a broad brush view about what all the compliance topics are that we should start with and let's get a handle on how we are going to govern that and guide the processes to support it, let's staff it, let's determine how we are going to measure it so we can see if we are making improvements or where our problems lie and we know where to focus our resources and dollars to improve the business, and leveraging the learning and the infrastructure and the organization to build on your successes.
SOX FIRST: There is now a growing interest in the US in exploring a different approach to laws and regulations. People are looking at a more principles-based approach which I think is overdue because the black-letter approach to law is just asking for trouble. It's like showing the burglar the diagram to your alarm system.
CURRAN: Absolutely.
SOX FIRST: So what are your views about that?
CURRAN: Some of the most significant problems that we have come from the prescriptive check list mentality. I hear this a lot, particularly in the IT area. There are a lot of risk and compliance offices sprouting up in IT and they are looking for a solution that has all the rules and regulations that might apply to IT and they are kept updated regularly. I can't blame them for thinking that way. It's a whole mindset shift. Then you have the authorities coming in and you argue over interpretation. It's just a big waste in my humble opinion.
SOX FIRST: Can you see the shift happening?
CURRAN: I think it will happen slowly. There is a lot of discussion going on, particularly in the insurance industry and pieces of it. The National Association of Insurance Commissioners is working on some principles-based approach to pieces of the insurance puzzle. Now I don't know how that's going to be effective because at the Federal level, and with lobbyists and industry, there is a big push for the Feds to take over insurance where they are saying we can't serve all these masters, we cannot comply with conflicting rules and regulations across the 50 states we do business in. Somebody please give us a set of rules, create a check list and we will do a lot better. Now I don't think that's going to solve the problems. It will be interesting to see how that plays out.