ME3 Ensure Compliance With External Requirements

Effective oversight of compliance requires the establishment of a review process to ensure compliance with laws, regulations and contractual requirements. This process includes identifying compliance requirements, optimizing and evaluating the response, obtaining assurance that the requirements have been complied with and, finally, integrating IT’s compliance reporting with the rest of the business.

Control over the IT process of Ensure Compliance with External Requirements that satisfies the business requirement for IT of
  • ensuring compliance with laws, regulations and contractual requirements
by focusing on
  • identifying all applicable laws, regulations and contracts and the corresponding level of IT compliance and optimizing IT processes to reduce the risk of non-compliance
is achieved by
  • Identifying legal, regulatory and contractual requirements related to IT
  • Assessing the impact of compliance requirements
  • Monitoring and reporting on compliance with these requirements
and is measured by
  • Cost of IT non-compliance, including settlements and fines
  • Average time lag between identification of external compliance issues and resolution
  • Frequency of compliance reviews
Management of the process of Ensure Compliance with External Requirements that satisfies the business requirement for IT of ensuring compliance with laws, regulations and contractual requirements is:

1 Non-existent
2 Initial/Ad Hoc
3 Repeatable but Intuitive
4 Defined
5 Managed and Measurable
6 Optimized


Benchmarks/Guidelines for Scoring

1 Non-existent when
There is little awareness of external requirements that affect IT, with no process regarding compliance with regulatory, legal and contractual requirements.
2 Initial/Ad Hoc when
There is awareness of regulatory, contractual and legal compliance requirements impacting the organization. Informal processes are followed to maintain compliance, but only as the need arises in new projects or in response to audits or reviews.
3 Repeatable but Intuitive when
There is an understanding of the need to comply with external requirements, and the need is communicated. Where compliance is a recurring requirement, as in financial regulations or privacy legislation, individual compliance procedures have been developed and are followed on a year-to-year basis. There is, however, no standard approach. There is high reliance on the knowledge and responsibility of individuals, and errors are likely. There is informal training regarding external requirements and compliance issues.
4 Defined when
Policies, plans and procedures are developed, documented and communicated to ensure compliance with regulations and contractual and legal obligations, but some may not always be followed, and some may be out of date or impractical to implement. There is little monitoring performed and there are compliance requirements that have not been addressed. Training is provided in external legal and regulatory requirements affecting the organization and the defined compliance processes. Standard pro forma contracts and legal processes exist to minimize the risks associated with contractual liability.
5 Managed and Measurable when
Issues and exposures from external requirements and the need to ensure compliance at all levels are fully understood. A formal training scheme is in place to ensure that all staff members are aware of their compliance obligations. Responsibilities are clear and process ownership is understood. The process includes a review of the environment to identify external requirements and ongoing changes. There is a mechanism in place to monitor non-compliance with external requirements, enforce internal practices and implement corrective action. Non-compliance issues are analyzed for root causes in a standard manner, with the objective of identifying sustainable solutions. Standardized internal good practices are utilized for specific needs, such as standing regulations and recurring service contracts.
6 Optimized when
A well-organized, efficient and enforced process is in place for complying with external requirements, based on a single central function that provides guidance and co-ordination to the whole organization. Extensive knowledge of the applicable external requirements, including their future trends and anticipated changes, and of the need for new solutions exists. The organization takes part in external discussions with regulatory and industry groups to understand and influence the external requirements affecting it. Good practices are developed to ensure efficient compliance with external requirements, resulting in very few cases of compliance exceptions. A central, organization-wide tracking system exists, enabling management to document the workflow and to measure and improve the quality and effectiveness of the compliance monitoring process. An external requirements self-assessment process is implemented and refined to a level of good practice. The organization’s management style and culture relating to compliance are sufficiently strong, and processes are developed well enough, for training to be limited to new personnel and to whenever there is a significant change.