The impact of new laws and regulations on existing IT systems

By Andrew White


Change as a long-term challenge

Most major IT projects nowadays are long-term. So it is inevitable that change over time will have an impact: for example, change in technology platform, change in the commercial requirements of the parties, change of personnel or locations, or an outsourcing or business restructuring.

One of the most important types of change which long-term IT projects need to accommodate is change in the laws and regulations which govern how businesses in particular industry sectors operate.

What are the implications of such changes for IT systems?

Rarely has this been more of a live issue than today. Three separate regulations are due to come into force in the next two years in the UK (there are many more, but these are among the headline-grabbers), and each will have a significant impact upon thousands of business IT systems:

  • So-called ‘Basel 2’ provides a new regulatory framework for the banking sector and will come into force in 2006. Basel 2 aims to improve the stability of the world’s financial system by making banks’ assessments of their own investments and loans more sensitive to credit and market-related risks. Banks will have to ensure financial data is timely and accurate and that it reflects the risks outlined under the Basel 2 Accord. Needless to say, IT systems will need to support this obligation.
  • New international accounting standards, due to be introduced in 2005, will require thousands of companies to record their financial performance in a new way. Again, the IT implications are major.
  • New regulations issued by the UK’s Financial Services Authority covering the reporting and management of mortgage applications, due to come into force in October 2004, will require the mortgage applicant and the adviser to use point of sale software systems to take them through a sales process. These systems will have to comply with the FSA regulations.

Compliance by business with these new laws will require extensive re-engineering of existing IT systems, and careful definition of future systems.

Good change management: a checklist

Certain common issues can be identified for companies who wish to manage this change process effectively. Here is a checklist of some of them:

  • Establish a strategy and a team: Affected companies need to define a strategy and a team to implement it, so that all parts of the change process are coordinated, and have a clear goal in view. Otherwise, the process could become fragmented, and ad hoc. Priorities need to be set, and good internal communications channels ensured.
  • What action needs to be taken? An impact assessment has to be the starting point. What do these new laws and regulations require the company to do to its existing IT systems in order to operate in compliance with them in the future?
  • Timescales: These change projects are time-critical. By when do the upgraded or new IT systems need to be in place? Where companies rely upon third parties to achieve compliance for them, what incentives should be put in place to maximise on-time completion, and what should the contractual recourse be for delay?
  • Who is going to make the changes? Allocating tasks is crucial. Many different entities could be involved: the original supplier of in-place software, support and outsourcing service providers, consultants and the in-house IT team. Businesses need to understand how the team should inter-relate, and the inter-dependencies.
  • Contract review and cost allocation: Companies should carry out an audit of existing contracts which cover the IT systems which require change. Such contracts may define who is responsible for making the changes, and provide for the allocation of cost, either by one party being legally obliged to pay all the costs, or by making costs (and the change process generally) subject to a negotiated “change control” arrangement. It is important that businesses understand the contractual position as a basis for negotiation with third parties.
  • Watch out for “compliance with law” clauses: Many contracts contain ‘compliance with law’ clauses under which the original supplier of the IT product or service commits to ensure that it remains “compliant with all applicable laws and regulations” to which the customer is subject for the duration of the agreement. Such clauses have major legal repercussions (often not fully appreciated at the time they are included in the original contract). They mean that the supplier has made itself legally responsible for meeting all the costs of its customer’s changes.
  • Helping third parties: If a third party is going to upgrade particular systems for the company, what information and assistance does the company need to provide to ensure that the change programme succeeds? Businesses should not underestimate this. The third party is unlikely to be able to deliver a “quick fix” solution for the company without its sustained input in terms of people, time, information, software, facilities and much more besides. This is an increasingly critical area of best practice project management – a full appreciation that a complex change process is a collaborative process.
  • Carrying out agreed change controls: If the proposed changes are subject to a contractual change control (see above), ensure you understand how the process works, and how decisions and discussions should be minuted and recorded.
  • Procuring new systems: What does the company need to do about procuring new systems (as opposed to upgrading existing ones) in terms of specifications, warranties etc?
  • Reporting: What reporting obligations is the company under (to regulators, for instance) regarding how the IT compliance project is progressing?
  • What happens if the company is not compliant? What are the consequences for the company, its directors and stakeholders if the required changes aren’t achieved on time? The sooner the company is fully apprised of that, the better, for risk management and corporate governance purposes.

Is this the new Y2K challenge?

Commentators have suggested that the IT compliance challenges for financial institutions and PLCs are similar to the Y2K challenge that emerged before 2000.

While there are similarities, there is one overriding difference.

No-one knew in advance what impact the Y2K date change would have on IT systems. In fact, as we know, it was not what most people expected.

However, with the imminent changes in regulation outlined above, the situation is different. These changes are definitely on their way. There is no room for doubt as to their impact on company IT systems and the responsibilities which this places on all affected businesses to act in advance of their introduction.

Managing change successfully

Managing the impact of changes of law and regulation on IT systems can be a major cost and distraction for business. Addressing the issues early, establishing the company’s strategy, and clarifying its legal rights and responsibilities, can each help to manage risk, mitigate cost, and give a degree of assurance to the company’s management and shareholders.

Important - The information in this article is provided subject to the disclaimer. The law may have changed since first publication and the reader is cautioned accordingly.