Certification vs. Compliance: How Much is Enough?
June 2007
After the high-profile scandals of Enron and WorldCom at the turn of the century, the standardization and regulation of business practices became critical concerns for many governments. Intended to protect the welfare of shareholders and the general public from sometimes willful fraudulent practices in accounting and business management, a growing body of legislation and international regulation was introduced to counter the risk of future scandals.
In the provisioning of outsourced Information Technology (IT) services, the relevant regulations concern the protection of data security, particularly the security of personal information. Laws on the protection of personal information, such as the US Personal Data Privacy & Security Act of 2005, define a set of standards for business practices to ensure that data privacy and security are maintained and protected from fraudulent activity. Other legislation relevant to IT includes the Sarbanes-Oxley Act (SOX) of 2002, which defines rules affecting the management of electronic records.
In the context of this legislation, business professionals and service providers are often provided with a set of guidelines or standardized business practices to ensure compliance. Compliance with the guidelines and standards is one way by which governments and international organizations make certain that there is little risk of erroneous business transactions or exposure to fraud. Thus, compliance becomes a means of ensuring quality in terms of risk mitigation. In a similar manner, compliance can also ensure quality as measured against a pre-defined set of specifications.
Certification, on the other hand, has often been used interchangeably with observance of a set of standards. However, certification provides more than observance of those standards. Certification defines not only the set of standards but also a means of measuring the degree of compliance with that set of standards. This is where compliance by itself is often no guarantee of sufficient observance of standards or of sufficient mitigation of risk. In some instances, the risk remains because the degree of compliance is not sufficient to mitigate the threat completely.
In the realm of IT services, various certifications have been introduced to bring the observance of standards closer to full compliance with regulations and legislation. With regard to laws on privacy and data security, for example, compliance with the Data Privacy and Security Act of 2005 can easily be claimed by a service provider. However, there remains a significant risk that data security is not ensured unless it can be demonstrated that the compliance measures are sufficient to mitigate that risk. That is why the data security standards defined by regulations and legislation need to be translated into a set of certification standards that can test the degree of compliance. Only then can business practices be shown to comply sufficiently with laws on privacy and data security. Relevant certification standards in privacy and data security include BS 7799, a set of standards defining the observance of information security practices in business.
In the case of BS 7799, the observance of security standards can be as simple as the use of business processes and control documents designed to protect the security of information. Certification, however, goes deeper: it provides proof that the company not only has a system in place for information security, but can actually use that system to ensure the security of information under various circumstances. Mere observance of standards can thus be seen as insufficient in some instances unless a rigorous certification process can attest that the observance is sufficient to meet full compliance.
Challenges to compliance are becoming increasingly critical to most businesses, however, due to two significant trends:
- The growing volume of legislation and regulation, which is creating a myriad of standards for compliance
- The increasing cost of compliance resulting from the evolving complexity of certification testing procedures
In light of these trends, a growing number of business organizations are opting to adopt a wait-and-see attitude and put off acquiring certification, eventually settling for partial compliance by merely observing the standards. The usual justifications include:
- The prohibitive costs attributed to the certification process itself, and
- The apparent lack of integrated rationale that binds various certifications into a unified set of best practice standards
However, most of these organizations fail to see the wisdom of certification: it is proof or evidence of an individual's or organization's ability to demonstrate consistently a skill or competence that contributes to compliance with standards. Without the proof that certification provides, there is little evidence to demonstrate a capability or qualification to deliver a service within quality standards. Companies expecting a quality of service that approximates a high level of compliance with standards risk being exposed to inconsistent quality. Vendors wanting to demonstrate their capability, on the other hand, risk losing their credibility in the marketplace, especially if their organization has no established track record. Because of these risks, companies seeking to establish a position in the global marketplace will struggle to obtain credibility or a positive reputation if they cannot demonstrate their compliance with international regulations and other countries' legislation. In this context of practicing compliance, certification is key.
The challenge for outsourcing in the future is striking a balance between the need for certification and selecting the appropriate set of certifications that actually contributes to compliance with standards. The cost of implementation will remain a strong argument against investing in certification and will be used to justify merely observing the standards as sufficient. However, the stronger argument for full compliance to meet market demand will no doubt continue to hound companies that have so far failed to position their business successfully in the world market. In this context, certification becomes imperative.
Article written by Lauro Vives
for Asian Quality Magazine