Cisco: Poster child of regulatory compliance

The perfect storm that gave rise to Cisco Systems’ compliance initiative — often cited as exemplary — started brewing in the mid-to-late 1990s as the tech industry was widely perceived as a sleigh ride to riches. Prime acquisitions in addition to the company’s plan to counter the Y2K menace in part bolstered Cisco’s shares. Behind the scenes the company was also coping with the complexities of a unified currency in Europe, a deluge of data privacy laws in the United States, and its own high-level mission to create a single, worldwide HR system.

Headlines of corruption and corporate malfeasance in the years that followed spawned the Sarbanes-Oxley Act and its ilk. By then, Cisco was already operating from a position of “strong leadership, people who knew how to work together, and what has been called a high ‘business IQ,’ ” according to Gartner analyst Robert Handler, who praises the company’s compliance initiatives in his book IT Portfolio Management: Unlocking the Business Value of Technology.

“If we’ve been successful, it’s because we’ve had a continual stream of initiatives that demanded cross-functional business operations,” says Guido Jouret, global head of the innovations team in Cisco’s Internet business solutions group (IBSG). In other words, the left hand was adept at knowing what the right was doing — across departments, divisions, and oceans.

Tim Merrifield, IBSG’s director, was assigned to lead the team that among other tasks coordinated the response to Sarbanes-Oxley. The team’s efforts brought to bear an extensible compliance framework that was continually integrated into the company’s wider-reaching risk-assessment operations.

“In order to be effective there needed to be a single, coordinated response rather than having multiple organizations pursuing different responses,” Merrifield says.

His team was charged with identifying the provisions of Sarbanes-Oxley that would impact the business and sought to work with the appropriate, legal, financial, and HR divisions to enact IT policies that would help ensure the accuracy of financial reports — all the while keeping channels of communication flowing among departments.

The team enacted an IT portfolio management approach that made KBR (keep the business running) activities Job No. 1. But second on the list was implementing a compliance framework to satisfy the auditors. “It’s non-negotiable; people go to jail,” Merrifield says.

In terms of prioritization, “regulatory compliance goes up top,” Merrifield adds. From a portfolio management perspective, he says, a company can know only what its “discretionary” expenditures are after all the compliance mechanisms are sound and tightly enforced.