Getting compliance on the GRID

The Object Management Group is attempting to build a database that may one day serve as a clearinghouse for all the world's IT-related regulations. Some say it's impossible, but others say it's badly needed to keep companies secure and out of the legal crosshairs.

NEEDHAM, Mass. -- Adrian Bowles has a thing for regulations. He's not alone, but he's the only one who sees it as a labor of love and not a necessary evil.

Bowles, a 30-year veteran of the information technology business, sees opportunity where others see fear, confusion and frustration. As program director for regulatory compliance with the Object Management Group's Regulatory Compliance Alliance, he is leading a daunting effort to construct a database that may one day serve as a clearinghouse for all the world's rules, regulations and standards for IT.

Called the Compliance Global Regulatory Information Database (GRID), the project will be a searchable repository, not only offering enterprises an easy-to-follow playbook for adjusting their IT processes and procedures to comply with relevant regulations, but also serving as a bellwether for the regulatory climate in certain areas of the world.

In a nutshell, it would be like a one-stop regulatory check-up for virtually any business. For instance, a financial services firm would be able to query the database for all regulations relevant to financial services firms in the countries in which it operates, plus learn the basics for initiating the compliance process.

With many thousands of regulations in hundreds of countries around the world, describing the project as daunting is a gargantuan understatement. After verifying Bowles' sanity, the next logical question is, is such a comprehensive database even possible?

"Someone at a Big 4 consulting firm said we're an answer to a prayer," Bowles said. "But there's a fair amount of audacity that goes into starting something like this."

That's why Bowles is starting small, sort of. When the first version of the database launches later this year, it will be limited to regulations affecting the financial services industry, and only in about two dozen countries. Still, the preliminary data model (.pdf) on the OMG's Web site for just that single vertical industry lists about 300 regulations.

"The idea of the GRID is several years old now," Bowles said, "but the release that's coming out [this year] is just the tip of the iceberg."

The impetus for the project came during Bowles' work as an independent consultant about four years ago. A number of his enterprise clients began asking whether there was a secret recipe for achieving compliance with labyrinthine regulations like GLB, HIPAA and BASEL II. When his search turned up little useful information, he saw an opportunity.

Not everyone agrees. Abe DeLeon, program manager for risk management with IBM's Global Services group, said his organization tried to build such a database on its own, but soon realized how daunting the challenge would be.

"It's not our key competence, and I would rather hire someone to do it for us and ensure the data is up to date, rather than reinvent the wheel," DeLeon said. "It's not easy to develop such an infrastructure like this."

That's why IBM Global Services has signed on as a GRID sponsor. DeLeon said his company will rely on Bowles' group to keep the data updated, and use it to support and advise its international clients about the regulations to which they must adhere. Plus, he said, it will help his clients stay secure.

"If used appropriately, in the area of Gramm-Leach-Bliley, for example, the key regulatory mandate is that required firms have a very detailed security program," DeLeon said. "Knowing all the mandates like this here and elsewhere will educate our teams and help us to help our clients to secure their data more appropriately."

Unfortunately, Bowles' task is that much more daunting because he has failed once before. A couple of years ago he attempted to get the project off the ground through 101communications LLC, where he launched the organization's IT Compliance Institute.

It was there that the first prototype of the database was built. However, momentum soon waned and Bowles said it became harder for him to muster the support he needed within the organization. His departure followed, and the database seemed doomed until he landed at the OMG, where GRID quickly came to life.

Still, there is skepticism in the industry. Michael Rasmussen, a vice president with Cambridge, Mass.-based Forrester Research, said it will be a major challenge to keep the database current amid the burgeoning mountain of IT-related regulations already on the books.

"And it keeps growing," Rasmussen said. "The U.S. government alone has released 114,000 new regulations since 1981. I think it's too exhaustive of an effort, and that it will get so watered down that it won't be effective."

Plus, Rasmussen said, not only has the effort failed before, but because it is funded by vendors, it gives them an inordinate amount of power and control over the GRID, when it should instead be driven by the needs of corporate compliance and risk officers. "I find that it gives it a bias that doesn't sit well in my mind."

Richi Jennings, an analyst with San Francisco-based Ferris Research, said the GRID project is both laudable and tricky, but not impossible.

"It's certainly a difficult challenge they've set for themselves, and perhaps they need to make it clear that the results shouldn't be seen as definite and complete," Jennings said, "but at the same time, something is better than nothing."

Bowles said if the GRID comes to fruition as he intends, it should provide not only a framework for regulatory compliance, but also an interesting snapshot of the regulatory climate in various regions.

"It will be able to tell us, 'Does a region lean toward personal privacy or data availability?'" Bowles said. "We'd think eventually you'd want to look there if you're considering setting up a new international operation."

Perhaps what ultimately makes the GRID seem both thrilling and harrowing is that it can never be completed. Bowles is keenly aware that rules and regulations around the world are constantly being created and updated, "so from the day you release it," he said, "if you don't update it, it loses value."

Of course, underlying the GRID's mission is the hope that it will help organizations stay secure. Bowles said a number of major security vendors are supporting the effort because they realize that regulatory compliance isn't just about avoiding fines.

"Cost is important," Bowles said, "but mitigation of risk is what will get people's attention."
