For many business leaders the onslaught of new corporate governance regulations has appeared as an unwelcome, expensive and distracting burden to running day-to-day operations. Measures introduced to curb mismanagement on a grand scale – such as the Enron case – can appear irrelevant to those that have always managed their businesses in good faith.
And the costs involved are staggering. In 2004, multinational conglomerate General Electric became one of the first companies to publicly reveal the price of dealing with the new corporate governance regulations. Its estimates: $30 million a year.
Over the next five years, analyst group IDC estimates that global spending on compliance-related technologies will exceed $21 billion. The cost of maintaining compliant operations can be enormous, but is all this money being wasted on simply counting beans, ticking boxes?
Far from it, says Vivian Tero, a senior research analyst at IDC. The organisations that are coping with compliance best “understand that demonstrating good corporate governance is critical to their brand and positively impacts their cost of doing business,” she adds.
But while some CIOs may pay lip service to the notion that compliance provides a baseline for best business practice, others have seized the opportunity to introduce new methods of working that are helping drive the business forward. This is a look at some of the key technologies helping CIOs deliver on both the compliance and business improvement agendas.
Information retention
MANY of today’s corporate regulations share one common denominator: they all seek to impose greater accountability for information retention. This in turn has given rise to an increased interest in records management as a method of controlling the creation, management and ultimately, disposal of corporate information.
Digital records, such as Word documents, emails, spreadsheets and voicemails can be tracked through using technology. But as the number and type of digital records expands, and the diversity of applications and content repositories similarly increases, standalone records management applications begin to seem inadequate, says Kenneth Chin, research vice president at analyst group Gartner.
“The future for records management is increased integration with e-mail active archiving, compliance and e-discovery applications,” he says.
Increasingly, email records are now forming part of the overall records management system and for many organisations, email archiving – creating a searchable repository of all their email – is now an essential part of their compliance portfolio.
This, in turn, is driving spending on email archiving technology. According to market watchers the Radicati Group, European business will increase spending on email archiving from e207 million in 2005 to e1.8 billion by 2009.
But the benefits of records management extend far beyond mere improvements in email archiving. At the Scottish Executive, records management technologies have been used to improve the organisation’s internal and external sharing of information.
And while the Freedom of Information Act and the Data Protection Act may have guided the implementation of a new records management system, it has allowed the organisation to reduce the costs of storing paper documents, and improved operational agility through enhanced information sharing. The project “is seen as key to securing sustainable improvement in the Executive’s agility and effectiveness,” says Liz Ure, head of information strategy at the Scottish Executive.
Litigation protection
ThE $1.45 billion legal bill issued to investment bank Morgan Stanley has done much to alert executives of the need for robust electronic discovery capabilities. But Morgan Stanley is not the only business finding out that need the hard way: high profile cases of inadequate e-discovery practices also include Merck and UBS Warburg.
As the shift away from using paper records to electronic documents intensifies, the ability to find critical information amid a morass of corporate data is similarly increasing.
Finding, collecting and sorting information from multiple, large, data repositories is an immense challenge – according to IT advisory group Forrester Research, large organisations can easily generate 1 million emails a day.
Businesses “are sitting on a data landfill. All the data is there, we just cannot get it out,” says Mark Donkersley, MD at records management vendor AXS-One.
Time becomes a critical factor for businesses involved in litigation, adding to the burden. This has encouraged vendors to develop a range of electronic discovery (e-discovery) tools, capable of finding relevant documents in all manner of formats, from emails, to PDFs and PowerPoint presentations.
The range of vendors offering products already exceeds 400, according to Forrester, and includes technologies such as content analysis, search, email archiving and data collection.
Indeed, the early evidence suggests that companies that deploy e-discovery tools before they are subject to litigation can reduce the costs that eventually ensue from that litigation, says Barry Murphy, a senior analyst at Forrester: “Organisations that continue to conduct fire drills when discovery requests come in will undoubtedly endure higher costs and risk sanctions resulting from improper e-discovery efforts.”
However, implementing e-discovery technologies can also help organisations to get a better understanding of the data they generate, says David Macey, executive vice president at content management vendor Stellent. “Even where companies have a very mature content management strategy in place, typically this still only constitutes a small portion of the total content that is managed in that repository.”
The remainder of the content that might be included in a discovery request could be located elsewhere in the enterprise, such as in folders on users’ hard disk, laptops or servers, he says.
Process veracity
Executives at software giant CA (formerly Computer Associates) probably have more war stories about compliance than most. A string of accounting scandals has hit the company, and it is still suffering the consequences.
Against this backdrop, a fresh onslaught of regulations – such as Sarbanes-Oxley (SOX) – was the last thing its executives needed. But that is exactly what they got.
As Phil Stunt, CA’s CIO for Europe, the Middle East and Africa, explains, the company took urgent action to ensure that it fully met the SOX requirements in the first year. “We undertook the mother of all audits. But after that first year, it soon became apparent that the effort was not sustainable: we needed to make sure that compliance became a part of every single business process.”
The combination of systems management and workflow technologies and enterprise resource planning (ERP) suites is seen by many as the easiest way to build compliant behaviour into day-to-day business processes.
The response from technology vendors has been to introduce ERP compliance modules, process management tools and business rules engines. These tools allow executives to introduce process controls, providing greater oversight and insight into transactions.
At Commerzbank, the German financial services institution, a business rules engine provides evidence that its credit rating system is compliant with Basel II, regulations that control how financial services companies manage risk and that are due to come into affect in 2007.
Introducing a business rules engine from ILog has helped Commerzbank comply with Basel II in two ways: demonstrating which credit rating rules were compliant, and correcting those that were not.
At specialist medical equipment manufacturer, Creganna Medical Devices, its compliance efforts were part of a much wider efficiency drive. It had been running the bespoke ERP system, but the rapid international expansion of the business had taken that system to its limits, says quality manager Steven Langan.
And while the introduction of an ERP package from Oracle supported the business expansion, it also introduced electronic signatures and records standards that were verified by the US Federal Drug Administration, making it more efficient to comply with its quality standards.
Access controls
FOR today’s business leader, the loss of reputation resulting from breaches in security should be well understood. The damage is even greater when failures result in the loss of sensitive personal information. And yet, cases are still making the headlines.
A case in point is the US Department of Veterans Affairs. In May 2006, the theft of a laptop from an employee’s home resulted in the social security numbers of 26.5 million veterans potentially entering the black market.
It should come as little surprise then that many of the current wave of regulations governing business stress the importance of managing information access controls.
But with the range of data repositories such as databases, spreadsheets and emails growing and the variety of methods used to access that information also increasing, organisations face a Herculean task in trying to control this.
As Robert Whiteley, a senior analyst at Forrester Research explains, this has prompted an upsurge in demand for
network access control (NAC) technologies. “Organisations want NAC for increased security across all access technologies – wired, wireless, and remote-access alike.”
NAC typically use a mix of both hardware and software to dynamically control access to systems, using a predefined policy. This prevents unauthorised access both internally and externally, but also allows management to provide a compliance check against that policy.
However, such systems can still be undermined by so-called ‘ghost accounts’, where employees have left, but their accounts remain live.
US facilities management company, Unicco, employed IBM’s Tivoli Identity Management suite to tighten its grip on its 1,500 user accounts, and comply with local patient information regulations. By making it easier and faster to provision and cancel accounts, Unicco has reduced the risk of unauthorised access, while simultaneously reducing its own workload.
Device-level encryption further ensures the protection of personal customer or employee data. Insurance giant Swiss Re uses PointSec encryption software to ensure that without key identification data, the contents of its employees’ laptops are just a meaningless scramble.
Alongside compliance considerations, it also provides the basis for a single sign-on system, meaning that, again, heightened security is accompanied by a simpler experience for the user.
Data integrity
SEVERAL of the UK’s largest law firms saw hundreds of their essential records go up in flames following a fire at one of Iron Mountain’s document storage facilities in London, in July 2006. For law firm Norton Rose, this disaster has validated its strategy to increase the storage of documents electronically.
Electronic storage is an attractive option to many businesses, not just law firms, as it reduces the reliance on paper records and the need for vast storage facilities. However, it presents business leaders with a challenge in demonstrating the integrity of the record.
One solution to maintaining the integrity of such records is to use write-once storage media such as CDs or DVDs, but this does nothing to alleviate the risks of storing records as physical objects.
An alternative approach, beginning to gain traction, is content-addressed storage (CAS). CAS systems assigns an unique key for each file, based on the actual contents of the file. If the file is altered, a new key is generated. This unique key also makes it far easier to locate files stored for many years. Traditional storage file systems use a location-based approach, but if the record path changes – by replacing a drive for example – it can become difficult to trace records.
However, in some cases, regulations place further demands on organisations: businesses may need to demonstrate not only that stored data has not been changed, but that it can only be accessed by those with appropriate authorisation.
In such cases, protecting data at rest can be achieved through encryption. This is an area that the storage vendors have been keen to explore – in 2005, Network Appliance bought Decru, an encryption specialist, while in mid-2006 EMC promised its acquisition of RSA Security would enhance its encryption capabilities.
However, current regulations differ greatly in their approaches to encryption, notes Paul Stamp, an analyst at Forrester Research. “Organisations must look for [encryption] solutions that can address their multiple data protection needs across infrastructure components, like email, databases, and file repositories.”