Feature
posted 2 Nov 2004 in Volume 1 Issue 5
The compliance conundrum
Organisations in every industry face a maelstrom of legislative regulations and requirements that demand a clearly defined, integrated approach to information management.
Mention the word ‘compliance’ to the next CEO you encounter and watch his reaction. Do his pupils dilate? Does he start tugging at his shirt collar? Or wiping his palms on the side of his jacket? It is astounding the sense of dread such an ambiguous and ill-defined term can inspire. And yet it is precisely the vagaries of the compliance conundrum that cause business leaders such anxiety and frustration. Organisations in both the public and private sector face a raft of legislation, innumerable so-called solutions, and general confusion about what, precisely, is expected of them and what will happen if they fail to deliver. To make matters worse, those charged with devising a strategy to see their organisation through must do so to the metronomic rhythm of the clock ticking in the background, counting down the days, hours, minutes to the point at which they will face the reality of Non-Compliance (about the only word that causes CEOs greater unease than ‘compliance’ itself).
Given the amount of regulations and legislative requirements enterprises now face, it is not surprising that the subject of compliance is causing such a stir. In the
As one might expect, then, knowing where to start is, as Gay says, often what causes enterprises the biggest headache. “Companies are struggling with what regulations apply to them and how to deal with them,” adds Marie Thornton of Entrust. And only once they get beyond this first hurdle will they comprehend the size and complexity of the job they face. As Alex Thurgood of Canon points out, there are three major issues that organisations of all types typically have difficulty coping with. The first is retrieval of information for and from a variety of systems. “Companies want to know how they can link all their legacy systems together in a seamless way,” he says. Security is also a major worry. “They are also concerned that the need to provide information to more people within their organisation may mean that information ends up in the wrong hands.” Finally, while electronic content is inevitably at the forefront of people’s minds, Thurgood has also come across numerous businesses that are wrestling with the task of dealing with paper-based documents as part of their compliance strategy.
Implementing a compliance-focused IT solution may seem the natural remedy. But as Simon Atkinson of Verity says, choosing from the myriad software packages that have flooded the market is something of a risk. “Because you are betting your company on the solidity of the solution, it is very important that the solution works and doesn’t miss any vital information,” he says. Business leaders are also wary that they have been misled, or even lied to, in the past by vendors over-promising and under-delivering. “I’d compare this to the effect of the millennium bug,” says Thurgood. “The perceived impact is so great and the timescales so tight that some people have rushed to vendors that promise a single and immediate solution.” Nick Ellis of Mobius recognises that some software firms have made, as he puts it, ludicrously wild claims for their products. He advises potential buyers to bear in mind that, whatever the marketing material says, the product they ultimately choose will only be part of the overall solution. “How you implement it and the rules and regulations you have in place around your business are also important,” he says. Organisations that purchase a piece of software that they think will be a panacea to all their ills are forgetting that, in Ellis’s words, “it is a piece of software that needs to be installed, its users trained and policies around it considered and developed”.
Of course, software can certainly help. Many solution providers accept, however, that they have a difficult job convincing potential customers who may have had their fingers burnt before. “Vendors need to be upfront about how appropriate their solutions are,” says David Macey of Stellent. “It is vital for compliance solutions to meet IT standards and performance metrics, as well as have the capability to support the many regulatory and compliance demands.” Atkinson agrees that software suppliers need to be truthful about their company and products, honest about their capabilities and, above all, open throughout the sales process. But he also maintains that due diligence is the preserve of the client. “There will always be vendors that are either desperate or dishonest, sad as that is,” he says. “If a client undertakes a proper exercise in due diligence (that is, company, products, people, services and customer care), they are less likely to suffer problems.” It is also important that would-be customers manage their own expectations. No product has yet been developed that will allow an enterprise to become compliant at the flick of a switch. “The bottom line is that no one solution can provide compliance,” says Pelz-Sharpe.
Organisations should therefore be wary of any vendor that offers a complete, one-size-fits-all solution, as Thurgood says. “There are very few ‘solutions’ out there, because this implies one problem,” adds Atkinson. “Compliance means different things to different organisations and markets.” As such, enterprises should identify and look to address specific needs. Gay categorises organisational requirements when it comes to compliance under three broad headings. The first is availability. As Gay says, there is a time restriction on compliance, so systems need to be functioning and available within a specified timeframe. “Integrity is another key area,” he adds, referring primarily to security and the need to protect data and information from unwanted interference. “Third, being able to search and access all of your data is critical. Just storing data does not make you compliant. There are plenty of examples where companies have had information that would have bailed them out of a disclosure notice, but they couldn’t retrieve that information.” Gay challenges business leaders to consider whether or not their organisation would pass what he calls the Enron test. “If I said to you today, retrieve every record or every e-mail sent or received that contains the word ‘Enron’, could you do it? Most customers would sadly confess that they probably couldn’t.”
Indeed, e-mail is necessarily a major consideration in most compliance strategies. “Corporate e-mails require policies and management technologies to manage them effectively, which includes not only being able to retain and store e-mails, but also the ability to effectively retrieve them,” says Macey. Atkinson agrees, describing e-mail as a colossal part of corporate life and communications.
“It is the most likely area in which to find references and content that might indicate a provable breach of compliance standards,” he says. Some companies have in fact learnt this the hard way. “Most fines in the
As ever, though, and as already intimated, tools and technologies will only carry you so far along the road to compliance. Effective policies and work processes are critical in any compliance strategy, regardless of which IT solutions a company opts to put in place. Some industries are already one step ahead in this regard. Pelz-Sharpe, for instance, points to the oil and gas and pharmaceutical sectors as among those that have, as he puts it, embraced a culture of compliancy. In most organisations, though, there is a great deal of work still to be done. As a knee-jerk reaction to the time-sensitive demands of compliance legislation, some businesses have gone looking for the proverbial magic bullet, when in fact their efforts would have been better spent focusing on internal working practices. Fortunately, as our survey, outlined in the Information Management Compliance supplement enclosed in this magazine, reveals, many now recognise that business-process management is the area that requires the most attention if organisations are to meet the demands imposed by SOX, FOI, Basel II et al. As Pelz-Sharpe says, “Eighty per cent of the effort involved in meeting regulatory requirements is cultural and people centred. If your organisation has a non-compliant culture, no software in the world will help you.”
It is easy to see why compliance is causing business leaders so many sleepless nights. To make matters worse, and as Gay suggests, becoming compliant is not something organisations can do and then forget about. “It is a continual process of good governance and good procedures and discipline around your IT practice,” he says. “You can’t reach a state of compliance; you cannot just tick a box and move on to your next project. It is something you need to continually work at.” But therein also lies an opportunity. Regulations that force organisations to get their information-management practices in order are just the motivation many businesses need. The process may be painful and expensive in the short term, but the end result should be improvements to efficiency and operational effectiveness that help to build genuine competitive advantage. And that is something every CEO should aspire to achieve, irrespective of the threat of prosecution.