Rescuing the World from Compliance Nightmares
by Michael Pastore
Years from now, two events at the dawn of the 21st century will likely stand out in textbooks that deal with American history — the terrorist attacks of Sept. 11, 2001, and the corporate accounting scandals of 2002 (and beyond). In addition to spawning books of their own, each of these events seems to have had a profound effect on IT. Or at least that's what software vendors would like you to think.
After the Sept. 11 attacks, software and IT strategies that promoted business continuity received a great deal of coverage. In the wake of the corporate accounting scandals, a number of federal and state regulations have been passed, the most talked about being the Sarbanes-Oxley Act of 2002. Sarbanes-Oxley essentially demands that companies maintain an audit trail so that all the information in their financial reports can be verified. (It also requires codes of ethics for senior financial officers, but software can only do so much.)
Compliance with Sarbanes-Oxley, and with all other existing and future regulatory demands, has been a hot topic among hardware and software companies from all corners of the industry, not only because publicly traded vendors must themselves comply with certain regulations, but because software (if you listen to software companies) is the key to compliance.
(In addition to Sarbanes-Oxley, other regulations garnering a lot of attention include the Department of Defense 5015.2 Standard for electronic records management applications and the Securities and Exchange Commission's Rule 17a on broker-dealer recordkeeping.)
Compliance Through Storage
According to a study by Enterprise Storage Group, compliance-related storage products and services could be worth as much as $6 billion over the next four years. With this in mind, a number of storage firms have released new products, or new versions of existing products, with an eye toward serving compliance needs. Here is a small sampling:
Document and Content Management
While storage is a natural fit for the intersection of compliance and IT, many document and content management systems are also beginning to sell themselves as answers to corporate compliance issues. Most enterprise-level content managers already have many of the features that help companies comply with numerous regulations: they define workflow and approval processes and make content accessible and searchable. Here's a small sampling:
According to Open Text's Northover, Sarbanes-Oxley compliance is a lot like ISO 9000 compliance, an area where Open Text's Livelink has been put to use in the past. Like ISO 9000, Sarbanes is not specific, but rather instructs where certain checkpoints should be located in the process without going into detail about how the checking should be done.
Livelink sits at the heart of corporate culture, Northover said. Its collaboration tools define how people work together, its content management component produces the output of employees' work, and by providing training it develops people.
Is Software Crucial to Compliance?
This leads to what is, literally, a thousand-dollar question: if compliance is all about a company's culture and its people, is all of this hardware and software being pitched really the answer to compliance? Not necessarily.
"In the end, this is about culture," Northover said. "Fundamentally, the blunt truth is you can do Sarbanes compliance without software." For a large company, however, compliance with multiple government regulations is a very tall order.
Northover said he doesn't think companies even have a grasp of how much work these regulations are going to require. At this point, many companies are just beginning to talk with consultants about what will be required for compliance. With all the products claiming to be the answer, at least they won't have a shortage of ideas on how to tackle it. But at some point companies will have to decide which products offer a true compliance solution and which vendors are simply labeling their products compliance solutions to grab the low-hanging fruit.
"I myself personally don't think compliance is low-hanging fruit," Northover said. "I think compliance done fully is a lot of work. There's a lot of gritty details."
Any software product that companies call on to help with compliance will need to be very flexible to deal with changing regulations. In addition to more U.S. federal and state regulations, large companies that do business internationally will have to comply with regulations coming from Canada, as well as the E.U., where compliance will likely clash with strict privacy guidelines: a rule that says records must be retained for years can run up against data-protection rules that limit how long personal data may be held.
Another factor that could complicate rollouts of IT projects dealing with compliance is the clash between the IT and business sides of many organizations. Northover compared Sarbanes-Oxley compliance with the deadlines for having Y2K fixes in place three years ago. Y2K, he said, was a technically well-understood problem with a nice, hard deadline, and it was an IT problem with a fix coming from the IT department. Compliance issues come from the general business side, and the business side will be looking for an IT fix.
Much will be written about the corporate culture changes and about how technology is used to enforce compliance in the near future. But the really interesting question is which will prove more powerful: the technology companies employ to keep themselves in compliance, or executive greed.