Data regulatory requirements in 2004 will go beyond addressing
financial probity and delve further into the enterprise. Mark
Vernon examines the implications for other parts of the business
and the need for IT to offer more than simple compliance
The greatest challenge companies will face in complying with data
storage regulations in 2004 is that the compliance agenda is about
far more than just tweaking existing accounting packages. The
welter of new governance standards coming into force embraces IT
systems across the enterprise, rather than just financial
applications, as was the case in the past.
Systems as diverse as customer databases, content management
programs, collaboration tools and human resources may have to knit
together. The legislation is not just about setting new standards
of transparency and accountability, but about turning governance
into an ongoing issue - a culture that seeks to deepen and broaden
information flow and reporting.
Organisations face a variety of different kinds of legislation, yet
there is a common set of process arrangements that, when in place,
address many of the demands. In relation to IT, four areas can be
identified:
- Clear and documented authorities and accountabilities: chief
executives must relate properly to chief information officers, who
must in turn be clear about the demands being made on IT
managers
- Robust risk management systems covering operational, financial,
credit and other types by sector: many companies do not have
extensive or well-developed systems
- Sound financial controls, which means sound financial
systems
- A well-developed audit framework for collecting, collating and
delivering management information.
In collecting and delivering management information, storage
clearly comes into its own - and storage suppliers have seen the
opportunity coming. Sue Clarke, senior research analyst at Butler
Group, says, "Stricter regulations are providing new opportunities
for storage providers to supply [products] dedicated to the
retention of specific types of data such as e-mail and other data
that have to be retained for at least six years. Organisations need
low-cost storage devices to archive this data. This market for
hardware and software is growing as organisations begin to wake up
to the fact that they need to make a separate provision for certain
types of data."
We will see the growth of new storage applications, such as data
lifecycle management software, which will allow users to recover
data selectively without calling on the IT department, she says.
"For example, a user could quickly recover e-mails for a certain
period of time. This would also have implications for the rapid
restoration of data required for regulatory purposes."
Storage is also central because of the need to cope with burgeoning
new sources of regulation-sensitive data. The obvious example is
e-mail - its relevance to compliance stems from the fact that
decisions are now often taken online. Legislation such as the
latest accounting standards, which require companies to be able to
explain how decisions were reached, means that e-mail storage and
auditing are vital. New types of communication, such as instant
messaging, are not exempt from the law and represent a significant
volume of online communication. According to a survey from Vanson
Bourne Research, IM is already widespread in half of the UK's
corporate and investment banks. The question is whether they, and
others, are able to ensure IM compliance. Rooting out old messages
from servers that do little more than act as a dumping ground for
electronic communications will not suffice.
Compliance seems set to further boost the role of chief information
officers. With new legislation threatening chief executives and
chief financial officers with imprisonment in the most extreme
cases, a united effort is required, from the top down, if mistakes
are to be avoided. Point solutions in different locations to meet
regulations piecemeal will fail because of inconsistency and
administrative overheads, if not because they do not provide the
enterprise-wide view much of the legislation requires.
"Implementing a holistic framework to address regulatory compliance
initiatives is the first step," says Mark Strauch, managing
director of Business Engine International, an IT project management
and governance specialist. Flexibility is essential. Unless
companies can centralise and simplify their database infrastructure
they will simply not be able to cope with the volume of data
involved, he says.
"The use of a project portfolio management solution, for example,
enables firms to manage the compliance process company-wide by
facilitating cross-collaboration among team members," says Strauch.
He also warns that it is not as simple as issuing a board-level
compliance decree. "A variety of processes must be ingrained within
the everyday workings of the entire workforce. This can include
educational and training activities, internal compliance reporting
systems and the inclusion of regulatory oversight within corporate
operating policy documents."
Business performance management (BPM) is also receiving a boost
from compliance demands, notably the US Sarbanes-Oxley Act. Public
accounting regulations intended to provide greater transparency and
visibility have put pressure on companies to provide better
accountability.
"BPM initiatives typically begin with a desire to move from Excel
in an attempt to support a more centralised, dynamic, and active
planning process within an organisation," says John Van Decker,
Meta Group vice-president. "They often expand top-cover reporting
and metrics management and, when applicable, financial
consolidations." A survey carried out by Meta Group at the end of
2003 showed that only 15% of organisations will do nothing about
BPM in the next 18 months, although there is also confusion about
the BPM supplier landscape.
Harry Baines, company secretary at high-street bank HBOS, says,
"There are many different levels of enthusiasm with which companies
can comply with governance requirements - from the minimalist,
grudging approach that 'ticks all the right boxes' but adds no
value, through to embracing the spirit as well as the letter of
governance arrangements, aiming to comply in a way that delivers
business advantage on top of mere compliance."
Compliance is a game all must play, though just how competently is
a moot point. Indeed, although financial services organisations
seem to be particularly loaded with compliance demands because they
operate in a tightly controlled regulatory environment, Baines
warns that governance can often be more of a challenge in those
sectors less used to it. Comparing the financial sector with
others, he says, "It still requires a lot of attention from board
and company secretaries to ensure that they are in a position to
confirm compliance with external governance requirements - but
probably less effort and attention than might be required outside
the regulated sectors, where internal governance arrangements may
well be less developed. It may be fair to say that 'implementation
effort', although still material, may be less than is the case for
other types of company."
Since governance is here to stay and is rising up the corporate
agenda, the challenge is to find ways of delivering compliance that
also provide business advantage. "The devil is always in the
detail," Baines says, "but, in general terms it should be possible
for companies to adopt an approach to governance that, perhaps over
the medium- to long-term, will deliver value and not simply be a
cost or a further regulatory burden." Progressive companies will be
much occupied with the opportunities for generating such synergy in
2004.
Top five compliance demands facing IT directors
Basel 2
What is it? A new framework for international
financial regulation determined by the Basel Committee, also known
as the Committee on Banking Supervision. Basel 2 is an
international banking accord that will replace the capital rules of
1988. It is intended to mitigate the risks that affect modern
financial markets.
Who does it affect? All financial institutions,
not just banks.
When is the compliance deadline? 2006.
What is required for compliance? Rich stocks of
legacy data are essential for drawing up the picture of
enterprise-wide exposure that the legislation demands, so companies
must start gathering the right data now, as well as addressing the
current level of risk management capabilities.
Sarbanes-Oxley Act
What is it? This US Act embraces a wide range
of compliance measures that drive towards greater information
transparency, accuracy, and accelerated reporting. It creates,
among other things, a framework of responsibilities for audit
committees and other members of boards of directors of public
companies.
Who does it affect? All US companies and their
subsidiaries worldwide.
When is the compliance deadline? June 2004.
What is required for compliance? Everything
from financial records to e-mail communications is affected,
notably in relation to the management, maintenance and archiving of
data. As under Basel 2, companies must invest in storage that makes
available all data relevant to their business activities, including
proof that the processes which led to the creation of the data
conform to the rules.
International Accounting Standards
What is it? Also known as the International
Financial Reporting Standards, this legislation comes from the
European Union.
Who does it affect? Everyone.
When is the compliance deadline? 2005.
What is required for compliance? This will
differ from sector to sector, but it is particularly onerous for
financial services, which will have to reclassify financial
instruments, reassess the measurement of liabilities and assets and
ramp up disclosure. The legislation can necessitate dual-reporting,
according to the old standards and the new. Companies will, in
effect, be running two accounting systems.
Data Protection Act
What is it? An act passed in 1998 designed to
protect people's right to privacy.
Who does it affect? Everyone operating under UK
law.
When is the compliance deadline? Current.
What is required for compliance? Obtaining and
storing of personal data must be fair and lawful. Individuals have
rights to know how, where and why information about them is stored
and to see that information and challenge its accuracy. The rules
apply to paper and electronic records. Data must be kept up-to-date
and not be held for longer than is necessary. It must be stored
securely and not shared outside the EU except under special
circumstances.
Combined Code
What is it? A revision of the old Combined Code
of corporate governance.
Who does it affect? Everyone.
When is the compliance deadline? November 2003.
What is required for compliance? The code is
about enhancing the flow of information between companies and their
shareholders to aid investment decision making. It incorporates
recommendations made in relation to auditing best practices, fraud
avoidance and good accounting. Companies will not be breaking the
law if they do not adhere to the code but they must say so in their
annual reports and their openness and transparency could then be
called into question.
This article is part of Computer Weekly's special report on
storage produced in association with Hitachi Data Systems.