Compliance: what to store and why

Data regulatory requirements in 2004 will go beyond addressing financial probity and delve further into the enterprise. Mark Vernon examines the implications for other parts of the business and the need for IT to offer more than simple compliance

The greatest challenge companies will face in complying with data storage regulations in 2004 is that the compliance agenda is about far more than just tweaking existing accounting packages. The welter of new governance standards coming into force embraces IT systems across the enterprise, rather than just financial applications, as was the case in the past.

Systems as diverse as customer databases, content management programs, collaboration tools and human resources may have to knit together. The legislation is not just about setting new standards of transparency and accountability, but about turning governance into an ongoing issue - a culture that seeks to deepen and broaden information flow and reporting.

Organisations face a variety of different kinds of legislation, yet there is a common set of process arrangements that, when in place, address many of the demands. In relation to IT, four areas can be identified:

  • Clear and documented authorities and accountabilities: chief executives must relate properly to chief information officers, who must in turn be clear about the demands being made on IT managers

  • Robust risk management systems covering operational, financial, credit and other types by sector: many companies do not have extensive or well-developed systems

  • Sound financial controls, which means sound financial systems

  • A well-developed audit framework for collecting, collating and delivering management information.

In collecting and delivering management information, storage clearly comes into its own - and storage suppliers have seen the opportunity coming. Sue Clarke, senior research analyst at Butler Group, says, "Stricter regulations are providing new opportunities for storage providers to supply [products] dedicated to the retention of specific types of data such as e-mail and other data that have to be retained for at least six years. Organisations need low-cost storage devices to archive this data. This market for hardware and software is growing as organisations begin to wake up to the fact that they need to make a separate provision for certain types of data."

We will see the growth of new storage applications, such as data lifecycle management software, which will allow users to recover data selectively without calling on the IT department, she says. "For example, a user could quickly recover e-mails for a certain period of time. This would also have implications for the rapid restoration of data required for regulatory purposes."

Storage is also central because of the need to cope with burgeoning new sources of regulation-sensitive data. The obvious example is e-mail: its relevance to compliance stems from the fact that decisions are now often taken online. Legislation such as the latest accounting standards, which require companies to be able to explain how decisions were reached, means that e-mail storage and auditing are vital. New types of communication, such as instant messaging, are not exempt from the law and represent a significant volume of online communication. According to a survey from Vanson Bourne Research, IM is already widespread in half of the UK's corporate and investment banks. The question is whether they, and others, are able to ensure IM compliance. Rooting out old messages from servers that do little more than act as a dumping ground for electronic communications will not suffice.

Compliance seems set to further boost the role of chief information officers. With new legislation threatening chief executives and chief financial officers with imprisonment in the most extreme cases, a united effort is required, from the top down, if mistakes are to be avoided. Point solutions in different locations to meet regulations piecemeal will fail because of inconsistency and administrative overheads, if not because they do not provide the enterprise-wide view much of the legislation requires.

"Implementing a holistic framework to address regulatory compliance initiatives is the first step," says Mark Strauch, managing director of Business Engine International, an IT project management and governance specialist. Flexibility is essential. Unless companies can centralise and simplify their database infrastructure they will simply not be able to cope with the volume of data involved, he says.

"The use of a project portfolio management solution, for example, enables firms to manage the compliance process company-wide by facilitating cross-collaboration among team members," says Strauch. He also warns that it is not as simple as issuing a board-level compliance decree. "A variety of processes must be ingrained within the everyday workings of the entire workforce. This can include educational and training activities, internal compliance reporting systems and the inclusion of regulatory oversight within corporate operating policy documents."

Business performance management (BPM) is also receiving a boost from compliance demands, notably the US Sarbanes-Oxley Act. Public accounting regulations intended to provide greater transparency and visibility have put pressure on companies to provide better accountability.

"BPM initiatives typically begin with a desire to move from Excel in an attempt to support a more centralised, dynamic, and active planning process within an organisation," says John Van Decker, Meta Group vice-president. "They often expand top-cover reporting and metrics management and, when applicable, financial consolidations." A survey carried out by Meta Group at the end of 2003 showed that only 15% of organisations will do nothing about BPM in the next 18 months, although there is also confusion about the BPM supplier landscape.

Harry Baines, company secretary at high-street bank HBOS, says, "There are many different levels of enthusiasm with which companies can comply with governance requirements - from the minimalist, grudging, approach that 'ticks all the right boxes' but adds no value, through to embracing the spirit as well as the letter of governance arrangements, aiming to comply in a way that delivers business advantage on top of mere compliance."

Compliance is a game all must play, though just how competently is a moot point. Indeed, although financial services organisations seem to be particularly loaded with compliance demands because they operate in a tightly controlled regulatory environment, Baines warns that governance can often be more of a challenge in those sectors less used to it. Comparing the financial sector with others, he says, "It still requires a lot of attention from board and company secretaries to ensure that they are in a position to confirm compliance with external governance requirements - but probably less effort and attention than might be required outside the regulated sectors, where internal governance arrangements may well be less developed. It may be fair to say that 'implementation effort', although still material, may be less than is the case for other types of company."

Since governance is here to stay and is rising up the corporate agenda, the challenge is to find ways of delivering compliance that also provide business advantage. "The devil is always in the detail," Baines says, "but, in general terms it should be possible for companies to adopt an approach to governance that, perhaps over the medium- to long-term, will deliver value and not simply be a cost or a further regulatory burden." Progressive companies will be much occupied with the opportunities for generating such synergy in 2004.

Top five compliance demands facing IT directors

Basel 2  

What is it? A new framework for international financial regulation determined by the Basel Committee, also known as the Committee on Banking Supervision. Basel 2 is an international banking accord that will replace the capital rules of 1988. It is intended to mitigate the risks that affect modern financial markets.  

Who does it affect? All financial institutions, not just banks. 

When is the compliance deadline? 2006.  

What is required for compliance? Rich stocks of legacy data are essential for drawing up the picture of enterprise-wide exposure that the legislation demands, so companies must start gathering the right data now, as well as addressing the current level of risk management capabilities. 

Sarbanes-Oxley Act 

What is it? This US Act embraces a wide range of compliance measures that drive towards greater information transparency, accuracy, and accelerated reporting. It creates, among other things, a framework of responsibilities for audit committees and other members of boards of directors of public companies. 

Who does it affect? All US companies and their subsidiaries worldwide. 

When is the compliance deadline? June 2004. 

What is required for compliance? Everything from financial records to e-mail communications is affected, notably in relation to the management, maintenance and archiving of data. As under Basel 2, companies must invest in storage that makes available all data relevant to their business activities, including proof that the processes which led to the creation of the data conform to the rules.

International Accounting Standards 

What is it? Also known as the International Financial Reporting Standards, this legislation comes from the European Union.  

Who does it affect? Everyone. 

When is the compliance deadline? 2005. 

What is required for compliance? This will differ from sector to sector, but it is particularly onerous for financial services, which will have to reclassify financial instruments, reassess the measurement of liabilities and assets and ramp up disclosure. The legislation can necessitate dual-reporting, according to the old standards and the new. Companies will, in effect, be running two accounting systems. 

Data Protection Act 

What is it? An act passed in 1998 designed to protect people's right to privacy.

Who does it affect? Everyone operating under UK law. 

When is the compliance deadline? Current. 

What is required for compliance? Obtaining and storing of personal data must be fair and lawful. Individuals have rights to know how, where and why information about them is stored and to see that information and challenge its accuracy. The rules apply to paper and electronic records. Data must be kept up-to-date and not be held for longer than is necessary. It must be stored securely and not shared outside the EU except under special circumstances. 

Combined Code 

What is it? A revision of the old Combined Code of corporate governance. 

Who does it affect? Everyone. 

When is the compliance deadline? November 2003.  

What is required for compliance? The code is about enhancing the flow of information between companies and their shareholders to aid investment decision making. It incorporates recommendations made in relation to auditing best practices, fraud avoidance and good accounting. Companies will not be breaking the law if they do not adhere to the code but they must say so in their annual reports and their openness and transparency could then be called into question.

This article is part of Computer Weekly's special report on storage produced in association with Hitachi Data Systems.