Business managers used to be able to turn a blind eye to things that were happening in their department, following the adage that what you didn't know couldn't hurt you.
But these days, thanks to tighter legislative and regulatory restrictions, the opposite is true. High-profile cases such as Enron and WorldCom have prompted governments on both sides of the Atlantic to come down hard on companies, asking for more information about their operations than ever before. The penalty for not delivering can go beyond mere fines.
For example, the Sarbanes-Oxley legislation in the US, designed specifically to stop any more Enron-like debacles, has specific contingencies to jail directors who don't comply.
Even if you are not a subsidiary of a US company, and therefore not vulnerable to US legislation, the rules are becoming equally stringent on this side of the pond.
The most significant move to regulate companies over here comes in the form of the Joint Committee Report, combining the Higgs and Turnbull reports on corporate governance.
Directors who believe that simply archiving their email is enough to ensure corporate governance are wrong, claims AXS-One chief executive John Rade, whose company ironically sells records and email management software.
"For the first time the government is saying that data isn't enough," says Rade, arguing that corporate governance reporting is as much about the "how" as about the "what".
"It's not a data problem, it's a process problem," he says. Processes must not only be documented, but also need to be followed through.
It's only after you have tackled this problem that you can truly begin to address the data management part of the compliance challenge. Only by recording the information that flows through your company can you ensure that the processes you have defined are being implemented properly.
Working out the processes that underlie your company is a job for business departments, but documenting them and policing them is something that requires help from the IT department.
Many IT departments will already be overworked and under-resourced as a result of the downturn over the past two years. They will have a huge base of legacy data that they must contend with, and many will see governance and compliance projects as a 'wheel fix' solution which, like year 2000 compliance before it, offers no business gain other than avoiding disaster.
Dr Paul Toyne, director of corporate governance consultancy Article 13, explains that for this reason, the IT department must be brought on board early in a governance project, so it can feel it partly owns the project.
IT managers can also help business experts interpret the practical steps that they can take to address compliance rules, which are often relatively vague because they are sector independent.
"We need to recognise what an IT department can do," says Toyne. "Business people probably don't know."
Colin Clark, corporate cost audit manager at Somerfield Stores, works in the finance department, but liaised closely with the IT department when preparing for regulatory work with the Office of Fair Trading.
Clark says supermarkets have come under particular scrutiny in the past four years from critics who have accused them of unfair pricing, especially following consolidation in the retail market. He had to be sure that his internal governance procedures, supported by data records, protected him from any future investigations.
He ended up specifying and buying an email management product from mail-archiving company KVS, on the grounds that email is not simply an IT resource, but extends throughout the company.
The idea was to move from a situation in which email was stored across 3,500 desktop machines to a central, read-only archive. "How can you have a situation in which 3,500 people dictate your email management policy?" he asks.
Although specifying his own software choice doesn't appear to give the IT department much project ownership up front, he worked closely with IT managers to implement and support it, and ensured there were benefits for them, too.
Migrating from PST files (Outlook files normally held on local machines) to a new architecture in which an Exchange server holds nothing more than pointers to a central email archive helped to reduce the IT department's storage requirements and make the system more manageable.
"It became a joint venture between us. I was buying software to make my life easier, but it would also make their life easier," he says.
Now, although Clark has made the choice not to store all internal demands following a risk assessment, he does store all emails crossing the firewall, so there is a record of interactions with external parties.
This echoes a recommendation made by AXS-One's Rade: it is important to be able to get a snapshot of your business communications at a certain point in time, to help you trace a decision-making process.
Unfortunately, just as regulations are tightening up, the amount of data that we produce is increasing exponentially.
Email, which represents just one part of the equation, can be dealt with intelligently to help reduce storage requirements. For example, the standard practice of copying email to a read-only archive at the time of creation or reception can be managed so that emails sent to multiple people are only stored once.
Companies must also think about other data types, both transactional and non-transactional. Documenting, for example, input from your SAP system for non-repudiation purposes can help you to get a clear picture of your business processes and just how well they are being supported.
But instant messaging is more difficult to manage. More companies are moving towards instant messaging as a business tool: Reuters, for example, now uses it as a means of disseminating information in the financial community. Firms will have to engage with it rather than simply prohibiting it, especially since, as Rade reports, the Securities and Exchange Commission is now working on instant messaging legislation to follow up its existing 17a-4 email management rules.
Clearly, the need for business governance is becoming more of an IT issue than ever before. Only by working together will IT and business managers protect the organisation from future ramifications.
Technologies designed to make compliance easier
Security
Security is a part of internal control guidelines in both Sarbanes-Oxley and the UK Turnbull report. Proving that you have followed the spirit of regulatory guidelines in this area is important. Citicus produces risk-analysis and management software to help methodologically capture security risks and plug the holes.
Policy policing
Policies are only as good as the people who implement them. Peter Malcolm, UK managing director of Orchestria, is selling a piece of software called Active Policy Management.
It uses a mixture of keyword searches and Bayesian analysis techniques to check communications such as email and instant messaging as they happen.
"We are examining communications before they ever leave the user's desktop, to ensure that they are compliant," says Malcolm.
Business managers can set rules to help trap specific communications patterns that could violate regulations, and alert compliance officers so they can "educate" the individuals involved.
Email archiving and content management
IXOS has just produced a version of its content-management system to help companies meet compliance requirements.
It not only takes data in email form, but also from systems such as SAP, and from legacy sources, storing it in a central data repository.
The first version complies with US rules including NASD3010/3110, NYSE Rule 440 and the SEC 17a-4 rules on email retention.
UK managing director Nick Ellis says the company will also produce versions for other legislation.
Data mining and reporting
Business intelligence companies such as Hyperion are getting in on the compliance act, releasing tools designed to help chief executives serve up financial data more regularly to shareholders.
Hyperion offers a business performance benchmarking tool to help companies establish and police performance metrics.
Its financial management tool aims to help companies keep pace with shrinking reporting cycles and meet new accounting standards.
Data analysis
Before you can understand how your data storage can document and support your processes, you have to understand your data. Avellino sells a product called Discovery, which trawls company data to find duplicates, misspellings, broken data rules and invalid data structures, to help customers re-engineer it.
IT governance
Mercury Interactive has repackaged the tools it bought from Kintana into a governance suite.
IT departments coping with new governance requirements have to reallocate budgets and people, and accommodate compliance projects by moving around other deadlines.
Mercury's 'IT dashboard' approach helps IT directors stay on top of things, claims UK managing director David Harrison.
It also helps the IT department show the board it is running a tight ship. www.merc-int.com








