Sarbanes-Oxley, Basel II, health and safety, data protection... take your pick on the legislation merry-go-round, there is plenty more to choose from. Fail to comply with their multitude of often-conflicting regulations and you could end up paying huge amounts. Only last month Shell faced a £900,000 fine for a serious breach of health and safety that led to the death of two workers.
Making your organisation compliant should be an opportunity to put best business practices into place, creating a slick-running operation with better access to information. Sarbanes-Oxley is attempting to put best practice into law. Most companies, however, choose to see the slew of legislation as a threat rather than an opportunity.
The truth is, as Butler Group senior research analyst Mike Davis says: "Companies don't want to be compliant as it takes them away from doing business. If everyone has to follow the same rules, you'll create a level playing field and then they'd have to compete on services and products and they'd much rather just find ways to save money."
Faced with the terrifying prospect of being audited, companies are eager to do the minimum it takes to placate officials. The knee-jerk reaction is to lob hardware and software at the problem rather than think more strategically. If legislation demands that they be able to find a particular document, email or instant message, then they will save every scrap of data rather than risk deleting something important, and they'll invest in bigger, better archiving systems to do it.
"I think most people are panicking and most first-generation archiving is done at the level of grab the data and shovel it in bucket-loads onto media," says Dave Hunt, CEO of data and email archiving company C2C. This "you're gonna need a bigger boat" mentality does not really deal with the underlying problem, however. For one thing it is phenomenally expensive to save all information, particularly transactional data. Storing data is not the problem; accessing it is.
Even if you organise your storage so that you can retrieve data easily, it will not solve compliance problems alone. It is the people and processes that surround that technology that will truly make the difference.
"In typical organisations they don't really understand how data moves around. If they need to bring back critical data they have to bring back everything," says Jon Pavitt, professional services manager at StorageTek.
Compliance demands a shift in company culture rather than just a shift of funds into a particular vendor's bank account. Just think about the Nick Leeson Barings Bank debacle. More attention to the people and process aspects of compliance could have avoided disaster. "It's the culture," says Marcus Hill, business development manager for CMM (capability maturity model) at BT. "Nick Leeson knew he was breaking the rules, but the culture was that traders take risks. I think that's a pivotal point and that's the bit organisations will struggle with. We can all buy technology, but how to change the corporate culture is the $6bn question."
BT is well known for its flexible working practices and has had to think about how it maintains its company procedures and culture, even when employees are working at home rather than the office.
"We use web-based learning and have mandatory training that is logged down to the laptop number," explains Hill. In other words, there's no ducking the training. "Because we're regulated by Ofcom, it's important our employees understand why it [compliance] is important. That comes down to regulations and coherent communication."
Think about emails too. Companies can set up all kinds of sophisticated archiving and filtering systems for emails, but they can still be caught out by a hapless employee accidentally sharing confidential information with the wrong people. Creating an email usage policy - not only training employees how to use it but also explaining why it is important - will do as much as any piece of kit.
As email mutates from being a non-essential tool into a business-critical one, such email policies will become even more important. "We're starting to see a lot more education about the appropriateness of using email and enforcement of email policies," says Christopher Frampton, Veritas head of business continuity management, EMEA. "Even a simple email that says 'Yes' could be construed as a contractual obligation."
If people are involved in any process, mistakes are inevitable. "People will make mistakes, we all do that," says Nigel Hopgood, Sun Microsystems UK's head of compliance. "Culturally, we need to think: we don't pillory people for doing that. People do need to take risks, but what processes do we have to do that? And when we do find what went wrong, what do we do to ensure that it doesn't happen again? Then culturally people will start doing this."
Automating key business processes, such as automatically forwarding emails to the correct storage media, can help, but as James Governor, co-founder of industry analyst company RedMonk, points out: "You can do some of it by automation, but in the same way you can't filter out all spam, you can't automate everything. There's no such thing as a business process with no people in it."
And be careful what you choose to automate, otherwise costs could spiral. A little staff education could reap substantial rewards, both by training people in the correct procedures and by showing them how to use a software package properly. In fact, according to Hill: "Some people say that 50% of the cost of compliance is training, education and analysis."
You cannot just come in on a Monday morning and declare a change of culture, of course. It takes time and perseverance. And change needs to come from the top.
A good place to start is to align your compliance strategy with your business strategy. That involves analysing your business processes - such as how a mortgage request is dealt with from the first enquiry to the sale - because that will highlight how your company works now and how it could potentially work better.
"Like all things in life, one of the hardest things is getting started," says Pavitt. "You need to have processes and they need to be carefully documented. For a start, you need to have a policy because you need to have a reference point, but it has to be a living document."
As with an audit trail, companies need to document all the assumptions and dependencies in each process and establish which parts of the organisation it crosses. Again, that is easier said than done. Most companies develop in an ad hoc way, and their procedures and processes grow organically rather than following logic or best practice. Each department will have its own unique way of doing things. Multinationals have even more to contend with, as privacy laws differ greatly from country to country. Clever companies are looking beyond Basel II et al and will use it as a catalyst to streamline those processes.
"Compliance is a binary state: you either comply or you don't. It's as simple as that," says Shaun Fothergill, UK and Ireland security strategist at Computer Associates. "However poorly constructed, business processes that are fundamentally inefficient will still allow an organisation to be 'compliant' eventually. The problem is that this does not drive cost in the right direction nor does it allow for fuelling business growth and effectiveness. Compliance can be used as a catalyst for growth, but here is where process needs to be properly managed."
Process gurus
Many big companies are appointing compliance officers as process tsars, with responsibility for identifying and managing the changes needed to comply with legislation. In smaller companies it is often the financial director who shoulders the responsibility for compliance. Because this is new territory for most companies, they should attack it as they would any large new project management initiative: break it down into manageable sections.
Ken Turbitt, global practice director at BMC, argues that there are already established initiatives to help, such as ITIL (the Information Technology Infrastructure Library), whose 'documented best practice' was devised by the British government.
But compliance officers cannot do it alone. Companies need to set up a compliance team made up of legal representation, IT, finance and business unit heads. This team can then identify the business processes, and IT can work out the best storage solution to fit those needs.
"Quite clearly, the nucleus of the storage strategy lies with the IT infrastructure group," says Stephen Nunn, a partner in Accenture's data centre technology and operations practice. "They need to have advisors from all parts of the business. Legal will only be able to give you high-level information. You also need business representatives who can take the guidelines and say, 'Within my business we store data in this particular process'. Then the applications team can actually say how that bit of data is stored on the database. Then that needs to be maintained in a certain way and you come back full circle to IT, who can decide the new technology needed to underpin that."
In an ideal world, companies would sort out the policies and procedures before they went out and bought any solutions. But the tight deadlines for legislation such as Sarbanes-Oxley have meant that many have taken the more pragmatic approach of 'better to do something now than nothing at all'. And do not think you can do everything. In the same way that you could throw infinite funds at the NHS and it would still need more, compliance will soak up every penny you send its way.
As Nunn says: "It takes time to analyse and understand what data you are storing. So you need to involve the business. The business people are the ones who understand what that data is doing. There's a trade-off between technology investment versus time to get it right. It's easy just to put a wodge of technology into the data centre rather than spend time to look at the structure."
But looking at that structure will pay dividends in the long term. Companies need to discover who gets access to data, how long that data needs to be held and how often it is accessed, how important the data is, and what media it should be stored on. It also needs to be transparent if, when and how that data has been modified. In other words, companies should be implementing information lifecycle management: storing data in the optimum place for the company.
So compliance should be driving organisations to study their storage strategy and make the best match between data and media available. It does not necessarily mean buying more storage, just using what you have more efficiently. And that means saving money on the IT budget that can be spent elsewhere.
Centralised strategy
Just as companies should centralise their storage needs, they also need a central compliance strategy. Organisations will typically tackle legislation on a local level: one team will look at Basel II and another at data protection.
Ian McMillan, a partner in the financial management practice at IBM Business Consulting, agrees: "You've got point solutions driven by different demands and that really is not the way to do it."
Sun's Hopgood says that companies need to stand back and take a more holistic view of compliance, rather than just look at individual projects. "What we haven't got to yet is to make an umbrella across all of it and train people in a slightly different way," says Hopgood. "Only one company I've seen has its culture based around compliance and is doing exactly the right things. It's not following one legislation, but taking a holistic approach, and it's done it from a top-down culture of thinking what they want to do with the business."
No matter what the arguments, there will be many companies that tackle compliance piecemeal and do the minimum required. For them compliance will be purely a cost, because that is how it is perceived.
CBR Opinion
Those companies that embrace compliance as a strategic opportunity, a chance to lay down the right processes and procedures, have much to gain. By removing costs from their storage infrastructure and creating a framework for the future, they will be better able to compete in the market. Ultimately, much of this legislation is about running a better business. And that is about people, not technology.