From the US Sarbanes-Oxley Act of 2002 and the US Patriot Act, to US Food and Drug Administration (FDA) approvals and US Environmental Protection Agency (EPA) regulations, the US government is increasingly legislating how companies run their businesses. Similar legislation is also seen in governments around the world.
As recent efforts around financial compliance have shown, regulations are often the primary catalysts for changing an organization’s behavior and approach. More broadly, however, organizations are increasingly implementing compliance initiatives within the context of enterprise risk management (ERM).
A common definition of ERM is the process of planning, organizing, leading and controlling the activities of an organization to minimize the effects of risk on an organization’s capital and earnings.
Organizational risk manifests itself in many ways, but one of the most obvious and visible is in the failure to comply with laws and regulations. Hence, an effective ERM strategy must include a visible, organizationwide commitment to strong compliance practices.
Leveraging IT to Optimize Compliance Processes
Complying with a broad spectrum of mandates can often be an overwhelming task. Companies are increasingly turning to IT solutions to help them establish and optimize their compliance processes.
However, with the growing number of technology offerings available to address compliance, it can be challenging for companies to determine which option will best fulfill their needs. Indeed, given the extraordinary focus on compliance in recent years, hundreds of vendors have repackaged their existing offerings as compliance solutions. It is hard to sort out reality from marketing.
While a customized Sarbanes-Oxley application may effectively support one particular regulation, it may do little to help organizations tackle other critical mandates—forcing them to make additional IT investments for each regulation with which they must comply.
A more cost-effective and strategic alternative to this scenario is implementing a comprehensive content management and workflow solution to support all compliance initiatives. This platform can provide a common set of compliance services required by all types of regulations; on top of this services foundation, a unified compliance platform can provide pure-play applications that offer capabilities to meet the specific needs of individual mandates.
This approach allows companies to easily access, share and leverage all compliance content, applications, processes and content services from a common user interface. Additionally, it decreases the number of separate, disparate applications needed for compliance, lowering the total cost of ownership for organizations.
Essentially, a unified compliance platform offers the advantages of using a common content repository and set of services, along with the added benefits of leveraging functionality that is customized for a particular regulation.
Key Components of a Unified Compliance Platform
There are a number of key technology components that comprise an effective universal compliance platform (see figure 1). As companies evaluate software offerings of this type, they should make sure the solutions include the following critical elements:
- A central, web-based repository where content for all compliance initiatives is stored and managed. This repository gives users a single view and access point for all compliance documentation, making it easy to share information that may apply to a variety of regulatory mandates. It is the single source for secure data that is up to date and consistent across the organization. Data access activity is also recorded; the time and identity of the user accessing data are captured in an audit trail supporting the compliance process.
- Change control management for all documentation involved in compliance processes. This function includes version control capabilities that allow companies to easily identify the most current version of a document, while archiving previous versions for review and audit purposes. Change control management features should also provide audit trails that track the history of compliance documentation and related processes.
- Task automation or workflow capabilities that automatically notify individuals via e-mail when a compliance task must be performed or documentation must be reviewed and approved. This feature may also be used to schedule due date reminders and escalate activities to a higher level of management.
- Retention management for the automatic disposition of records and nonrecords. This functionality should also provide single-source discovery and lockdown for records and nonrecords. Ultimately, a content retention process should be part of an organization’s daily compliance activities.
- Business process management for automating, maturing and optimizing internal controls. By turning manual business processes into automated tasks, companies can reduce the costs and time associated with compliance-related internal controls.
- Web publishing of policies and procedures to facilitate communication with target constituents, which is a critical requirement of most regulations. An effective universal compliance platform enables users to subscribe to specific published content or types of content that they want to monitor. When that content is updated or added, an e-mail is automatically sent to subscribers, alerting them of the change. Additionally, companies should be able to track the number of users who have viewed or accessed particular content.
- Reporting capabilities that allow organizations to analyze data to determine whether they are in or out of compliance and where high risks exist. A dashboard-style interface with field-specific terminology can enable executives to easily monitor compliance activities.
- Pure-play applications that “sit on top of” a common content management foundation. These applications should feature terminology and interfaces customized for each compliance mandate.
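The repository, version-control, audit-trail and subscription components listed above can be modelled in a few dozen lines. The following Python is an added illustration written for this page, not Stellent's code or any product's API; the class and method names (ComplianceRepository, publish, current, history, audit_trail) and the sample policy, user names and e-mail address are all constructed. It keeps every earlier version archived, records the time and identity of each read and write in an append-only trail, and returns the notifications that would be e-mailed to subscribers when content changes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Version:
    """One archived revision of a compliance document."""
    number: int
    content: str
    author: str
    timestamp: datetime


@dataclass(frozen=True)
class AuditEvent:
    """One audit-trail entry: who did what, to which document, when."""
    timestamp: datetime
    user: str
    action: str            # "publish", "read" or "history"
    document: str
    version: Optional[int]


class ComplianceRepository:
    """Single repository for all compliance content with version control,
    an audit trail of every access and change, and subscriber notification.
    Hypothetical class, constructed for this example."""

    def __init__(self, clock: Optional[Callable[[], datetime]] = None) -> None:
        self._docs: Dict[str, List[Version]] = {}
        self._audit: List[AuditEvent] = []
        self._subscribers: Dict[str, List[str]] = {}
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _record(self, user: str, action: str, document: str,
                version: Optional[int] = None) -> None:
        # Every read and write is logged; the trail is only ever appended to.
        self._audit.append(AuditEvent(self._clock(), user, action, document, version))

    def subscribe(self, document: str, email: str) -> None:
        self._subscribers.setdefault(document, []).append(email)

    def publish(self, document: str, content: str, user: str) -> List[str]:
        """Store a new version (earlier versions stay archived) and return the
        notification messages that would be e-mailed to subscribers."""
        versions = self._docs.setdefault(document, [])
        version = Version(len(versions) + 1, content, user, self._clock())
        versions.append(version)
        self._record(user, "publish", document, version.number)
        return [f"To {email}: '{document}' updated to version {version.number}"
                for email in self._subscribers.get(document, [])]

    def current(self, document: str, user: str) -> Version:
        """Return the most recent version and log who read it."""
        versions = self._docs[document]       # KeyError if the document is unknown
        version = versions[-1]
        self._record(user, "read", document, version.number)
        return version

    def history(self, document: str, user: str) -> List[Version]:
        """Return every archived version, oldest first, and log the review."""
        self._record(user, "history", document)
        return list(self._docs[document])

    def audit_trail(self, document: Optional[str] = None) -> List[AuditEvent]:
        """Return audit events, optionally filtered to one document."""
        return [e for e in self._audit if document is None or e.document == document]


def demo() -> ComplianceRepository:
    """Constructed walk-through: a policy goes through two revisions and is read by staff."""
    start = datetime(2004, 7, 5, tzinfo=timezone.utc)   # constructed timestamp
    ticks = iter(range(1000))
    # Deterministic clock so the trail is reproducible: one minute per call.
    repo = ComplianceRepository(clock=lambda: start + timedelta(minutes=next(ticks)))
    repo.subscribe("privacy-policy", "hipaa-team@example.invalid")   # constructed address
    repo.publish("privacy-policy", "v1 text", user="policy.owner")
    repo.current("privacy-policy", user="nurse.a")
    repo.publish("privacy-policy", "v2 text", user="policy.owner")
    repo.current("privacy-policy", user="auditor")
    return repo


if __name__ == "__main__":
    repo = demo()
    for event in repo.audit_trail("privacy-policy"):
        print(event.timestamp.isoformat(), event.user, event.action, event.version)
```

Two design points worth noting: the audit trail is written by the repository itself on every access, not by the caller, so a user cannot read a document without leaving a record; and previous versions are never overwritten, so the history an auditor reviews is exactly what staff saw at the time.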
Benefits and Challenges of an Enterprise Solution
As with most enterprise solutions, implementation comes with its share of risks and complexities. Changing user behavior, deploying new approaches and rolling out systems across complex, multidivisional and international business units present timing, acceptance and cost challenges. Additionally, managing and maintaining a single repository approach to compliance requires organizational buy-in of the solution and executive support, which can take time to foster.
On the other hand, disparate point solutions—while sometimes convenient in the short term—can lead to confusing, duplicative processes. In addition, as various compliance initiatives become more intertwined from regulatory and organizational perspectives, a well-crafted enterprise solution can have a dramatic positive impact on organizational effectiveness by providing a clear, unambiguous process and a single point of reference for the organization. It can reduce the risk of duplicative and contradictory processes and documentation; eliminate duplicative software, hardware, training and rollout costs; and position the organization for all of the benefits that accrue from having a “single version of the truth” available to employees, management, auditors and regulatory bodies.
Advantages of a Unified Platform
By managing all compliance-related documentation and content processes within a single web-based architecture, companies can more easily compare and prioritize the risks and activities related to each regulatory mandate with which they must comply.
This process provides organizations with the visibility required to carry out effective ERM. For example, an enterprisewide view of compliance needs can help management teams appropriately allocate compliance resources. With a variety of departments often competing for these resources, it is critical for companies to be able to easily prioritize various compliance initiatives based on overall risk to the business.
A unified compliance platform also allows organizations to avoid some compliance-related costs. According to Gartner Inc., public companies that adopt a comprehensive compliance management architecture will spend 50 percent less per year than those that do not.[1] These cost savings are driven by eliminating the redundant software acquisition and implementation costs of multiple point solutions through investment in a single compliance platform, and by the reduction in effort that comes from using a single, centralized approach to multiple compliance initiatives.
Additionally, this architecture increases the efficiency of compliance processes, since all content is stored in and accessible from a central, web-based location. Similarly, with change control management and version control capabilities, companies can ensure that compliance team members are working with only the most current version of documentation.
A unified compliance platform’s reporting features can also optimize compliance processes. For example, during an external audit of a company’s control results, an automated reporting function provides a quick and easy way for an auditor to obtain information about a variety of compliance activities vs. the time-intensive manual process of digging through filing cabinets. In the same way, workflow capabilities can enhance administrative tasks by automating e-mail reminders.
Compliance Success Stories
The following companies have successfully implemented a unified compliance platform that they can use to support compliance with a number of regulatory mandates.
Washoe Health System, Northern Nevada’s (USA) largest integrated health care system, implemented a unified compliance platform based on an enterprise content management software suite. This platform enables the company to more easily maintain compliance with Joint Commission on Accreditation of Healthcare Organizations (JCAHO) mandates, which require hospitals to maintain an audit trail of all updates, approvals and revisions to hospital policies. Using the system, Washoe publishes its policies and procedures to an intranet, where staff can access them from any web browser. To widen access to the intranet, Washoe implemented more than 20 kiosks in high-traffic areas across its hospitals where employees who do not have a computer readily available can easily access the policies and procedures.
Washoe also uses its compliance platform to support a Health Insurance Portability and Accountability Act (HIPAA) compliance team web site. This site allows the organization to easily circulate the most current changes to HIPAA regulations throughout the health system—a critical requirement of this mandate.
Reliant Energy Inc., a provider of electricity and energy services to approximately 1.8 million retail and wholesale customers across the US, is using a pure-play application built upon a unified compliance platform to more easily achieve continuous compliance with the Sarbanes-Oxley Act. Reliant Energy uses a content management-based Sarbanes-Oxley compliance system to drive control testing and the management of documentation, such as process narratives, process diagrams, control descriptions and matrices, test documents, and remediation plans.
With the solution, Reliant has streamlined its compliance processes by distributing documentation tasks to process owners and has smoothed its attestation processes. In addition, the solution provides Reliant’s core compliance team with an enterprisewide view of the company’s internal control makeup, helping the team track and schedule control changes based on company priorities. This process helps Reliant meet its goal of automating as many internal controls as possible.
Because the solution leverages a common set of services, Reliant can easily use the system to support other compliance needs in the future.
The Best of Both Worlds
The struggle to address compliance requirements in the most efficient and cost-effective manner possible is a big concern for many companies. Increasingly, organizations are relying on IT solutions to help them streamline compliance processes. However, they often are faced with the decision to purchase an application tailored to a specific mandate or a more comprehensive technology architecture that would involve a great deal of customization to support each regulation. Each option has its pros and cons.
A unified compliance platform offers the best of both worlds. It provides a common foundation of content services and a single repository to manage and optimize all compliance-related content and processes. At the same time, it can provide pure-play applications that effectively facilitate compliance with a specific mandate.
[1] ComputerWorld, 5 July 2004
is vice president of product marketing compliance for Stellent Inc., a global provider of content management solutions. He is responsible for the development of Stellent’s strategy for governance, risk and compliance (GRC) solutions.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.