Printer Friendly Version

This month's Intranet Journal Q&A examines corporate governance and compliance. The software that will help corporations comply with Sarbanes-Oxley, new SEC regulations, and literally hundreds of standards across state and international boundaries is likely going to be a boon to vendors of storage and content management products.

According to a study by Enterprise Storage Group, compliance-related storage products and services could be worth as much as $6 billion over the next four years.

Christopher Sprague, who provides the answers to this month's questions, leads Documentum's Corporate Governance and Compliance solutions initiative. His current focus is on reducing the time, cost, and risk associated with a variety of mandates put in place to deal with widespread corporate malfeasance.

Prior to joining Documentum, Sprague spent more than 10 years doing business and IT strategy and consulting for Fortune 100 firms, working primarily for Accenture. His focus has been using technology to drive business value. He has a Master in Business from the MIT Sloan School of Management with a concentration in Strategy and Information Technology.

Let me answer this relative to Sarbanes-Oxley. While these are tight times, complying is not discretionary. Currently, companies are buying primarily services to address Sarbanes. AMR estimates that publicly traded organizations will spend $2.5 billion this year alone (a figure issued prior to the extension of the deadline from Sept. 15, 2003 to June 15, 2004), and of that, approximately 90 percent will be for audit and risk related services. And much of that 90 percent will be spent on hiring "advisory auditors" who help organizations prepare for Sarbanes-Oxley Section 404 control attestation, meaning the verification that these organizations have internal controls in place. Note that these advisory auditors are often in addition to a corporation's auditor of record.

These advisors typically provide "point software solutions," which consist of a set of controls mapped to a client's business processes and risk areas - typically at no/low cost. These advisors then charge large amounts to customize and document these controls based on specific business need.

Q: Buzzwords are nothing new in technology marketing, and now it seems almost every software company is coming out with a new product to help organizations with corporate governance and compliance. What effect will the number of solutions taking aim at compliance issues have on those that have to make the purchasing decisions? Can one product claim to be the answer, or is it going to take a number of pieces of software along with an educated human element?

Yes, it is certainly the case that many point solutions are now emerging in the marketplace. In some cases these solutions offer much needed expertise in solving a large, and likely very expensive, challenge, in other cases vendors are being opportunistic. We believe that it is very important for customers to look closely at these solutions and ensure that these potential vendors have a background and deep experience in the compliance area, and that the solution offered goes beyond solving only one very specific problem, and that it has the ability to provide a proven, enterprise-strength solution.

When clients understand their requirements, they will realize — as RedMonk, a leading analyst firm pointed out — that there is no silver bullet. No single product does it all. They will realize that an "enterprise compliance platform" must access structured data that exists in ERP and business intelligence systems and financial consolidation tools. The enterprise compliance solution must be able to access data from these information silos and manage all of the unstructured content/information. An enterprise content management solution can tie together structured and unstructured information and provide the ability to document it, collaborate around it, publish it and ultimately declare critical information as records.

"When clients understand their requirements, they will realize — as RedMonk, a leading analyst firm pointed out — that there is no silver bullet."

Q: Solving corporate compliance issues with software is going to require that the "business side" and the "technology side" of a corporation work closely together and understand what each other does, needs, and is capable of doing. Is that going to be a challenge for a lot of organizations?

Originally CFOs were under pressure to meet the September 15, 2003 FY end deadline for Sarbanes-Oxley Section 404, and rushed to adopt solutions unaware of all available options or consideration of technical issues. With the extension of this deadline to June 15, 2004, IT organizations are now beginning to get involved in the selection of compliance solutions. And with more time to comply, CFO organizations are now seeing that point solutions do not provide the security, version management, workflow, collaboration and other features required for a true enterprise compliance platform that can meet current needs and take them into the future.

By early next year, business users will be grateful for the involvement of IT, which brings another perspective to the table. Taking pause and coming up with the right solutions now will ultimately reduce time, cost and risk long term. When the business users realize the value that IT can add, they will be grateful for their involvement despite some initial resistance.

Q: Software can only do so much. How much of corporate compliance is corporate culture and the processes used by the humans involved in day-to-day operations, and how are companies going about training their people so they can comply with state and federal regulations?

People realize that you cannot automate integrity. It begins and ends with the way people do their work. That said, for Sarbanes-Oxley compliance, the amount of work required for a large, multi-national organization with hundreds or even thousands of controls is staggering. In the short term, organizations must make sure they have an effective set of controls that mitigate risk and are well understood by the business users responsible for implementing controls around business processes, such as revenue recognition.

Once an organization has done this, it can then move to embedding compliance in business processes rather than make it an additional step. The reality is that in business today, people don't have time to do more. Ultimately, integrating with ERP systems will allow organizations to alert business professional as they enter "risk zones" and make them aware of the relevant controls, as needed.

Q: How important is flexibility going to be for software designed to help with corporate compliance issues? In addition to new laws at the federal level, large corporations have to deal with multiple states and countries and their requirements as well.

Flexibility is very important. You must remember that the final Section 404 requirements for auditors have not been defined yet. But rather than waiting, companies have already started to apply controls and are applying good business judgment as guidance. Organizations still need to inventory controls and make sure they are effectively used, and will acquire tools that adapt to their particular business requirements.

Like ERP systems in the past, organizations will increasingly need platforms to help them proactively monitor and manage risk. In this way they will be able to confidently deliver accurate financial information and reduce the chances of restatement.

"Over time, as IT becomes involved in selecting and supporting technology to address compliance issues, they will recognize that it is a content management problem."

Q: Is Documentum finding more companies that are now interested in content management specifically because of corporate compliance and governance issues? Are certain departments in corporations, such as financial departments, now showing an interest in content management when previously they were not?

Yes, in general we see compliance issues driving interest in and demand for our products. As far as department interest in content management as it relates to compliance, the answer depends on who owns the compliance problem. If the CFO's organization still owns it, they don't know what content management is. Over time, as IT becomes involved in selecting and supporting technology to address compliance issues, they will recognize that it is a content management problem. Most organizations are managing business procedures across global enterprises, and this requires capabilities that only an enterprise class system can offer.

Business users tell us they are losing sleep because they are storing controls on shared servers. They have come to the realization they need version control, security, workflow, lifecycle management — which is precisely what content management solutions offer. Companies like Documentum have been providing these types of solutions for years to companies doing business in regulated industries — like life sciences. Now the SEC has created regulations that affect any public company — regardless of industry.

Q: In addition to content management, are corporations looking at compliance issues as a chance to improve or implement technologies in other areas, such as collaboration or storage?

Absolutely. The current compliance issues should incent organizations to consolidate their numerous ERP instances. I know of one company with 150 separate SAP instances — a very costly situation. This only drives up the cost of business, increases risk and causes numerous headaches. Companies may see this as an opportunity to standardize their ERP environment.

That said, content management is only a piece of the solution. As you point out, collaboration and storage are also critical. Suppose for instance, there is an issue around how revenue is being booked, our solution automatically generates an issue resolution workplace and invites the right people to review the appropriate content leading to resolution. Once resolved, this entire interaction with all related content and is stored that in our records management solution with defined retention periods. That's the type of solution that organizations need.