
Understanding the Challenges of Compliance


How Corporate Compliance Technology is a Source for a Competitive Advantage

By Jeffrey Green
Director of Compliance for Financial Solutions
Laserfiche Document Management

Recent years have seen an increasing emphasis on the duty of organizations to keep accurate, complete, and secure records of their everyday transactions.

Sarbanes-Oxley is one of the most high-profile examples of how records management has become an important part of doing business, but a host of additional voluntary practices, community standards, sector-specific statutes and federal laws make up a multi-regulatory environment into which many organizations fall. From accepted best practices to legally mandated outcomes, many standards can apply to each phase of the records lifecycle.

This increased focus on accountability, privacy and security compliance has sent public companies scrambling to keep up with the tighter regulations, and many companies are looking for help. In a poll conducted by Boston-based AMR Research, 85 percent of the 60 public companies surveyed said they plan to modify their information technology systems because of compliance regulations.

The Tower Group estimates that globally, the financial services industry alone will spend a total of almost $320 billion on regulatory compliance in 2005, which is $100 billion more than was spent in 2001.

Effective procedures and tools for records management in this demanding environment must meet high standards in every aspect of their implementation. They must demonstrate due diligence in recordkeeping and provide powerful methods to manage the information contained within those records.

They must track records throughout their entire lifecycle, and allow them to be archived and accessed years or even decades after their original entry into the system. They must be used consistently throughout an organization, without gaps or uneven execution.

Good records management applications share a common set of specific characteristics. If designed and executed properly, a simple, powerful and unified software-based solution can provide organizations not only regulatory compliance, but also significant and valuable competitive advantages.

Records Management: The Rules
The requirements for document and records management derive, of course, from legally mandated rules such as Sarbanes-Oxley, but also from practical considerations specific to a particular organization. In turn, the rules of records management fall into three broad categories: object rules, content rules, and technology rules.

Object rules, mandated by authorities such as the SEC, the NASD, or the federal government, determine the storage and disposition of records themselves. These rules detail retention, archival and disposition, specifying what must be kept and for how long.

While Sarbanes-Oxley requires certain types of records be kept for five to seven years, some organizations have their own rules as to how long records must be kept on file. In many cases, these in-house regulations call for preserving records many times longer than what Sarbanes-Oxley requires.

Content rules deal with the information contained within the records. This information may be entered directly as metadata, or automatically extracted from the records in a database. Once indexed, it is used to comply with Homeland Security regulations such as the PATRIOT Act or "Know Your Customer" rules. For instance, a customer's name might be checked against a list of known terrorists or other criminals before creating an account for that customer.

Technology rules outline the requirements for the records management system itself, where compliance requires that it support certain features. The Department of Defense standard for records management applications (RMAs), for instance, details a number of features that an RMA must or should have, including support for versioning, life-cycle management of record series, and security features that prevent unauthorized access to private or classified files.

Other standards and regulations may require audit trails for each record as it passes through the system or support for certain storage methods and media.

To determine compliance with these rules, many individual organizations and regulatory bodies have issued standards for good records management. One of the most widely used and accepted of these standards is the Department of Defense Directive 5015.2. This document outlines stringent rules for a comprehensive records management program.

Adherence to the Department of Defense standard ensures that records management procedures go above and beyond most regulatory requirements, and the best records management applications meet or exceed this standard.

Technical Solutions for Records Management
In order to meet these requirements effectively, a records management application must have a strong technical foundation. It must display technological flexibility that will make it easy to implement and use in any environment, be easily scalable to any size, and maintainable for an indefinite period of time.

A robust technical solution can be centrally administered using thin-client software, making it easy to upgrade or repair. It should be easily configurable, maintaining an open architecture that can integrate into existing infrastructure. It should also archive records in a non-proprietary format that can be read on every operating system, without special software, into the foreseeable future.

The key to a viable technical solution is simplicity. The best programs offer a single unified solution to manage physical, scanned, electronic and e-mail records.

This eliminates the inefficiencies and gaps present in a patchwork solution, making records easily accessible to anyone who needs them. Automated extraction of metadata and implementation of the records lifecycle gives records managers the power to enforce consistent compliance with established rules and systems. Good design builds the principles of records management into the software itself, making compliance simple.

A unified records system can gather captured data from multiple locations into a globally accessible repository; users can enter information into the system or call it up from the central repository from any point. A centrally administered software solution can make use of extensive indexing to provide only the most relevant data, indexing each page of a document to minimize unnecessary network traffic.

This page-by-page format permits users to interact with documents intuitively, just as they would with a physical document or folder. They may add a single page into the middle of a document or call up just one or two pages of information, without fear of burdening the network with large documents.

This centralized, unified system streamlines the process of records management, making it beneficial not only in terms of regulatory compliance, but in improving companywide efficiency and providing a significant competitive advantage.

Using a configurable application to emulate existing procedures minimizes time spent on training and creates an intuitive interface that will be quickly accepted by users.

With a searchable, centralized repository, users can call up any document or record in a matter of seconds, with greatly increased efficiency compared to paper-based or decentralized systems. Open architecture and non-proprietary data formatting ensure that the system can support a broad variety of hardware and remain accessible for years into the future.

The Record Life Cycle
Unification also allows for consistent, total life cycle management and continuous control of records security. A configurable solution tailors security to suit requirements. This allows records managers to give users customized access rights according to their needs. This technological enforcement keeps unauthorized users from gaining accidental or malicious access to private, confidential records.

The life cycle begins with the creation of the record. Creating a new record may involve scanning an existing paper record or creating a document electronically. In the best applications, these functions are smoothly integrated in a single system; even physical records that have not been imaged may be given electronic metadata and entered into the repository.

Once created, the record goes into active use. In this phase users access the record frequently, and may move or edit it without invoking strict rules. Document management systems track the record and keep it easily accessible to anyone who needs it.

The next stage of the records lifecycle is that of storage and maintenance. Here the records management system takes more stringent control. The record becomes part of a record series, subject to strict rules governing modification or movement and controlled by the records manager. After a certain date has passed, or a particular event has occurred, the record is cut off to prevent further changes.

Some software systems incorporate these rules into their structures, giving records managers quick and easy access to view or modify the status of a record series, which is a highly desirable feature.

Once cut off, the record enters the retention phase of its lifecycle. Record series in the retention phase hold information of diminished value to the organization, kept principally for legal, fiscal, or historical reasons. A good records management system must support non-proprietary formats that will remain easily readable over years of storage.

The most advanced systems employ universally accepted, non-proprietary formats. Hardware independence allows archiving to unalterable media as required by the SEC, NASD and many other records management standards.

Detailed rules determine the time of retention and the method of disposition, which may include permanent archival as well as destruction. Disposition, of whatever method, constitutes the final phase of the records lifecycle.

Management of a record throughout its entire lifecycle requires a powerful and well-automated system, which can closely control the record from creation to disposition. The automated extraction of metadata from the document and mandatory metadata acquisition ensures consistent adherence to procedures.

For each records series, rules set up by the records manager in accordance with appropriate procedures determine its life cycle, access rights, and eventual disposition. Automation of the records lifecycle greatly increases the ease of use and decreases the opportunities for human error.

In a comprehensive analysis, compliance, efficiency and usability all prove to have the same solution. A simple, unified records management application presents the user with a consistent, easy-to-master interface for every document management task, streamlining each step from scanning to storage to search and retrieval.

The efficiencies of a centralized and well-automated thin-client solution ensure good compliance at every level, from records managers to IT administrators to end users. With an efficient and unified solution for records management, information is easy to protect from accidental or malicious exposure and tampering, yet still easily accessible to those who need it.

With an advanced and properly configured solution, compliance has a new outcome for organizations: competitive advantage over competing organizations that have not devoted the effort to maximizing the great potential of records management technology.

The Power of Compliance
In much of the current talk about compliance, regulations such as Sarbanes-Oxley are portrayed as daunting chores that must be fulfilled – at a significant cost – to ensure that businesses remain operating within the law.

At most, the benefits of compliance are often described as a secure "insurance policy" for a company should it ever find itself the subject of an internal or external investigation. If all records are in order, current thinking dictates, a company can weather the storm of an investigation and emerge relatively unscathed and able to continue with business as usual.

What often goes overlooked is the fact that compliance will truly – and radically – transform businesses and the economy on a worldwide scale. While the basic goals of compliance – adhering to the law, maintaining transparency, minimizing fraud – are accomplished, implementing comprehensive electronic compliance solutions will push businesses in virtually every industry to make dramatic organizational and technological advances that will make them smarter, more efficient and more competitive organizations.

Compliance regulations give many organizations the chance to introduce technologies that may have been a challenge to justify in the past. For example, deploying a large-scale electronic document management application throughout a large international organization can be a costly and time-consuming undertaking.

Comparing different products, getting corporate approval, implementing the software and training potentially thousands of end users to use the new program is a long process that consumes large amounts of resources. However, the benefits of installing such an application – anywhere and anytime access to records, automated workflows and data extraction, the ability to reduce overhead costs as the need for paper record storage space plummets – are equally significant.

While thousands of executives around the world likely realize the advantages such a system would bring to their companies, many cannot bring their organizations to commit the funds and resources necessary to implement a new records management system. Sarbanes-Oxley and other compliance regulations give businesses the ideal opportunity to justify the initial investment and revolutionize the way they handle records – and in turn become leaner, smarter organizations.

It's Happening
Thousands of organizations around the world have already installed electronic records management solutions and have seen positive results almost instantly. Many of these businesses were spurred into action by looming compliance regulation deadlines.

In fact, several major public corporate entities installed document management software as a direct response to Sarbanes-Oxley. Many of these companies have cut costs and streamlined operations so dramatically that they have insisted on instituting non-disclosure agreements with software manufacturers and vendors so that competitors do not learn of the business edge they have gained by streamlining their records management procedures.

As time passes, more organizations will wake up to the benefits of maximizing the full potential of complying with records regulations. In turn, the business landscape will transform, and new benchmarks for records management systems and procedures will become the standard.

Until then, it is the organizations that look at compliance regulations not as a burden, but as a great opportunity to make big advances before the masses, that will truly gain a competitive edge in the young and evolving era of compliance.



Jeffrey Green is Director of Compliance for Financial Solutions at Laserfiche Document Management. Green is responsible for consulting with compliance, document and records management and IT decision-makers around the country on budgetary and legal challenges related to compliance.

As a champion of technology's role in the contemporary financial services organization, he has worked with thousands of financial services organizations including American Express, ING and Bank of China.

He helped these clients develop well-defined compliance processes and document management systems, preparing them for today's competitive and compliance pressures as governed by Sarbanes-Oxley, SEC, HIPAA, USA PATRIOT Act and other regulations.

Quoted as an industry expert in such publications as CIO Insight, Mortgage Banking Technology, Wealth Management and the Los Angeles Business Journal, Green has an insider's view of workplace technology and what's required to build a valuable competitive




