
Risky Business


Unstructured Communications in a Regulated World

By Bo Manning, CEO, Orchestria

This story was originally published in 2005 and contains several errors. Note that Quattrone's sentence for obstruction of justice was 18 months (not the 15 months cited in this story), and the conviction was overturned on March 20, 2006.

Mr. Quattrone did not write the message "Time to clean up those files," which was the subject line of a colleague's email, and did not encourage staff to destroy critical documentation. Rather, Mr. Quattrone encouraged bankers to follow the company's document retention policy, which required employees to retain certain documents, discard others, and preserve any documents relevant to a subpoena or document request.

Employee use of electronic communications is becoming a compliance minefield, with management lacking visibility and control of what staff are communicating within and outside the company. Bo Manning, President and Chief Executive Officer of Orchestria, explains the risks and examines the potential solutions.

"Time to clean up those files"

Frank Quattrone must be cursing the day he ever sent the above message. The former Credit Suisse First Boston star banker's cursory email encouraging his staff to destroy critical documentation was the key piece of evidence in the trial that found Quattrone guilty of obstructing a federal investigation, for which he will face 15 months in jail. Forwarding the message may only have taken him seconds, but the consequences will be with Quattrone for the rest of his life.

The Quattrone case is one of the most powerful illustrations to date of the dangers lurking in "unstructured communications" like email and instant messaging (IM). Business use of these technologies is increasing rapidly. A September 2003 survey sponsored by Oracle Corp. found that 44 percent of business executives in the US and Canada use email almost twice as much as they use the phone. More explosive still is the use among executives of instant messaging platforms like AOL Instant Messenger, with 29 per cent of workers in the US now claiming to use IM in the workplace. Indeed, the use of IM at work is spreading so fast that many organizations are not even aware that their staff are communicating in this way.

A living nightmare

It's not difficult to understand why the corporate use of email and IM is on the increase. Both technologies are quick and easy to use. With email, the same communication can be addressed to multiple people simultaneously, and unlike the telephone, it preserves a handy record of the conversation. IM offers the immediacy of a telephone call, but is conducted in silence and is therefore ideal for conversations that the user does not want to be overheard.

Business users may be loving them, but for management boards and compliance staff, email and IM are fast becoming a living nightmare. The problem is twofold: the speed and informality with which messaging systems are used by employees to make assertions and promises and to transfer data, and the almost total absence of management visibility and control of the content of such communications.

In the current regulatory climate, not knowing what employees are communicating to each other, to clients, to suppliers and to other contacts is a gigantic risk. Investment bankers may be using email to flout SEC rules that forbid banking staff to attempt to influence the bank's research arm. They may be using a pseudonym to talk up certain stocks in one of the many online stock chat rooms. They may be illegally passing preferential information to favored clients via the file-transfer capabilities of instant messaging.

Of course, it is not just the banking industry that is affected. The strict Health Insurance Portability and Accountability Act (HIPAA) rules on patient confidentiality can be easily broken by just one careless or misaddressed email. Across all industries, corporate fraud such as auditor collusion may be organized via personal webmail or instant message, platforms that the perpetrators (often correctly) suspect are not monitored or archived by employers.

In short, the possibilities for compliance breaches to be committed or organized via unmonitored electronic communications are huge. Indeed, my experience is that whenever a company embarks on a project to look for non-compliant communications, what they find is considerably worse than they had imagined. Not only does monitoring bring to light the activities of the tiny minority of deliberate fraudsters, but it also reveals the alarming extent to which employees inadvertently commit compliance breaches simply because they are insufficiently aware of ever-changing regulations, policies and procedures. The 2001 Julius Report into the level of compliance with the UK Banking Code, for example, found that 53 per cent of the British financial institutions surveyed had not adequately trained their employees in the terms of the Code.

Mitigating the risk

However, while the risks of unmonitored electronic communications are becoming daily more evident, the options for dealing with the problems are less well developed. Risk mitigation strategies implemented by companies tend to be either non-technical or technical, and fall into one of two camps: prevention or post-mortem.

Prevention of compliance breaches is usually attempted by non-technical means. A role formerly confined to regulated financial institutions, the dedicated compliance officer is now found in many companies, or at least someone whose job responsibilities include ensuring compliance. The role of this person is generally to liaise with regulatory bodies, define company policy and ensure that the board, workforce, supplier base etc. are apprised of current legal, regulatory and internal policy requirements through regular training and the dissemination of an up-to-date compliance manual.

On the technological side, most of the solutions available for compliance monitoring are designed to grind into action only after a breach has occurred. For example, the transaction monitoring technologies used in the investment banking industry to spot patterns of suspicious behavior only really start to become useful after the rogue behavior has gone on for long enough to create a pattern.

Similarly, many companies rely on email "monitoring" technologies whose primary function is actually to archive sent and received emails for later retrieval. In the event of a compliance breach, sent and received emails are sifted and analyzed in order to identify the moment the incident arose, the extent of the impact and the parties involved. Companies that do not have a sufficiently sophisticated system in place to perform this analysis are often forced to hand over their entire email archive to the regulator in the event of an investigation, resulting in vast amounts of company data unnecessarily being transferred to the public domain.

The issue facing companies today is that in between these two approaches there is a huge operational area that is left untouched, and which is fraught with risk. Common preventative strategies rely too heavily on employees being aware of policy requirements and remembering to adhere to them. Post-mortem strategies simply have the effect of locking the stable door after the horse has bolted. Both approaches are useful and necessary, but when added together provide a deeply inadequate solution to policy management.

What is required to combat the misuse of electronic communications is a comprehensive solution for active policy management which can operate twenty-four hours a day, throughout the organization, in real time. Such a solution can only be technological, as user training and informal monitoring would require an unimaginable amount of time and resource to come even close to 100 percent effectiveness. Active policy management software, on the other hand, can easily be installed and configured to monitor all employee email, web, webmail and instant message activity, and to intervene to alert a user to a potential compliance breach before the offending message ever leaves the desktop.
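To make the contrast between the two approaches concrete, the following is an added illustration, not Orchestria's product or any code from this article. It sketches a pre-send policy check of the kind the paragraph above describes (an information barrier between banking and research staff, and sensitive content addressed outside the organisation), alongside the archive-and-search-later mode described earlier. The directory, group names, domains, content patterns and sample messages are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Hypothetical directory of internal users and the group each belongs to.
DIRECTORY = {
    "alice@bank.example": "banking",
    "bob@bank.example": "research",
    "carol@bank.example": "compliance",
}
INTERNAL_DOMAINS = {"bank.example"}

# Information barrier: a banking sender may not message the research group.
BARRIERS = {("banking", "research")}

# Constructed content rules standing in for a real classifier:
# a patient-record marker and a medical-record-number style identifier.
SENSITIVE = [
    ("patient-record", re.compile(r"\b(diagnosis|patient id)\b", re.IGNORECASE)),
    ("medical-record-number", re.compile(r"\bMRN-\d{6}\b")),
]

SEVERITY = {"allow": 0, "warn": 1, "block": 2}


@dataclass
class Message:
    sender: str
    recipients: list
    body: str
    channel: str = "email"  # "email" or "im"


@dataclass
class Verdict:
    action: str = "allow"
    reasons: list = field(default_factory=list)

    def add(self, action, reason):
        """Record a finding; the overall action is the most severe one seen."""
        self.reasons.append(f"{action}: {reason}")
        if SEVERITY[action] > SEVERITY[self.action]:
            self.action = action


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def evaluate(msg):
    """Apply the policy to one outbound message before it leaves the client."""
    verdict = Verdict()
    sender_group = DIRECTORY.get(msg.sender)
    external = [r for r in msg.recipients if _domain(r) not in INTERNAL_DOMAINS]

    for recipient in msg.recipients:
        pair = (sender_group, DIRECTORY.get(recipient))
        if pair in BARRIERS:
            verdict.add("block", f"information barrier {pair[0]} -> {pair[1]} ({recipient})")

    if external:
        for name, pattern in SENSITIVE:
            if pattern.search(msg.body):
                verdict.add("block", f"{name} content addressed outside the organisation")
        if msg.channel == "im":
            verdict.add("warn", "external instant message is outside the archived channels")
    return verdict


def process(msg, archive):
    """Prevention mode: check first, then keep a record (including blocked attempts)."""
    verdict = evaluate(msg)
    archive.append({"message": msg, "action": verdict.action, "reasons": list(verdict.reasons)})
    return verdict


def search_archive(archive, pattern):
    """Post-mortem mode: sift the archive for messages whose body matches a pattern."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [entry for entry in archive if rx.search(entry["message"].body)]


# Constructed sample traffic covering each rule.
SAMPLES = [
    Message("alice@bank.example", ["bob@bank.example"], "Any update on the ACME report?"),
    Message("alice@bank.example", ["partner@outside.example"],
            "Patient ID 4471, MRN-123456, diagnosis attached."),
    Message("alice@bank.example", ["carol@bank.example"], "Training slides for Friday."),
    Message("alice@bank.example", ["friend@outside.example"], "lunch?", channel="im"),
]

if __name__ == "__main__":
    archive = []
    for m in SAMPLES:
        v = process(m, archive)
        print(f"{m.channel:5} {m.sender} -> {m.recipients}: {v.action} {v.reasons}")
    print(len(search_archive(archive, r"MRN-")), "archived message(s) mention an MRN")
```

The point of the shape is the ordering: `evaluate` runs on the sender's side before anything is transmitted, so the first two samples never leave the desktop, while `search_archive` can only tell the compliance officer what already went out. A real deployment would replace the constructed regexes with proper classifiers and the dictionary with a directory lookup, but the control flow is the same.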

Such a solution represents a quantum leap in effectiveness over older-style systems which can only operate retrospectively, often after the damage has been done. It's no surprise that the large investment banks are already investing in active policy management software to protect intellectual property, minimise the risk of compliance breaches and prevent the sort of negative publicity that the Quattrone case has provoked.

Nick Bannister, managing director for international affairs and services at the NASD, has likened the role of the corporate compliance function to the Roman Praetorian Guard: a front-line defence force protecting the company's brand and reputation. If damaging behavior is already occurring on the inside of the company, unseen and unchecked by the compliance Praetors, their role is seriously compromised. Compliance officers are encouraged to investigate the potential of active policy management software before it is too late.



© 2019 Simplex Knowledge Company. All Rights Reserved.