Ensuring compliance through ECM

Computer Technology Review, May, 2004 by Chris Preston

"Large and midsize enterprises will spend $2 billion through 2005 to become compliant with Sarbanes-Oxley legislation. Smart enterprises will use that money to build the beginnings of a compliance platform."

--Gartner, Inc.--

There is a new competitive mountain to climb--compliance. As a result of a number of high-profile cases involving corporate governance and accountability, companies are dealing with a host of new regulations and enforcement initiatives, including the Sarbanes-Oxley Act (SOX), the Securities and Exchange Commission Rule 17-a, the Health Insurance Portability and Accountability Act (HIPAA), Basel II, and the USA Patriot Act, as well as a multitude of environmental and governmental anti-trust regulations.

The Call for Compliance

Leading organizations across a wide range of industries must take swift action to:

* Comply with increasingly stringent state, federal, and local regulations

* Meet the dictates of a growing list of laws and mandates that require increased accountability

* Manage the growing number of complex litigation matters, claims, and cases

To accomplish these objectives, organizations require a solution that enables them to efficiently review all corporate information, including claims, policies, rules, etc., discover what is important, and take the right action to resolve matters.

Financial services firms must work to comply with document retention and accessibility laws, healthcare organizations must be able to guarantee the security and privacy of patient records, and government organizations must implement measures to securely archive sensitive documents while making them readily available to the public. Anything less than strict attention to these priorities can potentially lead to stiff legal penalties.

A host of emerging laws and regulations are at the root of this heightened focus on better management of records and enterprise content. For example, the Sarbanes-Oxley Act of 2002 provides penalties of up to 20 years imprisonment for corporate executives found guilty of destroying, altering, or fabricating records in federal investigations or schemes to defraud investors; or for filing false financial statements with the SEC.

Some of the questions executives must ask in the post-Sarbanes-Oxley era include:

* How can CEOs and CFOs be sure that the SEC reports they are certifying are "fair and accurate"?

* How can corporate legal departments proactively identify the myriad of other corporate information that might conflict with SEC reports or represent future litigation risks?

* What changes should be made to processes across the enterprise to help identify potential compliance and litigation risks?

Similarly, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Gramm-Leach-Bliley Act (GLBA) of 1999 may hold public companies accountable for controlling the security of and access to a wide range of personally identifiable information. Furthermore, the Patriot Act of 2001 broadly expands the powers of federal law enforcement agencies investigating cases involving foreign intelligence and international terrorism, particularly their latitude for access to business records.

These emerging regulatory compliance developments, combined with the increasing value placed on corporate records and other intellectual property and the huge costs associated with growing litigation matters, are forcing companies to take a new look at how they protect their content assets and assure their accuracy. Organizations have massive amounts of paper-based and electronically stored data within their organizations, including email, printed documents, images, reports, voice messages, and Web logs, and all must be organized, reviewed, produced, and managed.

Collecting, assessing, and taking protective measures with this information--created by employees, business partners, and vendors--involves a vast number of events and people and a great deal of time. This process is not only time-consuming, but it also makes it very difficult to assess risks and understand the true importance of the data.

While this may seem purely a compliance issue, it is not. Companies must manage organizational content in a secure, centralized environment, while also streamlining the vital processes that drive that content in order to realize improved efficiencies, lowered operating costs, decreased litigation risks, as well as an increased ability to meet the stringent compliance demands.

The Solution to the Compliance Dilemma

By implementing a compliance framework that consists of integrated Enterprise Content Management (ECM) and Business Process Management (BPM), companies can administer the lifecycle of critical documents, enforce processes for compliance, and respond to audits and inquiries. The framework helps companies address a wide range of current and future legislation and industry requirements while reducing the total cost of compliance and corporate governance initiatives.

Business Process Management (BPM) is the ideal enterprise foundation for corporations looking to address their immediate compliance needs while ensuring that they will have the flexibility to deal with new regulations and changing requirements as they arise. Process description, automation, and monitoring are the heart of any compliance solution, but complex regulatory legislation rarely offers companies a formula or list of ingredients that will ensure compliance. To accommodate probable changes in best practices, solutions must be as flexible as possible. There is a strong case for buying a general-purpose business process management (BPM) tool. BPM is not a simple point solution for regulatory compliance; it is an enterprise process management platform that is capable of effectively automating, enforcing, and monitoring a virtually limitless number of compliance processes. As a result, as new regulatory requirements are introduced or as existing requirements change, organizations can rapidly modify these processes within BPM to effectively respond to legislation and, at the same time, gain greater ROI from their existing compliance platform.

 

Content provided in partnership with Thompson Gale