Compliance and the director

Damian Hyland, VP Northern Europe, Open Text UK looks at the issues.

There has been more compliance legislation written into law over the past decade than in the previous century. Compliance operates at three distinct levels:

  1. The type that applies to industry specific sectors.
  2. The broad national or international laws and regulations that apply to everyone.
  3. The internally defined policies and practices that organisations need in order to maintain a sense of order over business management.

Consequently, compliance is everywhere and is increasingly finding its way to the director's door. In the past, compliance would usually be delegated to operational managers as part of their ongoing duties.

Today, that responsibility starts and frequently stops with the directors. There is no mystery as to why this should be the case.

The Enron, Tyco, WorldCom and Parmalat fraud scandals serve to bring compliance to the forefront of boardroom agendas. In each case, there was a clear connection between what the business did and the accounting of those activities.

What is more, the recent wave of regulations affects every aspect of the business. Here I am thinking about both Sarbanes-Oxley and the new International Accounting Standards.

Sarbanes-Oxley is often characterized as a standard that only applies to US companies. However, any company that conducts business or is required to file financial and governance reports in the US will have Sarbanes-Oxley issues.

Therefore, it is no surprise that directors find themselves in the unenviable position of being not only masters of the corporate purse strings but also compliance gatekeepers. This need not be a bad thing.

I believe putting compliance at the heart of the business allows organisations to see corporate governance information as a company asset that should be managed and available to anyone who needs access.

While compliance might be the trigger for considering enterprise content management (ECM), it should be viewed as a natural by-product of a project designed to improve business processes. At a macro level, there are multiple levels of compliance.

While many people will associate compliance with Sarbanes-Oxley, the Financial Services Authority or Basel II, these only represent the tip of a very large iceberg.

For many companies, there are additional, industry specific regulatory measures. For instance, in oil exploration, construction and food manufacturing, there are significant safety and environmental controls.

Internally, large organisations are waking up to the fact that IT compliance is critical. When there is a change in the IT environment, for instance, it is essential to ensure that the change reflects management policies, so it is vitally important that organisations maintain a traceable, auditable document trail. The alternative is unthinkable.

Undocumented change has important consequences for business. First, there is the potential for wasted resource. How, for instance, do you reliably trace related documents? Much more serious is the potential for audit difficulties.

Take an example. Unilever is one of the largest international manufacturers of leading brands in foods, home care, and personal care, brands that are known and trusted by millions of consumers around the world.

Best known for carrying brands such as Knorr, Becel, and Conimex, Unilever Nederland is organised into business units, sourcing units, and a number of corporate departments.

Lyn Williams, VP corporate risk management at Unilever, notes the group has implemented a group wide methodology for meeting Sarbanes-Oxley compliance.

'In 2004,' she says, 'when Unilever performed a dry run of the compliance process, deficiencies were documented on Excel spreadsheets, often in varying formats, there was inconsistency in the application of the central methodology on assessment, and audit trail was not always adequately maintained.

All of this made a group wide aggregation and assessment of deficiencies extremely time consuming and challenging.'

It quickly became apparent that the group needed an ECM solution. Using an ECM solution, Unilever has achieved a number of benefits:

  • The process is now paperless and provides the businesses around the world with access to standard templates, which they are required to use in documenting deficiencies.
  • The system ensures the application of the required workflow and methodology, gives the central team immediate visibility of the extent and quality of the assessment process, and facilitates both timely and robust reporting of the deficiency data to comply with Sarbanes-Oxley.
  • Maintenance of robust audit trails is one of the key benefits of using ECM to manage and document a compliance process. It provides clear visibility of user access and activity and facilitates robust version control of the underlying documentation. This is particularly relevant for Sarbanes-Oxley compliance processes which need to be documented to a very high standard and are subject to rigorous review and audit by management, external auditors and eventually the SEC.

Where is the ROI?

IT projects are usually predicated on a defined return on investment. Most ROI exercises concentrate on a financial return with little thought given to the intangible returns. Systems implementation for compliance does not fall into that category.

Conventional wisdom dictates that compliance projects have no ROI because they simply have to be done. They cost money in often budget-constrained circumstances and are viewed as financially painful. But that represents a narrow view.

'While investment behind compliance is generally viewed as a necessary cost burden, Unilever hopes to exploit the deployment of this ECM solution also to derive value for its business for example by analysing the nature of weaknesses in its global financial processes and therefore implementing the necessary process improvements,' says Williams.

But how might ECM deliver direct tangible benefits to the finance department? One example is sports clothing company Reebok, which looked at ways of automating its accounts payable procedures.

At first glance, the obvious answer appeared to be an ERP system designed to smooth AP processes. However, Reebok was a lot smarter. It realised that automating accounting processes would only go so far so it implemented a document imaging and archiving system that dovetails to its SAP AP system.

Invoice payments are processed in conjunction with purchase requisitions and inbound invoices are scanned and handled digitally. Apart from meeting ongoing audit requirements, the system increased AP productivity by 30 per cent. As its AP manager says: 'The system makes us look good.'

The email challenge

While many might think that paper-based documents are the principal target for ECM solutions, fax and email are equal candidates. Email is exploding. It is not unusual to find an individual wrestling with upwards of 200 emails per day.

While many are spurious, it is estimated that 60 per cent of actionable email has some commercial value. Email is problematic. In many organisations, users have created ad-hoc filing systems by creating email folders.

Apart from the sheer volume, users have to decide whether a particular email is transitory – like arranging a meeting – or has a longer term business value, say in relation to a contract. In addition, users are frequently called upon to search for related emails but this is unsatisfactory because email client search technology is crude.

Integrating email into an ECM system allows users to 'tag' documents with meaningful terms. This in turn assists users in discovering all and any documents related to a specific issue. In doing so, it removes the pain and financial costs associated with document discovery.

Email's fleeting nature means it is easy to lose. Hit the delete key in Outlook, close down the Outlook client and deleted email is consigned to the electronic dustbin. When that happens, the electronic paper trail falls apart.

Even archiving from inside email systems doesn't really help because then users have to trace through multiple archives. That translates directly into lost opportunities, confusion among customers and suppliers and damage to reputation. And that is apart from any legal or regulatory considerations.

This has direct consequences for finance departments, especially where personnel are engaged in activities like contract negotiations and debt recovery. An ECM system views email as just another document type so it can prevent email loss and provide a rapid retrieval mechanism.

This has clear implications for administrative efficiency, cash collection and discount retrieval. But, it is in the area of mergers and acquisitions (M&A) that ECM can have an equally profound impact.

M&A activity continues unabated, but is paper heavy. Documents span organisations, cross-national boundaries and are notoriously difficult to maintain in some semblance of order.

Until recently, fax was considered the safest form of communication and it was not unusual to see contract drafts flowing back and forth between different time zones. With the advent of email, fax has become partially redundant.

Nevertheless, document version control in conjunction with email, alongside the ability to track specific documents, takes on enormous significance, especially as a deal reaches the final phase.

It is at this point, when fine detail is being hammered out, tax, compliance and legal experts are contributing input and the numbers are being continuously re-crunched, that we get the impression of organised chaos.

It doesn't matter if the company has a defined M&A process; without ECM, it is almost impossible to know what has been agreed at any point in time.

Once a deal has been struck, organisations then have the problem of bringing all corporate assets together. There is an inevitable duplication of paperwork. In many situations, organisations simply ignore the problem, assuming the acquiring organisation has the most relevant set of documents.

But, what happens when a liability claim arises that has a history before the acquisition? How do you marry post-acquisition events to the pre-acquisition history?

A comprehensive ECM system will allow merged organisations to weed out duplicates, retain a compliant history and preserve vital histories. This can mean the difference between paying out unnecessary damages and successfully defending a lawsuit.

The bottom line

In this article, I have touched upon several examples where ECM makes a positive contribution to the organisation in the context of a compliance-laden environment.

Directors are at the compliance sharp end because they are best qualified to understand the processes that underpin auditable systems. Directors have an instinctive appreciation of document life cycle management from acquisition through actions, onto referencing, and finally disposition.

But this is only the tip of the iceberg. Every organisation generates communications and most will have a value. Anything that has a value is of interest to directors. But equally, compliance has a cost. The question then is how to make compliance a value enabler.

Williams says, 'For example, it gives us the opportunity to identify key weaknesses (and inefficiencies) in our financial processes and therefore focus our resources on driving the required process improvements.

In addition, we are working with our colleagues in finance to embed the annual Sarbanes-Oxley compliance process into day to day activities. Automation of the process through ECM will significantly help us achieve this objective across the globe.'

In effect, Unilever's compliance efforts will be enabled by the automation of best practice processes that become part of the fabric of the business.

Open Text UK is exhibiting at Documation UK, 18-19 October 2006.

This article first appeared in ITNOWextra in September 2006.