Compliance has become an increasingly important topic to senior executives and finance organizations because of Sarbanes-Oxley. Before the subject drifts into the background again, Ventana Research advises companies to look at how they take care of compliance issues. In our judgment, organizations with over 5,000 employees can benefit from rationalizing their compliance enforcement efforts and automating these processes on an end-to-end basis.
Full-featured compliance process automation tools should do four things: 1) help the company define the "5 R's" (Role, Responsibility, Routing, Reporting and Response) of compliance management processes, 2) automate the execution of the process, 3) perform all tests to ensure that the system is working, and 4) generate all necessary documentation.
Compliance management software solutions have gained visibility in the United States as corporate scandals have produced new laws and vigorous prosecutions. For senior executives, particularly those in finance, the Sarbanes-Oxley Act of 2002 raised the importance of ensuring the letter of the law is obeyed and made documenting the execution of these efforts mandatory. In the past, the ability to demonstrate consistent adherence to specific regulations was a "business critical" issue only in heavily regulated industries, and until a legal problem arose, it rarely was a high-level management issue. However, the penalties facing senior executives if their company fails to meet the Act's requirements have raised the profile of compliance management at the senior executive and board level -- particularly the audit committee.
Software companies have responded with a variety of "Sarbanes-Oxley software solutions," but the market has not embraced them to any significant degree. In part, this reflects the nature of the initial compliance phase, which is heavily process-oriented. Even so, when asked about their plans for buying software to support the second, ongoing compliance phase of Sarbanes-Oxley, CFOs seem reluctant to invest even here.
Ventana Research advises clients with more than 5,000 employees to automate their ongoing Sarbanes-Oxley compliance efforts. They should leverage this investment by applying this automated approach to other regulatory compliance processes. There are two reasons this investment is justified. First, compliance management systems can reduce the chance of a slip-up in the process. For larger companies, the direct monetary cost of mistakes can be huge; the indirect cost to reputation and careers can be devastating. Second, any manual or semi-automated system is likely to be much more labor-intensive. The impact of expense is largely unseen because it is diffused over time and across individuals and departments, but it gets in the way of doing more important, strategic tasks, and it contributes to the overall task of running the finance function.
New software categories are often confusing because companies are not sure what they need. Even though they have very different capabilities and use different methodologies, vendors' offerings usually sound the same. We advise companies evaluating solutions to assess their ability to deliver both process automation and any content.
Full-featured compliance process automation tools should do four things: 1) help the company define the "5 R's" of compliance management processes, 2) automate the execution of the process, 3) perform all tests to ensure that the system is working, and 4) generate all necessary documentation. The 5 R's of compliance management are:
1. Role: defining the function performed by each individual in a specific operation or process
2. Responsibility: listing and assigning the full duties of the individual in a specific operation or process
3. Routing: mapping the complete order of the steps executed in carrying out these duties, including any conditional branching and looping that occurs
4. Reporting: listing the status of each process, the results of the process, and exceptions to the expected condition of either the process state or outcome
5. Response: affirmatively confirming the achievement of the compliance function or launching the appropriate remedial process(es) to achieve compliance
Ventana Research advises companies to evaluate the robustness of the compliance management system in terms of 1) the feature and function set of the software, 2) the content and intellectual property, and 3) how well it integrates with existing software. As to the second point, some systems are purely process-oriented. This may be well suited to the needs of some organizations, but others may want to have the specific requirements of (for example) Sarbanes-Oxley embedded in process definitions and related content 'out of the box.'
Beyond automating parts of compliance procedures, automated compliance management software must monitor the process and close the loop on each individual's responsibility, affirming it was completed and recording what was done by whom and when. For many years 'compliance management software' was not much more than an electronic version of the compliance manual books that companies purchased and distributed throughout their organization. The electronic versions made it possible for every employee with access to a computer to have the most up-to-date version in their possession, and to automate a part of the full process. Even if they recorded some events, they usually did not monitor or complete the full cycle. It is this ongoing monitoring and sign-off that adds value to the system.
Assessment
Ventana Research strongly advises corporations with more than 5,000 employees to automate their compliance process. We assert that having an automated compliance management system is better than relying on manual methods because it can significantly reduce corporate exposure to risks associated with manual systems. For finance organizations, it offers this benefit and can cut the amount of time spent managing Sarbanes-Oxley compliance execution. Ordinarily we would expect the 'green eyeshade' types in finance to be reluctant to spend money on compliance software. However, both the senior executives and the outside directors will see the value of reducing their exposure to the consequences of even unintended slips.
Editor's Note: This article first appeared in Intelligent Enterprise, a sibling publication of Insurance & Technology.