
Compliance Part 2 - A box to tick or a new way of life?

From STORAGE Magazine Vol 4 No 03 - June 2004

In this second part of the feature looking at electronic data storage compliance, Ray Smyth explores what all this means on the ground. How should an organisation approach the establishing of compliance and what are the real objectives?

Having looked at regulatory and legislative compliance for the electronic storage of data in the first part of this feature, the genie is well and truly out of the bottle and not going back! Some say that you need only worry about compliance if you are a publicly quoted company. Well that may not be wrong - but it is not strictly speaking true either.

In considering the challenges of compliance overall I think there are three clear groups of organisation. Firstly, publicly listed companies, who frankly have no option but to create a stable and compliant position for their stakeholders (amongst others). Secondly, there are the regulated organisations such as pharmaceuticals, finance, banking and defence: in the main these people have it covered. This, by the way, is not because they have done it all, but because they have been forced to adopt a new way of working and a new culture over a long period.

The third group is almost everyone else: SMEs and voluntary and not for profit organisations included. Though this group (a generalisation) may not be obliged to act, what if it could be shown that by taking considered action they could create advantage, savings, improved sales or other efficiencies? This leads us to the realisation that compliance in respect of data storage may not be the full picture. To comply with laws and regulations is not optional, but if compliance can be achieved in the context of a business performance improvement strategy then it is much more likely to succeed.

I have already touched upon Corporate Governance, and this is an end in itself. But data doesn't just appear (though it can seem like that) - it is created from the use of applications. To establish compliance, these applications need to be the correct ones, and part of the overall compliance approach. The self-perpetuating growth of spreadsheets is as much a fact of life as the use of email. They are used for just about everything and it is likely that in many companies they are used to produce management accounts and other documents that might be either statutory or otherwise important.

Again it is tempting to say that this is a public company problem. Well it is, but company directors have responsibilities and coalescing the accounts (to produce group accounts) is the same problem at departmental or wholly owned subsidiary level - it just scales and gets more complicated.

According to IDC the "Business Performance Management" sector is one of the fastest growing in IT. One of the suppliers to this market, Hyperion, provides software-based solutions that deliver this group-level consolidation. Nigel Youell from Hyperion suggests that organisations that are run on spreadsheets may have a problem. The creation of these spreadsheets has typically been outside of the IT function - the creator may have left the company and the spreadsheets may not be subject to a backup routine. This is but one example that will drive more responsibility towards IT and the storage compliance challenge. It is also a good example of how policy and training, as opposed to technology alone, can be extremely influential in achieving a successful outcome.

Returning to Electronic Data Storage, the key question for most organisations must be how to proceed. Whatever specific actions arise from addressing this, the one thing that is absolutely clear in my view is that change is needed. This is not the latest quality assurance fad that once achieved can be recognised with a plaque in reception: it is a new responsibility and must be properly addressed in an on-going way. Save for a few exceptional situations it is not something that can be addressed without some help either. Bring these two points together and you get the inescapable truth that you cannot duck this one and that however you address it, what you do must be fully supported and embraced at all levels of the organisation.

To be clear, electronic data storage compliance (which should be an IT management function) should form part of an overall Corporate Governance strategy (which should not be owned - though contributed to - by IT).

In the new, business aligned, mature IT function, the storage obligations must be considered as a part of a bigger whole - Corporate Governance. The type of company, its markets and a range of other variables will dictate this top-level strategy. While this may be new to you, there is a growing band of organisations to whom this is bread and butter. It may prove very worthwhile to start by consulting one of these experts. They should be able to help you identify the correct approach for your company and establish a plan that will move you towards compliance.

Gary Simon of Deloitte puts it simply that "in year one you should strive to establish compliance" and that in year two, "the goal will be sustained compliance, underwritten by basic improvement and reduced cost". Don't be afraid of the mention of one of the big consulting names. Firstly, they have a large client base of small and medium sized organisations, and they are complemented in the market place by a range of small and highly focused specialists. Choose the one that best suits your needs and, as always, apply heaps of due diligence to your selection.

To summarise, all aspects of compliance are here to stay and developing fast - it is the next evolutionary step in IT based solutions. The IT function is going to play a major role in establishing broad compliance and especially in the area of data storage. It is an opportunity and not a threat, especially for IT professionals. Those who work to establish compliance in these early days will be the experts and advisors of the future - like security was, it is a real career opportunity. It is also a real business opportunity. If you are prepared to consider Business Management Improvement (and why wouldn't you?) the best practices and efficiency measures that will arise will not need much or any adjustment to establish compliance.

Compliance for free? Well not really; it is just so much better for the motivation to improve a business as opposed to adhering to a rule. It is this that will underpin the necessary cultural adoption that will play a crucial part in the long-term success of your organisation.

Mindless creation, storage and destruction of data are coming to an end - they must. Organisations and individuals must have protection from the types of fraudulent activity that have adorned our national and international press of late. IT is struggling into adulthood and will through necessity become much more aligned with the business, shareholders and the customers it serves. These compliance and efficiency measures will become normal and expected practice. Technology (hardware, networks and software) will absolutely help but it must never be allowed to drive and set direction. External expert advice is essential.

Finally, there is latitude as to how best to approach this for your organisation. Use this to secure value and benefit. Remember that if your organisation breaches a regulation and can show that it was due to process failure by (for example) an individual, and that this can be corrected as an isolated incident, it is unlikely to be the end of the world. Take no action and show a breach and the response is guaranteed to be quite different. ST


Key considerations that drive compliance.

  • Audit and understand where your organisation currently is. Corral data sources under the process control of IT and know of their existence
  • Establish an overall policy and strategy for the storage of electronic data for your organisation. A boilerplate will help, but your needs are unique
  • Make sure that your storage strategy and policy is constructed as part of your overall IT management and business delivery strategy. It is especially important to consider security implications
  • If necessary, by taking advice, make sure that you know what legislative and regulatory measures apply to your business, or perhaps just to aspects of your organisation. Don't forget the Data Protection Act, as this applies universally. Don't forget that if you are a subsidiary of a US organisation, Sarbanes-Oxley compliance will be mandatory, as will Basel 2 if you are in the finance sector
  • Be aware of regulations currently in gestation
  • If there is an overall drive to enterprise-wide compliance and corporate governance, work to establish the storage strategy as a component. It will save money and unnecessary over-complication
  • Make sure that your final solution provides you with easy access in realistic time scales
  • Understand your data types and create a life cycle for each. Most data will at some point need to be destroyed and this must form part of the plan
  • Once strategy and policy are established, make sure that you create role-based process to ensure that it is properly enacted. Keep this simple and provide adequate training and re-training
  • Stay in touch. This is a very dynamic area and there are white papers, web sites and statutory information that will help you understand this challenge in the context of your organisation. Know what questions to ask
  • Review and measure effectiveness regularly. There is a strong case for having this done externally to keep objectivity. It is also a good way to keep your organisation updated on changes and new techniques - this is vital
  • Do not set this up as a storage or compliance project with a start and finish. You will need a planning and kick off project, but it must otherwise become a way of life and embedded in the culture
  • Establish a relationship with a trusted advisor. Use the advisor in a way that augments your own organisation - don't hand over responsibility or it will fail
  • Once you have clarity, research how technology can simplify execution and day to day operations. Make sure that you select technology that can cost-effectively scale to meet future (possibly undefined) needs. Don't be persuaded to buy extra storage for the future - buy it as you can see it is needed
  • Look at management products to see whether they will simplify operations or ease complexity. If possible, try to have this integrated with your overall IT management solution
  • If it is not mandatory, then don't do it unless it adds value to the business. For example, the drive to compliance will affect share prices (in the case of failure) for public companies. Similarly it will affect valuations at sale for private companies. It is an investment
  • Once you have understood the issues, how to review and manage them and make them work, do consider outsourcing. You will be better positioned to achieve improved value and maintain service levels. It should only be day to day operational activity that you outsource - you keep the responsibility and the ownership!
©2006 Business and Technical Communications Ltd. All rights reserved.