Beyond IT Security
New Architectures Must Be Designed to Facilitate Accountability, Compliance and Risk Management
By George Vinyard, Partner
Sachnoff & Weaver
A Sachnoff & Weaver Thought Leadership Article
As a wise engineer reputedly said, “If your only tool is a hammer, every problem looks like a nail.” When it comes to designing and implementing the next generation of commercial IT infrastructure, it is important to have a full analytic toolbox in order to understand and make provisions for the future needs of the enterprise in the areas of accountability, legal and regulatory compliance, and information-related risk management. These needs go well beyond the traditional IT concerns with system security, privacy and data integrity.
Over the past three years our firm, Sachnoff & Weaver, Ltd., has sponsored a series of seminars organized around the theme of “Controlling Information” in which we have explored the broader implications of two basic value propositions: (1) that the right information under one’s control can be a valuable asset and/or competitive advantage; and (2) that information that is under the control of others or not subject to any controls can be a liability and/or competitive disadvantage.
Of course, being a product of human activity and easily replicated, manipulated and transmitted, information has always been, by its nature, very difficult to control, despite all manner of technical, economic and legal devices that have been developed for this purpose. In recent times, however, the digital revolution, with its incredible decentralized computing power and storage capacity and worldwide high-speed communications networks, has made the exercise of meaningful control over any information even more problematic.
The game has changed dramatically now that it is within the power of nearly everyone associated with a modern enterprise to create, modify, publish (through posting, broadcast or point-to-point transmission), store and retrieve records of all kinds, virtually without limits, economically speaking. Very low or non-existent costs in time and money mean that the other traditional constraints on uncontrolled use or dissemination of information, i.e., technical solutions, legal regulations and behavioral/social norms, are more stressed than ever. At the same time, the proliferation and decentralization of records make them that much more expensive to track, retrieve, analyze and authenticate. Consider the bloated e-mail files that exist on every corporate desktop and the recurring nightmare that has come to be known as “electronic discovery” in lawsuits.
At the same time that information has become infinitely more difficult to control, we are seeing a trend toward increasing regulation and elevated expectations regarding compliance and accountability on the part of organizations and the individuals that direct them. Various privacy regulations, regulations affecting electronic solicitations and the various requirements for financial controls and accountability arising out of the Sarbanes-Oxley law are only some of the most prominent examples. Similarly, increasing activity and greater digital sophistication in the areas of private litigation and regulatory investigations are important trends giving rise to the need for comprehensive, economically viable systems and solutions for the storage and retrieval of records of all kinds, in all media, including not only digital but also paper formats.
These developments and trends present significant challenges that can only be dealt with effectively through careful application of the same technologies that give rise to them in the first place. Traditional, essentially manual, systems of records retention, compliance policy administration, and internal controls for non-financial information systems and assets are neither adequate to the task nor economically workable. Unfortunately, these key organizational functions are often given very little consideration, let alone significant priority, in the context of designing and implementing enterprise-level architectural platforms and systems. This is understandable in light of the difficulty and near-term urgency of implementing expensive ERP and financial systems and other IT systems and applications, such as communications, production controls and CRM, that are more directly tied to revenue enhancement or immediate operating cost reductions. But in the longer run, organizations will surely pay dearly if they fail to anticipate and build in the capacity to automate critical legal and regulatory compliance functions and related records retention and retrieval capabilities, as well as appropriate controls and support for accountability (audit trails, etc.) with respect to non-financial (e.g., off-book) asset protection and risk management.
What should an organization do to avoid such pitfalls? The answer involves three key, but of course not easy, steps. First, recognize that, in addition to security, provisions for compliance, accountability and information-based asset controls are essential elements of a sound IT strategy. Second, anticipate and identify the compliance, accountability and intangible asset control issues that are likely to be of strategic importance to the enterprise currently and in the future. Third, design capacity and flexibility into your IT architecture to support these functions. Such capacity should include, at minimum, the ability to generate audit trails and maintain useful, easily accessible archives of records relating to selected non-financial transactions and data.
In addition to the obvious system features designed to detect unauthorized intrusions and track the effectiveness of system security measures (access controls, etc.), the needed audit and archive capabilities may include creating and maintaining special records relating to compliance with particular laws and regulations, e.g., employment laws, regulations governing financial institutions, safety and quality requirements for certain industries, etc. But they should also be designed to implement new standards of corporate accountability, facilitate sound decision making relating to risk management and quality control matters, support preservation and management of intellectual capital, and enable the enterprise to respond quickly and efficiently to the information discovery requirements that can be anticipated in the areas of private litigation and regulatory enforcement.
This kind of comprehensive planning and design can only be achieved through appropriate involvement by those responsible for the various non-financial business processes and functions that traditionally have not been built into the IT infrastructure of most enterprises. Thus, in addition to those responsible for finance, accounting and network security, the managers responsible for functions such as the following should be consulted early in the planning and design processes and given a meaningful voice in defining system requirements and functional specifications: (a) treasury; (b) compliance; (c) privacy; (d) legal; (e) intellectual property; (f) records management/archives; (g) contract administration/compliance; and (h) risk management/insurance.