
The impact of regulatory compliance on storage: "the compliance landscape is a minefield."--Enterprise Storage Group.


Paralleling the more buttoned-down nature of the global business environment, storage management has become a stricter discipline as it responds to the proliferation of no-nonsense regulatory requirements that have been handed down by the federal government. In this harsh environment, senior executives are now being held accountable for certifying that their organizations have the compliance and supervisory policies and procedures in place that will protect them from the draconian penalties that are being meted out to violators. As a result of this new emphasis on enforcement, compliance has moved from a back room operation to a boardroom issue.

Not surprisingly, these far-reaching regulatory changes have had a big impact on IT organizations, many of which have drastically altered their storage infrastructures in order to comply with regulations that are, at best, vague. What's not vague is the message being sent to corporate America: Your data is an electronic record of your key business transactions, it must be accurately archived and securely retained, and it must be available--now. That all-encompassing range of data includes legal and securities documents, e-mail copies, photographic archives, medical imaging files, consumer check images, media presentations, and even instant messages.

Randolph Kahn, Esq., is founder of Kahn Consulting, Inc., a Chicago-based information management consulting firm specializing in the legal, compliance and policy issues of information technology and business records. According to Kahn, "Whether it is the federal government's record keeping failing to properly manage electronic records, or a stockbroker deleting e-mail in violation of a court order, it is clear that records management has never been more important or challenging than it is now."

Is it any surprise that regulatory compliance has become the new financial sheriff in town? It may be too late to rectify the sybaritic excesses of the recent past, but it is not too late to make sure they don't happen again. That's why the Sarbanes-Oxley Act (enacted on July 31, 2002 to govern all public companies) was created. It is also why similar laws were enacted to control such industries as financial services (Securities and Exchange Commission [SEC] 17 CFR 240.17a-3&4 for broker dealers, and 17 CFR Parts 270 and 275 for investment companies and advisors), healthcare (Healthcare Insurance Portability and Accountability, or HIPAA), life sciences/pharmaceutical (The Food and Drug Administration 21 CFR Part 11) and the federal government (DoD 5015.2).

Even privately held companies are feeling the iron grip of compliance. They have to worry about regulatory intervention if their goal is to go public. They also have to protect themselves in case of litigation. All in all, industry sources estimate that there are between 10,000 and 15,000 U.S. laws addressing records-based information. Clearly, this is not about corporations, it's about organizations.

Costs of Compliance, and Non-Compliance

According to a study conducted by Hyperion Solutions in the November 3 issue of Business Week, 52% of finance executives at large companies say they have not taken steps to comply with the disclosure requirements of Sarbanes-Oxley. In another study of broker-dealers regarding SEC regulation 1784 conducted during 2002, some 80% of the companies surveyed said they were not sure they could pass an audit.

A third study took a look at the impact compliance will have on business and IT systems. In this study of 880 chief financial officers and senior information technology executives conducted by PeopleSoft and Business Finance Magazine during July 2003, 40% of respondents reported they will need to upgrade current financial processes and systems to comply with Sarbanes-Oxley. Top initiatives under consideration include: business performance management solutions, internal compliance dashboards/portals, enabling workflow, replacing/upgrading finance systems and consolidating ERP instances.

Despite the rigors of developing compliant infrastructures, non-compliance is not an option--not when offending C-level executives are facing huge fines of up to $25 million, and lengthy prison terms of up to 25 years. Make no mistake about it. Sarbanes-Oxley has teeth, and it will become even more exacting and complex when section 404 is phased in on June 15, 2004. Section 404 requires business process audits and documentation to support internal controls and certification.

In the meantime, the Act is already making waves. For example, in one of the first cases of document destruction being brought under the Act's aegis, a former partner at Ernst & Young (who allegedly altered and destroyed audit working papers) was arrested and charged with obstructing investigations by both the Office of the Comptroller of the Currency and the SEC. In a separate SEC 17 CFR 240.17a ruling, in December 2002, the SEC, New York Stock Exchange (NYSE) and National Association of Securities Dealers (NASD) announced joint sanctions against five broker-dealers for violations of record-keeping requirements concerning e-mail. The companies were fined a combined $8.25 million, or $1.65 million per firm.

Although the implications of non-compliance are typically framed in terms of legal solutions, there are also operational and competitive ramifications. For example, most electronic records are archived on unreliable and outmoded technologies. While the upfront costs of compliance development can be steep, compliant systems reduce the costs of maintaining corporate records and enable their companies to be more competitive.

Many of those corporate records exist in the form of fixed content. In fact, by the end of next year, most of the data stored by every corporation and the entire U.S. government will be fixed content. Any file requiring storage that isn't changed, updated, or modified when recalled is essentially fixed content, and properly managing it is essential to the success of compliance.

What does it take for a large corporation to become compliant? Consider the requirements faced by a large pharmaceutical manufacturer. To satisfy the strictures of the FDA 21 CFR Part 11 regulations, every comment on every drug study must be saved. Each version of every document evaluating research results must be maintained. The policies and procedures required to do this may be established within software applications, such as enterprise content management systems or e-mail archiving systems that specifically spell out detailed requirements, but the data must ultimately be electronically stored, protected, and managed.

Savvy companies ensure that their general counsels and corporate compliance officers are on top of compliance efforts. These companies typically form cross-functional teams that are charged with ensuring that all critical business requirements are baked into ensuing technology architectures.

Impact on the Storage Infrastructure

A study conducted by Cohasset Associates, a Chicago-based consulting firm specializing in document-based information, substantiates the role of IT as the keeper of records management. Seventy-one percent of the records managers that were surveyed by the study thought that IT has the primary responsibility for day-to-day management of electronic records. Even though these IT organizations constantly strive to simplify their operations, compliance with records management regulations is making their lives far more complex.

This increasing complexity is evidenced by the following comment from Enterprise Storage Group: "The good news for storage technology vendors in 2003 is that their customers' lives are getting more complex. Storage capacities under management continue to increase rapidly in a down economy, and there is a new wave of complexity coming, one that will impact not only IT departments, but will have equal, if not greater impact on the business professionals within organizations across every industry."

Although IT is responsible for the operational efficiency of compliant solutions, it is commonplace for top IT officers not to have their first meetings with their compliance counterparts until both sides are invited to a vendor sales call. This lack of planning and participation before the fact leaves many senior IT executives feeling understandably unprepared and blindsided.

No amount of IT input, however, will change the fact that today's storage infrastructures can't keep up with the volume of records being created. Many of these legacy storage infrastructures are simply breaking down under the load. All this leads to situations where 10 or more people have to share a drive if they want to read a record and, even then, they have to be sure that the right tape or platter is loaded at the right time.

In a vain attempt to remedy the situation, various robotic techniques have been used to automatically upload tapes. They are all physical techniques, however, and as a result, they tend to break down and require expensive repairs or replacement.

In addition, legacy media systems of the past don't automatically verify the integrity of records over their lifecycles. As a result, user companies have to either accept the fact that their records are going to slowly decay to the point where they are unusable, or they have to make multiple copies of records with the hope that at least one of them will be (a) findable, and (b) usable.

These records need to be preserved over time. Legacy media-specific technologies such as optical and tape force costly migrations between different formats--there have been six such format changes in the last seven years. Any failure to maintain current compatibility can leave companies without the necessary data access they need to protect themselves against punitive regulatory intervention.

Finally, the failure to keep up with the changing compliance landscape can be cost-prohibitive to businesses. The digitization of business data has exponentially accelerated the pace of record creation. Considering e-mail alone, there are currently some 32 billion business e-mails created daily, and that number is expected to grow rapidly. Clearly, there is a need for one, unified system that can handle all regulated records.

CAS: A New Category of Storage

Content addressed storage (CAS) is a new magnetic disk-based architecture designed to deal with the many forms of fixed content. CAS overcomes the threats posed by the unmanaged, exponential growth in capacity and number of fixed-content objects. Because it provides the online performance of magnetic disk, CAS delivers content authenticity that matches or exceeds optical technology at a total cost of ownership equal to or better than a tape library. CAS also protects against technology obsolescence--something that optical and tape systems can't do.

Consider e-mail, as an example. If a CEO sends a company-wide e-mail to 60,000 employees about new travel guidelines, it is likely to be indefinitely stored on and routinely viewed from a server or a PC drive. As a matter of convenience, employees may save the e-mail for reference. For storage administrators, that e-mail message is now taking up 59,999 times more disk space than necessary. And, because everyone is referring to a copy of the original message, the risk increases that the content could be tampered with and forwarded on.

With CAS, instead of sending out thousands of e-mails, an original document can be created, stored in the CAS repository, and receive a digital "claim check" so pointers or links can be sent to direct only authorized employees to the original. Here, the increased efficiency of storage in a CAS-enabled environment becomes evident, and the storage resources optimized by CAS become even greater when that relatively small e-mail is replaced by a large multimedia corporate sales presentation stored and recalled nearly every day. The self-healing nature of CAS makes it possible for one storage administrator to manage over 250 terabytes of data.
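The single-instance "claim check" idea described above, together with the integrity checking and retention enforcement the article asks of a compliance archive, shown as an added example (not code from the article or from any EMC product). It assumes the claim check is the SHA-256 digest of the content; the class and function names are hypothetical.

```python
import hashlib
from datetime import date


class IntegrityError(Exception):
    """Stored bytes no longer hash to the address they were filed under."""


class RetentionError(Exception):
    """Deletion attempted before the record's retention period has ended."""


class ContentAddressedStore:
    """Toy in-memory CAS; the SHA-256 address scheme is an assumption."""

    def __init__(self):
        self._objects = {}       # address -> bytes, one copy per distinct content
        self._retain_until = {}  # address -> date before which delete is refused

    def put(self, data: bytes, retain_until: date) -> str:
        address = hashlib.sha256(data).hexdigest()  # the "claim check"
        self._objects.setdefault(address, data)     # identical content stored once
        # A later put may extend retention but never shorten it.
        current = self._retain_until.get(address, retain_until)
        self._retain_until[address] = max(current, retain_until)
        return address

    def get(self, address: str) -> bytes:
        data = self._objects[address]
        if hashlib.sha256(data).hexdigest() != address:  # verify on every read
            raise IntegrityError(address)
        return data

    def delete(self, address: str, today: date) -> None:
        if today < self._retain_until[address]:
            raise RetentionError(address)
        del self._objects[address]
        del self._retain_until[address]


def demo() -> dict:
    store = ContentAddressedStore()
    # Constructed sample message, not taken from the article.
    memo = b"Subject: New travel guidelines\n\nEffective immediately ..."
    # 60,000 recipients filing the same message yield one stored object.
    checks = {store.put(memo, date(2011, 2, 1)) for _ in range(60000)}
    results = {"claim_checks": len(checks), "objects": len(store._objects)}
    # An altered copy gets a different address, so it cannot pass as the original.
    forged = memo.replace(b"immediately", b"next year")
    results["forged_differs"] = store.put(forged, date(2011, 2, 1)) not in checks
    # Simulate silent media decay by changing the stored bytes directly.
    original = next(iter(checks))
    store._objects[original] = memo[:-1] + b"?"
    try:
        store.get(original)
        results["decay_detected"] = False
    except IntegrityError:
        results["decay_detected"] = True
    try:
        store.delete(original, date(2004, 2, 1))  # still inside retention
        results["early_delete_blocked"] = False
    except RetentionError:
        results["early_delete_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

A production archive would repair a failed read from a replica rather than only raising, and would enforce retention below the application layer so that an administrator cannot bypass it.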

Robert Williams, president of Cohasset Associates, states: "A new generation of digital storage such as EMC Centera has come to market designed to address the unique requirements of fixed-content, or long-term archival needs. Functionally, it offers a revolutionary capability to automate virtually all of the key records management functions. As such, this new generation of digital storage is ideally suited to today's needs to maximize compliance and minimize information management risks."

Despite its key role, storage is only one component of a complete compliance system. A full solution also requires a documented and enforced set of records creation and retention policies, a layer of software to collect, catalog, and archive records, and a secure storage archive capable of enforcing retention policies and guaranteeing integrity and access over the lifetime of the record.

Conclusion

Complying with the ever-expanding number of corporate governance regulations is putting tremendous pressure on both public and private companies, who are scrambling to update their storage infrastructures in order to avoid the harsh penalties being handed out for non-compliance. New archiving storage technologies developed by cross-functional teams should be a critical piece of that solution/strategy.

From a technology perspective, the implementation of magnetic disk-based CAS architectures is critical to these corporate efforts. Through their ability to reliably manage the melange of fixed-content data associated with compliance, CAS and its underlying storage technology provide the first set of tools that can make a true difference in the quest for compliance, and return the current board room issue to a back-room operations process where it belongs.

RELATED ARTICLE: IMPLICATIONS OF SARBANES-OXLEY

Sarbanes-Oxley contains sweeping provisions affecting some 15,000 publicly traded companies in such areas as auditor independence, corporate responsibility, improved financial disclosure, analyst conflict of interest, and accountability for corporate criminal fraud. Among other things, the legislation:

* Requires CEOs and CFOs to personally attest to the accuracy of earnings reports and other financial statements

* Sharply curtails the kinds of non-auditing consulting services that outside auditors can provide to companies whose books they review

* Protects whistle-blowers

* Strengthens criminal penalties, including fines and jail terms, for certain misdeeds by executives

* Requires investment firms to take steps to improve the objectivity of reports by securities analysts

* Establishes a Public Company Accounting Oversight Board to oversee the audits of companies that are subject to securities laws

* Bars executives and directors from coercing outside auditors to issue misleading financial statements, and requires them to relinquish any compensation they earned as a result of bogus statements.

Roy Sanford is vice president of Markets & Alliances at EMC Corporation (Hopkinton, MA)

www.emc.com
COPYRIGHT 2004 West World Productions, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2004, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:Disaster Recovery
Author:Sanford, Roy
Publication:Computer Technology Review
Geographic Code:1USA
Date:Feb 1, 2004
Words:2287