Corporate Governance and Compliance in the UK – Delivering Gain from the Pain: Microsoft’s Solutions


WORKING OUTLINE #6 25-04-05

Written by: Mike Davis, John Holden – Senior Research Analysts

Published April 2005
© Butler Direct Limited

All rights reserved. This publication, or any part of it, may not be reproduced or adapted, by any method whatsoever, without prior written Butler Direct Limited consent.

Important Notice

This report contains data and information up-to-date and correct to the best of our knowledge at the time of preparation. The data and information comes from a variety of sources outside our direct control, therefore Butler Direct Limited cannot give any guarantees relating to the content of this report. Ultimate responsibility for all interpretations of, and use of, data, information and commentary in this report remains with you. Butler Direct Limited will not be liable for any interpretations or decisions made by you.

Introduction

Corporate Governance is a heading, not a single issue; it is big and varied, and as we learnt with the recent conviction of Bernie Ebbers, the former Chief Executive of the US communications giant Worldcom, where there is poor Corporate Governance, the whole organisation can fail.

Good Corporate Governance is about running the organisation in a way that is compliant to the highest standards set both by the appropriate regulators, and by the organisation itself.

Compliance is about having good processes, and the ability to demonstrate to stakeholders that those processes are monitored, and can be reported upon. Compliance is undoubtedly becoming a major pain point for organisations as we see a raft of legislation and regulations that are impacting on the way that they operate, and the levels of reporting they are required to deliver.

Butler Group does not just see compliance as a pain. Rather, we see it as formalising best business practice, and providing both investors and managers with confidence in the rigour of the business processes. If compliance is addressed in the organisation’s business and IT strategy, it will offer operational and even competitive advantages – there are demonstrable gains.

This White Paper examines Corporate Governance and compliance as it is affecting UK organisations, and how Microsoft-based technologies can be used to support those organisations in addressing their respective pain points. It includes four case studies from different industries that illustrate how the challenge of compliance can be tackled with the assistance of good IT systems, and how addressing compliance can be used to deliver business advantage.

Where is the pain?

In Butler Group’s opinion, compliance is about doing the right thing – operating in a way that gives shareholders or stakeholders, customers, employees, and external regulators confidence that the organisation is behaving in a manner that is beyond reproach.

Butler Group defines compliance as: adherence to the legislation, regulation, and standards that apply to an organisation in its respective jurisdiction. As the Confederation of British Industry (CBI) and Federation of Small Businesses regularly report, in the UK this appears to be a plethora of ‘red-tape’ that affects organisations of all complexions. A list of the applicable legislation and regulations would easily fill this whole paper, but many are obviously specific to particular vertical sectors or types of organisation.

Examples of relevant legislation include:

  • For UK-listed companies – The Companies Act 2004, and the Proceeds of Crime Act 2002. Companies that are also US-listed will have to be compliant with the US Sarbanes-Oxley (SOX) Act 2002 by July 2006.
  • For Public Sector organisations – The Freedom of Information (FOI) Act 2000.
  • For all organisations – The Data Protection Act (DPA) 1998, Health and Safety at Work Act, and various Employment Laws.

Examples of regulations and standards include:

  • Money Laundering Regulations 2003, and the BS7799/ISO/IEC 17799:2000 IT security standard.

If there is one thing that we can be very certain of, it is that there is more to come. For example, a UK Small Companies Bill is currently being prepared, and as the European Union continues to harmonise we will increasingly see Directives that drive pan-European standards.

Some pieces of legislation will have a wider impact than just in their original country – although SOX only applies to US-listed companies, it is setting the standard for best practice. We are already seeing in the UK a ‘viral’ effect similar to that which happened with the ISO 9000 quality standard, in that large US companies are starting to insist that all organisations in their supply chain are also compliant with SOX.

The priorities in the compliance agenda vary from business to business. Having good corporate governance, and being compliant, requires organisations at board level to be aware of the legislation and regulations that are relevant to their particular vertical, to prioritise the issues to be addressed, and to implement any solutions within a strategic business and IT framework.

Information technology requirements

First and foremost, there is no ‘one size fits all’ solution for compliance, but there are common elements, and using IT to support the addressing of compliance issues requires a strategic view of an organisation’s technology infrastructure.

At its simplest, from an IT perspective, supporting compliance is about recording and storing the information that is required for managing, monitoring, or reporting on business processes, and then retrieving that information when required, either operationally or for a regulator.

The technologies that can support this can be grouped into three types:

1) Information Management technologies – To ensure that information is captured and stored appropriately, that it is retained for the period required, and that from creation to destruction any changes are recorded to ensure transparency. This should be automated wherever possible to ensure consistency and minimise the risk of non-compliance.

2) Information Analysis – Enabling the information to be retrieved, not only when requested, but also in a scheduled and automated manner, in the appropriate format required.

3) Information Security – Ensuring that only appropriate and authorised persons can access information, and, just as importantly, that appropriate and authorised persons have recorded the information.

Figure 1 shows a list of the technologies that are covered by these headings.

These technology requirements translate into:

  • Robust and scalable storage for electronic information.
  • Workflow or Business Process Management (BPM) to automate as many of the tasks as possible.
  • Effective search and retrieval tools.
  • Identity and access management for the network and systems.
  • Effective and tested disaster recovery.

Microsoft’s solutions for compliance

Microsoft does not offer any systems for compliance; rather, it provides the platform upon which compliance solutions can be built, often by integrating with products from Microsoft’s wide range of partners.

The core elements of any Microsoft-based deployment will be Microsoft Windows Server 2003, Microsoft Active Directory, and the Microsoft SQL Server database. Additional Microsoft products that may form part of the platform for the solutions include: InfoPath, SharePoint Portal Server, Exchange Server, and Microsoft Analysis Server. As shown in Figure 1, some of these products provide capabilities in more than one area.

Supporting IT Requirement / Microsoft Technology

1) Information Management
  Business Process Management (BPM) / InfoPath
  Collaboration / SharePoint Portal
  Digital/E-mail Archiving / Exchange Server
  Disaster Recovery / Windows Server, Office
  Enterprise Content Management inc. E-mail & Records Management / SQL Server, Windows Server, Exchange Server, Content Management Server

2) Information Analysis
  Business Intelligence/Analysis / Analysis Server, Office (Excel)
  Corporate Performance Management / Office (Excel)
  Search / Discovery / Retrieval / SharePoint, Office

3) Information Security
  Identity Access Management / Active Directory
  Network Security / Active Directory
  Policy Management / Active Directory
  Profiling / SharePoint

Figure 1: Technologies to Support Compliance – Butler Group 2004

Most organisations have quite rightly developed their existing IT infrastructures and deployed appropriate Line Of Business (LOB) applications to meet their operational business needs, for example accounting and payroll systems, customer databases, and stock control systems. These often evolve into Enterprise Resource Planning (ERP) and Customer Relationship Management (CRM) systems as the organisation matures and expands. They are in general transactional systems where the individual items of data have a very low value. But there are lots of those items, and the structure and in-built processes of those systems can ensure a high degree of accuracy and integrity of the information stored.

Some of the information required by regulators to meet compliance requests will be stored within the LOB applications, and they are often the core repositories of organisational intelligence. However, this information can normally be accessed by only a few specialists, so reporting becomes expensive and another pain point in the compliance process.

Microsoft’s .NET architecture enables the integration of these LOB applications with other Microsoft tools, meaning that organisations can exploit their existing IT investments as part of their compliance solution.

The most important aspect for all organisations is that solutions are accessed through the existing Microsoft Office 2003 interface. This means that employees are utilising the tools they are already familiar with such as Word, Excel, or Outlook, reducing the pain of training and change management. Such solutions also have high levels of automation, eliminating the risks of employee mistakes and thus non-compliance.

For example, a document created in Word, such as a contract, can automatically be declared a record as it is saved, and then stored in a manner that cannot be changed until the legal retention period has passed.

Similarly, information stored in an ERP system can be automatically retrieved into a report without the requirement for specialist skills, with the assurance of the integrity and accuracy of that information.

The Role of Partners

Microsoft’s partners help deliver compliance solutions for organisations by integrating their own products with appropriate core Microsoft elements. These will normally be implemented by the partner, in conjunction with the deploying organisation, and potentially third parties such as System Integrators (SIs).

Examples of such products include the Enterprise Vault[1] archiving product from Veritas (now part of Symantec). This is extensively used in the financial services sector for the storage, discovery, and retrieval of e-mails to meet US Securities and Exchange Commission regulations. Enterprise Vault has also been deployed by the UK supermarket group Somerfield to support contract management, and by Luton Borough Council to deal with DPA disclosure requests.

The wide range of Microsoft partners includes those with experience of deploying solutions across a variety of businesses, or in specific verticals, such as Public Sector, Legal, Retail Banking, and Insurance.

For example, partners in the financial services arena help companies implement Microsoft Business Solutions such as Axapta, Great Plains, Navision, Solomon, Enterprise Reporting, and Forecaster, to support their respective compliance requirements.

Delivering business benefit from a compliance solution

The fast and comprehensive retrieval of information when it is required by regulators, or even customers, is both a challenge and a pain point. Examples include training records in relation to Health and Safety issues, a Subject Access Request under the DPA, or a disclosure under the FOI Act from a public-sector body. It is likely that in all these instances the required information will be spread across a number of electronic systems, and even in physical documents.

Such retrieval ability is also increasingly necessary for customer-facing functions, for example in a call-centre environment, whether that of a local authority or a bank, where a rapid and comprehensive ‘view’ of the customer/client can improve both the perception and the delivery of service.

An Electronic Document and Records Management (EDRM) system can provide a single point from which all required information can be accessed, with the confidence that it is complete and accurate, with any changes to the data tracked and the author identified.

An EDRM system can be combined with workflow or Business Process Management to automate the retrieval, and any authorisation steps required. It is doubtful whether any public sector organisation which has records on more than one site could address the DPA or FOI Act without EDRM.

Case studies

The following four case studies show how compliance solutions based upon Microsoft technologies can be built to address the pain of the organisations’ respective compliance issues.[2]

Statoil Case Study

Statoil is a major integrated oil and gas company with its headquarters in Norway. It operates in 29 countries and employs about 25,000 people, almost half working outside Norway. The company was founded over 30 years ago and has grown both organically and through acquisition since that time. In 2001, Statoil shares were listed on the Oslo Stock Exchange, and the company is currently enjoying strong growth in its international production, and retails petrol and oil in Scandinavia, Ireland, Poland, and the Baltic states. It is one of the major suppliers of natural gas to the European market, and one of the world’s biggest sellers of crude oil.

The company recognised that there was a critical requirement for it to be able to supply detailed audit information to satisfy both financial and accounting disclosure needs. Statoil started a programme called Collaboration@Statoil covering all its locations and employees, with the intention being to ensure compliance with legal and statutory requirements such as the Sarbanes-Oxley Act, and to establish best practice for collaboration and information sharing in the enterprise.

This is built on a technology architecture that enables document tracing and secure access to information throughout its lifecycle. The company understood that it required an extensive audit trail that could be accessed through drill-down and drill-around functionality. Importantly, Collaboration@Statoil allows staff to use Web-based IT tools, which automatically tag documents when they are produced.

These tools are ideal for improving processes for the production and sharing of information among a wide range of work groups. Project teams collaborate within an electronic workplace, which utilises documents, tasks, activities, charts and presentations. Automatic identification of documents helps Statoil to eliminate duplicates.

The company says that it produces over 300,000 information objects in a month within Collaboration@Statoil, excluding e-mail messages. Stored data is classified by project numbers, activities, and process ownership.

The Collaboration@Statoil system has been developed incorporating technologies from a number of suppliers. At the heart are the Microsoft technologies, including Microsoft Office 2003, Microsoft Exchange Server 2003, Live Communications Server 2005, SQL Server 2000, and Microsoft SharePoint Portal Server 2003.

The end user portal is supplied by SAP, and Meridio provides electronic records management technology.

Technology Type / Microsoft Products
  Info. Mgt. / SQL Server, Exchange Server, Content Management Server
  Info. Analysis / Office, SharePoint, Live Communications Server
  Info. Security / Active Directory, Windows Server

Search engine technology is deployed using both Fast ESP and the Stratify Discovery System, which can continuously search through millions of documents and provide a comprehensive view of Statoil’s global data.

Statoil plans to roll out the system to its Corporate Services division during 2005, and this will be followed by sequential implementation in its other divisions, including International Exploration and Production, Technology and Projects, Natural Gas, Manufacturing and Marketing, and Exploration and Production. The roll-out across the whole of Statoil is expected to be complete by 2006.

Ole Jørgensen, Statoil’s Senior Vice President – Information and Communication Technology, said that the amount of integration that Statoil had to contribute between products from different suppliers had proved to be greater than expected, but that the challenges faced by them in setting up the project were largely related to people and processes, rather than technology. He said that this was exacerbated by the many types of users that they had to accommodate, ranging from knowledge workers to engineers.

MOD Case Study

The UK government’s Ministry of Defence (MoD) employs approximately 300,000 people. It receives and generates an enormous amount of data that can be regarded as “records”. The MoD possessed a number of legacy electronic records management solutions, but these were rarely used because of their complexity. As a result, archiving its huge volumes of information, and retrieving it, had essentially become physical processes. Then the MoD came to face a major challenge: the need to comply with a large amount of statutory legislation, including the Freedom of Information Act 2000, and to manage records to the UK National Archives 2002 standards. To comply with the legislation through existing processes would have placed an unacceptable administrative burden on civil service and military personnel.

Towards the end of 2003, Microsoft began working on a proof-of-concept project that was demonstrated to the MoD in November of that year. The MoD was impressed with the simplicity and capabilities of the Microsoft platform, and it asked the company to work with the MoD and its partner, Fujitsu, to deliver this. It required an easy-to-use solution with document creation, search, and retrieval functionality, closely coupled with records management.

A team was set up consisting of people from the MoD, Fujitsu, SourceCode, and Microsoft, and in ninety days it developed a robust and scalable solution. This was based on Microsoft technologies, comprising Microsoft Office Standard Edition 2003, Microsoft SharePoint Portal Server 2003, Microsoft SQL Server 2000, and Microsoft Exchange Server 2003. Meridio, a key Microsoft partner, provided the records management functionality, and SourceCode Technology Holdings supplied K2 .NET 2003.