The software side of compliance
With an increase in the number and complexity of
regulations, vendors are moving in to address the market for
software compliance tools. Shivani Shinde reports
Indian multinationals have to comply with
various international laws and regulations in addition to guidelines
laid down by the RBI and SEBI. These rules apply to companies across
the spectrum—be they car makers, pharmaceutical companies, BPOs or
any other business.
Compliance is a management function. Managers have
to ensure that rules and regulations are followed whether they are
general or industry-specific. But increasingly, solution providers
realise the business potential and have started incorporating
compliance tools in applications.
Important regulations in the BFSI segment are the
Sarbanes-Oxley Act, Basel II, anti-money laundering and Clause 49
from SEBI. A pharmaceutical manufacturer is required to comply with
21 CFR part 11, while a healthcare organisation is bound by the
Health Insurance Portability and Accountability Act (HIPAA)
regulation.
Vendor perspective
Rajendra Dhavale, Consulting Director, CA India
and SAARC says, “Although compliance is seen as a diversion of
capital and a drain on a customer’s productive assets, how an
organisation responds to regulations can actually enhance its
business processes and IT operations.”
Compliance and IT go hand-in-hand, especially when
the mandate is to meet a growing number of global business
regulations and regulatory directives. Real-time compliance with
regulatory norms demands the ability to scan for unusual or suspicious
transactions and report them immediately. Risk capital allocation
requires the ability to pull data into a data warehouse from various
internal and external data sources, and to generate
structured reports from the information stored in the data
warehouse.
For all these issues, believes Sharat Bansal,
Country Leader, IBM Business Consulting Services India, the ability
to integrate multiple applications and tools to support compliance
is critical. Thus, solution providers, driven by customer
requirements, constantly upgrade solutions to meet changing
regulatory compliance requirements.
Many vendors feel that there is no one-stop solution for
compliance; organisations need to work continuously to
achieve the desired results. More than the applications or software,
it is the approach that matters. “Compliance is often perceived as a
combination of people and processes. More often than not,
organisations forget the role of technology in ensuring compliance.
An organisation can have skilled people and good processes in place.
However, does the technology at the back-end ensure that even in
case of a malicious attempt, no existing data can be modified or
prematurely deleted?” asks Manish Bapat, Business Manager, NAS &
SAN Technologies, EMC India and SAARC.
“Compliance is about laws and regulations that
various governing bodies and regulatory authorities come up with for
participating organisations to adhere to. Standards on the other
hand are driven by consensus amongst industry bodies. When you talk
of solutions, tools and applications, they can just enable the
collection of these sets of information and present it in an
automated fashion. There are ample security and quality checks built
into most of the COTS applications to take care of the integrity of
data,” explains Bithin Talukdar, Market Development and Alliances
Manager, HP Software.
| Company | Product offering with compliance features |
| --- | --- |
| CA | eTrust: provides identity and access management, provisioning, and monitoring/auditing in a single, integrated and comprehensive platform. Business Service Optimisation: supports compliance and risk management initiatives by automating COBIT control activities with the broadest support for ITIL processes. Enterprise Systems Management: these solutions support IT infrastructure compliance needs by integrating the management of IT operations. |
| EMC | EMC Legato EmailXtender: a centralised data storage and retrieval system that makes enterprise e-mail easier to administer and use. EMC EmailXtender Archive Edition: with its patented single-instance storage technology, removes duplicate messages and then compresses the remaining messages for a compact message archive. EMC’s Information Lifecycle Management: enables organisations to achieve compliance as an integral part of a well-managed information infrastructure; EMC helps organisations comply with the IT Act 2000, SEBI Clause 49, Basel II, Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA). |
| Serena Software | ChangeMan and TeamTrack: allow customers to comply with Basel II, Sarbanes-Oxley Act, HIPAA and Gramm-Leach-Bliley Act. |
| Solix | ARCHIVEjinni: an information lifecycle management solution that embeds into the user’s business process and takes care of regulations like SOX, HIPAA and SEBI Clause 49. |
| Symantec | Enterprise Security Manager 6.5: offers pre-configured policy assessment templates for the Federal Information Security Management Act, NIST 800-53, Gramm-Leach-Bliley Act, HIPAA, North American Electric Reliability Council, Payment Card Industry (PCI-DSS), VISA CISP and Sarbanes-Oxley Act. The solution also includes industry best-practice security policies ISO17799/2005 (Basel II-compliant), SANS Top 20 and Center for Internet Security benchmarks. |
| HP | OpenView Compliance Manager: SOX tool. |
| SecureSynergy | Barbedwire Audit Tool: a network auditing system. |
Compliance features
So does a vendor need to incorporate
compliance-related features in the application software? Anil Menon,
CEO of SecureSynergy believes that they should. He says, “Vendors
need to build compliance features in their products. If they do not,
the chances of them getting selected by organisations are slim. But
again, a vendor can have general features relating to compliance
with regulations, and it is up to the organisations to decide the
level of features they want to incorporate.”
As organisations take third-party assistance in
following regulations, Menon feels that vendors too are taking
advice from consultants. Says Dhavale, “Partnering with security
consulting organisations like PWC, Deloitte and E&Y ensures that
customers’ requirements for achieving compliance have been mapped to
the solutions on offer.”
Similarly, Serena Software, a change management
software maker, works with various parties, including auditing
firms, system integrators and consultancy firms. “We also work with
certification bodies like the Pink Elephant which does ITIL
certification,” remarks Keshav Prakash, Serena’s Country Manager for
India.
Vendors are getting proactive in including
compliance issues in their partner education programmes. For
instance, Serena recently added to their compliance solution
portfolio the Authorised Compliance Partner Programme—a new
ecosystem of partners that provides domain expertise in specific
areas across the compliance spectrum. The programme is designed to
help customers minimise the time and cost of achieving compliance
with Sarbanes-Oxley, HIPAA and others by coupling Serena’s
technology with industry best practices to automate and streamline
the compliance process.
Jeffrey Hoo, Services and Management System Field
Director, Regional Product Marketing, Symantec feels that it is
important for vendors to work with third-party experts. “At Symantec
we work not just with the strategic security, strategic IT and
functional IT departments, but also with functional business
departments that include auditors. In addition, Symantec also works
closely with the Big Four through our global strategic
alliances.”
Compliance is about processes, people and IT. In
future there would be new compliance issues that companies would
have to adhere to, and here again the role of the vendors kicks in
as they need to work closely with organisations. But more
significantly, the role of CIO/CFOs comes into play, and how they
perceive compliance in the organisation is also important.
Dhavale feels that IT managers need to understand
that they can’t rest after ensuring that their companies comply with
a certain section, say Section 404 of the Sarbanes-Oxley Act or any
other new regulation. Most new regulations are about increasing
visibility into operating processes and maintaining control over
data.
Addressing each regulation in isolation eventually duplicates effort in many
areas, which leads to fragmented processes and a lack of control,
visibility and oversight. This piecemeal approach also tends to produce
expensive, redundant initiatives that require constant re-tooling.
“A better approach for CIOs would be to embrace a holistic view of
corporate compliance and maintain a set of processes that are built
on best practice frameworks like the Committee of Sponsoring
Organisations (COSO) and COBIT, among others, and in turn on a set
of operational best practices like ITIL for services and BS7799 for
security,” adds Dhavale.
Bapat believes that by approaching compliance as a
part of Information Lifecycle Management—the discipline of managing
the data lifecycle to meet financial, competitive and regulatory
goals—organisations can build an information infrastructure and
deploy best practices that enable information integrity,
confidentiality and accessibility at every stage of the information
lifecycle. As a result, organisations can enhance their ability to
comply with a broad range of information requirements while also
gaining operational, business and financial benefits beyond
compliance.
Compliance and workflow
Compliance has to be tailored to the needs of each
user. Vendors need to address the
issue differently with each organisation, as compliance affects users
differently. Integrating compliance into the workflow, such as an ERP
system or messaging solution, requires customisation.
“This is best achieved by the use of Internal
Control Frameworks. These are the activities within a business
process—in whatever area of the business and at whatever
level—designed to manage or mitigate risk. Controls may be
preventive or fire up on detection, and may be either manual or
automated. IT controls apply across IT and its governance
structure,” explains Dhavale.
According to Bansal, enterprise risk management
(ERM) goes beyond controls. It means understanding inherent and
residual risks that exist after controls are put in place, and
managing their collective impact. Leading ERM adopters are moving
towards real-time risk allocation and transfer across their entire
portfolio and enterprise, a strategy that can translate into more
accurate product pricing and effective packaging of
services. “The workflow solutions, including ERP, provide
multiple configuration options and may even need some customisation.
The managers and other users do need to ensure that the solution is
configured for regulatory compliance,” he further adds.
Agrees Sai Gundavelli, CEO of Solix Technologies,
“The software industry is now offering various products to help the
customer automate governance, risk and compliance management.
Well-planned and automated policies built into these products ensure
secure availability and access to information with the right control
and audit points to comply with regulations.”
Vendors have been quick to address the market by
developing compliance tools that let organisations integrate
regulatory policies in the processes. For instance, HP’s OpenView
provides a broad range of solutions that directly and indirectly
support the internal controls outlined by COSO and required by
Sarbanes-Oxley’s Section 404. Talukdar says that HP OpenView
directly supports industry-recommended control frameworks such as
COBIT, ITIL and SysTrust to aid in Sarbanes-Oxley compliance.
Similarly, ISGN has introduced its Risk Management
Compass (RMC) that allows organisations to comply with regulatory
issues. “RMC captures documentation at entity and process level, and
provides the ability for validation, review, reporting and audit via
a Web interface. It helps companies to identify the key risks and
control points, and to communicate to employees their roles and
responsibilities in ensuring that the organisation is committed to
effective internal control,” explains Malli Sivakumar, VP, Market
and Business Development, ISGN.
While compliance measures have to be implemented
by the users, the role of vendors in providing solutions that enable
this is gaining currency. As Menon points out, for CIOs/CFOs it is
part of their processes, but for vendors it’s a great business
opportunity.
- Does the company have a record retention policy in place? Does the policy apply to all records and types of media, including e-mail, financial records, voice and video?
- Can you show a detailed audit trail to establish that your organisation has proper internal controls that are being followed?
- How quickly can you find and retrieve documents as part of the discovery process or in response to regulatory agency requests? Do you track your company’s costs for legal discovery and litigation support?
- Can you ensure the authenticity of the documents?
- Are you able to assign and protect access to certain documents?
shivani@expresscomputeronline.com