Delivering Competitive Advantage Through Compliance Programs
White Paper - Draft
September 2006
The PeopleReady Business
Inside your company is a powerful force:
a force that can cut costs, win customers,
and find innovative new business opportunities
all over the world.
It’s your people. Are they ready?
Executive summary
Although some organizations see compliance as a burden, others see it as an opportunity. A study sponsored by Capgemini[1] found that forward-thinking chief financial officers (CFOs) are taking calculated risks to ensure that their compliance policies, processes and controls are enhanced and reinforced to withstand the test of time. They plan not only to meet today’s compliance needs but to go beyond them and in doing so create genuine competitive advantages for their organizations.
These CFOs view regulatory compliance as a long-term concern and also as a catalyst for change. This view contrasts with that of other CFOs, who spend their time and resources simply addressing today’s audit or legal challenges using a tactical approach. A study by IDC[2] found that the average company with revenue over $1 billion spends an average of $3.70 million annually to meet its Sarbanes-Oxley requirements. These CFOs tend to view legislation like BASEL II as a “tax” – an unavoidable and incremental finance cost. They seem to hope that it will soon pass.
However, leading CFOs are investigating what they can do to strengthen their compliance activities while working to offset the incremental cost of compliance. They recognize this as an opportunity to partner with other areas of the business to lower operating costs and improve business performance by streamlining processes, standardizing reporting, and integrating technologies, while delivering the organization’s compliance status at any time.
Microsoft and Capgemini believe competitive advantage is achieved through benefit-driven activities that embed compliance in the ‘business as usual’ operations of an organization. Capgemini has created a transformational journey from compliance to competitive advantage. There are four steps on this journey: Compliant, Cost Effective, Collaborative and Competitive Advantage. Each step of the journey has five consistent pillars: Culture, Governance, Business Processes, Information Management and Enabling IT. These pillars of activities deliver the transformational benefits required to be competitive and deliver tangible savings and returns through compliance transformation.
Microsoft believes that to achieve the competitive advantage journey vision, an organization should have technologies that enable its people and become “People Ready.” Delivered through the ‘Enabling IT’ pillar, the technologies must be scaleable, security-enhanced, and above all intuitive to the people within the organization. These “enterprise content management” technologies provided by Microsoft can help deliver the results and information your people require to win business, create new products, and become compliant. Microsoft technologies provide a familiar, easy-to-use interface through the Microsoft® Office system, with security technologies, enterprise architecture, and an IT-compliant framework that an organization’s people can adopt with minimal training and that leverages the organization’s software investment.
Microsoft’s value chain of partners helps deliver solutions that enable global businesses such as Del Monte and Paradigm Health to become compliant and more collaborative. Microsoft can deliver solutions that meet the vision for competitive advantage and compliance requirements, and that enable your vision.
Isn’t it time you considered leveraging your investment and delivering tangible results?
Dealing with the myriad of compliance requirements
Over the last few years, high profile global organizations have been fined for non-compliance, breach of legislation or regulations, and for missing deadlines to comply with regulations. Additionally, there has been significant negative media focus on organizations with poor compliance standing and questions about whether their share price truly reflects the organizational value.
Organizations have typically responded by introducing tactical technical solutions; however, these “band-aids” are increasingly unable to cover the myriad compliance drivers and controls, for example COBIT. These controls can provide better visibility of the processes and activities across the organization. The cost of these tactical solutions has only recently been understood: the average cost of implementing a BASEL II framework is $9.2 billion for 5 years [IDC][3].
The increasing number of regulations highlights the importance of existing internal governance policies and procedures. Embedded internal regulations such as procurement, quality assurance, and recruitment are now also being reviewed to look for commonality and improved efficiency in cost and time.
There is typically a high degree of commonality between these rules and regulations, in terms of processes, policies, controls and technology enablement, which is beginning to be recognized by forward-thinking CXOs. These common areas require centralized information zones, strict controls, and enterprise-wide business process management discipline. The common areas also require technologies to enable the people to win business, be creative, and improve customer service. An approach that deals with the commonality of processes, policies, controls, and technologies is the foundation for the transformation journey to competitive advantage.
Moving away from tactical solutions
Tactical solutions to meet the wide range of compliance requirements are no longer cost-efficient for a global, competitive organization.
The increasing volume of global, country-specific, and industry-specific regulations is proving to be a considerable expense and concern for the responsible individuals. An example of this comes from the United Kingdom: any organization governed by the UK Financial Services Authority (FSA) receives a yearly report (International Regulatory Outlook) with typically over 60 pages of new legislation and EU directives. This report is not aimed at the lawyers but at the individuals responsible for the organization and ultimately the ones who can be fined or imprisoned. These individuals are accountable not only to the employees, but also to shareholders, and therefore the stock exchanges are looking for better returns on the investment. Dealing with these new regulations with a tactical or silo-based approach is costly, prone to error, and will not deliver the ROI required for a competitive organization.
Tactical solutions are typically technology-based, unlike a silo approach which is both business and technical. Tactical solutions for compliance programs have typically been provided by technology vendors to address specific regulations and legislation. These solutions have also required little investment in changing the culture of the organization, even though that investment is essential for success. As cited in a Gartner, Inc. press release[4], “Enterprises that choose one-off solutions for each regulatory challenge they face will spend 10 times more on compliance projects than their counterparts that take a proactive approach.”
A silo or reactive approach—dealing with each regulation and legislation in isolation from a business process, policy, and control perspective—will fail to produce a common approach and will not gain user adoption. A silo approach is difficult to deal with when the organization operates in countries that have conflicting regulations. An example of this is the European Data Protection Directive (EUDPD), which is very difficult to enforce because it has widely different interpretations and precedents by country.
Journey to competitive advantage
To be successful in a compliance-oriented world, a well-run organization should demand a sustainable, benefit-driven approach. Strategic benefits can accrue from a well-designed, holistic compliance strategy. For example, an organization required to meet Sarbanes-Oxley needs to have a robust and controls-based approach, such as COBIT. A tactical and silo “regulation and legislation driven” approach can compromise the future ability of the organization to meet and benefit from compliance initiatives.
Microsoft and its partners believe technologies can enable the transformational journey to competitive advantage.
The start of a compliance journey is often an assessment, conducted by auditors, of the legislation and regulations with which the organization must comply, and the conflicts between them.
After this audit, the organization needs to understand how current policies, procedures, and local regulations are affected, and it needs to design a benefit-driven strategy to address these points. This process is typically conducted by a Microsoft partner, such as Capgemini. The organization also needs to understand how the results of the audit affect the technologies the company utilizes and will eventually require. A compliance solution platform based on Microsoft products enables the pillars—culture, governance, information management, processes—through an integrated enterprise platform. Microsoft provides tools to capture, document, collaborate and record the processes, actions, collaboration, and so on in an easy-to-use environment.
Before the organization commences its journey to competitive advantage, it needs to fully commit and adopt all the activities in order to deliver competitive advantage. This vision is met by the four pillar approach.
Five pillars of activities to deliver competitive advantage
There are significant profitable opportunities for companies that adopt a holistic, strategic approach (rather than a tactical approach) to addressing their current and future regulatory compliance requirements. The success of the compliance journey depends on the five pillars: the organization’s culture, governance, processes, information management, and an enabling IT platform.
Moving from becoming compliant to achieving competitive advantage is the new model for compliance programs. Compliance is no longer an add-on to the business but ‘business as usual,’ ideally totally embedded across all areas, activities, and regions. These new practices need to provide sustainable business value across multiple areas of the business; for example: culture, information management, governance, business processes and an enabling IT platform.
The experience of Capgemini and Microsoft in delivering benefit-driven programs to global organizations has demonstrated that a competitive advantage can be achieved if the vision is agreed by stakeholders and the people, and if the pillars are followed. To achieve the vision of competitive advantage, all pillars of the approach need to be considered and enforced.
The IT platform has traditionally been seen as the starting point when compliance is viewed from a tactical perspective. However, to ensure that business processes and strategy are clearly understood, achievable, and will deliver tangible benefits, the technology should be the last pillar, the enabler.
Microsoft and its partners have worked with clients through this process to achieve tangible business value through the Microsoft value-add approach. Microsoft has worked with global leaders to address their information management requirements, including compliance and delivering long-term tangible benefits.
Business process analysis is fundamental to compliance programs
The process pillar identifies the controls, processes, and standards that need to be introduced, adapted, and adopted by the organization for all compliance requirements. These findings and recommendations are based upon the auditor recommendations and the compliance strategy.
These new activities are typically at an extremely low level of granularity and often take considerable resource and time to understand, validate, document, and enforce. However, these controls, processes and standards are the foundation for the entire compliance program and cannot be underestimated or removed. Instead, engineer them prior to implementing a technology solution to accelerate the delivery and milestone deliverables. The information generated by these controls, processes, and standards needs to be reported for compliance and leveraged to provide greater benefit and for the next stage, governance.
Governance of information and compliance requirements is essential for success
To ensure sustainable success across all pillars of the compliance approach, a strict governance model is essential. The governance model is generally not visible to most of the user community but it is the backbone for adherence to policies required by the auditors. Governance directs and monitors the new or adapted controls, processes, and standards to ensure consistency, compliance, adoption, and efficiency.
The governance pillar should also merge similar initiatives to gain efficiency and to reduce compliance risks. Often there are similar information management initiatives within the organization that can be condensed to gain immediate benefits, for example internal news activities, team sharing processes, and country-specific compliance teams.
Gaining acceptance through changing the culture of the organization
Traditional records management and compliance programs have focused upon compliance officer roles and specific business processes. These programs have also traditionally focused upon providing tactical technology solutions. A tactical or silo-based approach often results in the utmost frustration for management and users due to the constant changes of technologies and day-to-day tasks.
The new, competitive advantage era of compliance programs requires the programs to deliver sustainable benefits; this can only be achieved through analysis, change and introduction of the five pillars, as discussed above. The culture pillar is essential to success and is a constant activity during previous and future pillars.
To help ensure that the user community accepts the new ways of working and can see real benefits, the significant culture change must be addressed. If the users do not accept all of the new, end-to-end processes, policies, controls and technologies, the program will have a higher chance of failure and the organization will be more prone to missing its compliance requirements.
Ensuring the Information Management across the business flows and supports the business vision
The information management (IM) pillar is perhaps the most complex and rapidly changing area, due to accelerating technology advancements such as instant messaging, PDAs, and so on. This pillar ties together the enabler (technology) and the business (governance, culture, and process) using IM and enterprise content management (ECM). It looks at how the requirements of the business affect the users and their day-to-day life. In addition, it ensures that all the information is controlled and processed in a manner which meets the auditors’ requirements.
This area provides the policies, procedures, controls, guidance and training for the entire lifecycle of all information in the organization. IM provides and governs the compliance activities required to ensure information is correctly created, maintained, reviewed and disposed of. These activities are critical to demonstrate accountability and traceability for auditing. The IM and ECM solution must also ensure the user is provided with an easy-to-use technical environment and it must support the tasks the user needs to perform.
A risk management approach is now a common element of the IM activities in the majority of organizations. This approach has a key element: a controls-based framework. This framework is often based on industry-specific standards; COBIT, for example, is the basis for the Financial Services industry and key to the European MIFID legislation. Microsoft has recently announced guidelines to enable these approaches from a technology perspective.
Enabling Microsoft technologies can help achieve the business vision
Technology is the enabler of business processes, governance, culture, and information management. The Enabling IT platform should provide an enterprise-wide solution to meet these requirements. The platform should be designed in a manner that is scaleable, secure, integrate-able, and above all intuitive to the user community.
Over the past few years multiple niche solutions have come to market that provide a solution specific to one legislation or regulation. Demand has also risen for ECM solutions that provide content, compliance, workflow, search, and document composition features.
Organizations now need a solution that addresses legislation and regulations in a sensible, cost-effective and future-proof manner. Microsoft believes a strategic approach to compliance requires an enterprise-wide, standardized, easy-to-use platform based on ECM. This platform provides an accurate, security-enhanced view of the status of the organization.
This platform offers familiar and easy-to-use interfaces, a control-based framework, ECM, and a security-enhanced architecture. Microsoft solutions can enable organizations to view all of their information, such as customer relationship management (CRM), business intelligence (BI), and ECM, as well as compliance status, in an intuitive environment.
Organizations rarely have only one application on their desktop or only one supplier of Line of Business (LOB) applications, so a global ECM solution must talk to many applications and provide updated information to the user as quickly as possible. The solution must address both the people requirements and business needs through strong application functionality, tight integration, leveraged data repositories, and a security-enhanced infrastructure (as shown above).
The Microsoft solutions are designed to meet compliance and collaborative requirements ranging from the demands of the infrastructure to those of the people in a cost-effective manner. Users interact with Microsoft ECM solutions through the familiar environment of Microsoft Office products, web browsers, and even LOB applications. The solution platform can provide one view of all information from multiple sources.