March 7, 2005

Today was the official launch of the CMEI (Compliance and Management of Electronic Information), which works with the ILPF (Internet Law & Policy Forum), and consists of B2B & e-business vendors Oracle, Open Text, Hewlett-Packard, Sun, Hitachi Data Systems, Veritas, Plasmon and Network Appliance.

These companies have an interest in the issue of compliance, particularly that version dictated by the Sarbanes-Oxley Act (SOX), because, as vendors of content management, storage, security, and controls products, they provide much of the technological underpinning needed to turn SOX into reality.

Broadly speaking, SOX can be said to have two components: visibility and accountability. The visibility requirement is of immense complexity, especially when a large public enterprise is involved. Take a look at this transcript of the following televised exchange between Larry King and Kenneth Lay, CEO of Enron, the company whose collapse inspired SOX:

Larry King: How much does a CEO know? In other words, in the involvements of a huge company, were you a hands-on guy?

Kenneth Lay: It depends how you want to define hands on.... But, now, keep it in mind that Enron was a company with about 30,000 employees in about 30 different countries around the world. We had 500 plus employees [who] were vice president and above. We had a management committee that was made up of about 24, 25 of the most senior officers in the company, which, in fact, ran and were responsible for each of the major staff functions...I do think, just like any large company, you have to delegate quite a bit of authority to your lieutenants, to your senior officers, and they have to delegate quite a bit of authority on down...a number of our safeguards failed us, too.

Keeping track of the workflows involved in some kinds of delegation, and the extensive paper trail (say, old e-mails) that is part of any resulting financial decision or action, has always been recognized as an issue for technology vendors.

It's just that, because of the high levels of expenditure and complexity involved in becoming compliant, public companies have staggered their initiatives so as to tackle process before system, says Harald Collet, chairman of the CMEI Working Group and product manager of records management and compliance support within Oracle.

"2004 was about a lot of manual steps and processes," he says. "In 2005, companies are looking to rationalize. Compliance is a fact of life and must be addressed by a long-term framework."

Unfortunately for those chasing compliance, putting together this framework is not easy; certainly not as easy as taking the relatively simple and inexpensive step of appointing a compliance officer, for example. "There's no widget," says Collet, alluding to the possible roles that enterprise resource planning (ERP), databases, content management, and other specialty systems can have as part of a compliance strategy.

CMEI Working Group is adding value one level before companies have to make specific technology decisions, specifically by providing free "guidance, actionable documents like best practices documents, checklists, and summaries of legal requirements," says Collet.

By making this information available via the Web and directly to decision-makers, these tier one e-business vendors are engaging in a bit of enlightened self-interest in order to make companies aware of why they have to spend their compliance money on technology; later on, their sales and marketing organizations can address the how. "We're growing the pie," concludes Collet.

Source: Line 56