Making Sarbanes-Oxley Act (SOX) compliance happen in a large, geographically dispersed enterprise is not a trivial matter. In fact it's probably the biggest unsolicited project to hit businesses and IT departments since Y2K and the introduction of the Euro. However, unlike Y2K and the Euro there's no simple technology fix. You can't just change some code or go and buy a new ERP system. SOX compliance reaches deep into the bowels of an organization, affecting large numbers of people and processes.
In a large enterprise, a SOX project can involve hundreds of stakeholders directly and thousands indirectly. Viewed as a cultural change management project, SOX compliance involves the whole organization. A lot of people are touched by it: both internal employees and external business partners in the form of consultants, auditors, and IT suppliers. A SOX project can also draw attention to hundreds of business processes and potentially thousands of individual activities within those processes.
A project of this nature is bound to be costly. AMR Research, the Financial Executives Institute (FEI), and similar market trend analysis firms estimate annual SOX compliance costs to be in the range of $2 to $5 million for large organizations. Such costs are a financial burden every business subject to SOX has to bear — and they aren't expected to go away anytime soon. Failure to comply will be punished perhaps most of all through lost reputation in the marketplace. Yet, it's by no means clear that effective compliance will return proportionately equal positive rewards.
SOX projects also have regulatory deadlines that are difficult to ignore. SOX project milestones — and there are a lot of them — must be met; any slippage must be controlled ruthlessly to avoid missing demanding quarterly and annual reporting deadlines. Time is certainly of the essence. Even more than time constraints, however, SOX compliance teams are under pressure because experienced SOX resources are thin on the ground and expensive to acquire.
SOX compliance teams have largely come to grips with understanding and defining the new compliance taxonomy. To address process oversight and documentation, teams are implementing new processes and technology. The focus is now beginning to turn toward how to improve the performance of SOX projects to make them happen faster, cheaper, and better. This is where compliance event management (CEM) and real-time collaboration (RTC) technology come into play.
TABLE 1 Compliance issue resolution scenarios.
CEM is about resolving issues that arise during work on SOX compliance projects as quickly and cost-effectively as possible. And you can expect plenty of compliance "events" to surface in environments where regulations are changing, taxonomies aren't fully defined, people don't have strong experience in compliance processes, and organizations haven't had enough time to firm up complete sets of SOX best practices, let alone understand and implement them.
A compliance event may take the form of one of the following:
For some specific examples of typical compliance event scenarios, see Table 1.
It's often not possible to handle these compliance events in conventional ways (for example, by face-to-face meetings, email, or via online portals). Travel costs and email response delays leading to generally extended latency between events and actions all come into play. These delays lead to project cost escalation, milestone slippage, and the eventual possibility of some kind of "material" or "significant" event occurring that may trigger a SOX investigation or even a fine.
Adding RTC capabilities into the technology stack can help alleviate certain costs and reduce time latency in resolving compliance events. For RTC to help in this way it has to deliver presence awareness, desktop application integration, and specific RTC applications, including Web conferencing and instant messaging (IM).
RTC is all about information immediacy; that is, conversing and collaborating online — seeing and hearing rather than reading and sharing documents or process context by sharing your desktop online.
Presence awareness means knowing who's online at a given point in time: Which SOX team members are online now and available to collaborate? By detecting a team member online, you can initiate a dialog through IM or a similar service and invite the individual to participate in some form of immediate collaboration.
With presence awareness a visible part of other applications, SOX team members have the opportunity to initiate collaboration from within a specific area, such as a document, spreadsheet, or portal page. In this way, RTC enables users to share their current context, reducing the time needed to bring other collaborators up to speed. RTC allows teams to literally make sure everyone is on the same page from the point of collaboration.
IM is the preferred method of communication for real-time collaborators because it's more immediate, more conversational than email, and doesn't depend on recipients having to monitor their inboxes. Web conferencing provides a way to structure and deliver text, video, and audio content over the Internet within a formalized meeting or conference structure. Usually, a team can record a Web conference and archive it for replay and reuse later by people who were unable to attend the original Webcast or in order to help recruit and train new members to the compliance team.
Naturally, RTC can't force people to collaborate; RTC may be too intrusive for people who prefer to manage their own processes undisturbed. But for everyone else, the RTC stack layer helps resolve compliance issues faster; resolve them better by means of a potentially a wider and more engaged set of participants; and resolve them cheaper because you can replace face-to-face meetings by Web conferences and compliance training material delivered online.
Both Microsoft and IBM have significant RTC solutions that can also enhance their SOX-specific offerings. The universe of RTC vendors also includes many that offer alternatives for Web conferencing and IM either as desktop applications, online services, or both.
The core of Microsoft's RTC offering is Live Communication Server (LCS), which provides presence detection, IM support, and video and audio streaming. LCS is part of the foundation for delivering RTC capabilities and integrating these capabilities into Microsoft Office applications, including Excel, OneNote, PowerPoint, SharePoint, and Word. With LCS in place, the SharePoint portal can invoke presence detection, messaging, and desktop sharing. SharePoint portal forms the core of Microsoft Office Sarbanes-Oxley Solution Accelerator.
Microsoft LiveMeeting is a Web conferencing offering (formerly known as PlaceWare) that offers desktop sharing, video, and audio support and the ability to archive meeting content. Microsoft offers three IM clients: MS Windows Messenger (part of Windows XP), MSN Messenger, and the MS Exchange IM Client. To deliver enterprise-strength IM in MSN Messenger Connect for Enterprises, Microsoft has a partnership with Akonix to provide additional features such as message security, message logging, and improved user identity control.
IBM's core offering is IBM Lotus Instant Messaging and Web Conferencing (formerly known as Sametime), which does what its name suggests. The offering can also extend presence awareness and IM to Web-enabled handheld devices, such as mobile phones and PDAs. IBM's WebSphere portal is also presence aware, which is handy because the portal is such an important component of IBM's SOX compliance solution, called the IBM Lotus Workplace for Business Controls and Reporting.
One of the leading independent players in Web conferencing is WebEx. And certainly, many other online service offerings are available for running compliance meetings and training, such as Citrix GoToMeeting, and eZmeeting. Jabber is also integrating Webex into its presence awareness and IM platform, which is focused on streaming XML data using Extensible Messaging and Presence Protocol (XMPP). From a CEM perspective, these point solutions are useful; however, the key is to integrate RTC into the applications that you use to manage SOX compliance process workflows and documentation — which gives IBM and Microsoft a distinct advantage.
CEM using RTC has the potential to reduce compliance costs, resolve compliance issues faster, and improve the overall process of complying with similar regulatory controls that are drawing so much attention in financial management and, ultimately, throughout organizations and their networks of partners. RTC technology is available today and offers many other benefits outside of faster, cheaper, and better regulatory compliance. It's unlikely that RTC will be first on your list of technology buys to support compliance, but it deserves a review by your SOX compliance team, especially if CEM is already consuming time and sapping your project bandwidth.
Stewart McKie is an independent consultant and technology writer specializing in performance management processes and applications. Reach him via his Web site at www.cfoinfo.com.