Compliance and the Director

December 20, 2006

There has been more compliance legislation written into law over the past decade than in the previous century. Compliance operates at three distinct levels: the type that applies to industry-specific sectors; the broad national or international laws and regulations that apply to everyone; and the internally defined policies and practices that organisations need in order to maintain a sense of order over business management.

Consequently, compliance is everywhere and is increasingly finding its way to the Director’s door. In the past, compliance would usually be delegated to operational managers as part of their ongoing duties.

Today, that responsibility starts and frequently stops with the Directors. There is no mystery as to why this should be the case. The Enron, Tyco, WorldCom and Parmalat fraud scandals serve to bring compliance to the forefront of boardroom agendas. In each case, there was a clear connection between what the business did and the accounting of those activities. What is more, the recent wave of regulations affects every aspect of the business. Here I am thinking about both Sarbanes-Oxley and the new International Accounting Standards.

Sarbanes-Oxley is often characterised as a standard that only applies to US companies. However, any company that conducts business or is required to file financial and governance reports in the US will have Sarbanes-Oxley issues. Therefore, it is no surprise that Directors find themselves in the unenviable position of being not only masters of the corporate purse strings but also compliance gatekeepers. This need not be a bad thing.

I believe putting compliance at the heart of the business allows organisations to see corporate governance information as a company asset that should be managed and available to anyone who needs access.

While compliance might be the trigger for considering Enterprise Content Management (ECM), it should be viewed as a natural by-product of a project designed to improve business processes. At a macro level, there are multiple levels of compliance. While many people will associate compliance with Sarbanes-Oxley, the Financial Services Authority or Basel II, these only represent the tip of a very large iceberg.

For many companies, there are additional, industry-specific regulatory measures. For instance, in oil exploration, construction and food manufacturing, there are significant safety and environmental controls. Internally, large organisations are waking up to the fact that IT compliance is critical. When there is a change in the IT environment, for instance, it is essential to ensure that the change reflects management policies, so it is vitally important that organisations maintain a traceable, auditable document trail. The alternative is unthinkable. Undocumented change has important consequences for business. First, there is the potential for wasted resource. How, for instance, do you reliably trace related documents? Much more serious is the potential for audit difficulties.

Unilever is one of the largest international manufacturers of leading brands in foods, home care, and personal care - brands that are known and trusted by millions of consumers around the world. Best known for carrying brands such as Knorr, Becel, and Conimex, Unilever Nederland is organized into business units, sourcing units, and a number of corporate departments.

Lyn Williams, VP Corporate Risk Management at Unilever, notes that the group has implemented a group-wide methodology for meeting Sarbanes-Oxley compliance.

But: “In 2004, when Unilever performed a dry run of the compliance process, deficiencies were documented on Excel spreadsheets, often in varying formats, there was inconsistency in the application of the central methodology on assessment, and audit trail was not always adequately maintained. All of this made a group-wide aggregation and assessment of deficiencies extremely time-consuming and challenging.”

It quickly became apparent that the group needed an ECM solution. Using OpenText ECM, Unilever has achieved a number of benefits:

• The process is now paperless and provides the businesses around the world with access to standard templates, which they are required to use in documenting deficiencies.

• The system ensures the application of the required workflow and methodology, providing the central team with immediate visibility of the extent and quality of the assessment process.

• It facilitates both timely and robust reporting of the deficiency data to comply with Sarbanes-Oxley.

• Maintenance of robust audit trails is one of the key benefits of using ECM to manage and document a compliance process. It provides clear visibility of user access and activity and facilitates robust version control of the underlying documentation. This is particularly relevant for Sarbanes-Oxley compliance processes which need to be documented to a very high standard and are subject to rigorous review and audit by management, external auditors and eventually the SEC.

Where is the ROI?

IT projects are usually predicated on a defined return on investment. Most ROI exercises concentrate on a financial return with little thought given to the intangible returns. Systems implementation for compliance does not fall into that category. Conventional wisdom dictates that compliance projects have no ROI because they simply have to be done. They cost money in often budget-constrained circumstances and are viewed as financially painful. But that represents a narrow view.
