www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
03 December 2007  

Compliance @ India Inc

To maintain enforcement levels and comply with evolving requirements at a reasonable cost, businesses need a flexible, end-to-end approach to governance and compliance management that can support many different compliance initiatives. Vendors are tapping this opportunity with a slew of solutions. By Faiz Askari

Organizations have taken several initiatives to protect themselves from external intrusions but they have yet to deal with internal attacks. This despite the fact that we have heard about several instances of data theft by employees. Since then organizations in the IT/ITES segments have taken steps to ensure that their digital data is protected from internal intrusions as well.

Further to this, companies are increasingly challenged by the rising number of regulations both from a geographical standpoint (different countries have different regulations and companies that do business in said countries have to toe the line) as well as industry sectors. If they do not comply, in the worst case scenario, companies run the risk of being closed down or being excluded from a market.

The risk and exposure to fines and penalties have grown as businesses face increasing scrutiny from government regulators and legal entities. The role of IT to provide tools and systems needed to meet this new business reality has become crucial as an ever increasing number of records and information are created, distributed, and stored digitally. Not only is IT responsible for storing and protecting information for long periods, it is also most likely that an organization is responsible for producing records in response to an audit or legal discovery.

Emphasizing the criticality of rights management, Kaustubh Dhavse, Program Manager, ICT Practice, Frost & Sullivan, South Asia & Middle East said, “Enterprise Digital Rights Management is going to be a thrust area in the future. As organizations connect with global businesses and handle critical data in various verticals, internal data safeguarding will gather momentum. EDRM products and solutions address this issue and organizations are evaluating the best approach to implement the same.”

“Indian organizations have started recognizing compliance as a serious issue. We have seen increased interest and adoption. However, the adoption rate is slow and is likely to pick up going forward,” said Manish Bapat, Senior Product Marketing Manager - South Asia at EMC.

“With the proliferation of international business, online transactions, and the move to Web Services to build new customer - facing applications, the need for robust asset security is paramount.”

- Keshav Prakash
Country Manager - India, Serena Software

“79% of CFOs indicated they will adopt governance structures to integrate information and deliver business insight within the next three years”

- Aldrin D'Souza
Country Manager, Tivoli, Software Group, IBM India

“The capability to easily search for, restore and retrieve information that may be stored in a number of locations across various media types is critical in ensuring regulatory compliance.”


- Manish Balooja
Technical Director, Hitachi Data Systems India

“Existing IT infrastructure has not been designed to deal with today’s security and privacy challenges or the need to store, manage, protect, leverage and retrieve critical information.”

- Manish Bapat
Senior Product Marketing Manager - South Asia, EMC

Is it a challenge?

In order to address these issues organizations must look to new technology solutions that simplify the processes required for compliance. Companies need to be able to prove the authenticity of digital records, provide assurances that they have not been altered and have the ability to retain records in a protective storage environment over a period of months, years, even decades.

Suggesting a solution, Keshav Prakash, Country Manager - India, Serena Software said, “Re-engineering a company in terms of processes and procedures is unavoidable as a result, but if the company takes on a more strategic approach and uses this as a catalyst for change, and takes advantage of these investments to bring about greater transparency, productivity, accountability, auditability, management control and decision-making, then greater business benefits can be gained.” This realization has led many companies to look at maximizing their compliance investments to bring about additional business advantages.

Regulations of all kinds, be they international, country-specific or industry-specific, are posing a major challenge today. Shekhar Das Gupta, COO, Solix Technologies said, “The first challenge is [to gain] a thorough legal and financial understanding of each of these regulations, and their implications from a business operations standpoint. Sometimes, the different regulations governing a company impose different guidelines. For example in the US, SOX suggests data retention for seven years, while HIPAA mandates thirty years.”

However, in organizations that follow best practices, Legal Counsels, CFOs, CIOs and Chief Security Officers, with support from their CEOs and Boards, have incorporated a system of continuous education and communication among all employees regarding these regulations and a system of discipline through proper IT systems and approval chains to ensure adherence and compliance with best practices for corporate governance. Independent Directors on the Board and Audit Committees are expected to provide the checks and balances required for sound corporate governance.

Manish Balooja, Technical Director, Hitachi Data Systems India said, “The current business environment poses increasing challenges to organizations as they work to comply with regulatory and corporate governance requirements. While these are key elements with regard to compliance, the capability to easily search for, restore and retrieve information that may be stored in a number of locations across various media types, e.g. disk, tape and/or optical, are also critical to ensuring regulatory compliance.”

End-to-end compliance management
Dhavse of Frost & Sullivan provided some tips and guidelines for helping create an effective end-to-end compliance management system. There are four key characteristics of an optimal system:
  • It controls access to critical systems
  • It preserves and retains key business data
  • The system optimizes availability without sacrificing integrity
  • It tracks and manages software assets according to defined policies

Generically, any organization needs to answer the following questions in terms of compliance:
  • Can your business afford to wait days/weeks/months to get your audited records back?
  • Does your current archive media strategy expose your firm to unnecessary discovery risk?
  • Will a supported system be available to read your tape/optical media five years from now?
  • Does your organization have a reliable means of storing and retrieving business-critical and sensitive information?
  • Are your disclosure and reporting processes costly and inefficient?
  • Do you have an integrated means of managing records—from creation, to maintenance, to eventual disposal?
  • Does your organization have an established records-archiving method—and can you quickly demonstrate its effectiveness?
  • Are you outsourcing record-creating activities such as new accounts, trade confirmations, etc.?
  • Do you archive recorded customer calls?

The Indian regulatory environment

Information is the most critical asset that any organization possesses today. Managing information in terms of security, compliance, privacy and reliability and doing so efficiently is what it takes to succeed and grow. Today’s IT infrastructures have not been designed to deal with the security and privacy challenges that exist today or the need to store, manage, protect, leverage and retrieve critical information. Therefore, the organizations will need to redesign their IT strategy putting information at the heart of it. Bapat added, “As organizations in India prepare themselves to compete in the global economy, they will have to focus on building intelligent information infrastructures to extract the maximum business value from their information assets, improve service levels, position their organizations for growth and change, comply with regulations, protect key information assets and attain newer benchmarks of efficiency, security and productivity.”

Large MNCs spend more than 50% of their capital investment dollars on IT, yet few have compliance structures or procedures to inform their IT strategies (according to Gartner Group). IT has changed the way in which companies operate. It is no longer a peripheral function; IT is often a core activity of a business.

According to a survey commissioned by Serena Software this year, companies in India are lagging the rest of Asia Pacific with regard to the implementation of regulatory compliance programs. Prakash said, “Less than a fifth (18%) of companies in India have implemented regulatory compliance programs, compared to the current Asia Pacific average of 42%. Future uptake is more promising though, with 46% of India companies indicating that they will implement compliance programs by end 2008.”

Regulatory compliance also involves the information systems being compliant. Prakash added, “Especially with the proliferation of international business, online transactions, and the move to Web Services to build new customer-facing applications, the need for robust security of assets is paramount.”

Corporate governance in India has been around for fifty years now from the Companies Act, 1957 onwards. The recent Clause 49 only supplements what we have had for nearly as long as we have been an independent nation. Privacy laws in India, however, are still new and have not been well understood by most companies. An individual victim in India rarely takes recourse to legal protection, given that judicial process takes years. Ignorance of the laws, a slow judicial process and lack of awareness of the long term as well as global implications of not following them are compounding the general atmosphere of disdain for such laws and flouting these is considered a white-collar crime. Gupta added, “Unless there is strict enforcement without hope of an escape route through corrupt enforcement officials and there is a big penalty, we do not see companies embracing corporate governance.

“The change agent will be the impact of globalization, and not the laws per se. As mentioned before, a few Indian global companies are proving to be harbingers of change and they were following compliance norms as they were answerable to the international community. The trickle-down effect will be inevitable as we would expect regulatory bodies like SEBI, RBI and Department of Company Affairs to come down heavily on violators.”

IT compliance is important because it is used to plan information technology changes. IT governance involves creating policies, roles, and procedures for performing IT change, and it includes tools for planning and coordinating IT change processes. Basically, companies are using technology to track everything that takes place in their environment, using it to manage and consolidate all of their internal processes and systems.

Bapat said, “EMC recently commissioned a study by IDC, The Expanding Digital Universe: A Forecast of Worldwide Information Growth Through 2010. As per the IDC report, information that is created or captured and replicated in digital form amounted to 161 exabytes in 2006 and is forecast to touch the 988 exabytes mark by 2010, representing a CAGR of 57%. Just to get a fair idea of this volume, it is equivalent to approximately three million times the information in all the books ever written or the equivalent of 12 stacks of books, each extending more than 93 million miles from the earth to the sun. If one prints the total amount of information created in 2006 into typewritten pages, one will have enough paper to wrap planet Earth four times over. 30% of information today is potentially subject to security applications and 20% is subject to compliance regulations.”

Asia Pacific excluding Japan will contribute 30 to 40% more to this volume as compared to mature economies. As per the report, while nearly 70% of the digital universe will be generated by individuals by 2010, most of this content will be touched by an organization along the way—on a network, in a data center, at a hosting site, at a telephone or Internet switch, or in a backup system. The startling fact is that organizations—including businesses of all sizes, agencies, governments, and associations—will be responsible for the security, privacy, reliability and compliance of at least 85% of this information.

As per IDC, spending on just the hardware, software, and computer services to develop an IT infrastructure to support compliance initiatives is expected to double from 2006 to 2010 to $21.4 billion worldwide.

Defining the status of compliance in India, Aldrin D’Souza, Country Manager, Tivoli, Software Group, IBM India said, “As government and industry groups impose an increasing number of regulatory demands related to data privacy, security and business resilience, organizations are realizing that it is critical to effectively implement IT governance mandates, outlining IT performance objectives and implementing risk management strategies to limit the impact of security threats and improve business resilience. IT governance and risk management is quickly rising to the top of the agenda for global business leaders. A recent IBM survey reveals that 79% of CFOs indicated they will adopt governance structures to integrate information and deliver business insight within the next three years, while 64% of CIOs see security compliance and data protection as one of the most significant challenges facing IT organizations”.

Compliance @ the enterprise

Compliance requires organizations to look at information across its entire lifecycle, and it affects every aspect, from retention period to retention policy to data authenticity. Bapat added, “There is a need to proactively adopt a company-wide information infrastructure to manage these aspects and support compliance. If an organization is struggling with these questions then it must reconsider the information management practices and implement governance strategies that work across the entire enterprise.”

With recent data protection legislation such as HIPAA and the Sarbanes-Oxley Act, any good data archiving solution should enable simple long-term retention and recall of data such as e-mail messages to comply with legal discovery requirements, corporate policies, and government legislation. In addition to this, Balooja said, “The archiving solution should be tightly integrated with e-mail servers such as Microsoft Exchange, and allow administrators to monitor inbound and outbound e-mail messages easily, store them reliably and automatically, and retrieve them rapidly to ensure compliance. By using a unified platform, the long-term data archiving process can be merged into the overall data management strategy, resulting in a great reduction of costs and business risk.”

To maintain enforcement levels and to help comply with evolving requirements at a reasonable cost, Dhavse said, “Businesses need a flexible, end-to-end approach to governance and compliance management that can support many different compliance initiatives. An automated compliance management system that offers a centralized view of performance can help you enforce policies consistently across all departments while optimizing operational costs and efficiencies.”

Some key benefits

Highlighting some of the core benefits of IT governance, D’Souza said, “Successfully implementing IT governance and risk management as a lifecycle is critical as businesses today are facing increasing globalization, staggering regulatory complexity and an ever-evolving security threat landscape. IBM provides leadership in self-managing autonomic technology combined with an experience-based approach and methodology that enables clients to run resilient, high performance, compliant businesses.”

According to Dhavse, “If you wish to do business today then it has to be designed to deal with change, which is the inevitable reality for all businesses.

“These changes are far reaching and happen faster than ever before. An integrated information infrastructure helps organizations to respond rapidly and flexibly to new opportunities in the marketplace, new customer demands and new competitive threats.”

A business that does not know how to enable its employees to develop insights by providing them with access to all the content that they need cannot make crucial, dynamic, information-based decisions, or deliver high-quality service to its customers and partners. Dhavse added, “Businesses that can make this connection have an enormous competitive advantage. Effective information management and a comprehensive information infrastructure provide the foundation for this advantage. These capabilities integrate all of your business’s information assets into one secure environment leveraging existing information, applications and skills.”

Reducing Risk through Corporate Governance

Besides tackling fraudulent behaviors and raising compliance standards, having good corporate governance practices also benefits a company in terms of its reputation in the stock market, which if it is a listed company, influences its share price.

In India, companies have to comply with an ever increasing panoply of regulations and they would be better off taking advantage of this necessity as a catalyst for greater business advantage.

By taking a strategic approach, investments would be relative to the gains that they would bring, in terms of greater transparency, accountability, productivity, better management control and decision-making, etc. Prakash added, “With corporate governance practices, it is about having tools to enable and enforce transparency, improve efficiencies, and control to make better management decision-making and risk management, as it reduces regulatory scrutiny and litigation expenses, inefficiencies and cost exposures. It is only when you abandon the traditional view of corporate governance as a regulatory burden that you can easily understand its value as a fundamental risk management activity.”

Challenges ahead for compliance

While challenges crop up every day for organizations, many of these problems have clearly defined resolutions. If you want to protect your data in the event of unexpected outages, for example, you can implement a backup and recovery solution. Establishing the best way to respond to requirements, however, is not always clear. Compliance management presents unique challenges, including the following:

  • Requirements are often vague and do not specify the exact steps needed to comply
  • Compliance measures have an increasing impact on IT systems

Dhavse said, “Organizations large and small are reevaluating their current compliance strategies and turning to IT Service Management (ITSM). Many IT managers are structuring compliance management activities into an IT process that integrates across the enterprise and its heterogeneous systems, which are designed for specific lines of business and regions.”

Further advocating a service-oriented approach to compliance, Dhavse added, “It also helps organizations integrate compliance with other critical IT functions such as management of software assets, identity and access, storage and availability. Addressing these challenges through manual spreadsheets, checklists or point solutions can increase complexity and cost over time. In contrast, an automated, service-oriented compliance strategy helps optimize manageability and cost-efficiency while aligning IT systems and information with your business objectives.”

faiz.askari@expressindia.com

 


© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.