By Alan Radding

Sarbanes-Oxley has set off a mad scramble among corporate executives as they rush to comply with the governance and reporting mandate. It has also set off a scramble among executives of information systems and storage infrastructure vendors, who are licking their chops at the prospects of major systems, network, and — most important — storage upgrades.

Coming off three very lean years, these vendors are hoping to feast on Sarbanes-Oxley–driven storage and systems spending. And the consulting firms that help companies assess, select, and implement technology infrastructure won't do badly either.

Section 802, in particular, will send corporate executives racing for Prozac. You know, the part where it specifies penalties of fines and/or up to 20 years' imprisonment for altering, destroying, mutilating, concealing, or falsifying records, documents, or tangible objects with the intent to obstruct, impede, or influence a legal investigation.

But it is the other part of this section — the part that imposes penalties of fines and/or imprisonment up to 10 years on anyone who violates the requirements of maintaining all audit or review papers for a period of five years — that has the technology vendors and consultants drooling with delight. You can bet that companies are now going to store everything and, just to be on the safe side, store it for a lot longer than five years, especially if not having a particular document at some unforeseen moment in the future is going to leave a top executive facing jail. Nobody is eager to join the current crop of corporate cons.

The immediate focus may be on meeting the initial deadlines and completing the audits, but over the long term it is information storage that will attract the attention and the spending. No company today has enough storage capacity to store all the e-mail, instant messages, and documents generated every day that are germane to the business. "Yes, companies are going to need new infrastructure eventually," says Lee Dittmar, principal, Deloitte Consulting.

The amount of storage organizations will require to meet the various mandates is staggering. E-mail alone is enough to swamp corporate storage infrastructures. According to published reports, IDC estimated that corporate e-mail users in the U.S. sent 3.4 billion e-mail messages every day in 2003, a figure it expected to increase to 9.3 billion this year (IDC's "E-mail Usage Forecast and Analysis, 2000–2005"). Others estimated that the volume of e-mail messages per user per day hit 4.2 Mb in 2003.

Elsewhere, Gartner reportedly estimates that 75 percent of the total knowledge exchange occurring via e-mail contains proprietary intellectual property and, therefore, must be protected as a valuable corporate asset. Add in the growing amounts of business-related instant messaging traffic and business-oriented weblogs (blogging), as well as conventional data and files — much of it data that, like e-mail, must be protected — and the compliance storage problem becomes mind-numbing.

And then there is the problem of voice mail. Today, investment firms are saving voice mail from the trading floor. If companies have to start saving voice mail on a widespread basis, the technology infrastructure requirements for storing, searching, retrieving, and archiving voice mail would be tremendous. "Over time, voice mail will likely be included, but right now nobody wants to push the issue," says Christopher Hamilton, senior vice president and managing director at BearingPoint.

In general, there is a debate raging between the legal groups and the business units within companies about whether companies are storing too much or too little data. Although the issue hasn't been definitively settled, "there is a trend toward wanting to restrict the number of documents to be stored," says Hamilton. Early indications, however, suggest that companies will err on the side of caution and save too much, probably far too much.

Regardless of the outcome of the save more–save less debate, the exception is e-mail. Although voice mail may have been shoved to the back burner, companies are saving e-mail without reservation after observing the various Wall Street investigations.

Firms feel that they can't wait until those issues are fully resolved. Instead, they are rushing to acquire specialized products that can address an immediate Sarbanes-Oxley problem today. "There is a frenzy out there, and companies are buying point solutions as if this were a one-time event," says Alan Stuart, chief strategist at IBM Compliance and Data Retention Solutions group.

The truth, however, is that compliance is with us for the long term. This requires that companies start to think about revamping their infrastructure to support compliance indefinitely. "Compliance will become another facet of IT. It will be part of the way you deploy and manage technology," Stuart continues. In that case, "purchasing point solutions today will prove to be very costly," he adds.

Stuart's recommendation is to deploy a much more robust technology infrastructure built around a policy-driven content management and data retention system. This new infrastructure must be able to scale in terms of volumes of data as well as handle many different kinds of information — e-mail, instant messages, images, voice, documents, whatever comes along in the future. It must also be able to integrate with the rest of the organization's applications and federate requests for information across a wide range of systems. In that way, when the auditors, regulators, or litigators demand, say, to see everything pertaining to customer Smith, the system can pull it from many different systems because it is unlikely to be all in one place. Not surprisingly, IBM has already assembled a set of technologies that will do just that, and it offers storage systems that can scale up well into terabytes.

Along with Deloitte and IBM, all the large consulting firms that handle IT consulting are jumping onto the compliance bandwagon. Capgemini, formerly Cap Gemini Ernst & Young, for example, advises clients to focus on five systems areas: financial systems platforms, systems infrastructure (servers, networks, storage, databases), information security, enterprise data management, and IT processes.

In terms of storage, "compliance puts a lot of pressure on companies to archive data and to retrieve it," says Stewart Bloom, Capgemini vice president, Americas Technology Solutions. Beyond simply storing the data, however, companies will need a corresponding data management strategy. "You need to tie the data to a governance model," he continues. That model defines ownership and control of the data and establishes policies for access and retention.

Another part of Sarbanes-Oxley, Section 404, will result in yet more pressure on IT. Under this section, companies "must include in their annual reports a report on the company's internal control over financial reporting. The internal control report must include … an attestation report on management's assessment of the company's internal control." With financial control and management reporting so tightly intertwined with IT systems, management invariably will hold IT responsible for verifying the integrity of the systems that collect, process, and store financial data, and for being able to prove that integrity, in court if necessary.

The solution in this case, suggests Dittmar, is not necessarily more technology infrastructure but "software to enable compliance with Section 404." That software will likely include a repository for internal control data, workflow software to manage the reporting process, and software that maintains an audit trail.

With so much systems infrastructure work to do around Sarbanes-Oxley, it is not surprising that consulting firms are ramping up their compliance technology practices. "Compliance is becoming the driver of a lot of new decisions," notes Bloom. Today, the consulting firm generates about 5 percent of its revenue from Sarbanes-Oxley–related engagements. By next year, he expects that will grow to 20 percent. The IT component, which initially appeared to be a small piece of the total compliance expenditure, will grow substantially in the future "as clients see the full compliance and IT blueprint," he adds. Over the long run, compliance will drive wholesale change in IT, touching everything from how data is handled and stored to security to the way applications are written.

Similarly, BearingPoint currently works with clients mainly on designing the governance structure, laying out the requirements, and designing the architecture. From there, it will work with clients as needed to build whatever technology infrastructure is required. "Our view is that you have storage at one end and a portal for user access at the other. The hard work, however, is the workflow in the middle," says Hamilton. This will consist of creating the policies to manage storage and retention; defining the approval process and how information rolls up through the hierarchy; specifying when, how, and who is to be alerted when significant events occur; and establishing an audit trail.

From a technology infrastructure standpoint, companies are still at the very earliest stages of the compliance game. In a recent survey by an IT trade publication, 59 percent of managers expected company spending on compliance to rise. Given the potential magnitude of the task and all that is at stake, this figure may even seem low. You could easily expect it to go higher in the future. "All the lightbulbs haven't gone on yet about this," says Dittmar.

When they do, more companies may find themselves having to spend more than they anticipated. Then the challenge will become getting more for their compliance buck than just keeping the feds off their backs.

Sidebar: Storage's Big Eaters

The Sarbanes-Oxley Act
Requires the retention of financial accounting and auditing records for four years after an audit.

Sec. 17a-3 and Sec. 17a-4
Requires the retention of broker/dealer electronic and written communications with clients, including e-mail and instant messaging, for a variety of life spans (six to ten years, depending on the document).

The Health Insurance Portability and Accountability Act (HIPAA)
Requires retention and protection of medical records for varying periods (21 years for minors, two years after a death, and five years for other records).

21 CFR, Part 11
Requires retention of clinical trial data and data on the manufacturing of products (typically for five years or more).

© Arc, All Rights Reserved.