Title: Addressing Compliance, Litigation and Audit Risk through Automation
1 MSI Software Conference
- Addressing Compliance, Litigation and Audit Risk through Automation
2 Is Compliance Your Concern?
- AIG Is Probed for Alleged Violations of Federal Securities Law, 10/1/04 - At a time when most companies are trying to regain investor confidence, and regulators have begun keeping a sharper eye on companies to prevent fraudulent activity and ensure that investors' rights are protected, another "Wells Notice" has been served. This time insurance and financial services giant AIG is on the receiving end. The SEC and Justice Department have stepped up their investigation of AIG and its subsidiary AIG Financial Products Corp. for allegedly violating federal securities laws.
- SEC Charges Siebel With Violating Fair Disclosure Rule--Again, 6/29/04 - The agency is seeking unspecified civil fines and permanent injunctions against Siebel, Goldman, who is the company's chief financial officer, and Hanson, Siebel's former director of investor relations.
- SEC files charges against five former Homestore executives and the former CEO and CFO of a Homestore vendor for engaging in fraudulent round-trip transactions, 9/18/03
- Shortly after the promulgation of Rule 17a-8, the SEC prosecuted three major broker dealers for violations of the Rule:
- Dean Witter Reynolds - the SEC censured the firm when it found that the broker dealer failed to record and report $1,062,234 in cash.
- E.F. Hutton Company - the firm was censured for supervisory failures whereby a branch manager and an employee took a customer's cash and structured its intake over a period of one year to launder approximately 1.2 million dollars. The branch manager was suspended for 30 days.
- Flagship Securities, Inc. - a broker dealer and its principal officers consented to an injunction permanently enjoining them from violating Rule 17a-8. The firm undertook to adopt preventive procedures and periodic review by an independent accountant. The individuals involved were barred from the industry for six months.
3 Is Regulatory Compliance Affecting your Business?
- Improved processes
- Improved BCP
- Improved info availability
- less risk
- Difficult adoption
- Too much data
- Too hard to classify
- Risk perception does not justify effort
Nov 17, 2003
4 CIO CTO Priority for Compliance
Oct 06, 2003
5 Current Issues Driving Compliance
- There are numerous regulatory and shareholder issues requiring firms to re-evaluate their current compliance management processes.
SEC/NASD, Basel II, Sarbanes-Oxley, HIPAA, Patriot Act, Gramm-Leach-Bliley, ACORD, Tread Act, 21CFR11, OSHA, DoD 5015.2, PRO
6 Compliance is a Business Issue
- Compliance deals with business
- Policy
- Practice
- People/Process
- Programs
Automation begins here
Don't automate bad process. Understand how business information, processes, and programs work to deliver compliance.
7 ECM Education
- Enterprise Content Management (ECM) as a business term encompasses the business policies, practices, and processes that deal with unstructured corporate information and communication (e.g. paper, email, word processing documents, spreadsheets, web pages, phone calls).
- Enterprise Content Management (ECM) as a technical term encompasses hardware and software systems that automate those business policies, practices, and processes that deal with unstructured corporate information and communication. ECM platforms create, manage, integrate, web-enable, and deliver unstructured digital content across the enterprise and beyond - to customers, vendors, and partners - creating real business value.
Every business has ECM operations and technologies. The question is to what degree the business is operating with maximum effectiveness, optimal efficiency, and lowest TCO. File cabinet technology has a higher operating cost than image storage technology.
8 ECM Education
- "Most of the information that exists in organizations is unstructured and there is an ever-growing imperative to manage this unstructured content. This market is growing at such a steady pace because of increasing user requirements for better integrated, easier to use, and more scalable technology. Demand is increasing as users seek new ways to create and consume content through multiple formats, channels, devices, and applications." - Gartner Group
- The amount of information printed on paper is still increasing with the vast majority of original paper-based information produced by individuals in office documents and postal mail. Paper use for office documents increased 43% from 1999 to 2002.
Content Type | 2002 WW | 2002 US
Paper | 1,400 TB | 560 TB
Email | 400,000 TB | 160,000 TB
Instant Msg | 274 TB | 110 TB
Phone Calls | 17,300,000 TB | 6,900,000 TB
Web Content | 160-91,000 TB | 64-36,400 TB
- How Much Information 2003
9 ECM Solution
10 Business Content Issues
- Capture/Transform
- Images, Files, Data
- Process Integrate
- Policy
- Practice
- People
- Programs
- Publish/Distribute/Transform
- Manage
- Secure, Easy Access, Annotate
- Life Cycle Management
- Versioning
- Audit
- Administer
- Business Continuity
11 Automating Compliance - Examples
SOLUTION
- DB2 Content Manager for Message Monitoring Retention
- DB2 Content Manager for Research Compliance
- Lotus Workplace for Business Controls Reporting
- DB2 Records Manager Document Manager
TARGETED REGULATION
- SEC 17-a-4 / NASD 3010, 3110
- NASD 2711 / NYSE 472
- Sarbanes-Oxley
- Data Retention Records Management
Capture and preserve all correspondence (Incoming and outgoing mail paper and electronic, Audio and Video Web content) involved in investment trading between Brokers, Traders, and Dealers and their customers
Enables customer to capture, analyze, discover, monitor, and apply retention as appropriate to message communications regarding investment transactions.
Compliance with government regulations around the area of dissemination and reuse of financial research.
Ingests financial information from sources, and makes it available to analysts for reuse and republishing in a controlled and auditable process to ensure fair distribution.
Management must be able to specify and assess internal controls by fiscal year end 2004. Requires monitoring and archiving of electronic communications between Management and Board Members
Enables the documentation and evaluation of business processes that contribute to the financial statements.
Enables the capture and classification of records and the application of formal, structured retention and disposition rules to the organization's business information. These rules can be based on any combination of time and/or event.
Must meet Regulatory, Legal, and Business Driven Records Retention Requirements
12 eMail Management and Monitoring
Firm Preservation / Sarbanes / Gramm-Leach Compliance
Regulatory Compliance, Audit, and Litigation
Support
Audit, Discovery, and Litigation Support
Security / OFAC, Patriot Act Compliance
Confidentiality / HIPAA Compliance
SEC / NYSE Compliance
High
Active Monitoring and Policy Enforcement
Enterprise-level Active Surveillance (Code of
Conduct, Confidentiality, Trade Secrets,
Restricted Issues, HR, Digital Signing and
Encryption Policies, Watch List Examination, All
Users Inspection)
Growth in User Base
Message Markup and Indexing
Message Markup, Intelligent Indexing, Advanced
Search and Retrieval
Value Proposition
Mailbox Size Management and Administration
Reduction / Elimination of .pst files
Reduced size of Information Store
Reduced number of servers, backup, maintenance and management costs
Management, Admin, Performance and Reporting
Message Archive and Simple Search
Enterprise Message Archive with search engine
Low
Enterprise
Departmental
Size of User Base
13 CM for Research Compliance
Help corporations comply with appropriate
handling and dissemination of financial
information
- Research
- Market Vendors
- Internal
XML Ingestion Output Workflow
Information Consolidation Cleansing
DB2 Content Manager
14 Workplace Business Controls Reporting
WebSphere Portal Server (User Interface)
Lotus Assessment Template (Scope / Document /
Evaluate)
Workplace Business Controls Reporting
DB2 Content Manager (Repository)
Crystal Reporting (Reporting Format)
DB2 (Database Driver)
15 The Regulatory Perfect Storm
- Privacy
- Protection
- Retention
16 Titanic 2020
Problems of Records Migration and Systems Integration
"More records have been generated in the past 10 years than in all prior human history" - Luciana Duranti
17 What is e-Records Management?
- Records Management is different than Content Management!
- ECM helps organizations capture, manage, and store content
- Records Management is all about...CONTROL
- Preservation (retention)
- How long you keep something
- Deletion (disposition)
- Ensuring destruction of the right records at the right time
- Retention and disposition rules are driven by three main factors...
- Laws
- Regulations
- Corporate policy
18 Why do organizations need e-Records?
- The likelihood of getting burned by corporate records--regardless of actual guilt--has skyrocketed for every public company
- Forbes Magazine, Forbes.com June 20 2002
- Shred Early, Shred Often,
- Penelope Patsuris
19 Why do organizations need e-Records?
- To improve operational efficiency
- Manage the tremendous volume of content / information
- Reduce Operating Costs
- Improve Decision-Making
- To prove compliance with regulatory and legal obligations
- The software can provide the FRAMEWORK necessary for compliance. But it does NOT automatically guarantee it!
- To reduce risk of litigation or public embarrassment
- Avoid Accidental Disclosure
- Discovery is way too !
- Massive representation costs
20 Sources of e-Records
- Today
- Corporate reports and invoices
- Imaging (conversion of paper to digital)
- E-mail Systems (both incoming and outgoing)
- Desktop Applications (word processing, spreadsheets, etc.)
- Near Term
- Transactional Systems (e.g., Banking, e-commerce)
- Web pages and content supporting web sites
- Web Transactions
- Data Collection Systems and Instrument Recording Devices
21 Key e-Records Concepts
- Reliability
- Authenticity
- Secure
- Accessible
- Accurate
- Complete
- Chain-of-Custody
- Auditable
- Original Format
- Maintained Throughout Retention Period
- Admissible
- Trustworthy
- Legally Defensible
22 Two e-Records Roles
e-Records Management Functions
All Desktop Users
Records Specialists Only
- Declare
- Make the document a record
- Classify
- Assign the document to a subject code (File Plan)
- Search and View existing records
- Create/Maintain File Plan subject codes and Retention Rules
- LifeCycle Management
- Apply destruction and archiving rules to e-Records
- Manage Physical Records
23 Declaring Documents to be Records
- Declare means
- User can no longer delete/edit!
- Records Manager has exclusive ability to delete.
- Document has metadata applied to it
- To, From, Date, Subject, etc.
24 Record Classification
File Plan
Retention Schedule
Classification
Safety
Doc. 1
Inspections
Doc. 2
Incidents
Finance
Doc. 3
Budgets
Doc. 4
Audits
Doc. 5
Travel
Requests
Doc. 6
Reports
25 Sample Retention Periods
Regulation
Government - OSHA
- Toxic exposure: 30 years
Life Sciences/Pharmaceutical (21 CFR Part 11)
- Records for food (manufacturing, processing, packing): 2 years after release
- Records for drugs (manufacturing, processing, packing): 3 years after distribution
- Records for bio products (manufacturing, processing, packing): 5 years after end of manufacture
Healthcare HIPAA
- Medical records, Hospital (either original or legally reproduced form)
- Medical records for minors: from birth to 21, possibly life
- Medical records: 2 years after patient death
Financial Services (SEC 17a4)
- Financial Statements
- Member registration for broker/dealers: end-of-life of enterprise
- Trading account records: end of account plus 6 years
Sarbanes-Oxley
- Financial and correspondence data: 4 years after audit
(Chart axis: Years)
26 Records Disposition
Not as Simple as You Might Think
60% of all record destructions are event-based
27 e-Records Management Organizational Impact
- Strategy: Business goals and objectives
- Process: Procedures and business rules
- People: Organizational structure, skills and incentives
- Technology: Applications and infrastructure
- Culture
28 Compliance Master Plan and Methodology Roadmap
29 Building A Successful RM Program
- Experienced, Knowledgeable Team
- Proven Methodology
- Project Oversight With Independent Verification and Validation
- Enterprise Focus
- Comprehensive Training Plan
- Organizational Communication Strategy
- Measurement