
Corporate Governance and Compliance in the UK – Delivering Gain from the Pain

Microsoft’s Solutions

April 2005

White Paper


Written by: Mike Davis, John Holden – Senior Research Analysts

Published April 2005
© Butler Direct Limited
All rights reserved. This publication, or any part of it, may not be reproduced or adapted, by any method whatsoever, without prior written Butler Direct Limited consent.

Important Notice
This report contains data and information up-to-date and correct to the best of our knowledge at the time of preparation. The data and information comes from a variety of sources outside our direct control, therefore Butler Direct Limited cannot give any guarantees relating to the content of this report. Ultimate responsibility for all interpretations of, and use of, data, information and commentary in this report remains with you. Butler Direct Limited will not be liable for any interpretations or decisions made by you.


INTRODUCTION

Corporate Governance is a heading, not a single issue: it is big and varied and, as we learnt with the recent conviction of Bernie Ebbers, the former Chief Executive of the US communications giant Worldcom, where there is poor Corporate Governance the whole organisation can fail. Good Corporate Governance is about running the organisation in a way that is compliant with the highest standards set both by the appropriate regulators and by the organisation itself. Compliance is about having good processes, and the ability to demonstrate to stakeholders that those processes are monitored and can be reported upon. Compliance is undoubtedly becoming a major pain point for organisations, as a raft of legislation and regulations is affecting the way that they operate and the levels of reporting they are required to deliver.

Butler Group does not just see compliance as a pain. Rather, we see it as formalising best business practice, and providing both investors and managers with confidence in the rigour of the business processes. If compliance is addressed in the organisation’s business and IT strategy, it will offer operational and even competitive advantages – there are demonstrable gains.

This White Paper examines Corporate Governance and compliance as it is affecting UK organisations, and how Microsoft-based technologies can be used to support those organisations in addressing their respective pain points. It includes four case studies from different industries that illustrate how the challenge of compliance can be tackled with the assistance of good IT systems, and how addressing compliance can be used to deliver business advantage.

WHERE IS THE PAIN?

In Butler Group’s opinion, compliance is about doing the right thing: operating in a way that gives shareholders, or stakeholders, customers, employees, and external regulators confidence that the organisation is behaving in a manner that is beyond reproach. Butler Group defines compliance as: adherence to the legislation, regulation, and standards that apply to an organisation in its respective jurisdiction. As the Confederation of British Industry (CBI) and Federation of Small Businesses regularly report, in the UK this appears to be a plethora of ‘red-tape’ that affects organisations of all complexions. A list of the applicable legislation and regulations would easily fill this whole paper, but many are obviously specific to particular vertical sectors or types of organisation.

Examples of relevant legislation include:

For UK-Listed companies – The Companies Act 2004, and the Proceeds of Crime Act 2002. Companies that are also US-listed will have to be compliant with the US Sarbanes-Oxley (SOX) Act 2002 by July 2006.

For Public Sector organisations – The Freedom of Information (FOI) Act 2000.

For all organisations – The Data Protection Act (DPA) 1998, Health and Safety at Work Act, and various Employment Laws.

Examples of regulations and standards include:

Money Laundering Regulations 2003, and the BS7799/ISO/IEC 17799:2000 IT security standard.

If there is one thing that we can be very certain of, it is that there is more to come. For example, a UK Small Companies Bill is currently being prepared, and as the European Union continues to harmonise we will increasingly see Directives that drive pan-European standards. Some pieces of legislation will have a wider impact than just in their original country: although SOX only applies to US-listed companies, it is setting the standard for best practice. We are already seeing in the UK a ‘viral’ effect similar to that which happened with the ISO 9000 quality standard, in that large US companies are starting to insist that all organisations in their supply chain are also compliant with SOX.

The priorities in the compliance agenda vary from business to business. Having good corporate governance, and being compliant, requires organisations at board-level to be aware of the legislation and regulations that are relevant to their particular vertical, to prioritise the issues to be addressed, and to implement any solutions within a strategic business and IT framework.

WORKING OUTLINE #6 25-04-05

INFORMATION TECHNOLOGY REQUIREMENTS

First and foremost, there is no ‘one size fits all’ solution to compliance, but there are common elements, and using IT to support the addressing of compliance issues requires a strategic view of an organisation’s technology infrastructure.

At its simplest, from an IT perspective, supporting compliance is about recording and storing the information that is required for managing, monitoring, or reporting on business processes, and then retrieving such information when required, either operationally or for a regulator.

The technologies that can support this can be grouped into three types:

1) Information Management technologies – To ensure that information is captured and stored appropriately, that it is retained for the period required, and that from creation to destruction any changes are recorded to ensure transparency. This should be automated wherever possible to ensure consistency and minimise the risk of non-compliance.

2) Information Analysis – Enabling the information to be retrieved, not only when requested, but also in a scheduled and automated manner, in the appropriate format required.

3) Information Security – Ensuring that only appropriate and authorised persons can access information, and just as importantly, that appropriate and authorised persons have recorded the information.

Figure 1 shows a list of the technologies that are covered by these headings.

These technology requirements translate into:

Robust and scalable storage for electronic information.
Workflow or Business Process Management (BPM) to automate as many of the tasks as possible.
Effective search and retrieval tools.
Identity and access management for the network and systems.
Effective and tested disaster recovery.

MICROSOFT’S SOLUTIONS FOR COMPLIANCE

Microsoft does not offer any systems for compliance; rather it provides the platform upon which compliance solutions can be built, often by integrating with products from Microsoft’s wide range of partners. The core elements of any Microsoft-based deployment will be Microsoft Windows Server 2003, Microsoft Active Directory, and the Microsoft SQL Server database. Additional Microsoft products that may form part of the platform for the solutions include: InfoPath, SharePoint Portal Server, Exchange Server, and Microsoft Analysis Server. As shown in Figure 1, some of these products provide capabilities in more than one area.

SUPPORTING IT REQUIREMENT | MICROSOFT TECHNOLOGY

1) INFORMATION MANAGEMENT
Business Process Management (BPM) | InfoPath
Collaboration | SharePoint Portal
Digital/E-mail Archiving | Exchange Server
Disaster Recovery | Windows Server, Office
Enterprise Content Management inc. E-mail & Records Management | SQL Server, Windows Server, Exchange Server, Content Management Server

2) INFORMATION ANALYSIS
Business Intelligence/Analysis | Analysis Server, Office (Excel)
Corporate Performance Management | Office (Excel)
Search / Discovery / Retrieval | SharePoint, Office

3) INFORMATION SECURITY
Identity Access Management | Active Directory
Network Security | Active Directory
Policy Management | Active Directory
Profiling | SharePoint

Figure 1: Technologies to Support Compliance – Butler Group 2004

Most organisations have quite rightly developed their existing IT infrastructures and deployed appropriate Line Of Business (LOB) applications to meet their operational business needs, for example accounting and payroll systems, customer databases, and stock control systems. These often evolve into Enterprise Resource Planning (ERP) and Customer Relationship Management (CRM) systems as the organisation matures and expands. They are in general transactional systems where the individual items of data have a very low value, but there are lots of those items, and the structure and in-built processes of those systems can ensure a high degree of accuracy and integrity of the information stored. Some of the information required by regulators to meet compliance requests will be stored within the LOB applications, and they are often the core repositories of organisational intelligence. However, this information can normally be accessed by only a few specialists, so reporting becomes expensive and another pain point in the compliance process.

Microsoft’s .NET architecture enables the integration of these LOB applications with other Microsoft tools, meaning that organisations can exploit their existing IT investments as part of their compliance solution. The most important aspect for all organisations is that solutions are accessed through the existing Microsoft Office 2003 interface. This means that employees are utilising the tools they are already familiar with, such as Word, Excel, or Outlook, reducing the pain of training and change management. Such solutions also have high levels of automation, eliminating the risks of employee mistakes and thus non-compliance. For example, a document created in Word, such as a contract, can automatically be declared a record as it is saved, and then stored in a manner that cannot be changed until the legal retention requirement has passed. Similarly, information stored in an ERP system can be automatically retrieved into a report without the requirement for specialist skills, with the assurance of the integrity and accuracy of that information.

The Role of Partners

Microsoft’s partners help deliver compliance solutions for organisations by integrating their own products with appropriate core Microsoft elements. These will normally be implemented by the partner, in conjunction with the deploying organisation, and potentially third-parties such as System Integrators (SIs). Examples of such products include the Enterprise Vault¹ archiving product from Veritas (now part of Symantec). This is extensively used in the financial services sector for the storage, discovery and retrieval of e-mails to meet US Securities and Exchange Commission regulations. Enterprise Vault has also been deployed by the UK supermarket group, Somerfield, to support contract management, and by Luton Borough Council to deal with DPA disclosure requests.

The wide range of Microsoft partners includes those with experience of deploying solutions across a variety of businesses, or in specific verticals, such as Public Sector, Legal, Retail Banking, and Insurance. For example, partners in the financial services arena help companies implement Microsoft Business Solutions such as Axapta, Great Plains, Navision, Solomon, Enterprise Reporting, and Forecaster, to support their respective compliance requirements.

¹ A detailed review of Enterprise Vault 6.5 (April 2005) is available on Butler Group’s Web Site. (http://www.butlergroup.com)

DELIVERING BUSINESS BENEFIT FROM A COMPLIANCE SOLUTION

The fast and comprehensive retrieval of information when it is required for regulators, or even customers, is both a challenge and a pain-point. Examples include training records in relation to Health and Safety issues, a Subject Access Request under the DPA, or a disclosure under the FOI from a public-sector body. It is likely that in all these instances the required information will be spread across a number of electronic systems, and even held in physical documents. Such retrieval ability is also increasingly necessary for customer-facing functions, for example in a call-centre environment, whether that of a local authority or a bank, where a rapid and comprehensive ‘view’ of the customer/client can improve both the perception and delivery of service.

An Electronic Document and Records Management (EDRM) system can provide a single point from which all required information can be accessed, with the confidence that it is complete and accurate, with any changes to the data contained tracked, and the author identified.


An EDRM system can be combined with workflow or Business Process Management, to automate the retrieval, and any steps in authorisation required. It is doubtful whether any public sector organisation which has records on more than one site could address the DPA or FOI without EDRM.

CASE STUDIES

The following four case studies show how compliance solutions that address the pain of the respective compliance issues can be built using solutions based upon Microsoft technologies.²

² Butler Group has undertaken a number of other compliance case studies including: Luton Borough Council, Somerfield, and TNT.

Statoil Case Study

Statoil is a major integrated oil and gas company with its headquarters in Norway. It operates in 29 countries and employs about 25,000 people, almost half working outside Norway. The company was founded over 30 years ago and it has grown both organically and through acquisition since that time. In 2001, Statoil shares were listed on the Oslo Stock Exchange, and the company is currently enjoying strong growth in its international production, and retails petrol and oil in Scandinavia, Ireland, Poland, and the Baltic states. It is one of the major suppliers of natural gas to the European market, and one of the world’s biggest sellers of crude oil.

The company recognised that there was a critical requirement for it to be able to supply detailed audit information to satisfy both financial and accounting disclosure needs. Statoil started a programme called Collaboration@Statoil covering all its locations and employees, with the intention being to ensure compliance with legal and statutory requirements such as the Sarbanes-Oxley Act, and to establish best practice for collaboration and information sharing in the enterprise. This is built on a technology architecture that enables document tracing and secure access to information throughout its lifecycle. The company understood that it required an extensive audit trail that could be accessed by drill-down and drill-around functionality. Importantly, Collaboration@Statoil allows staff to use Web-based IT tools, which automatically tag documents when they are produced.

These tools are ideal for improving processes for the production and sharing of information among a wide range of work groups. Project teams collaborate within an electronic workplace, which utilises documents, tasks, activities, charts and presentations. Automatic identification of documents helps Statoil to eliminate duplicates. The company says that it produces over 300,000 information objects in a month within Collaboration@Statoil, excluding e-mail messages. Stored data is classified by project numbers, activities, and process ownership.

The Collaboration@Statoil system has been developed incorporating technologies from a number of suppliers. At the heart are the Microsoft technologies, including Microsoft Office 2003, Microsoft Exchange Server 2003, Live Communications Server 2005, SQL Server 2000, and Microsoft SharePoint Portal Server 2003. The end user portal is supplied by SAP, and Meridio provides electronic records management technology.

Search engine technology is deployed with both Fast ESP and the Stratify Discovery System, which can continuously search through millions of documents, and provide a comprehensive view of Statoil’s global data.

Statoil plans to roll out the system to its Corporate Services division during 2005, and this will be followed by the sequential implementation in its other divisions including International Exploration and Production, Technology and Projects, Natural Gas, Manufacturing and Marketing, and Exploration and Production. The roll out over the whole of Statoil is expected to be complete by 2006. Ole Jørgensen, Statoil’s Senior Vice President – Information and Communication Technology, said that the amount of integration that Statoil had to contribute between products from different suppliers had proved to be greater than expected, but that the challenges faced by them in setting up the project were largely related to people and processes, rather than technology. He said that this was exacerbated by the many types of users that they had to accommodate, ranging from knowledge workers to engineers.

Technology Type | Microsoft products
Info. Mgt. | SQL Server, Exchange Server, Content Management Server
Info. Analysis | Office, SharePoint, Live Communications Server
Info. Security | Active Directory, Windows Server

MOD Case Study

The U.K. government’s Ministry of Defence (MoD) employs approximately 300,000 people. It receives and generates an enormous amount of data that can be regarded as “records”. The MoD possessed a number of legacy electronic records management solutions, but these were rarely used because of their complexity. As a result, archiving its huge volumes of information, and retrieving it, had essentially become physical processes. Then the MoD came to face a major challenge: the need to comply with a large amount of statutory legislation, including the Freedom of Information Act 2000, and to manage records to The National Archives (UK) 2002 standards. To comply with the legislation through existing processes would have placed an unacceptable administrative burden on civil service and military personnel.

Towards the end of 2003, Microsoft began working on a proof of concept project that was demonstrated to the MoD in November of that year. The MoD was impressed with the simplicity and capabilities of the Microsoft platform, and it asked the company to work with the MoD and its partners, Fujitsu, to deliver this. It required an easy-to-use solution with document creation, search, and retrieval functionality, closely coupled with records management. A team was set up consisting of people from the MoD, Fujitsu, SourceCode, and Microsoft, and in ninety days it developed a robust and scalable solution. This was based on Microsoft technologies, comprising Microsoft Office Standard Edition 2003, Microsoft SharePoint Portal Server 2003, Microsoft SQL Server 2000, and Microsoft Exchange Server 2003. Meridio, a key Microsoft partner, provided the records management functionality, and SourceCode Technology Holdings supplied K2 .NET 2003. This is a workflow solution that was developed using the Microsoft .NET Framework, and that supports compliance requirements and the record creation process.

The MoD solution went live in July 2004 to a user population of approximately 7,000 staff at the MoD headquarters. Its employees collaborate in a single environment provided by SharePoint Portal Server. Users can submit items as records by simply right-clicking on the mouse button. This information is then recorded, and links are maintained within the SharePoint Portal Server environment. As with most projects of this type, producing the technology was only a part of the project. It was an even greater challenge to ensure that users would actually use the solution. In parallel with Microsoft developing the proof of concept, the MoD also created a blueprint for an awareness and training programme for end users. Microsoft and its partners worked closely with the MoD, ensuring that the business vision was delivered as part of the solution. Due to its successful adoption, the programme methodology has been incorporated as a basis for change across the MoD.

When the solution roll out is completed, an estimated 20,000 MoD employees will be using the system. The system has been so successful in its initial adoption that the MoD is exploring further use of the collaborative workspace to support other processes within the organisation, including business decision-making.

Technology Type | Microsoft products
Info. Mgt. | SQL Server, Exchange Server, Content Management Server
Info. Analysis | Office, SharePoint, Live Communications Server
Info. Security | Active Directory, Windows Server

Blue Rhino Corporation Case Study

Blue Rhino Corporation, which is based in Winston-Salem, North Carolina, US, is a major provider of branded propane gas cylinder exchange services, and a provider of complementary products. It is a division of Ferrellgas Partners, L.P. (NYSE: FGP), one of the USA's largest and fastest growing retail propane marketers, which acquired the company in April 2004. Blue Rhino had enjoyed rapid growth since it was formed in 1994, and its exchange services and products are offered at more than 30,000 retail locations in 49 states, Puerto Rico, and the U.S. Virgin Islands through home improvement centres, hardware, grocery, and convenience stores. It delivers to retailers through a national network of both independent and affiliated distributors.

The challenges faced by Blue Rhino were the successful management of the rapidly expanding business, and the need to comply with the Sarbanes-Oxley (SOX) Act 2002. It had been running on manual processes, but these had to be automated if the company was to continue its growth. It carried out a review of Business Process Management (BPM) solutions to establish the one most suitable to Blue Rhino’s needs, which would successfully integrate with its current infrastructure.

Blue Rhino selected the Metastorm e-Work solution, which integrates well with its existing infrastructure that comprises Microsoft SQL Server as the company’s main database environment. The solution was easy to use and flexible for the company’s end users; it provided increased access to information and control for management. It also enabled Blue Rhino to comply with the Sarbanes-Oxley Act.

The company identified the processes to be deployed and within a year, it had automated more than ten processes in e-Work. One was Blue Rhino’s Inventory Procurement Process that keeps track of its millions of gas cylinders, and enables the company to order and transfer inventory between its 52 distributors. These distributors can use e-Work to order products, and Blue Rhino can set spending limits and authorisation approval limits.

An e-Work process is also in place for IT Change Control Management that allows internal system changes to be requested by Blue Rhino staff. This helps satisfy the requirements of Section 404 of SOX for the documentation of internal controls that have a direct effect on financial reporting. The company’s Customer Care department is also able to use an automated process for parts ordering, shipping, and warranties. It also links with the inventory system to track component numbers. An e-Work process enables Blue Rhino’s Human Resources and IT departments to prepare for new employees by providing the tools necessary to do their jobs.

The company has also integrated e-Work with Rhino-Net, its portal tool that is used for the real-time sharing of information by Blue Rhino and its distributors. To summarise the benefits, Blue Rhino achieved rapid deployment, reduced costs, increased efficiency and employee productivity, while at the same time achieving compliance with SOX.

Technology Type | Microsoft products
Info. Mgt. | SQL Server, Exchange Server, Content Management Server
Info. Analysis | .NET
Info. Security | Active Directory, Windows Server

Bradford Hospitals NHS Trust Case Study

Bradford Teaching Hospitals NHS Trust was one of the first created at the outset of National Health Service (NHS) reforms in 1991. It is responsible for the management of the city's two main hospitals, the Bradford Royal Infirmary and St Luke's Hospital, which provide a comprehensive district general hospital service for the city of Bradford in West Yorkshire. The main services provided are the diagnosis, treatment and care of patients referred to the Trust by the patient's GP, by self-referral through its A&E department, or by a consultant from another hospital. The Trust has specialist facilities that are not generally available elsewhere, such as the Yorkshire Cochlear Implant Service.

The Trust faced a major challenge to comply with the Freedom of Information Act (FOI) 2000, which came into force on 1 January 2005. The NHS is a high-profile body that is under constant scrutiny from government, media, and public, so it was critical that the Trust implemented a cost effective and efficient solution. In theory, 500,000 citizens have a right to view information and the FOI requires that a legitimate request for information should be satisfied within 20 working days. If this is not met, the Trust can suffer a monetary penalty, which would affect its tightly controlled budget. There was also concern that any hint of non-compliance would be interpreted by the media as an attempt to conceal information.

Bradford Health Informatics, the NHS IT support team, already had a content management portal in operation built around Microsoft Content Management Server 2002, Microsoft SQL Server 2000, and Microsoft Exchange Server 2003. Due to time and budget constraints, a full document management project was out of the question. The Trust had to find a solution that would aid FOI compliance, would complement the existing solution, and match their existing skill sets.

The Trust had previously partnered with Microsoft Global Gold Certified ISV Partner, Captaris Inc. (NASDAQ: CAPA, www.captaris.com), on its portal project, and it chose to partner with Captaris again. The FOI solution is based on the Captaris Workflow product (previously known as Teamplate), and makes extensive use of the Microsoft .NET Framework. Over four months, the location of information was examined and the data workflows were mapped, then a prototype system, containing dummy data and likely scenarios, was tested for three weeks before the system went live in late December 2004.

As the FOI is a new process in the UK, there were no volume assumptions upon which the solution could be based. However, the Trust believes that with Microsoft SQL Server as the solution’s backbone, it has a scalable application that can deal with potentially hundreds of thousands of requests simultaneously. Captaris Workflow uses industry standards such as XML and .NET, enabling it to integrate seamlessly with the existing IT infrastructure to deal with the requests that have already been received. By introducing workflow tools, the system has provided additional benefits to the Trust in improved productivity and streamlined operations. The solution automates the information flow to ensure appropriate information is delivered to the right person at the right time. Whoever is assigned the task is made aware of any impending deadlines through e-mail event alerts. In cases where there is a lack of response, these are escalated to line managers to ensure compliance deadlines are met.

The solution is now benefiting both the NHS Trust and the public that it serves. People that request information know the Trust is handling their query within the mandated deadline, and are reassured that the Trust is providing a quality service. The Trust can ensure that it is fully compliant with the FOI requirements, by responding to an initial request within five days, delivering information to requestors, or making requestors aware that their search will incur a charge. It removes the burden of administration and paperwork from front-line healthcare workers so that they can concentrate on their primary aim of treating patients.

Technology Type | Microsoft products
Info. Mgt. | SQL Server, Exchange Server, Content Management Server
Info. Analysis | .NET
Info. Security | Active Directory, Windows Server

FIRST STEPS TO COMPLIANCE

Deploying IT to support compliance is both an essential and on-going project for any organisation. Therefore the disciplines and processes of Project Management need to be applied.

First there must be sponsorship at the highest level. Ideally it will be ‘owned’ by the Chief Executive or another board member, and the appointed project board will represent all stakeholders. The person leading the agenda from a corporate perspective needs to ensure that in all business decisions the compliance requirements are considered, and that there is a clear picture for the whole organisation of the responsibilities.

The next issue is deciding where to start. The agenda is big, so there needs to be a focus, either on the legislation/regulation with fixed dates, or on those whose adherence is required for operating practice. An example of the former is the Operating Financial Review (OFR), which under the Companies Act has to be produced from April 2006. Examples of the latter include DPA, FOI, and ISO 17799.

Organisations then need to look at the processes to be recorded, and get the engagement of the employees in that analysis. This will help identify where IT solutions are needed to provide support, and start to include the employees in the necessary process of cultural change that will be essential for success.

Once the business need has been established, just as was illustrated in the case studies, a solution can be sought.

For employees, whilst they need to have an understanding about the requirements, the objective should be that it interferes with their operational duties as little as possible. Ideally compliance will be transparent, and embedded in the business processes.

SUMMARY AND CLOSING COMMENTS

Butler Group believes that Corporate Governance and compliance should be viewed strategically. It is not just about how the organisation is operating today, and to get a ‘tick’ from the regulator. It must be viewed as an on-going attitude to running the organisation better.


The issue is cultural, and should be core to all business practice. Compliance requires accountability at the process level, and this requires all people in the organisation to understand and take responsibility for those processes. IT solutions cannot solve the problem of addressing compliance, and there is no single ‘compliance solution’. Technology cannot on its own deliver the process, but can support the design, management and monitoring of those processes.

Corporate Governance and compliance is a major business pain-point, which will not go away. Companies intent on maximising their gain from compliance for a minimum of pain need to utilise a strategic IT framework, which is ‘future proofed’ in such a way that new solutions can be added to the existing infrastructure.

In addressing Corporate Governance and compliance, organisations must start with their relevant pain-points, and take a holistic approach. This will reduce future disruption, and potentially lower the required investment as new compliance requirements emerge. Most importantly it will allow the organisation to get on with running its business.

The organisational challenges presented by Corporate Governance and compliance can be grasped, or resisted. The former offers the potential of gains and business advantage – not least because regulators will not be chasing the organisation. The latter will mean the continuing pain of ‘fire-fighting’ as issues arise, with the potential loss of an organisation’s reputation, and a major disruption to business or service delivery.

CONTACT DETAILS

Microsoft UK
Microsoft Campus, Thames Valley Park
Reading
RG6 1WG
UK
Tel: +44 (0) 870 6010100
Fax: +44 (0) 870 6020100
www.microsoft.com/uk

Europa House, 184 Ferensway, Hull, East Yorkshire, HU1 3UT, UK
Tel: +44 (0)1482 586149
Fax: +44 (0)1482 323577
www.butlergroup.com