IT organizations focus on compliance


A recent survey conducted by the Forrester research firm suggests that technology decision-makers are paying significantly more attention to regulatory compliance today than they were a year ago.

In the Forrester survey, 77% of respondents who said they must comply with Sarbanes-Oxley (SOX) reported plans to increase their IT spending on at least one type of technology over the next 12 months (see figure).

This compares to a Forrester survey done last year in which 17 out of 20 chief financial officers said that SOX compliance "had only a neutral or slight pressure on their spending plans."

"CFOs didn't see a need last year [to increase their IT spending on technologies to support SOX compliance, but] companies are now getting into the mindset that records management is something that they have to take seriously - and that applies to traditional industries, not just highly regulated ones such as government," says Nicholas Wilkoff, a senior analyst in Forrester's industry economics and data team.

Of the technologies cited by survey respondents, security, storage, specialized process control, records management software, business intelligence software, and ERP software topped the list. Security-related purchases (61%) were number one, followed by storage (52%) and specialized process control (40%).

Interestingly, the Forrester survey also reveals that Microsoft users are 1.4 times more likely to increase spending on security technologies than non-Microsoft users.

The survey also indicates the growing importance of process control (40%), records management (39%), and business intelligence software (36%) in regulatory compliance. "Organizations need to get the processes in place, and I would think they are looking to isolate regulatory content and store it separately," says Wilkoff.

CIO Insight magazine and the Gartner IT consulting firm also conducted a joint survey of organizations earlier this year to learn more about the state of compliance and the general attitudes of organizations involved in compliance planning. Similar to Forrester, they found that most organizations (at the upper management level) are taking SOX compliance seriously and are generally optimistic about the efforts they are taking to comply with SOX and the timeliness of these efforts (i.e., their ability to meet various regulatory deadlines).

However, the CIOs polled in the CIO Insight/Gartner survey also expressed concern about the effects compliance efforts will have on their business over the short term and their ability to derive any business value or benefits from these efforts over the short term.

"CEOs and CFOs moan about the pressure [that compliance] puts on their businesses," says Richard Hunter, vice president at Gartner's Executive Programs. "They see it as either a burden or a burden with certain [potential] business benefits. It is especially a burden for those organizations that don't have the processes under control."

Specific obstacles include problems with data structures, security and business continuity, and supporting infrastructures, according to a CIO Insight article on the survey results.

Thirty percent of 179 respondents to the CIO Insight/Gartner survey said that they thought the "total cost of compliance with Sarbanes-Oxley will have a significant negative impact on [their] profitability during the first two years." However, 51% said they did expect to see some benefits as a result of the steps they were taking to comply with SOX.

However, regulatory compliance also has some potential benefits, including process standardization, which, among other things, gives CIOs the opportunity to standardize systems, technologies, etc., establishing unified company-wide systems or processes that are easier to manage, are better aligned to business objectives, and can generate profits, according to the CIO Insight article.

The main problem organizations struggle with, especially those with data warehouses, is that their data is spread out, so the meaning of the data is not always clear or documented, and it is hard to extract value out of it, says Hunter.

However, the process of being able to separate this information and apply records retention periods to it (to derive business value or benefit) requires a variety of products, including content management software, records management software, and storage management software, as well as hardware.

Regulatory compliance may also have the added advantage of helping organizations uncover potential issues with other IT processes (e.g., business continuity and disaster recovery) and even get IT budgets passed by upper management.

Derek Woo, healthcare technology practice director at Windham Health, a healthcare software and services company that specializes in HIPAA compliance, says that regulatory compliance (in Windham's case, HIPAA compliance) can actually help IT organizations get their budgets approved.

"IT is always seen as a drain, not a revenue generator," he says, "and budgets are almost always getting slashed. However, IT organizations are finding that they can use regulatory compliance as a way to sell the IT budget."

The problem is that while IT organizations generally know that they want or need to spend money on their IT infrastructure to meet regulatory compliance guidelines, they don't necessarily know what they should be investing in.

Says Woo about typical healthcare clients: "They're wrestling with storage management. They don't know how they should be managing their data [and they haven't thought about things like either] running ad hoc tests or metrics on storage capacity to project needs, etc."

What they do know is that the industry is becoming increasingly regulated, retention periods are getting longer, and critical federal funding dollars are in jeopardy if they don't comply.

Woo says that investing in compliance-related systems and technologies, including storage, is a necessary evil, but is ultimately a tactical sell, one that is based on more than system price, performance, etc.

"It is about putting together a workflow of all things you need to be compliant, not just point solutions," he says. "But storage vendors are having problems conveying this message to users, who see them as just trying to sell disk."

Windham Health is working with storage vendors, as well as others, to help them figure out what aspects of their technologies address regulatory issues and is also working with healthcare providers to see what products are available that can help them maintain their compliance level today and in the future.

Of course, for some industries regulatory compliance has more immediate storage demands than others. For example, regulatory compliance is expected to have a more direct effect on storage demand in healthcare industries than it is in financial industries for the simple fact that the healthcare industry is simultaneously going through the transition from paper to digital/electronic media. Similarly, regulatory compliance is affecting some industries and data types more than others. But whether compliance increases user storage demands or becomes a key issue today or in 12 months or more, management (i.e., storage, records, and content) will be critical for not only ensuring that organizations are complying with regulations but also deriving the most business value out of their data and the IT dollars they spend.

In fact, the biggest "category" of increase (i.e., in terms of where users were spending their IT dollars) was in document management, according to the CIO Insight/Gartner survey.

InfoStor will take a look at the role that document/content/records management plays in compliance in the next article of this series.

This article was originally published on October 01, 2004