
Manufacturing Business Technology

Sarbanes-Oxley isn't the half of it

Holistic approach to compliance reaps rewards beyond avoiding fines or staying out of jail

By Nancy Bartels

"I don't know how these manufacturers keep up with what's out there," says Jay Jeffreys, program manager for e-compliance solutions with manufacturing enterprise software vendor Wonderware. "What's out there" refers to the alphanumeric soup of regulations with which manufacturers have to comply to keep on the right side of authorities of federal, state, and, in some cases, foreign governments.

Many manufacturers don't quite know how they're going to do it either, starting with the $6.1 billion that Boston-based AMR Research says companies will spend this year to comply with the 2002 Sarbanes-Oxley Act (SOX) alone.

SOX brought the compliance issue center stage for manufacturing executives. The act requires that officers of all publicly held companies sign off on the veracity of financial information about their companies (and be able to document how they know their numbers are valid), a requirement that reaches into almost every corner of the manufacturing operation.

But SOX is only the poster child for a long list of regulations, each with its own set of compliance requirements, forms, and deadlines. All this leaves manufacturers scrambling for ways to rationalize their approaches to compliance.

AMR's John Hagerty says the time has come for companies to start shifting from a tactical to a strategic response, keeping an eye out for long-term manageability across all regulations with which they must comply. Making compliance tasks repeatable and effective with a minimum of intervention should be the top priority.

"Compliance isn't a project," he says. "It's a process. It starts getting close to business process reengineering. If compliance is the driver, the next step is to streamline and standardize across all compliance requirements."

At that point, IT supports finance and operations requirements. "If you can automate a process, you can control it," says Hagerty. "SOX doesn't require electronics, but you can force compliance through electronics. The steps become repeatable, sustainable, and cost-effective."

Best practices

Begin by putting someone in charge of compliance: a designated compliance officer, says Joseph Ansanelli, CEO of data protection vendor Vontu. This person should be responsible not only for complying with current regulations, but also for watching changes in regulations as they happen and making sure set policies adapt to them.

Outside expertise may be required. Says Wonderware's Jeffreys, "I would develop a personal relationship with a consultant who has a broader view than you do. You should be concentrating on being a good manufacturer. You want someone who makes it their business to stay in touch with this."

Then centralize all your compliance activities. "When you create a standardized approach, you always use it the same way across the organization," says Robert Farina, CEO of workforce management solutions vendor CyberShift. "Organizations must centralize and ensure they have visibility into what systems are doing. Many companies have 20 different systems that don't talk to one another, and they don't have a sense of transparency or one central viewpoint."

Divide your compliance system into two parts: financial and operational, says Scott McLeod, VP of ERP vendor Ross Systems. "You need both a financial and an operational system of record."

Once the systems are in place, enforce the rules. "The system is good only if you are willing to enforce it," says McLeod. He also recommends building checks and balances into software systems, thereby automating as much enforcement as possible.

This means that operations as well as finance and IT have to be involved. "It's the operations guys who have to gather the data in the first place. And they often are the ones who can see ways to gain added value for the data collected for compliance," says Jeffreys.

AMR's Hagerty recommends starting with what you have and leveraging it to meet your compliance requirements. Particularly in such industries as food, chemicals, or pharmaceuticals, robust production documentation capability probably already exists that can meet many compliance requirements.

"Take the systems you use for optimization and use them as evidence of compliance," suggests Steve McGraw, CEO of software vendor Compliance 360. "Look at your systems in place to see how you are already in compliance, and ask how you can use the data you already gather to provide evidence of compliance."

It's not about the jail time

This operational approach to compliance gets to the heart of a strategy for turning it from a pure cost center to a strategic enabler that can bring some real benefits, besides avoiding fines and jail time, to your business.

"It almost seems backwards to talk about document compliance," says Paul Hoy, director of manufacturing industry solutions for business intelligence vendor Cognos. "You should have processes in place first. If it's all about documenting, you're missing an opportunity to improve your processes. Just as you can't inspect quality into product, you don't get better performance by documenting compliance. If I'm consistently driving good performance, I'll have compliance."

Good governance, good performance, and good compliance seem to follow one from the other. Three out of five companies surveyed by AMR in 2003 expected to get some real business benefit from their compliance strategies. These include better risk-management capability, improved accountability across the organization, better visibility into performance at the business-unit level, and tight alignment between business policies and related controls.

Hoy says one of the outcomes of SOX compliance is that it requires companies to have good financial predictability. To achieve that, companies need to track key metrics, do regular status checks, and examine the data that underlies those results. Says Hoy, "For example, I need to know and document why my margins are slipping. Is it an inventory problem? Is it a problem in the supply chain? The answer to that will give me a remedial path of action. That's a benefit over and above compliance."

Ray Hein, a VP for product life-cycle management (PLM) vendor Agile Software, suggests softer benefits: e.g., some companies use their compliance track record to build an image of social responsibility and good corporate citizenship, and as a marketing tool. Still, getting a companywide compliance plan in place takes time and patience. Hein compares the situation with that of companies qualifying for ISO 9000 certification.

"Someone has to be in charge," he says. "It takes lots of education and two or three years to implement, but in the end, it has a hard revenue impact."

AMR has identified nine components for a companywide compliance plan:
  • Integration infrastructure: to share data among applications and databases;
  • Business process management and workflow: to manage and enforce defined process flows and coordinate internal cross-application processes;
  • Learning and education management: to deliver information and training on policy and procedures, test that understanding, and track education requirements;
  • Content, document, and records management: to administer and store unstructured data (e.g., text documents, spreadsheets, e-mail) necessary to support documentation, governance, and internal and external communications;
  • Data warehouse/data mart: to accumulate the structured data needed to support performance-related and compliance requirements;
  • Rules engine: to store all compliance-related business rules independent of other transaction and reporting systems that are part of any compliance regimen;
  • Alerting engine: to inform individuals and applications of situations that may require additional assessment and action;
  • Identity and security management: to limit access to authorized individuals, ensure privacy, and manage roles and responsibilities within the context of business applications; and
  • Management dashboards and analytics: to deliver key performance data along with necessary analysis and reporting capabilities to support internal and external requirements.

A project with that scope cannot be implemented in one fell swoop. Getting a compliance policy in place should be done incrementally.

Companies can start gathering the puzzle pieces from a number of different entry points, says Hagerty. Spot-compliance vendors are one way to start. Document management vendors offer a broad, global view and infrastructure to manage vast quantities of documents. Quality management software and ERP vendors, particularly those with powerful tracking and tracing capabilities, offer another entry point. PLM and business intelligence systems offer reporting systems that can support the beginnings of a holistic compliance strategy.

Compliance issues are not going to go away. Manufacturers can look at compliance the same way they look at insurance: spending big money for something they hope they never have to use. Or they can look at it as another opportunity to examine their processes and procedures and plan to reap the benefits that come along with running a tighter ship.
