Essentials of Enterprise Compliance - Susan D. Conway - E-Book

Description

Expert guidance for a proven compliance framework. Governing the Think Factory provides readers with an in-depth look at organizational compliance requirements within three major areas: corporate governance, operational compliance, and global migration/workforce compliance. It then shows how to manage compliance, with a look toward global future trends that will impact the compliance framework, helping businesses establish goals and improvement benchmarks going forward.


Page count: 147

Year of publication: 2009




Table of Contents
Title Page
Copyright Page
Preface
Foreword
PART I - Introduction
CHAPTER 1 - Compliance: Law and Society
Defining the Scope
Governance Point of View
Starting a Compliance Program
Structuring Compliance
Chapter Summary
CHAPTER 2 - Global Perspective
Influencing Governance Structures
Thinking Global Compliance
United States—Compliance Notes
U.S. Public Sector
Canada—Compliance Notes
Australia—Compliance Notes
Australia Public Sector
United Kingdom—Compliance Notes
Japan—Compliance Notes
Germany—Compliance Notes
Mexico or Other Latin American Country—Compliance Notes
Chapter Summary
PART II - Framework for Governance
CHAPTER 3 - A Framework for Governance
Introduction
Do As I Say—Providing Continuous Guidance
Business Rules and Structure Are the Foundation of an Enterprise
Building a Compliance Model
Optimized Compliance Management (OCM)
Chapter Summary
CHAPTER 4 - Exploring the Potential
Driving Influence: How Can Organizations Establish or Foster a Culture of ...
Looking at New Practices
Technologies Can Help Achieve the Vision
Supporting Regulation through Technology Enablement
Chapter Summary
PART III - Looking For the High Ground
CHAPTER 5 - Compliance at the Desktop
Auditing and Logging
Performing Tasks for Auditing
Viewing Reports for Auditing
Workflow Management
Digital Signatures
Signing a Document
E-Signatures Streamline Paper-Bound Processes
Signature Criteria
Records Management
Pretagging Content
Reaping the Benefits
E-mail Message Record Management
Classifying E-mail
Litigation Support
Managing Holds
Spreadsheet Management
Bar Codes and Labeling
Information Rights Management
Using Document Information
Portal Search
Improving Compliance with Technology
Viewing Item-Level Audit History
Managing Instant Messaging History to a Records Management
Signing of Documents
Using Information Rights Management with Classifications for Advanced E-mail Protection
Tracking of Changes to Document
Mapping Opportunities Summary
Chapter Summary
CHAPTER 6 - Powering Compliance
Recapping Key Compliance Regulations
Common Compliance Requirements
Procedural Rigor
Auditing and Logging
The Compliance Technology Landscape
Looking at Solutions
Utilizing Existing Technology Investments
Summary
Managing the Cost of Compliance
Chapter Summary
APPENDIX A - Sarbanes-Oxley Act of 2002—Effective Compliance and Ethics Program
APPENDIX B - Description of the Technology Features Relevant to Compliance
Index
This book is printed on acid-free paper.
Copyright © 2008 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.
For more information about Wiley products, visit our Web site at http://www.wiley.com.
Library of Congress Cataloging-in-Publication Data:
Conway, Susan, 1947- Essentials of enterprise compliance / Susan D. Conway, Mara E. Conway. p. cm. Includes index.
eISBN: 978-0-470-44339-2
1. Corporate governance. 2. Business enterprises—Law and legislation. 3. Business ethics. I. Conway, Mara E., 1970- II. Title. HD2741.C696 2008 658.1’2—dc22 2008019301
Preface
This book is written in such a way as to address the key business issues around enterprise compliance while highlighting real-world legal issues and discussions. Enterprise compliance has been broken down into four key components: governance, compliance, workforce migration, and technology support, as shown in Exhibit A.
EXHIBIT A
Content Road Map*
As Exhibit A demonstrates, the legal and regulatory challenges facing business in the twenty-first century are best addressed based on the level at which they are executed. Compliance and workforce migration (immigration and related employment law issues) are both addressed at the operational level, whereas governance is an executive- and board-level issue. Though all three concepts will be addressed in Parts I and II, governance will be treated uniquely while compliance and migration discussions can be joined. We will have an opportunity to discuss all three in unison in Part III as we look forward.
Technology is an enabler of all aspects of enterprise compliance. Potential technology benefits and risks will be discussed in Parts I and II.
Foreword
From the board of directors and executives to the general management and sales representatives, no one can act as passive, or even limited, advisers to the enterprise they serve. Members of corporate boards must take an increasingly active role in fulfilling their fiduciary responsibilities of oversight. They are no longer “window dressing,” and they should act effectively to add value to the company. Executive leadership must proactively engage in the dissemination of guidance, and their managers must actively work to structure compliance within the rank and file. Corporate governance has gone from being something “nice to do” to “please a few investors” to an essential component of a company’s valuation and risk assessment processes.
Although some organizations see compliance as a burden, others see it as an opportunity. Forward-thinking chief financial officers (CFOs) are structuring their governance policies, processes, and controls to enhance and reinforce long-term compliance [1]. They plan not only to meet today’s compliance needs but to go beyond them, and in doing so they create genuine competitive advantages for their organizations.
These visionaries view regulatory compliance as a catalyst for change. This view can be contrasted with other business leaders who spend their time and resources in a reactive tactical effort to simply address today’s audit or legal challenges. A study by IDC [2] found that the average company with revenue over $1 billion spends an average of $3.70 million annually to meet their Sarbanes-Oxley requirements. These CFOs tend to view legislation like Basel II [3] as a “tax”—an unavoidable and incremental finance cost. They seem to hope that it will soon pass.
Moving compliance from overhead to business as usual is the new productivity frontier.
Forward-thinking business and government leaders are seeking out means to strengthen their compliance activities while working to offset the incremental cost of compliance. They recognize this as an opportunity to partner with other areas of the business to lower operating costs and improve business performance by streamlining processes, standardizing reporting, and integrating technologies, while delivering the organization’s compliance status at any time.
Competitive advantage is achieved through benefit-driven activities that embed compliance in the “business as usual” operations of an organization, creating a transformational journey from compliance to competitive advantage. Essentials of Enterprise Compliance focuses on this journey. Though each journey has common components, it is also unique to each enterprise. Regardless of law and regulation, the specific governance and compliance structure is guided by the unique culture, business processes, information management, and enabling information technology (IT) of the enterprise. These unique factors underscore the transformational benefits required to be competitive and deliver tangible savings and returns through compliance transformation.
Microsoft believes that to achieve the competitive advantage journey vision, an organization should have technologies that enable its people and become “People Ready.” Delivered through its enabling IT, the technologies must be scalable, security enhanced, and, above all, intuitive to the people within the organization.
Discovering solutions that meet the vision for competitive advantage and compliance requirements, and that enable the forward motion of the enterprise, should be the joint vision of all parties. Isn’t it time you considered leveraging your investment and delivering tangible results?
Mike McDuffie
Vice President, Public Sector, Microsoft Corporation
Notes
1 CFO Research Services in collaboration with Capgemini, “Compliance: Finance’s Bridge to the Enterprise,” 2005.
2 IDC/Revenue Recognition.com, Financial executive benchmarking panel survey, SOX edition, 2005.
3 The Basel Accord (I and II) refers to the European based banking supervision agreements and is regulated by the Basel Committee on Banking Supervision (BCBS) based in Basel, Switzerland.
PART I
Introduction
After reading this book, you will be able to:
• Appreciate the value of establishing a unified and holistic governance and compliance framework.
• Better understand the relationship between governance and compliance.
• Develop a global vision of enterprise governance and compliance.
• Deepen your understanding of the major terms, concepts, and objectives of enterprise governance and compliance in the public and commercial sectors.
Governance is an expression of the stakeholder vision that serves to guide the operation of the enterprise. Governance policy can be envisioned as the core of a series of interlocking circles that form the foundation of successful enterprise. Compliance, revolving tightly around governance, is linked closely to data, security, quality, operational excellence, and financial transparency, which in turn connects to the broader issues of records and data management, accessibility, and intellectual capital security. You may immediately recognize these as the same relationships as those that are required for successful business management.
In the information-centric economy, without governance and compliance rules the enterprise would focus solely on the efficient and effective delivery of information without concern for the asset value or security of the deliverable. It is the role of governance policy to set constraints on this flow to secure not only the assets but to preserve the individual and business data privacy rights. Compliance drives this constraint to a granular level through the evolution of business rules that are executed in the operation of the business. Business rules, in turn, dictate the degrees of freedom that can be exercised in the production and use of information, enterprise knowledge, data, and intellectual property. Enterprises that ignore any of these key relationships open themselves to heightened levels of risk, including exposure to legal action, sanctions, and loss of stakeholder confidence.
TIPS AND TECHNIQUES
Focus on Compliance
Few business issues are higher profile than compliance. The number and scope of compliance regulations have increased dramatically over the past few years, making compliance an ever more complex business and technology challenge. Whether aimed to prevent fraud and money laundering, to combat international terrorism, or to ensure financial accountability and privacy, a kaleidoscope of international, federal, and state regulations—such as the USA PATRIOT Act, Sarbanes-Oxley Act (SOX), Basel II, Bank of England, Bank Secrecy Act, Health Insurance Portability and Accountability Act (HIPAA), and others—dramatically impacts how companies do business.
To be successful, organizations serious about compliance must also be serious about process and data quality because at the core of any reliable compliance program is consistent and quality data. Ideally, an organization’s compliance framework will provide structured procedures, quality management, and matching staff capabilities as part of an all-encompassing enterprise compliance and case-management solution.
Organizations that have pieced together their compliance process should carefully review its design and audit its results to ensure that the process that has developed over time is up to the task of meeting the company’s current requirements. In particular, organizations that plan to use existing management and quality structures for their compliance efforts must carefully examine the ability of such programs to effectively extend rules and processing capabilities in order to provide mission-critical and compliance-specific capabilities, without which the entire compliance process could be undermined.
The last few years have been challenging for those who work to manage these interrelated risks. From corporate scandals such as Enron and WorldCom to data privacy breaches at ChoicePoint and Bank of America, businesses today are pressed to develop more reliable methods of ensuring, tracking, and recording compliance-related factors involving not only employees and executives but also corporate and customer data.
In a global economy where an instant message from a contractor in Bangalore can throw a Boston-based company out of Sarbanes-Oxley compliance, understanding corporate compliance rules and information technology (IT) policies must be taken to a new level. Information-centric intellectual capital (people, knowledge, and data) has become the core asset of global enterprises. These virtual think factories may have designers working in Britain, engineering based in the United States, and manufacturing in China. This structure results in a complex compliance web enabled by information technology, complex business process outsourcing, and matrix management that is scattered across the organization [1].
Business leaders and their advisers have been forced to reflect on what it means to have a strong compliance system. What are the components of effective controls? What does it mean to put a focus on corporate compliance and ethics? No enterprise is immune from the risks. Those who follow business news know that nearly every public organization and many private organizations have struggled with litigation exposures, regulatory investigations, and the like. Anytime you have employees spread across the globe in countless countries, you wake up every morning or you fall asleep every night thinking that any one of them can do something just slightly out of line and cause a great deal of peril to the enterprise. The key question is how you protect the enterprise against that in circumstances where you can never entirely eliminate the risk. Things will happen—there will be regulatory challenges, lawsuits, and incidents that cause concern—but the question is how to set up a structure of governance and internalize a set of business rules and values that will minimize the risk and convince the people who work for you and those who do business with you that the standards that govern your enterprise truly matter to you. Corporate governance and compliance should matter as much as meeting the revenue/budget targets, in satisfying the expectations of the business leaders, owners, and the board of directors.
The corporate experiences of recent years, for better or worse, are driving culture change. The new breed of business executive will need a framework for understanding how global labor, IT policies, and international legal compliance influence information work and drive business productivity.
Establishing a culture of compliance requires a continuous cycle of guidance, planning/reporting, and execution/monitoring.
Note
1 Susan Conway, The Think Factory (Hoboken, NJ: John Wiley & Sons, 2007).
CHAPTER 1
Compliance: Law and Society
After reading this chapter, you will be able to:
• Understand the basic structure of an enterprise governance framework.
• Deepen your understanding of the relationship between governance and compliance.
• Develop a conceptual foundation for evaluating your enterprise’s current governance and compliance program.
• Understand the structure of a holistic governance and compliance framework.
• Appreciate the reasons for a unified enterprise framework.
• Review the balance between governance and compliance in public and commercial enterprises.

Defining the Scope

Governance policy and compliance rules can no longer be passive guidance for CEOs, managers, supervisors, and employees. Members of corporate boards must take an increasingly active role in fulfilling their fiduciary responsibilities of oversight with proactive governance structures and compliance frameworks.
As Mike McDuffie pointed out earlier, a board of directors is no longer window dressing, and, therefore, must be a contributing factor in establishing solid governance across the enterprise. Organizational compliance rules must proactively implement the governance policy as well as ensure adherence to law. Adding to this complex picture is the organizational culture and operational management of the enterprise. Over the course of this chapter we will explore some of these interdependencies and try to peel back the layers, as shown in Exhibit 1.1, enough to clarify the relationship between governance, compliance, and operations.
Enterprise governance policy is the core of processes, customs, policies, and rules that guides and influences the way in which an organization is directed, administered, or controlled. Governance generally provides guidance on the relationships and roles of the people involved and includes an alignment of the rules to the goals of the enterprise. Enterprise governance is, for the benefit of the stakeholders (shareholders, owners, or citizens), designed to provide guidance from the board of directors, management, and, ultimately, the employees in the proper operation of the enterprise. It is often a set of lofty statements aligned to the enterprise mission and goals.
EXHIBIT 1.1
Organizational View of Compliance
Given this definition, it is clear that enterprise governance is not simply an outline for managing external regulations but is a high-level set of guidelines to the complex issue of enterprise operations. The focal point of governance, and its operational counterpart compliance, is accountability and fiduciary duty. The primary objective of governance, as outlined in Exhibit 1.1, is to provide a framework under which compliance is built. Governance, if structured and managed well, provides guidance to the operational processes and supporting systems that lead to good institutional behavior that in turn leads to shareholder protection and economic efficiency. Governance is about the delicate balance between appropriate workplace behavior and economic gains.

Governance Point of View

FROM THE REAL WORLD
Corporate Governance at Merrill Lynch