Midrange Stuff, OS/400 Edition--IBM Steps into the Regulatory Compliance Arena

Since the stunning revelations of corporate greed and corruption, the Sarbanes-Oxley Act has come to rest on the front burner for American business. Not only did the implosion of giant companies such as MCI WorldCom, Global Crossing, and Enron rock the U.S. economy, the necessity to prevent reoccurrences could be felt in IT departments from sea to shining sea. The Sarbanes-Oxley Act regulates the financial reporting of individual companies and holds company executives liable for reporting irregularities. IT departments are asked to make it happen.

The most common buzzword in the workplace right now is compliance. On closer examination, Sarbanes-Oxley is just at the top of the compliancy issue list. In addition to Sarbanes-Oxley, there are requirements affecting businesses that relate to the Patriot Act and to the Health Insurance Portability and Accountability Act (HIPAA), as well new regulations put forth by the Securities and Exchange Commission, the New York Stock Exchange, and the Nasdaq stock exchange. IBM, sensing an opportunity to sell software and services, snapped into action by announcing a collection of services and technology offerings aimed at what could be called the compliancy market, which AMR Research estimates to be a $2.5 billion opportunity concerning just Sarbanes-Oxley compliance in 2003.

According to survey results compiled by IBM Business Consulting Services, only 10 percent of executives indicated that their companies are compliant with Section 404 of the Sarbanes-Oxley Act. Most of the remaining 90 percent expect to be compliant within the July deadline--which is just eight months away, with the clock ticking. The IBM survey also indicated that nearly one third of survey participants “would have done things differently” in planning for Sarbanes-Oxley compliance, like getting an earlier start, running early pilots, and focusing less on the deadline and giving more consideration of the entire process.

Not surprisingly, many software companies are introducing compliancy solutions, almost faster than the Feds can crack the whip. And it should also come as no surprise that some business leaders are confused about covering all their bases; they want to apply the correct technology but don't want to grasp at technology needlessly. Giving attention to obtaining benefits beyond compliance is the more prudent approach that many chief executives are taking. Some say software companies are hyping the fear factor in order to drive sales.

IBM is one of the companies accused of fear-factor marketing. In its defense, however, Big Blue also has made the point that this is more than a compliancy issue. IBM executives say they are sending the message that now is the time to retool IT systems and business processes and therefore improve overall business procedures, as well as being in better position to comply with current and future regulations.

IBM executives also have pointed out that the company is not in the business of certifying customers for compliance with the Sarbanes-Oxley Act and other regulatory requirements. The products are meant to help companies "do the things that they need to do," they say, by assisting with such things as documentation of internal controls.

In terms of a product designed to help manage processes, controls, and information related to Sarbanes-Oxley Act compliance, IBM is introducing Lotus Workplace for Business Controls and Reporting. It is intended as a foundation for financial reporting and organized information gathering. It includes a “Control Assessment Template” and embeds capabilities from IBM’s WebSphere Portal and DB2 Content Manager products.

Although there is an IBM focus on this technology, companies without a significant investment in IBM technologies can also benefit. Lotus Workplace for Business Controls, for instance, uses WebSphere Portal and DB2 Content Manager, which are not exclusively IBM technologies.

IBM places great importance on its compliance-oriented services, presented in conjunction with KPMG, the well-known accounting and professional services firm. The most important element of this is a catalog of Sarbanes-Oxley-oriented controls for companies that are still figuring out where to begin.

IBM is also introducing an Anti-Money Laundering Service, which helps companies comply with the Patriot Act, which established programs to "prevent and detect" money laundering. Sections 404 and 409 of Sarbanes-Oxley also require companies to implement improved monitoring to detect and protect against internal fraud. According to IBM, this service covers that base as well. It is also sold as a hosted offering that is designed to replace a process that traditionally has been reliant on a great deal of manual input.

The Email Archive and Records Management Service is designed to assist companies in meeting SEC, NYSE, and Nasdaq regulations. The service provides financial services companies with on-demand e-mail archiving and records management as part of a hosted utility service for inbound and outbound e-mail, internal e-mail, and instant messages.

DB2 Content Manager for Data Retention Compliance provides data archiving and retention capabilities. It is essentially a combination package of DB2 Content Manager, DB2 Records Manager, and DB2 CommonStore services, and is aimed at compliance with SEC and Nasdaq regulations.

With the debut of TotalStorage Enterprise Tape Drive 3592, tape media and drives will feature Write Once Read Many (WORM) media technology, ensuring that data that's written can’t be overwritten.

IBM's Asset Disposition Data Disposal--Disk Wipe Services ensures that sensitive information does not remain on disk drives. These services are capable of meeting Department of Defense standards, IBM says.

Tivoli Storage Manager for Data Retention lets companies implement non-erasable, non-rewriteable storage controls to prevent deletion and alteration of data stored while using Tivoli Storage Manager.