Lynn Collier, Solutions Director, Hitachi Data Systems EMEA: Beyond the call of duty - driving business value from compliance
October 2009 by Lynn Collier, Solutions Director, Hitachi Data Systems EMEA
The regulatory environment is becoming increasingly complex for UK-based enterprises, with the UK and EU governing bodies as well as industry-specific bodies imposing a growing level of legislation. Companies and public sector organisations alike must stay alert to compliance if they are to avoid public embarrassment, fines, undertakings or even legal proceedings. Adding to this problem, new regulations are expected over the next twelve months that will continue to challenge businesses across all sectors. Smart organisations are preparing for compliance but the smartest ones are aiming beyond this and actually looking to drive business value out of necessity. If approached strategically, compliance is not a burden but an opportunity.
Learning lessons from MiFID
Despite being forewarned about impending regulatory changes, companies are often ill-equipped to deal with the legislation. This is generally because the true impact of compliance is not immediately obvious. For example, the Markets in Financial Instruments Directive (MiFID), introduced in October 2007, with which the majority of financial services companies need to comply, demands that on average three times as many contact records be stored as under previous guidelines. After a few months of complying with MiFID, CIOs and IT managers began to hear their storage infrastructure creak under the strain of the data deluge. In some cases, under-provisioned storage systems saw the influx of new data volumes begin to cost the organisation serious money as it was stored on expensive, high-availability disk systems. For many financial services companies, MiFID has meant a lengthy retrospective overhaul of their data storage processes and infrastructure. Switching to highly scalable storage systems to avoid expensive upgrades; implementing a tiered storage architecture to lower storage management expenses; introducing virtualisation to maximise capacity; and running data deduplication software to reduce data volumes are all common approaches. While these are all very effective steps to take in the face of burgeoning data volumes, they are much easier to implement prior to new legislation coming in, rather than afterwards, when the new data is already flooding in. Currently, storage environments in the financial services sector are leading the industry in terms of fitness for handling spiralling data volumes but many have achieved this the hard way.
Intensifying European legislation – EuroSOX
One much talked-about example of upcoming regulation is EuroSOX, which will affect every European business with over 2,500 employees. The Sarbanes-Oxley Act of 2002 in the US (SOX) only impacted companies trading in the States but in 2008 the European version, known as EuroSOX, comes into effect. This set of regulations brings together disparate directives already in place and harmonises them, with the aim of restoring investor confidence in the EU. In essence, EuroSOX places greater demand on an enterprise’s financial reporting – meaning more information must be stored, tracked, modelled and made available to relevant authorities as and when required. The archive requirements of EuroSOX will be significant. The need to store greater amounts of financial data, which can be retrieved and presented accurately within tight time frames, requires companies to adhere to strict data storage processes. The relevant data needs to be indexed so it is easily searchable and stored on a system with relatively high levels of availability so that it can be quickly retrieved. And most importantly, this information needs to be secure in order to prevent leaks and avoid attacks by hackers. In the current economic climate, this usually needs to be achieved on a shrinking IT budget, so only rarely can a company rip out an ineffective legacy system and introduce a new, best-of-breed infrastructure. However, it is important that non-financial sector companies learn from the experiences of their financial sector counterparts and prepare in advance for the demands placed on their storage infrastructure by EuroSOX compliance. It is key to select a robust and adaptable solution which will support compliance requirements today and which will offer an agile infrastructure to encompass future requirements.
Coping with compliance
There are three important things to consider when reengineering your IT infrastructure to support compliance objectives:
The vast increase in data volumes often associated with compliance can require an organisation to implement an archiving platform, which specialises in the effective storage, search and retrieval of large volumes of data. When choosing an archiving infrastructure, it is important to select an open system with no proprietary lock-ins. Many archival systems store data in a format unique to that vendor, which can cause problems when the system has to be upgraded and the data transferred to a new format. In some cases this can lead to volumes of unreadable data or a lengthy and expensive migration process.
Remember that processes are just as important as technology. When it comes to retrieving data, the storage process is key. Files saved without the correct descriptions (metadata tags) attached will be almost impossible to find. Ingraining a culture of uniform tagging throughout the organisation will pay dividends when regulatory authorities request specific data at short notice.
Future-proof technology is more cost-effective than cheap storage methods. While tape storage is appealing for its price and familiarity, winding through miles of tape under time constraints to find a critical piece of archived information is every IT manager’s nightmare. Tape can degrade over time and this, added to the challenge of managing data deletion in such an environment, makes it an unsuitable medium for compliance archiving. The reliability and longevity of disk-based systems make them the obvious choice for critical information archives.
Driving business benefit from necessity
Forward-thinking enterprises are increasingly looking to drive business value from the necessity of compliance. As organisations log more and more data relating to customer contacts and financial information, it makes sense to harness this knowledge for business advantage, ultimately generating profit for the company. A great deal of financial information, for example, can be used to generate superior levels of business intelligence.
EuroSOX is not the only regulatory change set to impact IT departments in the near future, with updates to the EU Data Retention Directive and MiFID expected within the next year. The rate of new legislation does not look likely to abate for some time, requiring businesses to proactively address potential compliance issues before they arise. By planning your IT strategy to support compliance objectives well in advance, your company will be able to deal with upcoming regulations with relative ease. If this forward-thinking approach becomes more common, it is likely that we will see many more companies derive significant business value from compliance. In this way, enterprises can look to mitigate the costs involved in compliance and take the opportunities that it offers.