Customer information, financial reporting and audit, exports, waste – almost every part of an organisation’s inputs and outputs is increasingly driven by regulation.
Indeed, regulation is often seen as a cost centre, operational headache and financial burden in terms of the potential fines an organisation could be liable for if found to be non-compliant – not to mention the incalculable damage to brand reputation that can be incurred if public sanctions are applied.
But compliance, often seen as a necessary evil, can be turned into a positive if it is treated as an objective way to measure whether processes and policies are up to standard. It can also be a means of putting best practices in place for maximum competitive advantage.
“Our compliance efforts can be seen as a way to enable a seamless effort to implement regulation. That allows the company to put more effective controls in place in a way that increases the efficiency of our processes and doesn’t hold back the business,” says James Stearns, director of regulatory compliance and senior counsel at Intelsat.
And, if anyone should know about compliance and its legal implications, Stearns should. This is because Intelsat is the world’s biggest global satellite communications service provider, involved in areas of utmost importance to both international and industrial security, with reported revenue last year of $1.7 billion (£839 million).
In fact, in 2006 the US Bureau of Industry and Security (BIS) issued over $16 million (£7.7 million) in fines to companies for violating export regulations, which essentially means they did business with the wrong people. And trading with an entity on the US restricted party list can result in administrative fines of up to $120,000 (£59,218) or criminal penalties, including 10 years’ imprisonment. Or, in Intelsat’s case, as Stearns half-jokingly told CIO: “We have to make sure we’re not selling satellite bandwidth to Osama Bin Laden”.
This might sound an exaggeration, but ‘Bin’ is a popular name in Middle Eastern countries, just as Smith is in the UK and Patel might be in certain parts of the Indian sub-continent. Stearns says: “Intelsat provides satellite capabilities in over 200 countries, but as a US company we are subject to export regulations that hold places like Cuba, Iran and Sudan as countries we’re not allowed to trade with.
“Added to this the business moves at a very fast pace, where we can be asked to provide satellite capacity that’s up and running in a matter of days, but we can’t know each and every detail about the people requiring that satellite capacity.”
Managing this regulation is a mission-critical requirement for Intelsat – but one that has historically been a headache to comply with. Stearns explains that when he first joined in 2004, the company relied on manual means, including web searches, to check the provenance of customers. But in 2006, the company merged with video distribution satellite specialist PanAmSat in a $6.4 billion (£3.3 billion) deal that radically changed the sheer scale of its compliance requirements. Stearns adds that the events of 9/11 also changed the dynamics of its regulatory environment, adding to the burden. “We briefly considered building new capability in-house, but with tremendous effort on the part of IT,” he says. “So we decided to outsource.”
Intelsat now uses an enhanced restricted party screening (RPS) on-demand system from specialist vendor Management Dynamics. Stearns continues: “The Management Dynamics solution has allowed us to fully automate this manual time-consuming task, eliminating potential fines or penalties due to trading with denied parties and improving our overall efficiency.”
He adds that the RPS system’s ability to screen new customer requests in real time adds to the business benefit of compliance and has turned a potentially negative requirement into an operational positive. “It was useful for all of us [IT, the business and legal] to talk about processes and procedures when deploying the solution,” explains Stearns. “In this way, it was useful, for example, for the salespeople to know exactly what to do so that we weren’t chasing business that would get the company into any trouble.
“Before the RPS work [with Management Dynamics], we didn’t have such a sensitive system and so salespeople had very little feedback on how the company would feel about doing business with that entity – the work helped us better define corporate policy.”
Management Dynamics’ RPS On Demand integrates with any source enterprise system via XML to screen customers, suppliers and other trading partners against over 50 restricted party lists issued by governmental institutions worldwide, alerting users to potential non-compliance and providing a powerful workflow to resolve hits. The web-based system allows trade professionals to screen multiple parties to each transaction before goods are shipped or service contracts are signed, preventing illegal transactions with banned entities and trading partners and avoiding fines, penalties and sanctions.
“As a leader in technology with a multinational customer and supplier network, screening has become critical to safeguarding our business,” comments Stearns. “We selected Management Dynamics to assist us in keeping in full compliance with global export regulations because of its complete and up-to-date list coverage. But one of the additional benefits already realised with the PanAmSat merger was that we could inherit and fairly seamlessly integrate the two customer bases. And in some ways, the work we did to deploy the RPS solution has driven forward the way we do business. It’s better to get prospects in the system early and be able to keep better track of restricted party business.”
Stearns believes the key to the success of what was a compliance-driven exercise was the process-centric and collaborative view taken of the business to make sure it maximised its investment in the new Management Dynamics technology: “We foresaw the benefits, but I don’t think we realised it would be as useful a process or system as it has been.”
The example set by Intelsat and Stearns should give cause for optimism to any CIO who feels stuck between the rock of maintaining business as usual and the hard place of regulation and legislation. But the effects of such burdens do not discriminate between companies with global scale and reach and smaller, more locally based organisations.
A good example of a heavily regulated industry is the legal profession. Just as Intelsat’s satellite business has the potential to directly affect matters of international security, the law is probably one of the most heavily regulated professions the world over.
While email may seem to be the least of an international law firm’s worries, Taylor Wessing has recently managed to reduce the IT burden and strengthen its compliance with such regulations as the UK’s Data Protection Act by taking on email storage, archiving and management as Software-as-a-Service (SaaS), with archiving handled over a ten-year period.
Having proven, like Intelsat, that outsourcing to third-party experts could improve business processes and eliminate regulatory burdens in one fell swoop, the firm is upgrading to a ten-year service provision that will replace a specialist, internal archival server and extend the unified email management of all internal and external emails and systems used by the company’s 1,200 users in its UK, French, German and Belgian offices.
Tim Hyman, head of Taylor Wessing’s UK IT operations, explains: “The incumbent archival server was originally due to last for five years but – due to the magnitude and growth of email traffic – we have outgrown it in just two.”
He said that the new arrangement allows the law firm to “offload all the hassle of capacity planning for the next ten years without sacrificing any of the control, as we can search, retrieve and manage all emails for our desktops”. He added that the extension of archiving services validates the decision to outsource this mission-critical part of the business to specialist email SaaS provider, Mimecast, 18 months ago.
“No other vendor could offer the combination of email security with business continuity to deliver always-on email in a single solution,” he said. “Providing our clients with 24-hour continuous contact via email is fundamental to our business.”
Hyman adds that the email service has allowed staff to continue to rely on email as a mission-critical communication tool even during planned or unexpected power outages and server downtime. And Mimecast has also enabled the consolidation of storage, security and continuity requirements.
Another advantage of the ten-year service is that the firm now relies on Mimecast to capture all the forensic data around email transmissions that may be necessary as evidence admissible in court in the course of its legal work or to demonstrate regulatory compliance, which Hyman said has turned an administrative headache into a business benefit.
As the compliance landscape becomes more cluttered with regulation and legislation like the Markets in Financial Instruments Directive (MiFID), EuroSox and the Payment Card Industry Data Security Standard (PCI DSS), to name a few, every CIO would do well to heed the advice of Stearns and Hyman and procure IT to manage the burden, but in a way that can also provide long-lasting benefit to the business.