Flood of compliance tools coming

Sarbanes-Oxley and other high-compliance regulations are leading to a new product set: compliance tools. Ann Bednarz reports

Four vendors are to unveil products that do double duty: help companies monitor operational and system risks, and facilitate compliance with industry mandates such as the Sarbanes-Oxley Act.

Large companies are expected to dole out more money this year than last on IT products to automate key compliance tasks. PricewaterhouseCoopers surveyed executives at 131 US-based multinationals and found most want to improve how they use technology to remain compliant. In particular, respondents want technical assistance with SOX Section 404, which requires companies to attest to the effectiveness of the internal controls put in place to safeguard systems and processes related to financial reporting.

In the PricewaterhouseCoopers survey, 47% of executives said their company’s use of technology in support of Section 404 compliance was “satisfactory — with lots of room for improvement.” Just 38% said their company was doing a “great” or “effective” job with technology, and 10% said their technology efforts require major improvements.

Among all respondents, 75% expected to make significant technology changes in the second year of their SOX Section 404 compliance. Standing by are a slew of vendors with compliance software, including the four that are due to unveil products shortly: ArcSight, Axentis, LogicalApps and OpenPages.

ArcSight is unique among these four vendors in that its focus is on security information management. Its flagship, ArcSight Enterprise Security Manager (ESM) software, collects and analyses security data from devices such as intrusion-detection systems, firewalls, routers, switches and servers.

The tie-in to SOX compliance is that companies use ArcSight ESM to discover risks, correlate relevant security information and assess vulnerabilities — key parts of providing adequate internal controls.

To capitalise on compliance-related IT spending intentions, the vendor plans to unveil ArcSight Compliance Insight Packages, a new family of products that bundles preconfigured report templates, rules and dashboards, to help companies collect and review compliance-related data from log files.

The bigger risk picture

While ArcSight specialises in security log analysis, Axentis, LogicalApps and OpenPages operate in the broader compliance-management market, and each aims to help companies satisfy multiple mandates with a single framework.

Research shows that companies can save money by consolidating compliance efforts. Companies that choose individual solutions for each regulatory challenge they face will spend ten times more on IT products than those that take a sustainable, programmatic approach to compliance, according to Gartner Research.

Michael Rasmussen, a vice president at Forrester Research, warns companies to be wary of all-in-one corporate governance, financial compliance and enterprise risk management platforms, however.

There’s a legitimate need for companies to consolidate previously fragmented methods of keeping tabs on the many areas of corporate risk: financial, legal, compliance, operational and technology risks. But there’s no silver bullet for dealing with all of it, he says.

Rather, risk management and compliance initiatives require a combination of interconnected and complementary technologies, Rasmussen says. In a report published late last year, he identifies four combination products: enterprise risk management dashboards, which aggregate metrics; governance, risk and compliance platforms, which tackle documentation, assessment and analysis; applications that quantify financial risk; and niche applications that target specific areas of operational risk and control oversight.

OpenPages is aiming at the governance, risk and compliance category with its new product, which is designed to help companies identify, monitor and mitigate operational risk.

The OpenPages ORM suite layers monitoring and analysis tools on top of the vendor’s core collaboration, workflow, document management and publishing features. Dashboards and reports highlight key risk metrics, and business-process automation features can trigger notifications, if, for example, a process fails.

OpenPages ORM lets companies tackle risk management and SOX initiatives using a single system, says Patrick O’Brien, director of product management at OpenPages. “A lot of the work that gets done for SOX compliance — the analysing of internal control systems, and the documentation and testing of that — is exactly the same work that has to be done for the operational risk-management process,” O’Brien says. “You don’t want to do that work twice.”

LogicalApps is set to launch its Active Governance platform, which is designed to handle risk documentation, compliance operations and internal control automation.

The software embeds controls for enforcing regulatory mandates and business policies within ERP applications, so transactions are analysed for compliance as they occur, not after the fact, says Chris Capdevila, CEO of LogicalApps.

Axentis’ product is an application integration framework called Enterprise Integrator. The software is the vendor’s first attempt to package development work required to link enterprise applications to its flagship Axentis Enterprise suite, which is a hosted platform that combines workflow, reporting, security and content management features.

Axentis is developing Enterprise Integrator adapters for popular ERP systems, e-learning platforms, whistle-blower software for handling anonymous employee reports, and identity management products.
