The Future is Now – a posting from Jeff Jinnett
08 February 10 07:14 PM | AnnaVAubry | 0 Comments   

Chris Pratley of Microsoft Office Labs notes in one of his recent blogs:

“Last year we released a “productivity future vision” concept video called “A Glimpse Ahead…”, also popularly known as the 2019 video, although we’re not really that specific on timeframe. The video is based on work being done in labs and research groups across Microsoft and elsewhere, and while it is not an attempt to predict the actual future, it does try to paint a plausible future that could result if the various technologies and software concepts being developed are commercialized. The funny thing about making videos that showcase futuristic concepts is that when released, many people think they are unrealistic. Then as various products appear in the market that are similar to what’s in the video, the video shifts to being insufficiently visionary – i.e. lame. So we need to keep working on the vision pieces and taking the heat from the doubters. We’re already seeing products appear in the market that offer the location-based augmented reality shown in the airport scene in that video. [emphasis added]”


For readers who have not yet seen the video “A Glimpse Ahead”, it can be found here:


Ian Sands, the Microsoft Office Labs Envisioning Director, explains the technology shown in the video here:


A spin-off version on the Microsoft Office Labs site entitled “Future Vision Montage” portrays how the technologies showcased in “A Glimpse Ahead” could help companies increase worker productivity: see

Recently, I had the opportunity to work with teams from Microsoft partners Open Text and Adapx to narrate a concept video that builds well on the Microsoft Office Labs future vision videos. The Microsoft-Open Text-Adapx video is entitled “This is the Future” and shows how technology from Microsoft, Open Text and Adapx can work together to help companies use Adapx Capturx software and a digital pen to digitize handwriting and integrate the data directly into Microsoft SharePoint, with any official records being stored in the Open Text records repository. Once stored, the data and records can be accessed using multi-touch screens utilizing Windows 7 technology. Silverlight technology was used as well to create the user interfaces. The video can be found at:


Regulatory Oversight & Compliance of Blogs and Social Networking - Sai Sireesh
28 January 10 05:26 PM | AnnaVAubry | 0 Comments   

Recently there have been some interesting compliance-related developments from two self-regulatory bodies that have issued guidance on social networking compliance. With the increasingly popular adoption of social networking sites such as Facebook, Twitter and LinkedIn for business and personal communications, it is only natural that regulators and institutions are being forced to take a fresh look at the issues involved and provide some baseline guidance. In some cases they are also adopting these tools themselves, both to be ahead of the curve and to experience for themselves the issues involved. Good examples are the SEC's use of Twitter and NASDAQ's launch of a social network for the financial community to help members interact.

NFA - In December 2009, the self-regulatory body National Futures Association (NFA), in a letter to the Commodity Futures Trading Commission, set out some compliance restrictions on the use of social networking channels such as blogs, chatrooms, forums, Facebook and Twitter by its 4200 member financial firms and 55,000 associates. In NFA’s view, online social networking groups do have the potential to impact customers' decisions via unsubstantiated rumour spreading and intentional misrepresentations. NFA proposes strict supervision of the content and communications in this regard, and also mandatory disclosures for employees who may be participating in any related trading or financial communities.

FINRA - And on Tuesday, 26 January 2010, the US regulatory body FINRA (Financial Industry Regulatory Authority, Inc.), which oversees nearly 5000 brokerage firms and 633,00 registered representatives, issued guidance to securities firms and brokers on the use of social networking Web sites such as Facebook, Twitter and LinkedIn to communicate with the public. Based on a task force study and recommendation, FINRA issued this notice to guide firms on applying the communications rules to social media sites, such as blogs and social networking sites. At the same time, FINRA is seeking to interpret its rules in a flexible manner to allow firms to communicate with clients and investors using this new technology.

We expect more associations and regulatory bodies across many sectors globally to issue similar guidelines on the use of social networking sites. I look forward to your inputs and thoughts based on your own experiences. Stay tuned for more on this. Here's to more responsible blogging and social networking!

Analysis using "Pivot" - a preview by Jeff Jinnett
18 January 10 12:18 AM | AnnaVAubry | 0 Comments   

Microsoft Live Labs recently introduced a private-access beta version of the “Pivot” tool, leveraging Windows 7, the Internet Explorer rendering engine and Silverlight. Access to the Pivot tool can be requested at http://getpivot.com. Pivot is a multimedia search tool that is designed to create very large “collections” of objects from the World Wide Web and then permit the user to visualize hidden patterns within the collections.

Since Pivot is based on the Seadragon technology, the user can zoom in or out on images while retaining image detail.  Try Seadragon for yourself by clicking here:

Pivot enables the user to view the web as a web rather than as isolated pages. For example, a user can create a “collection” of Sports Illustrated covers and then sort them based on type of sport, team or other search criteria.

You can watch a demo by clicking here:

Although Pivot appears to have been primarily designed for consumer use to produce a richer Internet experience, some beta testers of Pivot have proposed that Pivot could have considerable value in the business intelligence space (e.g., to generate a mashup Pivot view of the Crunchbase database) and in the e-learning space. If these beta testers are correct, it might also be valuable to seek out potential applications of Pivot for creating large “collections” of risk and/or compliance data and then using Pivot to create better search visualizations of the hidden patterns within the data collections. Possible areas of interest could include:

• Analysis of business processes subject to HIPAA within “hybrid” entities, such as insurance companies marketing both life insurance and health insurance
• Analysis of security breach incident logs
• Analysis of portfolio assets subject to multi-agency regulatory oversight
• Analysis of counterparty risk profiles and data

Given the complexity and size of risk and compliance databases and the movement toward real-time analysis of risk data, Pivot could prove useful in rendering data more understandable from a visual point of view.  Check it out and let me know if you agree.

Microsoft’s Compliance and Risk Process Management Pack and IT Compliance Library - an update from Sai Sireesh
10 December 09 07:28 PM | AnnaVAubry | 0 Comments   

Last week was extremely exciting for our team. Our focus on simpler, faster and cost effective solutions got a boost.

Over the years, Microsoft has built a fairly large footprint in Risk Management and Compliance solutions technology. We work with a rich ecosystem of over 150 best-of-breed Risk Management and Compliance solution providers to offer their applications to clients on our platform. We also have a few thousand clients who have bet their Risk Management and Compliance blueprints on our end-to-end interoperable technology as their foundation.

But to make our end-to-end value proposition even stronger, last week Microsoft released its Compliance and Risk Process Management Pack and IT Compliance Management Library Beta. These latest offerings focus on the agility and automation pillars of our approach to Risk Management and Compliance solutions.

The Compliance and Risk Process Management Pack for System Center Service Manager 2010 helps provide end-to-end compliance management and automation for client and server computers. The IT Compliance Management Library (ITCML) is designed to help IT workers, managers, and partners configure Microsoft products to address specific IT GRC requirements. These solutions help customers understand and bind complex business objectives to their Microsoft infrastructure. This Beta release includes control activities and test automation for Windows Server® 2008, Windows Server 2008 R2, and Windows® 7.

Microsoft System Center Service Manager helps reduce costs and improve IT responsiveness through the power of its integrated platform. With built-in processes and workflow for incident and problem resolution, change control, and its configuration management database, Service Manager orchestrates activities and connects knowledge with System Center Operations Manager, System Center Configuration Manager, and Active Directory® Domain Services.

IT Compliance Management Library
The ITCML takes advantage of the ability of Microsoft System Center Service Manager to integrate with System Center Configuration Manager, System Center Operations Manager, and other systems to automate the monitoring, validation, and reporting of the compliance state of Microsoft products. This solution bridges the knowledge gap for IT professionals by translating auditor expectations into real IT tasks through the use of control activities that are specific to a particular technology or platform. The supplied control activities bind complex IT GRC requirements, stated as control objectives, to actual product configuration settings and events. System Center is then able to act as a GRC management and oversight solution for your organization.

The ITCML ships with several new features, including:
• Control activity libraries for Windows Server 2008, Windows Server 2008 R2, and Windows 7 that contain specific policy, technical, and configuration guidance
• IT Compliance DCM baselines for System Center Configuration Manager 2007 R2
• IT Compliance Management Packs for System Center Operations Manager 2007
• Test automation to automate the validation of control activities

These can be downloaded from microsoft.com/grc.

 

Visualization Challenge: Use of 3-D Virtual Environments to Portray GRC Issues - Jeff Jinnett
07 December 09 08:14 PM | AnnaVAubry | 0 Comments   

One challenge facing chief risk officers, chief compliance officers and other c-level officers of large, regulated companies is how to better understand the governance, risk and compliance (GRC) issues facing their companies. This can be an especially acute problem for conglomerates engaged in multiple lines of business (e.g., banking, securities and insurance) regulated on an international, U.S. federal and state basis. Although very sophisticated charts and graphs can now be created with Microsoft Excel and other available business tools, for very complex GRC scenarios it may become necessary to visualize them through the use of 3-D virtual environments.

For example, under the Health Insurance Portability and Accountability Act (HIPAA), health plans, health care clearinghouses and health care providers are deemed “covered entities” subject to the mandates of HIPAA. However, an insurance company that markets life insurance, property insurance and health insurance would be deemed a “hybrid” entity where only the health insurance operations would be subject to the requirements of HIPAA. The IT infrastructure supporting the company’s health insurance operations would be subject to the HIPAA Privacy Rule, one aspect of which requires the company to report on uses and disclosures of “protected health information” (“PHI”) relating to individual consumers. Thus, for the health insurance operations only, the company would need to track where PHI is maintained, used and disclosed for reporting purposes in order to protect the privacy and confidentiality of their customers’ health information.

Manufacturing companies routinely use CAD/CAM software to portray complex engineered items, such as engines. Such CAD/CAM software can display the engine in 3-D, permit the viewer to “explode” the engine in order to see its individual parts and even drill down for an individual part to the engineering information relating to the part (click here and here for examples). This CAD/CAM approach might prove useful to provide visualizations of the companies’ lines of business and the GRC issues relating to each line of business, such as which IT systems deal with PHI subject to the HIPAA Privacy Rule.

This approach can be further augmented by developing 3-D virtual environments to portray the business operations of a company and the GRC issues relating to each line of business. For example, HP has developed a “Virtual Environment Design Automation (VEDA)” software application that creates a 3-D virtual environment that is not static, but rather changes as the underlying data in the connected database changes. An HP white paper describing the VEDA technology shows the creation of an exhibition hall “environment” that can be used to show off HP technology in separate virtual “rooms”. One possible spinoff use of the VEDA technology would be a GRC environment, where each “room” would represent a different regulatory compliance issue. For example, one “room” could relate solely to legal mandates imposing risk assessment obligations on the target company (e.g., Basel II and the Sarbanes-Oxley Act). Another “room” would relate solely to legal mandates imposing IT privacy and security obligations on the target company (e.g., the EU Privacy Directive, HIPAA and the Gramm-Leach-Bliley Act). This prototype environment therefore could be used by corporate compliance teams as a tool for visually understanding their company's compliance “world” and to brief their Board of Directors on the company's compliance approach. In addition, within a “master room” contained in the 3-D virtual environment, the user could (i) “click” on a 3-D floating icon that represents the entire company and all of its lines of business from a hierarchical and/or business process point of view, (ii) “explode” the image to drill down to an individual line of business and then (iii) drill down further to view due diligence documents relating to the company's compliance with individual laws for that specific line of business. The 3-D image also could be mapped against the geographic regions impacted by the line of business operations.

Microsoft tools such as Silverlight, Photosynth and Deep Zoom may prove to be valuable in the future in the development of such a virtual 3-D GRC environment. The technology approaches depicted in Microsoft’s Productivity Future Vision video also could prove to be of relevance for realizing such a GRC 3-D virtual environment.

Jeff Jinnett invites your comments.

10 Steps for Effective Risk Management and Compliance - from the desk of Sai Sireesh
02 December 09 10:06 PM | AnnaVAubry | 0 Comments   

My 18 years' experience has taught me one thing - Risk Management and Compliance initiatives are by nature the most complex to execute. Due to the dynamic nature of the industry's needs, there are so many moving parts that it gets hard to keep up. Based on my experiences in over 20 global projects, I share my top 10 steps to execute effective Risk Management and Compliance projects, based on some of the best practices I have seen in the industry from some incredibly successful leaders.

  1. Maximize existing investments and capabilities 
  2. Familiarity - End user ease of use and familiarity for reduced cost of training
  3. Efficiency - Integrated offerings help in efficient workflows and processes
  4. Productivity - Save valuable hours for employees in everyday compliance tasks
  5. Last Mile - Embed last mile compliance workflow at everyday interface/desktop level
  6. Everyday activities - Embed solutions in employee regular daily activities so it becomes a habit 
  7. Self Service - Right information, right time in right format for end users – Teach them how to fish
  8. Rich ecosystem of best of breed solution providers – One size does not fit all
  9. Total Cost of Ownership - Always follow the money
  10. Rapid deployment - Quick and easy deployment for fast track projects - Get quick wins first

Do you agree?

Federal Preemption in the Area of Data Security Breach Laws - an update from Jeff Jinnett
26 October 09 08:10 PM | AnnaVAubry | 0 Comments   

As we have noted in previous postings on this weblog, there appears to be an increasing trend toward the federalization of regulatory areas impacting the financial services industry. Thus, the legislation to create a new Consumer Financial Protection Agency (CFPA), which passed out of the House Financial Services Committee on October 22, 2009, includes a provision to preempt contrary state laws under certain circumstances, such as where the state laws would significantly interfere with a national bank’s ability to do business. In the area of data security breach laws, a similar trend appears to be emerging.

With respect to the obligation to make disclosures to the individuals whose personal information was not kept confidential, over 45 states have enacted data security breach laws that require such a disclosure. The California data security breach notification law (SB 1386), which was one of the first state data breach security laws, requires “a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." An important exception to the requirement to notify of a data breach under the California law (and various other state laws) is if the personally identifiable information was encrypted. This is an example of how critical information technology can be, either to complying with a new law or to securing an exemption from it.

In addition to these state laws, there are a number of U.S. federal laws that impose disclosure obligations on specific types of regulated companies. For example, public companies filing with the U.S. Securities and Exchange Commission (SEC) have an obligation under Regulation S-K to disclose to shareholders information that materially and negatively impacts the company, such as a material impairment to the goodwill of the company. This type of disclosure would normally be made in a Form 8-K, but could also be required to be made in the annual report on Form 10-K. For example, during the Y2K years, the SEC required public companies to describe their potential risks from the Y2K problem and their ongoing Y2K programs, if the Y2K risk was deemed to be a material risk for the companies (see http://www.sec.gov/interps/legal/slbcf5.htm). The SEC also has proposed an amendment to Regulation S-P affecting companies subject to the Gramm-Leach-Bliley Act that would impose additional disclosure obligations in the case of loss of consumer private information. As interpreted by one law firm:

“[F]irms must establish procedures to provide prompt notice to affected individuals if a data security breach has occurred or is reasonably possible. The Commission did not provide guidance on what is meant by ‘reasonably possible’ but is seeking comment to determine if this threshold for notice is appropriate or whether there should be an alternative threshold for notice. The Commission indicated that it did not want to trigger notice ‘in every instance of unauthorized access or use, such as if an employee accidentally opened and quickly closed an electronic account record,’ because otherwise ‘individuals could receive an excessive number of data breach notifications and become desensitized to incidents that pose a real risk of identity theft.’  If a data security breach results in substantial harm or inconvenience to an individual or an unauthorized person has intentionally obtained access to or used sensitive personal information, notice must also be provided to the Commission (or, for certain broker-dealers, their designated examining authority). The Commission believes this trigger for regulatory notice will conserve ‘administrative resources by allowing minor incidents to be addressed in a way that is commensurate with the risk they present’.” (See http://www.bingham.com/Media.aspx?MediaID=6636)

There are also certain U.S. federal laws that require notification in the event of a breach of personally identifiable health information, such as the HITECH Act. The HITECH Act’s notification requirements for breaches of unsecured protected health information apply to entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), their business associates, and non-HIPAA-covered vendors of personal health records (PHR). To constitute a breach, the acquisition, use, access or disclosure of the PHI must compromise the security or privacy of such information. The U.S. Department of Health and Human Services (DHHS) has issued guidance that lists technologies and methodologies that secure information, rendering the data unusable, unreadable, or indecipherable. If PHI is secured according to the DHHS guidance, unauthorized access to such information will not trigger the HITECH breach notification requirements. It should be noted, however, that such breaches may still be subject to state law notification mandates.

Over the past few years, the U.S. Congress has considered a number of bills that would create a federal data security breach law that would preempt contrary state laws. For example, on April 30, 2009, Representative Bobby Rush (D-Ill) introduced H.R. 2221, the Data Accountability and Trust Act. The “Data Accountability and Trust Act” would implement uniform federal breach notification requirements and preempt the various state laws requiring notification.

Data security breach laws are an example of the need for regulated companies to become adept at understanding the intersection between U.S. federal and state laws and regulations and the information technologies that can help them confirm compliance and/or exemption from coverage with respect to such mandates.

Sai Sireesh: Australian secret sauce for managing risk sprinkled with APRA’s Meta Regulation!
08 October 09 08:13 PM | AnnaVAubry | 0 Comments   

I was fortunate enough to have short work stints in Australia (both Sydney and Melbourne), a beautiful country with its free spirited fun loving sporty population.

I continue to be amazed at the sophistication and depth of their financial markets. There is also a lot of cross pollination of global markets expertise, ideas and world class talent between London and Sydney.

Their regulators RBA, ASIC, APRA and ACCC are amongst the most proactive and knowledgeable in the world. Australia’s top 4 financial groups - Commonwealth Bank of Australia (CBA), Westpac, Macquarie and National Australia Bank (NAB) - rank amongst the top banks globally. Despite the crisis all round in banks globally, all of these Australian institutions remain profitable, well capitalized and well managed. The Australian banking sector’s profit margin is robust. At 1.3% of assets, Australian banks’ profit ratio sits in the middle-to-upper range on the international league table.

So what is Australia’s secret sauce?

Some of the key ingredients are:

  • Mortgage Discipline: Securitization in lending is an Australian practice too. But banks in Australia did not adopt the US banking mortgage business model of originate-to-distribute. They act more as intermediaries with a balanced risk and reward equation. Also, Australian financial institutions had relatively little exposure to complex structured instruments collateralised by US sub-prime mortgages.
  • Too Strong to Fail & 4 Pillar Policy: Australia's small number of banks are extremely large relative to the size of its economy. There is a 4 pillars legislative policy that maintains the separation of the four largest banks in Australia by disallowing their merger with, or acquisition by, any of the other four banks. This is both a handicap and an asset. But as a result the banks have also been able to withstand the takeover pressures that other banks around the world face. And all these banks have adopted fairly robust risk management cultures, prompted by tight regulations. Australia was one of the first countries to adopt and achieve Basel II compliance for its banks. With higher capital adequacy norms, healthy capital buffers have also been a critical confidence factor for the banks.
  • Credit Assessment Standards for 3rd Party Loan Origination: For example, banks can use third party loan originators. But banks must ensure that the originator applies the same credit assessment standards as the bank’s own. Also, banks must monitor and audit loans being originated via third parties for on-going compliance with their lending criteria. Additionally, banks can also include, as a best practice, a risk-based component in the fees they pay for broker-originated loans.
  • Higher Capital Charges for Sub-prime Lending: There have been significantly higher capital charges for “low-documentation” loans since 2004. APRA has adopted higher capital adequacy norms than most countries.
  • APRA’s Meta Regulation Approach: APRA adopts a ‘risk-based’ approach to regulation. Its focus is to empower banks and ensure that they embed sound risk management practices deeply across their organizational DNA. Some academics refer to this method as “meta-regulation”.

This is backed up by risk assessments of the bank to check internal risk management processes, and direct intervention for improvements. Australia has four government agencies overseeing the financial system, namely the ACCC (Australian Competition and Consumer Commission), ASIC (Australian Securities & Investments Commission), APRA (Australian Prudential Regulation Authority) and the RBA. There is a “twin peaks” model with APRA as the prudential regulator and ASIC as the market conduct regulator.

 

Ozzie..Ozzie..Ozzie..oye..oye..oye!

(a popular cheering cry in activities, sports etc.)

 

 

---------------------------------------------------------------------- 

Sources: My own personal experiences; APRA speeches 2009: David Lewis, GM, March 2009; John Laker, Chairman, Aug 2009;

----------------------------------------------------------------------

Sai Sireesh is Director of Risk Management & Compliance Strategy & Solutions, Worldwide Financial Services for the Microsoft Corporation. Mr. Sireesh has over 18 years of global experience across Risk and Compliance Consulting, Financial sector Strategy and blueprints execution. He has worked in North America, Australia, Singapore, Malaysia, Philippines, Thailand, Indonesia and India, is a regular contributor to the Journal of Regulation & Risk, and has authored several global research studies and articles.

 

Jeff Jinnett: The Nimble Approach to Compliance: Multi-Purpose IT Solutions and “Nexialist” Compliance Attorneys
04 October 09 07:58 PM | AnnaVAubry | 0 Comments   

Regulatory compliance has become an increasingly costly burden. For example, SIFMA has estimated that the U.S. securities industry in 2004 spent $23.2 billion on compliance-related activities (1). In addition, regulatory mandates have become more intrusive in their application to how business is conducted. In response to corporate scandals such as Enron, the mandates have shifted from regulating the final work product to be produced for regulatory review, such as the enterprise’s financial statements, to also regulating the process by which the final work product is produced. This principle is clearly evident in Section 404 of the Sarbanes-Oxley Act (“SOX”) (2). Section 404 requires corporate management to prepare a report on their internal controls and disclosure and their analysis as to the effectiveness of the internal controls in producing reliable financial statements for the corporation. As part of the Section 404 requirement, management must identify the internal controls framework on which the internal controls are based (e.g., the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework). Management also must obtain an attestation from an independent auditor as to the sufficiency of their internal controls.

Additional requirements in the areas of compliance training and oversight, stretching from the worker's desktop to the boardroom, have led to the realization that an effective compliance program must be enterprise-wide. For example, Section 301 of SOX requires the Audit Committee of the board to oversee the "Internal Control Report" prepared by management pursuant to Section 404, and to establish procedures to accept complaints regarding internal controls and auditing issues from employees on an anonymous basis. In an attempt to institutionalize a more rigorous and open approach to financial documentation, disclosure, reporting and compliance, Section 406 of SOX requires issuers to adopt a "Code of Ethics" for their senior financial officers.

Increasing the regulatory pressure, the frequency with which important mandates are being issued has grown over the past few years. Further, reporting deadlines also have been shortened. For example, under Section 409 of SOX, issuers must publicly disclose "on a rapid and current basis" any "additional information concerning material changes in the financial condition or operations" of the company. In order to implement this SOX provision, the U.S. Securities and Exchange Commission shortened the period within which a Form 8-K “Current Report” must be filed to four business days. Four day reporting periods can pose a serious problem for companies with data contained in a multitude of repositories supported by multiple IT platforms. This environment can result in the time-consuming need to conform data before consolidation into one master data set for reporting purposes.

One consulting study estimated that a likely allocation of industry compliance budgets is as follows: (a) 55% for staffing, (b) 15% for IT, (c) 12% for training, (d) 10% for external counsel, and (e) 8% for auditing and monitoring. The study’s formula makes it clear that the majority of compliance cost (67%) results from training and staffing, rather than from IT and other costs. This suggests that enterprise-wide standardization on multipurpose, reusable IT solutions requiring less training and smaller staffs to implement and maintain could help to improve compliance personnel collaboration and reduce total compliance costs. It could also help companies more effectively accomplish the goal of establishing an enterprise-wide compliance program that can (a) identify and apply controls to the business processes resulting in regulated work output and (b) meet shortened reporting deadlines.

Technology alone, however, cannot accomplish these goals. Success will depend also on compliance attorneys becoming more IT-savvy and less dependent on compliance “point solutions”. Compliance traditionally has been of concern to attorneys who tended to be specialists in fields of law, such as healthcare, banking and securities law. Accordingly, the compliance teams formed on a law-by-law basis would have healthcare lawyers on the HIPAA team, banking lawyers on the Basel II team and securities lawyers on the SEC Rule 17a-4 team. Since the healthcare lawyers on the HIPAA compliance team would not consider themselves to be experts on banking or securities laws, they typically would not communicate with the Basel II and SEC Rule 17a-4 teams. This law-by-law approach naturally leads to a "silo" approach to compliance, where each team would work with its own budget and team members to identify their own unique compliance solutions. They also would maintain their own compliance documents, produce their own unique compliance reports and would report separately to top management and the board on their individual compliance efforts.

This legal compliance regime will need to change in order for large corporate enterprises to move toward a more nimble, “holistic” approach to compliance utilizing multi-purpose IT compliance solutions. In the classic science fiction novel The Voyage of the Space Beagle (3), the author A.E. Van Vogt described a scientist called a “Nexialist”. The Nexialist was trained to understand all of the fields of science – chemistry, physics, biology, etc. – and to find solutions to problems based on connections between scientific fields. The common definition of a “Nexialist” is “one skilled in the science of joining together in an orderly fashion the knowledge of one field of learning with that of other fields". Compliance attorneys need to become legal “Nexialists” in order to help develop multi-purpose IT solutions, by recognizing the commonalities that run through seemingly disparate legal mandates. For example, instead of developing or buying twenty different encryption tools for a variety of privacy and security mandates applicable to the enterprise’s banking, healthcare, securities and insurance businesses, the “Nexialist” compliance attorney could help identify a smaller set of encryption tools that can be multi-purpose and reusable across multiple regulatory mandates.
____________________________________________

(1) See http://www.sifma.org/research/surveys/pdf/CostofComplianceSurveyReport.pdf
(2) See http://www.sec.gov/about/laws/soa2002.pdf
(3) See, e.g., http://www.amazon.com/VOYAGE-SPACE-BEAGLE-Vogt-vogt/dp/0020259905

____________________________________________

Jeff Jinnett is Governance, Risk Management & Compliance Industry Market Development Manager, US Financial Services Group, for Microsoft Corporation. Mr. Jinnett is a former partner of the international law firm of LeBoeuf, Lamb, Greene & MacRae, LLP (now Dewey & LeBoeuf) and has experience in advising Fortune 500 companies in the financial services industry on the use of technology to support corporate governance, risk management and compliance programs. Mr. Jinnett has testified as an expert before committees of the US Senate on issues relating to the intersection of law and technology. He is a member of ARMA (a records and information management professional association) and the Society of Corporate Compliance & Ethics (SCCE).

Susan Hauser, VP of Microsoft Financial Services, on New Challenges in Risk Management and Compliance
26 September 09 10:17 PM | AnnaVAubry | 0 Comments   

As the global economic crisis rumbles on, financial firms of all kinds anticipate an overhaul of risk management and regulatory frameworks. I asked Microsoft’s global head of Financial Services, Susan Hauser, for her views:

Sai: Susan, as the global head of Microsoft Financial Services, what has the past year meant for financial firms in terms of risk management and compliance?

Susan: Over the past 12-18 months, we’ve seen major changes in the organisational structure of many financial institutions, as well as the products they offer. Mergers and government bailouts are only part of the story. As banks try to ensure their survival, we’ve seen a more cautious attitude to lending and measures – such as interest rate cuts – aimed at stimulating the credit markets. Through all of this, banks are both recognising past failures and facing new challenges in governance, risk management and compliance.

It remains to be seen how the regulatory landscape will develop – will it go to a more light-touch, supervisory mode, or a heavier-touch, regulation-driven model? While there are some trends towards the latter, the picture is not yet clear. However, one thing is obvious: risk management is more crucial than ever to financial organisations, and failing to deal with it is not an option.

Sai: In your interactions with financial firms around the world, what are you hearing from clients about their expectations and concerns in this area?

Susan: Many financial firms are trying to understand how they can enhance their risk management capabilities, keep up with all the regulatory changes, and review proposed new changes, while at the same time ensuring their survival in the aftermath of the current financial crisis. In such an uncertain situation, nobody can say that this will be easy – a fact that is reflected in the predictions of analysts like Tower Group that despite pressure on budgets, risk management will be a key area for IT spending among financial firms this year. However, while the issues might demand some investment, there are steps that businesses can take to minimise the cost and complexity of their risk management environment while maximising its effectiveness.

Sai: What advice would you give to firms considering a risk management and compliance project?

Susan: In risk management, context is key – it might take somebody who works with certain tools on a day-to-day basis to recognise that something is amiss, while a manager looking at a set of figures might see nothing out of the ordinary. That gives all the more reason to take a holistic and inclusive approach to risk management and compliance, rather than boxing it off as a separate function – risk affects every part of the business, so risk management should be intrinsic to every function.

For this reason it’s a good idea to take a step back and look at how risk management and compliance practices need to work across the organisation, as part of everyday operations. This in turn can lead to a realisation of how your existing technologies can be used to address risk management and compliance issues – a practice that can help to minimise complexity, as well as IT spend.

Susan: Microsoft’s focus is to help its customers enhance and execute their vision for an integrated risk management and compliance culture and environment. It does so by adopting a people-ready business approach based on five principles: simplify and automate adoption so that employees can be more productive; embed risk management best practices in everyday activities; enhance risk analytics and computing and unlock data; manage risk across structured and unstructured business information; and define long-term sustainable risk management and compliance blueprints. This helps financial institutions execute their long-term risk management and compliance vision and blueprints.

Sai: How do you see firms making the best use of existing technologies in this area?

Susan: By using service-oriented architecture (SOA) based technologies that are familiar to users, financial firms can go a long way to ensuring a solid risk management and compliance environment. New risks and regulations are bound to emerge, but basing the system on SOA will enable it to be continuously updated with new applications as regulatory and business demands evolve. We have seen an increasing adoption of Microsoft Office SharePoint Server 2007 (MOSS) for enterprise and operational risk management frameworks. We see this increasing with the risk and compliance capabilities in the 2010 wave offerings, which include Exchange 2010, Office 2010, SharePoint 2010, System Center and Windows 7.

Susan: For Bank of America, one of the world’s leading financial institutions, compliance with international financial regulations is of vital importance, and the recent global Basel II Accord regulation, required for implementation by US banks by 2011, resulted in the bank’s creation of a portal solution based on MOSS this past year. Developed and deployed in just four months, the risk and control self-assessment solution collects data associated with operational risk from employees and compiles it so as to accurately measure operational risk at an enterprise level. Some 1,500 Bank of America employees across 200 organisational units use the portal solution to access data on 1,800 key operational risks. About 800 of those risks are reported as part of the bank’s enterprise risk and control assessment, as required by the Basel II Accord. The bank has enjoyed significant benefits from the solution, which include efficient development and deployment; a powerful way of assessing trends; and an easier approach to risk mitigation.

Susan: Microsoft works with a wide array of partners across the world, many of them financial sector specialists. These partners deliver solutions that take advantage of strong infrastructure and reusable business components while using enterprise-ready technologies. I am also happy to see that our team, comprised of leading experts like Jeff Jinnett and you, Sai, is driving efforts to embed more risk management and compliance related functions and capabilities in our technology offerings and customer blueprints. For example, our recently released IT Compliance Management Guide and IT Compliance Management Resources Workbook can help companies view their compliance obligations in the context of authority documents such as Sarbanes-Oxley, enabling them to assess their risk management and compliance needs and address them by implementing controls within their Microsoft infrastructure.

Sai: Thanks for your thoughts, Susan. I am also excited to announce that we have commissioned a global study on the Future State of Risk Management, with Professional Risk Managers International Association (http://prmia.org/). The study will be released in November 2009.

Note: The IT Compliance Management Guide is free to download at: www.microsoft.com/solutionaccelerators

- - - - - - - - - - - - - - - - - - - - -

Susan Hauser is Vice President, Worldwide Financial Services group at Microsoft.

Susan began working for Microsoft in 1997, focusing on banks in New York City, and was responsible for wins in which retail bank branch platforms were deployed on Windows NT, thus establishing Microsoft as a key player/provider within financial services. In 2000, she assumed the role of financial services director for the East Region in the US, where she managed strategy, operations, and key relationships with strategic financial services customers across all financial services firms in the region.

Sai Sireesh is Director of Risk Management & Compliance Strategy & Solutions, Worldwide Financial Services for the Microsoft Corporation. Mr. Sireesh has over 18 years of global experience across Risk and Compliance Consulting, Financial sector Strategy and blueprints execution. He has worked in North America, Australia, Singapore, Malaysia, Philippines, Thailand, Indonesia and India, is a regular contributor to the Journal of Regulation & Risk, and has authored several global research studies and articles.


Jeff Jinnett: The Catch-22 of Record Retention
19 September 09 07:41 PM | AnnaVAubry | 0 Comments   

At the heart of the record retention challenge is the difficult question as to what types of documents to maintain for compliance purposes and how long to maintain them. In certain cases, applicable laws and regulations specify the types of documents to retain and the length of time to retain them. For example, for purposes of electronic records maintained in a company’s role as a taxpayer, IRS Revenue Procedure 98-25 serves as a useful guide to the IRS’s document retention expectations. In addition, IRS Revenue Procedure 97-22 provides guidance for taxpayers who maintain books and records in the form of electronic storage [1].

The significant cost of maintaining records has motivated many companies to aggressively discard documents that are not expressly required to be maintained under applicable laws or required to be held for production in pending litigation. Indeed, if a company were to retain all of its documents, the cost of searching, identifying and producing documents in a particular lawsuit might become so expensive that the company would be forced to settle the case rather than incur the expense of discovery [2]. Certainly there is support for this position. Guideline Three of the Sedona Principles [3] states that an organization need not retain all electronic information ever generated or received. Also, Rule 37(e) of the U.S. Federal Rules of Civil Procedure [4] creates a safe harbor providing that sanctions will not be imposed on a producing party for “failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system”.

On the other hand, if a company adopts a “just barely compliant” approach to record retention, it runs the risk of being accused of spoliation or deliberately destroying documents in an effort to impede regulatory investigations or discovery in a lawsuit. While current case law is trending against requiring companies to maintain records merely on the speculation that they might be relevant for some unknown future litigation, companies still are required to maintain documents that are the subject of investigations that are pending or that the company knew or should have known were imminent [5].

A catch-22 therefore faces many companies: if they retain too few documents, they may end up failing to retain key documents needed for regulatory audits or for production in litigation. This could result in the company being sanctioned by the regulator or by the courts. On the other hand, if the company retains all of its documents, the cost of retention may become exorbitant and the company may end up retaining documents that could hurt it in the course of a regulatory audit or in litigation. Clearly, a balance needs to be struck between keeping either too few or too many documents.

Further, the retention and archival of documents should be done in such a way that the company avoids the use of multiple repositories and data formats, to the extent possible, in order to simplify and speed up the identification and retrieval of documents for audit and litigation purposes. A current trend in regulatory compliance is the imposition of increasingly shortened reporting deadlines. For example, Section 409 of the Sarbanes-Oxley Act [6] requires public companies to disclose information on material changes in the financial condition or operations of the companies on a rapid and current basis. The SEC has implemented this Sarbanes-Oxley Act requirement, by, among other things, requiring that current reports on Form 8-K must be filed within four business days. Segregating current, live data from older, stale information to reduce the size of data repositories that must be searched for purposes of reporting and become subject to automatic production requirements in litigation can help to reduce the burden on companies.

In addition, in the process of crafting a new records retention approach or re-examining an existing records retention policy, companies should keep in mind recent trends in compliance. One key trend is that regulators tend to set standards of compliance, but are reluctant to specify what technologies and methodologies would be acceptable to achieve the mandated standards. For example, when states began enacting electronic signatures and records laws, a number of them also described digital signature technologies that would produce electronic signatures conforming to the state law’s requirements. When the federal government enacted the ESign [7] law, it prohibited states from specifying conforming technologies [8]. On the one hand, this regulatory approach gives companies a great deal of discretion in deciding how best to meet regulatory compliance challenges. On the other hand, this approach can give a company just enough rope to hang itself if it makes poor technology choices.

In conclusion, companies today face a risk in connection with their records management approach of either keeping too many documents and potentially handing an investigator or plaintiff a “smoking gun”, or keeping too few documents and having a court impose sanctions on the company for alleged spoliation of evidence. There is no “one size fits all” solution to this catch-22 dilemma. Companies need to map applicable laws, standards and best practices against their business operations and implement a records retention policy that can be defended in the event of an investigation or litigation. In addition, the company’s approach needs to take into account the capabilities of the company’s employees and the IT infrastructure in place. Ultimately, this process will only be successful if it results from a combination of the right personnel, an accurate mapping against the processes of the company and effective and scalable technology that is suited to the company’s operational environment.

________________________________________

[1] See, e.g., http://www.uiowa.edu/~fusrmp/irsprocedures.html.
[2] See, e.g., http://www.du.edu/legalinstitute/news/Focus_Reprint.pdf.
[3] See http://www.thesedonaconference.com/content/miscFiles/Guidelines.pdf.
[4] See http://www.law.cornell.edu/rules/frcp/Rule37.htm.
[5] See, e.g., http://www.mass.gov/obcbbo/eve.htm.
[6] See http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&docid=f:h3763enr.txt.pdf.
[7] See Section 102(a)(2)(A)(ii) of the “Electronic Signatures in Global and National Commerce Act (ESign)”, located at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=106_cong_public_laws&docid=f:publ229.106.pdf.
[8] See, e.g., http://www.thelenreid.com/index.cfm?section=articles&function=ViewArticle&articleID=1388&filter=.
__________________________________________

Jeff Jinnett is Governance, Risk Management & Compliance Industry Market Development Manager, US Financial Services Group, for Microsoft Corporation. Mr. Jinnett is a former partner of the international law firm of LeBoeuf, Lamb, Greene & MacRae, LLP (now Dewey & LeBoeuf) and has experience in advising Fortune 500 companies in the financial services industry on the use of technology to support corporate governance, risk management and compliance programs. Mr. Jinnett has testified as an expert before committees of the US Senate on issues relating to the intersection of law and technology. He is a member of ARMA (a records and information management professional association) and the Society of Corporate Compliance & Ethics (SCCE).


Sai Sireesh: The Spanish Approach to Risk Management!
13 September 09 08:28 PM | AnnaVAubry | 0 Comments   

As a major European economy, Spain’s banking sector has fared relatively well in the international financial crisis. Both Banco Bilbao Vizcaya Argentaria (BBVA) and Banco Santander (BS), amongst the largest banks in the world, have done relatively well compared to their peers. With very few banks needing capital infusion and government hand-holding, Spanish banks have done quite well in past years, fueled by a real estate boom. Of course, as real estate has declined over the past two years and the economy is in recession, many banks do have heavy exposures to the real estate sector and are saddled with a rising rate of bad loans. The government is stepping up with a fund of up to €90 billion (US$125.46 billion) to help banks restructure and cope with the effects of recession.

However, the relatively better performance of Spanish banks is still commendable and can be attributed to the following key factors:

  1. Strict Financial Regulation Environment enforced by the Bank of Spain (Banco de Espana)
  2. More Prudent Trading and Risk Management practices
  3. Dynamic Capital Provisioning – Banks forced to set aside provisions during an economic boom fueled by construction and consumer spending
  4. Loan Loss Provisioning – Spanish banks have higher loan-loss provisions than many of their foreign counterparts because of the way Banco de Espana set reserve requirements
  5. Traditional Banking Focus – Most banks focus on traditional retail banking business and are less enamored of exotic business lines and products
  6. Spanish Approach to Securitization – Used more for funding purposes than as the most common risk transfer mechanism
  7. Strict Treatment of Off-Balance-Sheet Items – All instruments need to be reflected in balance sheets, i.e. no structured products are treated as off-balance-sheet items
  8. Strong On-site Supervision
  9. Different Capital Requirements for Mortgage Loans depending on their loan-to-value ratios

In many countries across the world, banks are required to increase reserves as losses increase and allowed to decrease reserves as profits rise. This setup increases bank lending during economic boom periods and decreases lending activity during downturns, a cyclical tendency.

Banco de Espana sets reserves based on a weighted average of a bank’s assets, with the weights determined by past default frequencies for different asset classes. The hypothesis is that historical default frequencies will accurately reflect the reserves needed going forward. This presumes that the historical record provides a good indication for distinguishing between cyclical and more permanent components of loan performance.

We already see many countries starting to look at dynamic provisioning as a best practice. Of course, the issue of dynamic provisioning and its compatibility with IFRS needs to be handled. Here again the Bank of Spain has led the way in finding common ground in terms of accounting standards.

So hats off to Spain for showing the way for prudent banking via solid commonsense risk management!

-------------------------------------------------------------------------------

Sources & Acknowledgements: BBVA Economic Research Working Paper, Feb 2009 – "Dynamic Provisioning and other tools"; Banco De Espana; Financial Times; Financial Week.

_____________________________________________

Sai Sireesh is Director of Risk Management & Compliance Strategy & Solutions, Worldwide Financial Services for the Microsoft Corporation. Mr. Sireesh has over 18 years of global experience across Risk and Compliance Consulting, Financial sector Strategy and blueprints execution. He has worked in North America, Australia, Singapore, Malaysia, Philippines, Thailand, Indonesia and India, is a regular contributor to the Journal of Regulation & Risk, and has authored several global research studies and articles.

Jeff Jinnett: Value of an IT Security Due Diligence Document/Risk Mitigation Plan
31 August 09 05:25 PM | AnnaVAubry | 0 Comments   

If a company were ever asked to describe its IT security program, the company likely would have to bring in numerous staffers from the IT department and refer to reams of documents to present a full picture of the company’s IT security approach.  The need to be able to describe the company’s IT security program in layperson’s terms, without having to resort to a series of technical interviews of IT team members, could arise if the company is sued as a result of a data security breach and has to describe its IT security program to a jury.  It also could be necessary if regulators, board directors, bank lenders, outside accountants, insurance underwriters, or other critical third parties meet with the company and seek information about its IT security program. 

A due diligence document summarizing the company’s IT program could be very helpful in this situation, since it could be prepared based on interviews with key IT department members and a review of relevant documents.  The due diligence document would be designed to make the company’s IT security approach as clear and understandable as possible.  Rather than being prepared to be an attorney-client privileged document, the summary due diligence report would be designed to be disclosed.  In addition, in the course of finalizing the summary due diligence record, the company would in effect be creating a “risk mitigation plan” for the program, since the process of interviewing project team members and reviewing documents would force the company to step back and look at its overall program from the view of a third party.

In addition to providing a “30,000-foot view” of the company’s IT security approach, the risk mitigation plan (RMP) could include references to industry standards, private sector white papers, public sector directives, and other third-party “best practice” guidelines the company believes match portions of its IT security approach.  For example, the company could obtain a HIPAA[1] Security Accreditation from URAC[2] and cite this as an “external validator” of the company’s IT Security approach. The URAC HIPAA Security Accreditation[3] can be applied for by any company having to deal with “protected health information”, such as a HIPAA “Business Associate”, not just by healthcare companies.  Since HIPAA is arguably the most stringent U.S. Federal IT standard for the private sector, evidence of compliance with the HIPAA Security Rule[4] could be helpful in validating the strength of a company’s IT security program.

Alternatively, the company might have an outside consultant review the IT security methodology used by the company and have the consultant write a report stating that the company’s methodology is substantially similar to the consultant’s own methodology, which the consultant has used for comparable companies.  By creating the RMP and attempting to find “external validators” for each of the key IT security program documents, the company is forced to think in terms of how best to defend its IT security decisions as meeting best practices to the extent known at the time. 

The drafting of an IT Security RMP also enables the company to see where its IT security program may be subject to attack in litigation as not matching industry standard practices. This gives the company time to locate a potential expert witness who could support the company’s deviation from the industry norm as reasonable in light of the company’s circumstances. Since the preparation of the document requires interviewing the key IT department members to debrief them on their understanding of the IT security program, it also will give the company and its in-house and outside counsel the opportunity to determine which IT department members would make the best witnesses to testify on behalf of the company should it become involved in litigation. The company also could seek to introduce the RMP into evidence at the outset of the company’s defense as a pre-existing business record kept in the normal course of business [5]. The RMP could help to persuade the jury that the defendant company was not guilty of gross negligence or willful misconduct, so as to avoid the imposition of punitive damages.

Although readers of this blog may think that the effort required to create the IT security RMP only makes sense for a Fortune 500 company with a large IT security program, it could also be helpful for small and medium-sized companies. This is because business partners may begin to worry about the IT security-readiness of their smaller business partners. If a small or medium-sized company cannot convince its business partners that it has a good IT security program in place, it might lose its business partners to a larger competitor due to the business partner’s “flight to quality.” If the smaller company had created an IT Security RMP, it could disclose that document (subject to appropriate confidentiality agreements) to the business partners in order to reassure them and preserve the relationship.

____________________________________

[1] Health Insurance Portability and Accountability Act (HIPAA): see http://aspe.hhs.gov/admnsimp
[2] URAC is a healthcare accreditation organization: see http://www.urac.org.
[3] See http://www.urac.org/programs/prog_accred_HIPAAS_po.aspx.
[4] See http://www.cms.hhs.gov/SecurityStandard/02_Regulations.asp#TopOfPage.
[5] This is relevant for admitting evidence under the business records exception to the hearsay rule under U.S. Federal Rules of Evidence, Rule 803(6): see http://www.law.cornell.edu/rules/fre/rules.htm#Rule803.

_____________________________________ 

Jeff Jinnett is Governance, Risk Management & Compliance Industry Market Development Manager, US Financial Services Group, for Microsoft Corporation. Mr. Jinnett is a former partner of the international law firm of LeBoeuf, Lamb, Greene & MacRae, LLP (now Dewey & LeBoeuf) and has experience in advising Fortune 500 companies in the financial services industry on the use of technology to support corporate governance, risk management and compliance programs. Mr. Jinnett has testified as an expert before committees of the US Senate on issues relating to the intersection of law and technology. He is a member of ARMA (a records and information management professional association) and the Society of Corporate Compliance & Ethics (SCCE).

Sai Sireesh: Insurance Supervision - The Future
26 August 09 06:24 PM | AnnaVAubry | 0 Comments   

Whilst there is a lot of focus on banking, the insurance sector is also witnessing a wave of regulatory changes, especially around cross-border exposures. So I did some quick research on the world of insurance supervision.

Devoid of dramatics, the Basel, Switzerland based IAIS (International Association of Insurance Supervisors) has been quietly driving adoption of enhanced regulatory and risk management best practices. IAIS represents insurance supervisors of around 190 jurisdictions in nearly 140 countries. The IAIS issues global insurance principles, standards and guidance papers, provides training and support on issues related to insurance supervision and works closely with other international institutions to promote financial stability. During the Jul-Aug 2009 timeframe, IAIS reaffirmed a number of actions being taken to reinforce insurance regulation and improve the resilience of the global insurance sector against new challenges. Some of the broad actions are:

• Developing guidance on the use of supervisory colleges in group-wide supervision, which will be consistent with the FSB protocols. This guidance will take into account responses from a recent IAIS survey among insurance supervisors on their experience with supervisory colleges;

• Expediting the application approval process and encouraging additional members to join the IAIS Multilateral Memorandum of Understanding (MMoU), which is now operational. The MMoU is one of the IAIS’s key responses to the G20 Declaration to strengthen international cooperation among supervisors. The MMoU is a framework for cooperation and the exchange of information and sets minimum standards to which signatories must adhere. With the MMoU in place, insurance supervisors will be better equipped to improve the effectiveness of cross-border supervision of insurance companies. The MMoU will also contribute to the global effort to ensure that systemically important financial institutions are appropriately regulated. Each authority applying to be a signatory undergoes a rigorous and independent validation process to ascertain whether the minimum standards of the MMoU are satisfied. Signatories can therefore take comfort that the information they exchange is properly protected.

• Proceeding with research into the design and practicality of a common assessment framework for insurance group supervision.

In mid of 2009, IAIS announced a long term vision to adopt and develop a global regulatory insurance standard similar to EU’s Solvency II. In EU, the new Solvency II that will become a law by 2012 introduces risk-based solvency and economic capital requirements for insurance firms across Europe. The focus is on more risk-sensitive measures to better manage risk exposures. This IAIS proposal has already received support from 17 national supervisors as part of a memorandum of understanding (MOU) that will be validated soon. This MOU will form the basis for consistent coordination and information exchange between insurance supervisors across borders. Albeit not a legally binding obligation, this is a significant step towards a global insurance regulatory framework. A working group has been setup to help explore a regulatory and supervisory framework that will help better manage internationally active insurance groups.

The IAIS has committed to ensuring that insurance supervisory tools are continuously improved and kept up to date with developments in the global financial environment. At the same time, the IAIS is also focusing on reinforcing its standards, in particular through a comprehensive review of the Insurance Core Principles. Let us await more developments, but the road ahead for insurance supervision does look exciting, and global and regional insurers with cross-border operations need to keep an eye on this to be prepared for the future.

By the way, for those of you at insurance firms who are interested in participating, you can sign up as observers to the IAIS proceedings. And the 16th IAIS Annual Conference is to be held on 21-24 October 2009 in Rio de Janeiro, Brazil.

_________________________________________

SaiSai Sireesh is Director of Risk Management & Compliance Strategy & Solutions, Worldwide Financial Services, for the Microsoft Corporation. Mr. Sireesh has over 18 years of global experience across risk and compliance consulting, financial sector strategy and blueprint execution. He has worked in North America, Australia, Singapore, Malaysia, the Philippines, Thailand, Indonesia and India, is a regular contributor to the Journal of Regulation & Risk, and has authored several global research studies and articles.

Jeff Jinnett: Adopting an Enterprise-Wide EDRM Platform to Get Electronic Discovery Under Control (Part II)
17 August 09 07:59 PM | AnnaVAubry | 0 Comments   

Our previous posting provided an overview of the typical ediscovery lifecycle and identified the need for an enterprise-wide approach to ediscovery. This posting will explore some of the issues relating to the ediscovery process steps in more detail and describe the characteristics of an enterprise-wide EDRM system for ediscovery.

Some Issues Relating to Ediscovery Process Steps

Legal Hold Put in Place: The producing party’s counsel will notify all appropriate company personnel of the existence of the claim, preservation letter and/or document request and advise personnel not to delete, discard or otherwise interfere with the integrity and availability of the requested documents pending resolution of the claim. This legal hold would override the normal deletion provisions under the company’s retention policy. Failure of the producing party to institute this legal hold after receiving notice of a claim may result in a charge of “spoliation” of evidence. This may lead to a court imposing sanctions on the producing party.

Prepare for Production: The counsel and/or paralegals for the producing party typically would identify those documents and records that were responsive to the document request. At this stage the producing party could create a file plan for the documents placed on legal hold and being prepared for possible production.

Court Proceedings: U.S. Federal Rules of Civil Procedure (FRCP) Rule 16(c) empowers the court to issue orders controlling and scheduling discovery, including orders affecting disclosures and discovery. This could involve the issuance of protective orders requiring the requesting party to maintain the confidentiality of trade secret documents, barring the production of privileged documents or amending the scope of a document request. At a FRCP Rule 16 pre-trial conference, the court usually would meet with the parties and work out a schedule for production of documents based on a discovery checklist. Also, several federal jurisdictions have promulgated local rules of practice and other guidelines concerning electronic discovery (e.g., D.N.J. Local Rule 26.1(d)) [1]. These local rules would supplement the FRCP.

Review Against Production Response Plan: Counsel would at this stage review the steps taken to date to ensure that they have been in conformity with the enterprise policies for ediscovery, such as a “Litigation Response Plan[2]”. The Litigation Response Plan acts as a blueprint for the litigation response team and addresses topics such as (a) accounting for archived and non-archived information, all storage locations, backup protocols, and (b) chain of custody issues.

Use of Virtual Due Diligence Room: In cases where the documentation is voluminous, where the documents are widely dispersed geographically, where the documentation is in electronic format or where speed is essential, the parties may opt to use a secure extranet of the producing party whereby the requesting party’s personnel can access the extranet through a “portal” and review the produced documents online. Virtual data rooms are already used extensively for mergers and acquisitions due diligence in the U.S. [3]

Characteristics of an Enterprise-Wide EDRM System for EDiscovery

The typical process steps involved in litigation and ediscovery illustrate the need for an enterprise-wide communication and collaboration portal that connects into the enterprise’s document and records management systems. This portal would facilitate the information-sharing and decision-making that an effective ediscovery program requires. It also could be utilized for the production of documents to opposing counsel through the use of extranet portals for “virtual discovery rooms”. The ideal enterprise-wide EDRM system would support policy management, providing administrators with the ability to set policies to manage the lifecycle of records from creation to destruction. Policies would also be created to move records from one storage medium to another as they age. This may also be used for technology refresh, to ensure that records are always stored on current media so that they can be retrieved. Mapping this architecture against a process-based view of the company should help the company avoid expensive point solutions and duplication. The achievement of an enterprise-wide EDRM solution also would help the company better understand the true cost of recovering data and records from inaccessible media, so as to allow the company to support a request to the court to shift document production costs to the other party.
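The two mechanisms described above, a legal hold that overrides the retention policy’s normal deletion (the “Legal Hold Put in Place” step) and policy-driven lifecycle management that migrates aging records between storage tiers and eventually destroys them, interact in a way that is easy to get wrong: a lifecycle job that runs before the hold is checked is exactly how spoliation happens. The following is an added illustrative example, not code from this posting or from any Microsoft, Open Text or Adapx product; the record classes, policy values, case identifiers and dates are constructed for the example, and the audit trail models the chain-of-custody record the Litigation Response Plan calls for. The key property is that `evaluate()` checks holds before anything else, so no policy can delete a held record, and every decision is logged.

```python
"""Records lifecycle policy engine with legal-hold override (illustrative example)."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class RetentionPolicy:
    record_class: str
    retain_days: int          # destroy once the record is at least this old
    migrate_after_days: int   # move from primary to archive tier at this age


@dataclass
class Record:
    record_id: str
    record_class: str
    created: date
    storage_tier: str = "primary"
    holds: set = field(default_factory=set)   # case ids of active legal holds


# Chain-of-custody audit trail: (date, record_id, action, actor, detail)
AUDIT_LOG = []


def _audit(today, record, action, actor, detail=""):
    AUDIT_LOG.append((today.isoformat(), record.record_id, action, actor, detail))


def place_legal_hold(record, case_id, today, actor):
    """Counsel places a hold; from now on the retention policy cannot delete it."""
    record.holds.add(case_id)
    _audit(today, record, "hold_placed", actor, case_id)


def release_legal_hold(record, case_id, today, actor):
    """Hold released after the claim resolves; normal retention resumes."""
    record.holds.discard(case_id)
    _audit(today, record, "hold_released", actor, case_id)


def evaluate(record, policy, today):
    """Decide the lifecycle action for one record: hold, delete, migrate or retain.

    Holds are checked first: a held record is never deleted or migrated, so the
    hold overrides every other provision of the retention policy.
    """
    if record.holds:
        return "hold"
    age_days = (today - record.created).days
    if age_days >= policy.retain_days:
        return "delete"
    if age_days >= policy.migrate_after_days and record.storage_tier == "primary":
        return "migrate"
    return "retain"


def apply_policies(records, policies, today, actor="lifecycle-job"):
    """Run the lifecycle job over all records; returns {record_id: action}."""
    actions = {}
    for rec in records:
        action = evaluate(rec, policies[rec.record_class], today)
        actions[rec.record_id] = action
        if action == "migrate":
            rec.storage_tier = "archive"      # technology-refresh / aging migration
        _audit(today, rec, action, actor, f"tier={rec.storage_tier}")
    return actions


def demo():
    """Constructed sample: four email records, one of them on legal hold."""
    policies = {"email": RetentionPolicy("email", retain_days=7 * 365, migrate_after_days=365)}
    today = date(2009, 8, 17)
    records = [
        Record("R-1", "email", date(2000, 1, 1)),   # past retention: delete
        Record("R-2", "email", date(2000, 1, 1)),   # past retention but held: keep
        Record("R-3", "email", date(2007, 1, 1)),   # aging: migrate to archive
        Record("R-4", "email", date(2009, 6, 1)),   # young: retain
    ]
    place_legal_hold(records[1], "CASE-2009-01", today, actor="counsel")
    first_run = apply_policies(records, policies, today)
    # Claim resolved: release the hold and re-run; R-2 is now eligible for deletion.
    release_legal_hold(records[1], "CASE-2009-01", today, actor="counsel")
    second_run = apply_policies(records, policies, today)
    return first_run, second_run


if __name__ == "__main__":
    first, second = demo()
    print("first run:", first)
    print("second run:", second)
    for entry in AUDIT_LOG:
        print(entry)
```

In a real EDRM deployment the hold check would be enforced inside the records repository rather than in the batch job, so that a misconfigured or bypassed job still cannot destroy held records, and the audit trail would be written to append-only storage; the example keeps both in memory only so that it runs stand-alone.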

___________________________________________________

[1] See http://www.klgates.com/files/upload/eDAT_rules_D_N_J_LCivR26_1.pdf.
[2] See, e.g., http://www.law.com/jsp/legaltechnology/roadmapArticle.jsp?id=1158014995172&hubpage=Identification.
[3] See, e.g., http://en.wikipedia.org/wiki/Data_room.

___________________________________________________

Jeff Jinnett is Governance, Risk Management & Compliance Industry Market Development Manager, US Financial Services Group, for Microsoft Corporation. Mr. Jinnett is a former partner of the international law firm of LeBoeuf, Lamb, Greene & MacRae, LLP (now Dewey & LeBoeuf) and has experience in advising Fortune 500 companies in the financial services industry on the use of technology to support corporate governance, risk management and compliance programs. Mr. Jinnett has testified as an expert before committees of the US Senate on issues relating to the intersection of law and technology. He is a member of ARMA (a records and information management professional association) and the Society of Corporate Compliance & Ethics (SCCE).
