Compliance is a headache. Ask anyone who has to worry about it. There's an alphabet soup of regulations such as the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and Basel II -- not to mention various internal policies that require adherence.
By tracking and managing documents, an enterprise content management (ECM) system eases the burden of complying with these regulations somewhat. But ECM is not without challenges: If you are just beginning this process, you need to build the case for investment and then scope your project and create a team. Even when you have things up and running, an ECM system can face challenges with user acceptance. And, as with any technology, the implementation alone cannot serve as the solution. You need to establish governance policies and best practices to put the technology to best use. Moreover, these policies need to reflect the processes and workflows associated with your business. Using technology to marry with these processes can be difficult, particularly for companies with numerous departments, international divisions or other kinds of structures that spawn different processes among these various branches of a business.
Beyond compliance: Managing unstructured information
Still, despite its challenges, ECM is one of the most important tools for meeting compliance goals, noted Apoorv Durga, a senior analyst at Real Story Group. For one thing, ECM is broad and adaptable. While regulatory compliance for SOX and HIPAA are the primary drivers of compliance initiatives, these regulations aren't the only motivations for introducing ECM systems.
ECM is a powerful tool for compliance efforts, but success requires a broader view.
"There could be company-specific compliance efforts, such as [those] for organizations that define their own processes that allow them to function in a uniform way, maintain quality, protect their assets or be more responsive to their customers and employees," he said. These efforts, in turn, could involve controls and audit procedures for internal financial operations, human resource policies, tracking professional requirements such as certifications or visa status, or managing confidentiality requirements such as information related to nondisclosure agreements (NDAs), copyrights, patents or insider information related to trading.
In order for a business to respond to the challenges associated with those various compliance issues, it needs to have sound practices and processes to manage information, Durga explained. "While most organizations have effectively managed structured information -- such as data that resides in enterprise systems like ERP [enterprise resource planning] systems, they have not mastered unstructured information -- such as that found in physical paper documents, images, microfilm and numerous document repositories," he said. The practice of ECM, attempts to address the challenges posed by unstructured information "such as content storage; effective classification and retrieval; archiving and disposition policies; mitigating legal and compliance risk and reducing paper usage," Durga said.
Melissa Webster, program vice president of content and digital media technologies at IDC, agreed that properly managing unstructured content is key to ensuring compliance. In fact, she noted, ECM systems are specifically designed to ensure content is properly managed, and they can provide the records management capabilities that govern retention and disposition. "ECM vendors typically offer archiving in addition to content and document management, and it's that combination of content/document management, records management and archiving that -- together-- ensure all of the organization's unstructured information is properly governed," noted Webster.
Governance and access management
Still, according to Alan Weintraub, a principal analyst at Forrester Research Inc., it's important to look at ECM in relation to the business as a whole. Specifically, he explained, Forrester focuses on the role of ECM in extracting data from email messages, faxes, contracts and other sources and providing it to transaction processes. "On the business side, ECM is about taking policies, processes, research and collaborative capabilities and mining that to get value," he said.
A component of that is ensuring that ECM incorporates governance -- the process of checks and balances. Within that, Weintraub said, roles, responsibilities, processes and procedures need to be in place to ensure the integrity of governance, to define proper use of data, and to provide procedures to access, approve or publish information.
The governance program defines when you can use information and what is protected, he added. Thus, he noted, in the context of compliance challenges such as HIPAA, enterprise content management can manage issues such as data classification; specifying what levels of information individuals can have access to. "In the HIPAA world, for example," he continued, "you have patient privacy issues, so while there are certain documents that anybody can see, for example, -- something describing potential adverse drug reactions when the document describes drugs that an individual has been prescribed -- that must be private." That is where ECM systems can specify what information certain groups can see and what they can't.
Fortunately, those capabilities are standard among ECM products, Weintraub said, because the underlying technology is now largely commoditized. "There are differentiations between vendors, primarily between systems that are more business or more transactionally oriented," he said.
User adoption can be an obstacle
But despite increasing standardization among features, users still present a wild card in terms of implementation. Indeed, Weintraub said that the biggest roadblock to ECM implementation is not the technology or the vendors, it is the users. Based on interviews Forrester has conducted, Weintraub said ECM is one of the most disruptive technologies an organization can adopt.
"With other systems, such as data warehouses, [customer relationship management], or financial systems, there is no real alternative way of operating. You need those systems to get the job done," Weintraub said. But there are many ways to "work around" an ECM or match some of its capabilities with other systems. Thus, "When you adopt an ECM, you are telling people they have to work differently; documents must be kept in a certain way and in a certain system, and they must employ metadata values that require more work. So the challenge is user acceptance and adoption," he noted.
For more on ECM
Governance: Risk mitigation is just the beginning
In fact, said Durga, organizations may not always be ready for ECM. Thus, he suggested, organizations and decision makers should examine the ECM maturity model that is available for free at www.ecm3.org. "It helps to provide a structured framework for building a roadmap, in the context of an overall strategy," he said.
According to Durga, the framework suggests graded levels of capabilities -- ranging from rudimentary information collection and basic control, through increasingly sophisticated levels of management and integration. The final result is a mature state of continuous experimentation and improvement.
And if your organization is somewhat mature, ECM can deliver value – and strengthen and simplify compliance requirements.
Finally, noted Webster, while she sees ECM as a powerful tool for compliance efforts, success requires a bigger view. The structured information in "systems of record" such as ERP, customer relationship management, human capital management and supply chain management also needs to be managed properly for compliance. In other words, ECM is crucial but it is not the whole picture.
About the author:
Alan R. Earls is a Boston-area freelance writer focused on business and technology.
This was first published in September 2013