Build on a foundation
There's no IT solution for regulatory compliance, but just try doing without it
By Frank O Smith, senior contributing editor -- Manufacturing Business Technology, 1/1/2006 12:00:00 AM
Regulatory compliance adds a layer of complexity to business management, and the more global the business, the greater the burden. "There's no real legacy of compliance in manufacturing outside of life sciences industries. Sarbanes-Oxley provided the first brush with it for many," says John Hagerty, a VP with Boston-based AMR Research. "Seeing the penalties associated with noncompliance is a key accelerant to taking it seriously."
The Sarbanes-Oxley Act (Sarbox) of 2002, passed in the wake of the Enron scandal, mandates stricter corporate governance and financial disclosure for U.S. publicly owned companies. It is, however, only one among scores of global regulations enacted in the last few years.
The more commonly encountered new U.S. regulations include the TREAD and Bioterrorism Acts, and CFR 21 Part 11. From the European Union (EU), the RoHS and WEEE environmental regulations are hot topics of conversation. And manufacturers are seeing emerging regulatory environments from Argentina to China, and from Australia to Russia.
Information technology is seen as the most efficient way to address regulatory compliance.
"The government doesn't require anybody to use technology, but managing it manually is overwhelming," says Cass Brewer, director of education and research for the IT Compliance Institute (ITCi) in Seattle.
"If you had to plow through paper, movement of a lot of products would be frozen. In some cases—like food—you'd be forced to scrap it," says Colin Masson, a director with AMR. "That wouldn't look good to stakeholders or authorities."
Investment in compliance technology, despite tight overall IT budgets, is increasing, according to IDC. The Cambridge, Mass.-based analyst firm reports 26.5-percent growth in compliance-related investment in storage and security hardware, software, and related services in 2005 over 2004. Growth through 2009 is forecast at just over 22 percent.
"A confluence of events has companies turning to IT for leadership," says Brewer.
Corporate mandates
Other companies are appointing corporate compliance officers.
"Compliance is what I do," says Dennis Symanski, worldwide compliance officer for Sun Microsystems. "I make sure the products we design can be shipped anywhere in the world. I'm the interface between Sun and the government."
The electronics industry is especially hard pressed to meet compliance mandates like the RoHS and WEEE regulations coming online in 2006, with significant regulatory mandates anticipated soon from China.
"I have to sign declarations of compliance before countries around the world will allow us to ship within their borders," Symanski says.
That means Sun, its contract manufacturers, and suppliers must maintain records to quickly authenticate declarations. "During audits, if irregularities are found, we have to resolve them very quickly. Not doing so could lead to shutdowns or recalls," claims Symanski.
Requirements vary widely, with some countries like the U.S. and the EU permitting self-declaration with the ability to substantiate claims. If manufacturing takes place in China, however, the government must directly certify products and plants. In the case of Taiwan, every configuration of memory, chip speed, and other options must be registered.
To ease these burdens, Symanski serves as a U.S. representative to the International Electrical Committee, meeting with other country representatives to develop global compliance standards.
"Just keeping pace is one of the biggest challenges," says AMR's Masson. "That's why it's important to create a culture of compliance in the organization, supported by some common technology."
Because requirements will only grow, it's imperative that this culture of compliance have both authority and reach. "People need to push compliance to the strategic level, so as to achieve efficiencies," says Brewer.
According to Gary Zasman, director of information life-cycle management solutions, Sun Microsystems, "There are four areas that impact compliance best practices." Starting with the most critical, these include:
-
Data retention: archiving of data for a specified period;
-
Business continuous-disaster recovery: ensuring that the business can continue, and that data will be available for legal and compliance conformance;
-
Data protection: protecting data against damage or loss, utilizing backup and recovery; and
-
Data security: responding with threat & vulnerability detection, and intrusion monitoring.
Architecture and solutions
Hagerty says manufacturers have been disappointed that there's no out-of-the-box solution. And according to Masson, "ERP vendors with the largest technology footprint are heading toward a compliance architecture, but data will still come from other systems. SAP's environmental, health, and safety solution will have a core database and recording functions, but if you want to do emission modeling, you'd need to go to another technology."
Still, enterprise systems act as a foundation to build on. "There are common practices around the documentation of workflows or processes, describing policies, showing how policies are implemented, using data repositories, event detection, maintaining records, and tracking changes that regulations specify," Masson says. "There is an existing technology foundation for regulatory reporting."
Jim Sabogel, VP of the life sciences business unit of SAP, says ERP does offer common tools, especially for interdepartmental work. "The regulations may change, but the tools stay the same," says Sabogel. "Electronic signature is one. With regulations like Sarbanes-Oxley, you're looking to ensure that the financial records are controlled. If you make changes, integrity is maintained with electronic signatures."
Regulatory legislation is forcing manufacturers to think long and hard about the life cycle of business information. "One thing with records, you don't want to keep them for too short a period—or too long," says Zasman. "A piece of information has a life cycle. You create it at one point, and at some point, you cremate it. During its life cycle, you protect it."
Dave Bassett, director of compliance for Solectron, a Milpitas, Calif.-based electronics manufacturing services provider, led an enterprise compliance team comprised of representatives from every part of that company. The team thoroughly analyzed every process and piece of equipment to ensure "compliance management will be as relevant as yield management," says Bassett.
As for mastering the complex maze of requirements from around the world, Bassett uses what he calls "shmoo" analysis. "We lay them all out, and then 'shmoo' them together to see how they overlap. Then we create policy to deal with them."
