Three years ago, when managers at SunTrust Banks Inc. began searching for software that might help them cope with new regulatory requirements, they kept their demands to a minimum. Although the financial-services company had just endured a tough first year of Sarbanes-Oxley compliance, no one expected software to solve all the problems. “Sarbox was killing us,” says John Wheeler, the company’s senior vice president of financial-reporting risk management, “but we went in with very defined — and low — expectations. We wanted a basic, bare-bones program.”
SunTrust purchased a financial controls management application from OpenPages, one that Wheeler says was limited in scope, but flexible. And OpenPages claimed that, in subsequent releases, the program would link up with its other compliance and risk-management programs. “That integration wasn’t quite there when we first implemented the software,” says Wheeler. “We were going on faith regarding the vendor’s promises.”
SunTrust hasn’t been disappointed. Since 2005, OpenPages has extended the capabilities of its product, allowing SunTrust to better assess risks stemming from Basel II and the Patriot Act, not to mention a variety of operational and credit risks. More recently, SunTrust purchased a general-compliance module from OpenPages, which the bank’s compliance group uses to catalog regulatory mandates and related controls for each line of business. Next, says Wheeler, SunTrust plans to integrate the two compliance modules into a single platform.
Join the club. Increasingly, corporate executives are ratcheting up their expectations for software that can capture a wide range of governance, risk, and compliance (GRC) information. Those functions can overlap, sometimes in unexpected ways. In 2005, when the California State Automobile Association purchased a program called Leaders4 (from vendor 80-20), the goal was to use it as a board information-management system. But as Bob Flax, assistant general counsel at the automobile association, soon learned, “The software had functionality I didn’t even know about.”
That hidden functionality came in handy the next year, when Flax was asked to devise an automated system that would ensure that the motor club franchise could pass AAA’s rigorous certification process. An annual ritual had evolved, says Flax, in which a different vice president was plucked from management each year to spearhead the painful process. “We had no central view of compliance,” he notes. “We started from scratch every year.”
That meant poring through a thick quality-control manual that contains what Flax describes as “probably 10,000 things” that the California club’s 7,500 employees need to address.
To Flax’s relief, it turned out the 80-20 software includes features ideally suited to the task. The program’s electronic questionnaire function, for example, allowed Flax to send out questions about procedures and policies to employees, who then responded. The data was then certified, and Flax used the software to produce published reports for board members. “The software took what had been a four-month process down to two weeks,” he says.
Beyond Scut Work
This urge to converge is largely a post-Sarbox quest for greater efficiency. As John Hagerty, vice president and research fellow at AMR Research, points out, companies have spent substantial sums attempting to cope with the many burdens of Sarbanes-Oxley. Spending on Sarbox peaked in 2006, with publicly traded companies forking out about $2 billion on technology and consulting to help them assess internal controls and material weaknesses. With much of the Section 404 scut work now automated, customers want to leverage that initial investment and create a foundation for future compliance needs.