These are my notes from a webinar presented by Knowledge Management Associates, Inc., featuring Sean Megley, KMA SharePoint Architect and resident “compliantist.”
What contributes to the cost of compliance?
- Lack of Tools
- Ad hoc audits
- Random frameworks
- Unreliable results
Sean thinks we should free ourselves from the “tyranny of spreadsheets and email!”
The greater the number of people you can get involved in compliance, the better the results. You want it to be easy, you want to get lots of people involved, and you want it to be part of the workflow. He thinks using SharePoint as a central database and portal effectively centralizes the processes and information.
Being in compliance means that you have evidence of compliance. You need a log to prove the steps you have taken.
Sean went through some more theories of compliance and then moved on to display a model SharePoint portal for compliance. The portal also incorporates InfoPath for replicated business processes. The portal logs the forms and data from InfoPath.
Sean used a wiki as a way to communicate, with links to key documents and policies.
Sean notes that the heart of SharePoint is a document repository. You can store documents and wrap information around the documents.
SharePoint has an alert feature built into its lists and libraries. The alert can trigger action based around compliance. SharePoint will let you know when something is changed or added.
SharePoint has key performance indicators (KPIs) to track controls.
Knowledge Management Associates is offering to pre-package the portal with controls and regulatory requirements built in as a starting point. For example, he has entered the text of a regulation and then mapped it to the controls of the company.
Why SharePoint and not Excel? SharePoint takes the information in a spreadsheet and exposes it for other people to see, allowing other inputs and logging of changes.
SharePoint can be used for project management. It has a rudimentary Gantt chart tool.
The big question is whether you want to inflict SharePoint on your co-workers and IT staff. It can be a beast to manage and some of the 2.0 tools barely work.
See:
- SharePoint and Enterprise 2.0: The good, the bad, and the ugly by Dion Hinchcliffe for ZDNet
- SharePoint Wiki Disaster – from KM Space
- Wikis in SharePoint 2007 – from KM Space
- Blogging in SharePoint 2007 – from KM Space
Doug, thanks for attending our webinar. The Hinchcliffe article was an interesting read, too — thanks for the link.
Our experience is that this type of solution can often be deployed without inflicting material pain on users or IT staff. This is particularly the case in many organizations with compliance requirements who already use Microsoft Office extensively within their organizations, and who have already deployed SharePoint to some degree.
The Enterprise 2.0 features, while limited in this version of SharePoint, aren’t necessarily key to this offering, which is primarily based around core SharePoint capabilities like documents, lists, calendars, etc.
Thanks again for joining us. I look forward to discussing this offering with you as it matures, and chatting at future KM Forum sessions.
Mike –
At my old law firm we were a long-time user of SharePoint, so I am very familiar with the pros and cons of SharePoint.
If you already have SharePoint deployed, I think you could run lots of the compliance through the system. I actually think it would work wonderfully for that use. (It is something I have been contemplating myself.) I would recommend anyone that has SharePoint deployed in their organization to think about using its tools to help with the compliance program.
However, if you have not deployed SharePoint then all of the other issues and concerns about SharePoint come into play. If your organization is thinking about it, the compliance people should get on early and set it up for their use.
My last parting shots were based on a new deployment of SharePoint. I would not recommend that a compliance person be out front in advocating for a SharePoint deployment.
I see your point about “barriers to entry” for SharePoint, and agree that a compliance program would be a tough way to justify a ground-up implementation. As we see more opportunities, I look forward to reporting back on the mix between orgs new to SharePoint and orgs with SharePoint wanting to leverage it to drive down cost of compliance. I don’t know yet whether our findings will support your contention above, but I hope that our sample size is quite large. :-)
I agree that SharePoint has lots of advantages in terms of centralization of documents, collaboration, and revision histories. But, I would also argue that mere centralization is not enough. It significantly reduces the problem of information duplication (lots of spreadsheets floating around), but it’s not a comprehensive solution to the problem of being able to understand the impact on any variable of a change in another variable. For example, if a compliance control fails, how does this impact the total risk profile of the enterprise, or the compliance status for a given regulation? Information needs to not only be centralized, but effectively mapped to all the other risk and compliance information that it impacts.
I would also argue that the program and project management capabilities in SharePoint are rudimentary at best. And, when attempting to track multiple compliance projects, including their total costs, a more robust program management solution is needed.
Sumner –
I think we are in agreement that SharePoint does not provide as robust a solution for compliance as some of the offerings by CA. It certainly does not have the robust risk management attributes.
But for a small company that is already looking to use SharePoint for its intranet, it is an interesting possibility. SharePoint is a much better solution than just a collection of spreadsheets and documents on a shared drive.