ECM: Selling Compliance-related Solutions

Much has been made of late of Sarbanes-Oxley (SOX), HIPAA and various other regulatory compliance-related issues. Supposedly, these initiatives were going to drive Enterprise Content Management (ECM) sales in much of 2003 and 2004. Yet, for the most part, ECM vendors have left a lot on the table and not capitalized on this major trend to the greatest extent possible. Let’s examine why I believe vendors are struggling in this area, what they need to do to get the right message out, and the best way to approach compliance-minded organizations.

Now, don’t get me wrong, ECM vendors are out there making plenty of compliance-centric sales and companies are definitely buying. They are doing some things right. But if you really think about it, are the sales that have been made more a function of the robustness of compliance-related solutions and the vendor’s sales skills? Or are they more a function of the fact that many organizations have guns to their heads and feel they must do or risk serious sanctions and likely job losses? Seriously now, every once in a while there are certain “sexy” and/or timely technologies that prospects don’t really need much motivation to buy. They are practically sold before a salesperson even walks in the door. Government mandates and the risk of non-compliance make for a lot of very eager buyers.

First, a little background on the Sarbanes-Oxley Act. SOX aims to solve some of the problems inherent in corporate governance, financial disclosure and public accounting. A couple of things leapt out at me when I first began researching SOX’s implications with regard to technology. First, there is no mention of software or any technology to be found. Becoming compliant does not require it. Second, the sections that apply to the corporation as opposed to an outsourced RPA (Registered Public Accounting Firm) are fairly easily described. Compliance involves a set of procedures, reports, records management and retention, and committees.
The sections that are most commonly cited as the ones requiring compliance include:

Section 301 - Procedure and policy for anonymous complaints
Section 302 - Corporate responsibility for financial reports (Certification process)
Section 404 - Management assessment of internal controls
Section 409 - Real time disclosure (Authoring and review)

Even though only the larger, publicly traded companies are actually required to comply with SOX, many organizations are taking the opportunity to take one step or another to develop best practices and improve their risk management capabilities and internal control processes. Whether out of a legal need for compliance or just to be safe, Sarbanes-Oxley is driving many initiatives across many organizations.

From a marketing perspective, ECM vendors are drooling. The synergies between SOX compliance and ECM solutions are obvious. In fact, even prior to SOX, most ECM marketing messages revolved around the ability to bring together “content, people, and processes.” Whoa. Sound familiar? As noted above, corporate SOX compliance involves procedures (processes), records management and retention (content), and committees (people). The parallels between a proven ECM message and SOX compliance requirements are striking. This is why ECM is a natural solution set from which SOX compliance can be achieved. That message is not lost on vendors, to be sure.

In the world of solution selling, finding “pain” is one of the key steps in discovery. Without finding a pain that your solution can help ease, getting a prospect to understand why they should buy it is infinitely more difficult. ECM vendors don’t normally have a problem with finding need. There are so many possible real and money-saving ways that ECM solutions can be deployed, not finding some need somewhere in an organization should really scare sales managers.
Add SOX to the equation and enthusiastic buyers should not be hard to find.

So given all of the reasons why ECM and SOX make great bedfellows, why isn’t the market going through the roof as many anticipated it would?

Well, regardless of the synergies, there are still some difficult challenges that vendors face when taking their compliance solutions to market. One big one is the fact that SOX isn’t the easiest thing in the world for organizations to understand. The gist of it is certainly understood, but the details can be somewhat confusing, and it is not completely definitive in its definition of what constitutes compliance. This confusion can lead to lengthier sales cycles as organizations are learning as they go.

A second hurdle that vendors may see in the market is that, still, no matter how much vendors wish it were the contrary, SOX compliance does not mandate a software solution. Once the details are understood, however, it does become apparent that it would be difficult to do without. How exactly would you propose being able to produce email without some way of managing said email? Well, it would be hard. Nevertheless, organizations are still going to investigate all possible options to be compliant, technical and otherwise. In some cases, because SOX is confusing and the solutions that address it are new, some organizations are looking at simple compliance first, with more automated and sophisticated compliance later. That reticence poses a potential problem for ECM vendors.

Another barrier has been the sheer volume of solutions that have suddenly appeared on the market. ECM vendors are not alone in attempting to address the need. Business Process Management (BPM), Business Intelligence (BI), Email Management (EM), Customer Relationship Management (CRM), and many other traditional tools have all launched products that address compliance in one way or another.
Throw in brand spanking new solutions that don’t do anything else and you get a market that is struggling to define itself. To a buyer, it can be daunting to compare solutions that are light years apart in approach. To the vendor, selling against solutions and competitors you have never heard of makes it very difficult to differentiate in a coherent, knowledgeable way.

So, how should vendors be approaching prospects with these concerns?

First, I think they need to focus more on compliance education and less on the technology. Most organizations are going to feel overwhelmed by jumping straight to a solution when they can’t quite even comprehend the problem. Imparting some wisdom and demonstrating that you understand the problem will help gain trust and confidence.

Second, recognize that your solution solves only a part of your prospect’s problem. ECM solutions generally operate under a central-repository metaphor. Complete control and complete compliance would require that an organization manage 100% of compliance-related records in one or more repositories. While ECM solutions do this well, in some organizations it could be an absolutely monumental undertaking. Visibility into compliance policies and risk is the key, not centralization. Put ECM where it makes sense and establish good partnerships to fill the gaps.

The last, and in my estimation most important, message to consider is size and scope. I think this is where vendors have generally missed the boat. Remember, SOX really only involves information as it relates to financial reporting and best practices. Becoming compliant does not require looking past those specific processes and information. And while there is plenty of opportunity to sell compliance-specific solutions, the deployment of said solution is still going to be somewhat limited in scope.
I believe you should be thinking big as you aim small.

Compliance should be used as a starting point for organizations to completely reevaluate their risk management policies and procedures on an enterprise scale. And don’t limit the discussion to Sarbanes-Oxley. There are plenty of additional compliance issues that affect various industries. The SEC, FDA, DOE etc. all regulate various industries in one way or another. Mix in different countries and their own versions of similar regulations and you should quickly see that the problem is much larger than any individual rule or piece of legislation. Each issue carries with it its own urgency and criticalness.

ECM solutions, by their very nature, are also flexible and open enough to position companies for future changes in regulations. The case could be made that they are nearly immune to obsolescence as many, more vertical, point solutions may be. ECM packages don’t need to be rebuilt to conform with new regulations; they just need to be repackaged. This has obvious benefits to the large organization looking to preserve what will likely be a significant investment.

While SOX in and of itself is finely focused, don’t miss the opportunity to do bigger and better things. There are plenty of nice, economical and very nimble solutions that address aspects of SOX compliance. ECM solutions differentiate with their scope. Don’t forget the ‘E’ in ECM. Organizations will quickly realize that as a platform, ECM solutions can help solve many compliance and records-related problems, not the least of which is Sarbanes-Oxley.

There is a general willingness on the part of management to better understand how the organizations under their control are managing critical business information. You may never again have such focused attention of CXOs. They want your help. They will be good customers.
Think big, but focus.

As you move forward with the ear of compliance-minded organizations, try to make sure that Sarbanes-Oxley and other compliance-related initiatives aren’t simply replacing traditional initiatives. Sure, it can be the proverbial “foot in the door” but a wider ranging analysis of risk management policies will yield additional opportunities. Economies of scale suggest larger deployments with broader reach will provide much more bang for the buck and provide better protection from additional regulation. CXOs, now more than ever, are likely to be exceedingly willing to kill many birds with one stone.
