IBM Global Business Services Strategy & Transformation

White Paper

IBM Compliance Information Lifecycle Management

and Inventory of Obligations: reduce costs and
increase speed of regulatory compliance

Executive summary
In a globalized financial market governed by more than 10,000
regulations – and with more than 4,000 new ones in the
pipeline1 – managing compliance is a complex matter. The
complexity is exacerbated by the constant, rapid increase in
data, most of it unstructured and locked away in enterprise
email systems. In many organizations, there is a general lack of
clarity around what information needs to be kept, and for how
long. Even where there is a clear understanding of how
regulations on data retention impact the enterprise, it is no
small endeavor to design and implement the correct policies for
classifying and storing data in an appropriate manner.
The challenge is to find the right middle ground between
keeping too little and too much data. Too little may expose the
enterprise to the risk of regulatory sanctions, spoliation
sanctions and impaired operations, and too much may mean
increasing costs for operations, infrastructure, records
management and litigation.
Gartner estimates that enterprises choosing stand-alone
solutions for each regulatory challenge they face will spend 10
times more on compliance projects than counterparts taking a
more proactive, integrated approach2. Enterprises operating in
the financial services sector need a holistic approach to:
• understand what information they hold, and what they need
to keep
• ensure critical information is retained, protected and
discoverable at low cost
• leverage stored information to create new business value.
The holistic Compliance Information Lifecycle Management
solution from IBM provides a turnkey hosted service to address
these three key elements. The service is supported by experts in
the IBM Risk Center of Excellence and Global Delivery Center
and is built with software from the integrated risk management
domain of the IBM Banking Industry Framework.
1 Estimated figures based on IBM engagement experience
2 Source: http://www.gartner.com/it/page.jsp?id=492233
IBM Global Business Services 2
Drawing on the IBM Inventory of Obligations — a database of
international regulations and their applicability — the IBM
solution is tailored to suit each client’s jurisdiction and risk
appetite. From automated classification of all structured and
unstructured data through to policy-based management of
relevant data throughout its full lifecycle, the IBM
Compliance Information Lifecycle Management solution is an
intelligent, end-to-end solution that can:
• reduce the cost of records management and discovery for
litigation support
• shrink physical infrastructure and costs
• deliver process savings through automation and
best‑practice methodologies
• reduce liability insurance costs by creating a smaller,
better-managed set of records
• deliver between 175 and 750 percent ROI, based on IBM
estimates and depending on the data volumes involved and
on the quality of existing processes
Explaining the challenges
Financial services firms operate in perhaps the most highly
regulated of all global markets, and face significant challenges
in meeting their regulatory obligations in a timely and cost-
effective manner. These can be broken roughly into external
and internal challenges.
Externally, there are more than 10,000 global regulations that
may affect a financial services firm, and strong signs that
regulators intend to keep up the pressure: more than 4,000
new regulations are in the pipeline. As margins become
smaller in the mature markets of the US and Europe, banks
are increasingly looking for growth opportunities in new
geographies, which inevitably exposes them to new sets of
regulatory compliance issues. The fallout from the recent
credit crisis and related government intervention around the
globe has sharpened the appetite of regulators for greater

scrutiny of financial services firms – and there is considerable
political pressure in many countries to introduce tougher
sanctions for infringement. All of this adds up to an urgent
need for many financial services firms to take a closer look at
their obligations and to check that they have adequate policies
and systems in place to ensure that they are keeping the right
data in the right ways.
Internally, the key challenges are to understand how the
external factors affect the business, and then to design and
maintain the correct approaches and systems to address them.
At a time of budget cuts and reduced staffing levels in
compliance and IT, these are not trivial tasks.
Previous approaches to compliance may well have been
reactive and isolated, with new policies and systems
introduced to address specific concerns or deficiencies
identified in a single area of the business. Over time, many
firms have therefore built up a set of overlapping controls,
duplicating cost and effort and hindering a holistic view of
compliance structures across the enterprise. Where a firm has
merged with or acquired other companies, there may be
significant unknown risks buried in the fragmented
compliance structures of the acquisitions.
Before addressing the practicalities of how to classify, store
and manage information for compliance purposes, financial
services firms need first to understand how a vast and
overlapping patchwork of local and global regulations
translates into specific retention policies for each part of their
business. This understanding is not a static, one-off
achievement; rather, it must be continually revisited as the
external regulatory framework evolves and as the internal
business structures and requirements change.
The amount and types of data that must be retained for
regulatory reasons have been rising steadily, against a
background of explosive growth in overall data volumes. Much
of the new data is unstructured and locked away in corporate
email systems, intranets and personal storage folders. In
compliance terms, rising amounts of unstructured and poorly
managed data significantly increase the risk of regulatory
penalties and spoliation, as well as pushing up the costs of
IBM Global Business Services 3
eDiscovery during litigation proceedings. Indeed, a recent
survey by the Association for Information and Image
Management (AIIM) found that a firm’s electronically stored
records were less than half as likely as their paper records to
be under suitable control.
In IT terms, the rising volumes and complexity of data
inexorably translates into high costs for the physical
infrastructure – in the absence of technology to automate
content classification and retention rules – particularly as
there is a requirement to manage multiple different types of
storage (online, near-line, online backup, offline backup,
archives, and so on).
Finally, financial services firms are well aware that regulatory
compliance need not just be a painful cost of doing business –
it can also present a significant opportunity for improving
internal efficiency and enabling new business opportunities.
Improving the classification, retention and accessibility of
business data for regulatory purposes will also accelerate
internal reporting, improve access to timely information for
accurate decision making, and enable faster response to new
opportunities or competitive threats.
To address the challenges outlined in the previous section of
the paper, the IBM approach identifies three key
requirements: know, manage, leverage.
Know: what data do you have, and what do you need to keep
(for compliance and/or for business)? How do you decide what
must be kept across all different business units, jurisdictions,
and how do you keep up-to-date with regulatory
requirements?
Firms need clear retention policies and a cost-effective way to
classify information as it comes into the enterprise. The first
step is to move from a one-off, limited, reactive approach to
compliance towards an ongoing, holistic, proactive approach.
This will combine keeping abreast of changing regulatory
obligations, translating them into policies for information
management, and creating an efficient framework to actually
implement and maintain the changing policies.

How to tackle these challenges
Manage: how do you keep the right information available in
the right form to meet demands both from the business and
from external regulators? How do you ensure that information
is properly protected and managed throughout its full
lifecycle?
As staff resources decline and data volumes increase, there is
a growing need for automation and policy-based control in
information management. On the infrastructure side, a
hierarchy of storage will be required, including auditable
processes and solutions for protecting data against
unauthorized access, corruption and loss. Particularly during
legal discovery, the infrastructure will need to deliver rapid
and cost-effective access to the relevant information.
Leverage: how can you derive business value from
information that is stored (primarily) for compliance
purposes? How can you support effective, accurate, timely
business decisions?
To turn compliance from a business cost into a valuable
source of new opportunities, financial services firms need to
create enhanced taxonomies for data, and then to ensure that
incoming data is accurately classified. By eliminating
duplicated and outdated information, firms can reduce
storage and management costs while enabling faster and
easier access to data.
The introduction of automated analysis of data and pattern
recognition will start to break down functional barriers,
simplifying reporting and enabling new enterprise-wide
opportunities to be identified.
IBM Global Business Services 4
The IBM approach to Compliance Information Lifecycle
Management
The IBM approach to Compliance Information Lifecycle
Management is divided into four stages, as follows:
1. Evaluation – an expert assessment of the as-is state. The
output is to define the future operating model across
governance, roles and responsibilities, the inventory of
obligations, data collection and reporting processes, and
supporting application requirements.
2. Obligations – compilation of a tailored inventory of
obligations, based on the relevant external requirements and
the internal appetite for risk.
3. Implementation – the selection and deployment of the
appropriate technologies. This stage also encompasses the
development of policies and the design of processes around
compliance information lifecycle management.
4. Operation – IBM manages the full Compliance Information
Lifecycle Management environment, either in your data
center or at an IBM secure location. Daily operations are
monitored by experts in the IBM Risk Center of Excellence
and Global Delivery Center.
Deep experience, proven capabilities
By engaging IBM to manage compliance information
throughout its full lifecycle, financial services firms gain the
benefits of IBM’s long track record of success in the industry.
Combining leadership in risk and compliance consulting with
extensive experience in delivering world-class Enterprise
Content Management (ECM) services, IBM has the internal
skills and methodologies to provide a cost-effective, low-risk
service. IBM is also the market leader in technology for
records management, database archiving, text analytics and
classification, data and content federation, and Business
Process Management.
 IBM Global Business Services 5

The IBM Compliance Information Lifecycle

Management offering
The IBM Banking Industry Framework is an integrated set of
IBM Compliance Lifecycle Information Management is a hosted
industry-specific software offerings spanning four key
solution that provides end-to-end compliant management of
domains for the banking industry.
your content and data, on site or remotely. The offering is built
with software from the integrated risk management domain of
the IBM Banking Industry Framework. • The Payments and Securities domain helps banks
progressively transform their payments operations to
The Compliance Information Lifecycle Management solution become more flexible and efficient.
draws together IBM resources from business and technical
consulting, software, hardware and managed services. As a true • The Customer Care and Insight domain helps banks
turnkey offering, it provides the hardware, software, build a foundation for creating a single view of the
installation, provisioning and operational support required to customer and enabling more effective and efficient
deliver guaranteed, financially backed service level agreements. sales and service.

The first stage in the solution is to create the policies and the
framework that will govern the new holistic compliance
environment. Experts from the Risk and Compliance practice
within IBM Global Business Services use the IBM Inventory of
Obligations – which is pre-populated with thousands of
international laws and regulations – to help you determine what
legislation is relevant to your business in all the jurisdictions in
which you operate. The Inventory of Obligations is then used to
highlight and analyze the gaps in your existing compliance
policies, and to develop a list of business requirements to
address these gaps and ensure correct coverage.
• The Core Banking Transformation domain enables
banks to modernize and renovate legacy applications
that support core banking functions while re-aligning
them with changing business needs.
• The Integrated Risk Management domain supports
banks in taking a holistic approach to managing
Financial Risk, Financial Crimes, Operational and IT
Risk, and Governance and Compliance. For
Governance and Compliance, IBM aims to help banks
comply with voluntary and mandated regulations while
differentiating their competitive position.

IBM Risk Center of Excellence

and Global Delivery Center

Client Single Site Location, Multiple

Remote Locations or Mobile Workers

IBM Primary Management Infrastructure

• IBM Off-site Vaulting

• Hot-site / Replication
WAN Target Site

Figure 1: CILM is a hosted solution that provides end-to-end compliant management of your content and data, onsite or remotely
 IBM Global Business Services 6

Obligations Analysis & Exam

Data Collection

REGULATORY & RISK ANALYSIS Exam & Audit

BUSINESS
INTELLIGENCE
Risk Tolerance
Level 1 Review &
MONITORING Escalation
OBLIGATION PLAN/ & CONTROL
Identify Potential
Changes to PROGRAM EFFICIENCY Perform Internal
Baseline Monitoring Controls Audits
Obligations and Collecting Test
Update Baseline Results
Obligations
Level 2 Review &
Escalation

Develop &
Implement Policy,
Accept Changes SOPs & Control
Requirements Control Data

HQ &
Operating
Control Units
Requirements Testing Results

Figure 2: The regulatory based Compliance Operating Model from IBM

The Inventory of Obligations provides ongoing clarity around
the obligations owed to regulators in all markets, and full
traceability from internal controls to external regulations.
Rather than attempting to piece together a view of compliance
from multiple different systems and points of control, you can
use the Inventory of Obligations to maintain a clear, cross-
functional view of all requirements and related systems and
policies.
The Inventory of Obligations analysis is supplemented with an
Automated Content Assessment of your firm’s content. This
assessment, uses IBM’s text and data mining tools to crawl
your content, classify it in accordance with your retention
schedule, and quantify both the amount of content that needs
to be retained and the amount that may be disposed of.
The business requirements output from the Inventory of
Obligations and the Automated Content Assessment is used to
generate and test functional specifications, from which IBM
creates detailed project plans for the implementation and
operations stages. Following testing and refinement, the
solution is put into production – and continually recalibrated
to ensure that processes and policies remain in line with
changing business and regulatory requirements.
As part of the solution, IBM provides continuous, automated
examination of all existing stored information, applying
sophisticated text analysis tools to determine what must be
retained, and providing an advanced software solution for
automatically classifying, storing and managing all enterprise
data.
In functional terms, the IBM Compliance Information
Lifecycle Management solution covers four broad areas:
content collection and archiving, classification, records
management and eDiscovery. Combining a number of IBM
software offerings and software deployment best practices
from the Banking Industry Framework for Integrated Risk
Management, the solution is backed and audited by experts
from the IBM Risk Center of Excellence and Global Delivery
Center. This provides highly skilled and experienced staff
resources at low cost, with the ability to rapidly scale up the
dedicated team for specific eDiscovery projects.
• Content collection and archiving: IBM FileNet Records
Crawler, IBM FileNet Records Manager, IBM FileNet P8
Platform, IBM FileNet Content Manager and IBM
CommonStore combine to collect and archive
information.
• Advanced context-based classification of structured and
unstructured data: handled by IBM Content Integrator
Enterprise Edition, IBM Cognos Content Analytics and
IBM eClassifier.

• Records management: IBM InfoSphere Records Manager
and IBM Optim solutions move data to the appropriate
part of infrastructure (live production data, active
historical data, online archives, offline archives)
according to policies.
• eDiscovery search and analytics: the IBM Risk Center of
Excellence and Global Delivery Center team use IBM
InfoSphere eDiscovery and related tools to deliver a fast,
thorough and cost-effective service, working from properly
managed content stores that contain only the legally
required information.
At the infrastructure level, the Compliance Lifecycle
Information Management solution includes advanced
solutions from IBM System Storage, underpinned by
comprehensive storage management services from IBM
Global Technology Services.
Summary of the benefits
The IBM Compliance Information Lifecycle Management
solution both provides complete clarity and robust, automated
processes around compliance, and significantly improves
operational efficiency in compliance and IT, reduces the size
and cost of the IT infrastructure, and delivers integration of
information across functional silos. IBM’s estimates for
expected ROI for the solution range from 175 to 750 percent,
depending on the data volumes involved and on the quality of
existing compliance management processes.
Compliance benefits
• improved understanding and implementation of
compliance obligations, reducing the risk of non-
compliance
• flexibility to adapt faster, more effectively and at lower cost
to new or changed regulations
• ability to perform eDiscovery faster, more reliably and at
lower cost
IBM Global Business Services 7
• potential for significant reductions in business liability
insurance by eliminating duplicated or irrelevant
information to shrink the total data set
• automation and improved accuracy in information
classification reduce compliance costs
• enhanced ability to see enterprise-wide risk, and to adopt
effective risk-avoidance systems
• reduced risk of spoliation penalties
IT and operational efficiency benefits
• significant reduction in cost of information classification
and records management
• important process savings in data management, archiving,
backup and recovery
• smaller, lower-cost infrastructure; smaller data volumes to
archive, back up and recover
• “pay as you drink” pricing, based on your needs and
volumes
• solution balances the cost of data storage and management
against the changing value (both business and regulatory)
of the data
• automation to help reduce staffing requirements and free
up precious skilled technical personnel
Business enablement benefits
• improved view of data across business units reduces risk
and highlights cross-selling opportunities
• improved information classification ensures higher
quality data for improved decision-support
• enhanced ability to identify new business opportunities,
and to address cross-functional issues by uniting silos of
information
About the author
Gary Rylander is an Associate Partner in IBM’s Strategy &
Transformation practice focused on the Financial Services
Industry segment. He specializes in helping banks implement
effective systematic controls for Governance & Compliance
related issues. He can be reached at rylander@us.ibm.com.
© Copyright IBM Corporation 2010

IBM Global Services

Route 100
Somers, NY 10589
U.S.A.

Produced in the United States of America

January 2010
All Rights Reserved

IBM, the IBM logo and ibm.com are trademarks or registered trademarks of
International Business Machines Corporation in the United States, other
countries, or both. If these and other IBM trademarked terms are marked on
their first occurrence in this information with a trademark symbol (® or ™),
these symbols indicate U.S. registered or common law trademarks owned by
IBM at the time this information was published. Such trademarks may also
be registered or common law trademarks in other countries. A current list of
IBM trademarks is available on the Web at “Copyright and trademark
information” at ibm.com/legal/copytrade.shtml Other company, product
and service names may be trademarks or service marks of others.

References in this publication to IBM products and services do not imply

that IBM intends to make them available in all countries in which IBM
operates.

Please Recycle

FDE03001-USEN-00