
IT WEEK • 29 NOVEMBER 2004
36 COMMENT How better policies and attention to
basics can help companies get more value from IT
CONTENTS
36 INTERVIEW Reporting
systems and governance
36 COMMENT IT chiefs face tight budgets and increasing demands. So are
there ways of using current systems
more efficiently to cut costs and
add value, asks Madeline Bennett
37 INTERVIEW Jim Goodnight, chief
executive of BI software vendor
SAS, explains how reporting
systems can help companies to
comply with growing regulations
MANAGEMENTWEEK
WHERE TECHNOLOGY BECOMES BUSINESS REALITY
Editor: Madeline Bennett
Firms neglect email policies
Only a fifth of firms fully understand the law on email use and retention, according to a new report, though most are aware of the business value of good email management.

Despite their poor understanding of legal requirements, the study by security specialist Diagonal Security found that three-quarters of firms had email management policies in place. Furthermore, most respondents said effective email management could improve operational efficiency and reduce business continuity risks.

But worryingly, almost one in 10 of the executives questioned were unable to say whether their firm had an email policy at all. Meanwhile, the introduction of new reporting rules, such as the recent Sarbanes-Oxley (SOX) Act in the US, is increasing the need for email policies for compliance.

Michael Stimson, principal consultant at Diagonal Security, said a lot of companies do not realise that email can constitute a business document for legal purposes. “Email has grown up with business but is not seen as one of the key features of business,” he said. “However, society is changing slightly, primarily because of corporate governance initiatives like Sarbanes-Oxley and Basel II, which are making firms sit up and take notice of [the need to keep records].”

Stimson added, “Companies are aware [of corporate governance and email management rules], but many have not done enough research yet to fully understand why it is an issue to them.”

Implementing a policy on email use and retention should only be the first step, said Stimson. He added that policies must be frequently revised, and staff must be trained to understand the importance of these policies and to follow them.

Firms must regard email as part of their official records, to comply with rules such as the SOX Act and the UK Data Protection Act. “A technology focus is vitally important, but if firms are going to work in compliance with all these rules and regulations there has to be a combination of policies, procedures and technology,” said Stimson. He added that good storage and data retention systems are needed to aid compliance.

Mike Davis of analyst firm Butler Group said one way to reduce the chances of breaking the law could be to keep all emails, but added there could then be a risk of keeping certain data for too long, so careful judgement is needed when writing policies.

Meanwhile, Microsoft’s email storage policy recently came under the spotlight when it was accused of deliberately deleting emails relevant to an ongoing legal dispute. The company’s group vice-president Jim Allchin allegedly instructed staff to routinely delete emails after 30 days.

The incident highlighted the importance of having formal procedures for email storage. Legal experts usually advise that emails relating to business contracts should be archived for several years.

IS EMAIL IN ORDER?
Does your firm have an email control policy?
Yes: 75%
No: 17%
Don’t know: 8%
Source: Diagonal Security

Getting value from IT, p36 Sneak, p38
Oracle patches quarterly
Lisa Vaas
Many IT experts have welcomed Oracle’s recent decision to stop issuing monthly bundles of patches from next year and to issue quarterly bundles instead, arguing that the monthly schedule has put too much pressure on IT departments.

“[Database administrators] have enough to do now,” said Ian Abramson, chief technology officer at consulting firm Red Sky Data. “If [vendors] put out a patch every month, there’s no way IT staff are doing anything but installing patches.”

Oracle database buyer Mary Jane Swanson, president of the Twin Cities Oracle User Group in Minneapolis, said she was pleased by Oracle’s decision.

“We like having a strategy of a consolidated plan of rolling out patches in a pre-tested manner,” she said. “We want to make sure [any update] has time to be tested and coordinated with certain applications to be rolled out, and there’s not enough time to do that every month.”

Oracle said the new quarterly Critical Patch Updates system is a response to feedback from customers. “We found that customers would prefer to get things on a schedule they can plan around and that fixes multiple things, as opposed to patching on, say, a Wednesday or a Thursday, being forced to drop [other tasks], and patching under duress,” said the firm’s chief security officer, Mary Ann Davidson.

But though many IT managers said they were pleased that Oracle was abandoning the monthly patch schedule favoured by Microsoft, some said they would like Oracle to follow the example of Microsoft’s automatic patch update capability and some of Microsoft’s tools.

“With auto update and tools that make it pretty simple to roll out [patches], you have the facility to roll a patch out to 5,000 servers,” said Aaron Newman, chief technology officer of Application Security. Oracle does not provide tools that can so easily patch so many servers, he added.

The first set of cumulative and integrated Oracle security patches is due on 18 January, followed by updates on 12 April, 12 July and 18 October.

Davidson: firms can plan ahead

IT Week staff

CORPORATES LIKE PATCHING PLAN
• Oracle’s decision to issue patches on a quarterly basis rather than monthly has met with approval.
• Many Oracle users say they will find it easier to roll out patches in bulk when scheduled for a specific date that they can plan for.
• But IT chiefs would also like Oracle to offer automated patching tools.

www.oracle.com www.eweek.com
© eWeek USA 2004
Claire Pope
PeopleSoft users oppose takeover bid
Oracle’s hostile bid for rival business
applications vendor PeopleSoft last
week looked odds-on to succeed,
with the two firms left effectively
wrangling over price.
Oracle had promised to withdraw
its long-standing offer if fewer than 50
percent of shares were tendered, at
$24 each, by 19 November. In the
event, almost 61 percent were offered.
Despite the shareholder vote of confidence, PeopleSoft’s board refused to
capitulate. It said it would approve a
sale only at “an appropriate price”,
restating an earlier call for more cash.
PeopleSoft customers still face uncertainty. A survey by AMR Research
of 150 PeopleSoft customers – many
of them users of JD Edwards products
acquired by PeopleSoft last year –
found widespread pessimism. Sixty-three percent said they would drop
maintenance either straight after a sale
to Oracle or later if no improvements
were made. Sixty-four percent had low
opinions of Oracle’s likely plans for
their apps: 47 percent predicted no
new functionality and 17 percent foresaw only minimal enhancements.
“PeopleSoft and JD Edwards’ combined [annual] maintenance revenue is
$1.1bn,” wrote AMR analyst Bill Swanton. “The study reinforces how important future enhancements are... Customer loyalty is tied to a future vision,
and third-party maintenance, such as
that provided by TomorrowNow, can
become attractive if a customer does
not plan to upgrade.”
Oracle may decide to put forward
a list of candidates to replace PeopleSoft’s current board next spring. If
accepted by shareholders, an Oracle-backed board could remove poison
pill provisions designed to block the
takeover, and approve the $24 offer,
valuing PeopleSoft at $9.2bn.
How to get more value from IT
IT budgets may be tight, but many firms could make their cash go further by paying more attention to the basics and ensuring they have good processes, says Madeline Bennett

It looks like life will still be busy for IT managers in 2005 and beyond. This year has been the year of corporate governance rules, which has heaped more work on IT teams as firms try to get their houses in order. And this pressure looks set to continue, with more laws on the horizon.

Some argue that the compliance requirements offer a perfect opportunity for IT managers to demonstrate the role technology plays in key business issues. They say IT chiefs can use the current emphasis on compliance to get money for new IT systems or to overhaul what’s already there – and to get a toehold on the board.

I’m sure this is true in forward-thinking organisations. But I imagine that many companies respond to requests for cash for IT to aid compliance in the same way that they respond to requests for higher spending elsewhere – fine-tune what you’ve already got to fit in with the new requirements but at no extra cost to us.

But hopefully this group is the minority, especially in light of last week’s comments from BT’s chairman Christopher Bland on the price of the Sarbanes-Oxley Act. According to Bland, compliance with these US rules has cost BT £10m – a hefty burden on the IT department if a proportion of this cost went on upgrading systems.

Budget restrictions mean IT directors have to constantly look around for ways to get more value out of existing systems for little or no additional upfront investment.

In some cases, improvements may be possible by tightening up supply chain systems. New research from Unisys shows that almost two-thirds of manufacturing firms expect to spend more on supply chain solutions over the next three years to improve the visibility of goods in their systems. Technology for supply chain management does seem to have weaknesses at present – only 15 percent of manufacturing executives say they completely trust the accuracy of supply chain data.

Businesses wanting to improve efficiency through their supply chains might do best to start with the basics. For example, they might see better results by implementing additional controls over data entry and management, rather than investing in an end-to-end technology management system.

And any changes on the supplier side ought to be tracked and recorded in a timely manner so companies can make their purchasing and selling decisions based on the correct information.

Another possibility for reducing costs is at the software maintenance level. According to analyst firm AMR Research, the emerging trend of third-party support could cut firms’ maintenance costs for enterprise resource planning (ERP) systems by up to half.

This might be a good time for IT directors to revisit their current agreements with vendors such as PeopleSoft and SAP, and to consider whether they are getting worthwhile or necessary upgrades. If not, perhaps they should start looking for third parties that would be willing to take on the support contract but at a more competitive price.

In the coming months and years, many IT chiefs will still be asked to get more business value out of IT but with less cash, and this poses a constant challenge. Under these conditions, stepping back and considering the bigger picture and being open to less familiar options could pay dividends. ITW

Tools to improve governance
Jim Goodnight, chief executive of BI software vendor SAS Institute, explains how reporting systems can help firms to comply with increasing corporate governance regulations
BUSINESS INTELLIGENCE INTERVIEW BY DENNIS CALLAGHAN

IT Week: As founder and chief executive of business intelligence tools vendor SAS Institute, can you explain how IT systems can help organisations comply with growing corporate governance regulations and risk management requirements?

Jim Goodnight: A lot of people think that [operational risk management] should be a part of our Financial Intelligence solution. They certainly think it needs to be part of the corporate compliance area. So we’ve had a lot of people ask us to include operational risk as part of our Sarbanes-Oxley [US corporate governance law] solution.

And when does SAS plan to offer tools to meet this demand?

Eventually, it will be merged in. But since both our OpRisk and our Sarbanes-Oxley corporate governance software are proceeding very rapidly on totally separate tracks, it’s going to take us a little while to pull something together.

Would you say the new Financial Intelligence system is your most important product release this year, next to the SAS 9 platform release in March?

I would certainly rank the Financial Intelligence system up there with our Marketing Automation solution, which we announced earlier this year. At SAS we have been offering a financial consolidation and reporting system for about four or five years now. This new release is unique in that [we] have developed algorithms that allow everything that needs to be computed to be computed on the fly.

How does this help users?

It means nothing is pre-computed. It’s just each time you ask for a value, you get a sub-second response, and that value appears. We believe that we probably have a three- or four-year advantage on any of our competitors.

There has been a lot of acquisition activity in the software industry recently – Oracle’s drawn-out attempt to buy PeopleSoft being an example. Does an attempted hostile takeover like this and the likelihood of more acquisitions help you justify your decision to keep SAS private?

Absolutely. Not so much the acquisitions but the fact that by being private we don’t have to worry about making our numbers every quarter. We’re not quarterly focused, we’re focused on the next two years.

Do you believe takeover bids have a negative effect on customers?

PeopleSoft has lost a lot of business because of the FUD [fear, uncertainty and doubt] factor. Very few people are willing to install PeopleSoft right now because of the FUD stuff. I personally thought when [Oracle chief executive] Larry Ellison first made his offer, he was just messing with these people, just to mess up their quarter. But then it dragged on and on, and it’s messed them up now for over a year.

Since you compete against Oracle in a lot of areas, would a takeover mean some of these PeopleSoft customers would be more likely to consider Oracle than SAS?

We compete against Oracle primarily with data warehousing. At Oracle they believe that since they can store data in a database, it automatically makes them a data warehouse vendor. However, without the analytical and reporting tools to go with it, that’s only half the solution. ITW

Goodnight: reducing risk

ABOUT JIM GOODNIGHT
• Jim Goodnight is chief executive of business intelligence vendor SAS Institute, a role he has held since the firm’s launch in 1976.
• He takes an active role in sales and programming, and has authored many of the procedures that comprise SAS software. He also drove the development of the firm’s Anti-Money Laundering solution, which was launched in 2003.
• Goodnight has a master’s degree and doctorate in statistics from North Carolina State University.

www.sas.com www.eweek.com
itweek.co.uk
© eWeek USA 2004