New Opportunities for Web Services Technology
New laws create new needs

Mention the word "compliance" and it is likely to conjure up images of scandalous performance by companies such as Worldcom, Enron, and Tyco. But beyond corporate governance and government regulations such as Sarbanes-Oxley, HIPAA, and the National Do Not Call Registry, compliance is creating a new need for technology in less obvious areas.

Perhaps the largest of these relates to the rise of outsourcing, whereby companies are moving non-core functions to outside vendors. Along with the rise of outsourcing, there is an attendant increase in the use of service-level agreements (SLAs). An SLA is a contract between a provider and recipient to deliver one or more services according to an agreed upon set of performance standards. It contains a description of the service or deliverable to be provided; it sets performance expectations in terms of cost, volume of work, responsiveness, and quality; and it defines metrics for evaluating whether or not the performance requirements have been met.

As more companies outsource their IT infrastructure and business functions, they rely increasingly on contractual obligations and SLAs to ensure their needs are met and they are getting their money's worth. A June 2004 survey of 320 IT professionals conducted by Oblicore found that outsourcing has become important to 76% of companies. About half of the companies had 10 or more SLAs, 28% had more than 50, and 7% had more than 1,000. Forty-two percent of companies reported they had more SLAs than a year ago, while 56% predicted more SLAs in the year ahead. Interestingly, 64% of respondents said their SLAs had major or moderate financial consequences for not reaching SLA targets. Perhaps most importantly, 75% of companies said that it was important to improve SLA management, which is an important type of compliance.

The survey also found that 49% of companies have a mix of internal, customer, and supplier SLAs. This shows that many companies now participate in a "service chain," whereby the performance of suppliers can directly affect a company's ability to satisfy its own customers. This was most apparent in industries with the word "service" in their name, such as financial services, telecommunication services, and healthcare services. While it is clear that SLAs are on the rise and are becoming more important and difficult to monitor, 43% of companies do not report on contracts at all, while another 16% only report quarterly or even less frequently. At the other end of the spectrum, in terms of "best practices," 13% of companies reported on contracts in real time, 11% did so daily, and 21% weekly. Companies indicated that the primary benefits of more frequent SLA monitoring and management were increased customer satisfaction, improved operational efficiency, and increased performance visibility.

Balanced against the increased importance of outsourcing and the general lack of reporting are numerous industry studies that show that as many as 75% of major outsourcing projects fail to "comply" with their original objectives. What's wrong with this picture?

Companies are finding that compliance is not easy or cheap. Business "regulations," often in the form of SLAs and other legal agreements, are intended to help companies specify, monitor, and measure internal performance as well as their relationships with customers and suppliers. Government regulations place their own compliance demands on companies. Yet compliance monitoring and reporting is hampered by the fact that many large companies are geographically and functionally diverse, and the trends toward outsourcing and service chains make compliance even more challenging.

What are the implications of this for technology and in particular for Web services, and what new opportunities are they creating? Consider the example of a health insurance provider and its relationship with external entities such as customers, doctors, hospitals, etc. HIPAA requires that the provider implement safeguards to protect against the misuse of individually identifiable health information. At the same time, the insurance provider may have signed IT outsourcing agreements with one or more vendors to manage and run its back office operations. So how does the insurance provider proactively monitor the performance of its outsourcing vendors to ensure that they are not inadvertently and illegally disclosing sensitive patient health information without the company's consent, thereby exposing the company to major legal liability? Most companies are now resorting to SLAs and active monitoring to ensure compliance.

Consider another example, from the world of financial services. Compliance is creating a need for companies to exchange different forms of performance data in a seamless and real-time manner. For instance, financial services firms are dependent on global providers of network services to provide brokerage services to customers around the globe. To gain a competitive advantage, financial services companies commit to providing high levels of service, during specific time periods, in different geographies, at low cost. To achieve this, they outsource major portions of their IT to best-of-breed network providers that offer high-quality bandwidth at low rates due to economies of scale. To facilitate this service chain, there needs to be a continuous flow of performance data between multiple parties. Financial service companies need to monitor the health of their networks and compare it to industry standard benchmarks. At the same time, they must constantly monitor the level of service that they are providing to customers, in the form of service availability, response time, transaction throughput, and call center responsiveness to customer issues. This requires gathering, aggregating, correlating, analyzing, and reporting reams of performance data from heterogeneous IT systems and business applications.

What has become apparent is that "compliance" is more than adhering to static government regulations by establishing high-level guidelines, training personnel, filling out forms, gathering quarterly signatures on financial documents, and filing paperwork that is rarely viewed. Compliance today requires the ongoing proactive monitoring, management, and reporting on a dynamic set of business commitments and standards. It is causing three separate disciplines that previously were performed independently to become intricately intertwined.

Prior to the enhanced litigiousness of our society and the related increase in the use of SLAs, it was commonplace for companies to separately manage contracts, measure financial results, and monitor IT service levels. However, the onslaught of SLAs, especially now that there are serious financial consequences for not meeting service targets, is causing companies to carefully connect the dots between legal, financial, and IT performance. Failure to do so could have potentially disastrous effects to the tune of millions of dollars in assessed penalties, lost revenue, and even jail time in the event of fraud.

The challenge of compliance reporting is aggravated by performance data that is present in systems that have grown independently and that is brought together only by using manual methods. A supplier may provide a company with a spreadsheet via e-mail. This approach is error-prone and does not lend itself to providing an adequate picture of compliance for a business. More often than not, manual performance data is late and out of context, providing little value in the effort to satisfy compliance requirements. Lack of accurate and timely data due to manual collection and transfer processes is the bane of chief compliance officers everywhere.

The characteristics of today's systems, where silos of information do not readily communicate with each other, lead to a set of problems that make compliance very difficult to implement and manage, except at a most rudimentary level. These characteristics include:

  • Inconsistent data management policies across systems
  • Inconsistent data formats across systems
  • Non-integrated systems that do not share information
  • Poor data reconciliation across systems for compliance

The result is a new set of compliance requirements that is spurring the need for technology innovation:

  • Capture all aspects of regulations, including legal, financial and technical. Most regulations, whether internal or external, contain a combination of legal, financial, and technical terms. This invites the need for a Web service for updating and exchanging contractual and regulatory data between multiple parties on an ongoing basis.

  • Combine data from disparate systems and manage a wide range of processes. As noted, required compliance data exists in multiple systems that are geographically and functionally dispersed. Compliance applications need to take required data from systems, transform it to a common denominator, correlate it to regulations, and generate reports, all in real time. For example, Section 409 of Sarbanes-Oxley requires real-time reporting on any event that materially impacts the financial health of the company. A bad debt should not only be captured by the compliance system, it should also be reported in real time to concerned executives. Complying with Section 409 would require a compliance application to access bad debt data from the financial system, generate reports, and access the e-mail system to send the reports. Accessing and integrating these disparate systems and data is a call to arms for Web services.

  • Provide relevant reports to regulatory bodies. Different constituencies of a compliance system require different types of reports. If multiple external or internal customers are served with a compliance report, several report flavors may be required at the same time. Not only are the report contents different, they might also be viewed on a different frequency. The CFO might want a management dashboard that updates every time a compliance violation occurs, whereas an account receivables manager might look at a daily report and a monthly summary report on outstanding debts. A noncompliance indicator on an online report might prompt the user to drill down to the source of the problem. Reports must not only be generated on the fly, but also offer the ability to be highly flexible, creating a need for Web services that can provide this type of data access.

  • Monitor compliance continuously and reveal underlying causes of noncompliance. A compliance system should be "always on," recording transactions that affect compliance as they happen. Reporting after the fact will not meet business and government compliance requirements. Furthermore, a compliance system should be able to drill down to the root cause of non-compliance and allow for "what-if" analysis of the compliance event. This elevates the compliance system from a static reporting tool to a proactive business monitoring application. Web services that provide real-time event notification and access to relevant compliance data are needed.

In summary, compliance requires a diverse set of performance data to be evaluated in the context of contractual obligations. If ever there was an opportunity that calls for easily and securely exchanging data between multiple companies, and for easing the interoperability of disparate and heterogeneous applications and data, this is it: compliance is a major driver that will encourage the development of new Web services.

About Hal Steger

Hal Steger is vice president of marketing at Funambol, Inc., the mobile open source company. He has over 20 years of enterprise software marketing experience, including several years working with open source projects.
