Four years ago, Brett Curran faced a daunting deadline. The senior corporate compliance director at HealthMarkets, a $2 billion North Richland Hills, Tex., insurer, knew the company had to meet new federal HIPAA regulations, and there wasn't much time to do it. The only answer was to automate the process. But with 10 business units operating largely independently of one another, each with its own IT infrastructure, he realized he needed a system that could not only monitor against a consistent set of policies, but also provide each division with flexibility to introduce its own procedures--and the best way to tie everyone together would be through the Web. "It was the only way to remove the boundaries created by traditional client-server applications," he says.
After a brief search, Curran decided on Axentis Enterprise Suite from Axentis, based in Warrensville Heights, Ohio. Delivered as software as a service (SaaS), with the software hosted on Axentis's own servers rather than installed at HealthMarkets, the product seemed to offer the quickest and most effective solution. Curran now swears by the HIPAA monitoring system. The Web-based approach made training staff from different divisions easier, since everyone could tap into the system simultaneously. "We had a smooth deployment and rollout," he says.
Thanks to a growing number of risk, governance and compliance requirements, compliance officers increasingly are turning to suppliers of Web-based technology to automate the process of meeting those complex mandates. With as many as 60 companies competing in the space today, compliance officers have a wide range to choose from.
Axentis, Curran's choice, differs from its competitors in one important respect: it offers only the hosted model, whereas most of its competitors offer a choice of delivery models. They will host the software themselves for a fee, as Axentis does, or they will install the software on a customer's internal servers, where employees access it through a Web browser.
Like HealthMarkets, companies choose the service-provider model when they're in a hurry to get the job completed. "Doing it in-house can be an 18-month process," says Michael Rasmussen, an analyst with Forrester Research Inc. in Cambridge, Mass. "The service model is a good way to bypass IT." On the other hand, for customers seeking more control over their systems, the in-house alternative is a better choice. It's also easier to tie the platform to, say, a corporate ERP system.
Generally, products differ by the specific vertical markets they target. QUMAS, the granddaddy of GRC platforms, focuses its QUMAS Compliance Suite on the full gamut of risk and compliance issues faced by the pharmaceutical industry, according to Rasmussen. More recently, QUMAS, which is based in Cork, Ireland, has branched out to financial services. In contrast, Axentis has offered a multi-industry platform from the start. "While [Axentis] doesn't have great depth, it has breadth," says Rasmussen.
In a recent report from Forrester, Rasmussen identified QUMAS and Axentis as leaders in the GRC space. Others receiving strong performance rankings included BWise, IBM, OpenPages, Stellent and Protiviti. The BWise platform, for example, which has both risk and compliance features, received praise for its ability to identify and track risk and performance indicators. On the other hand, IBM's Workplace for Business Controls and Reporting platform got high marks because it can be easily integrated into an organization's broader technology architecture. As for OpenPages, while the company has focused on compliance with the Sarbanes-Oxley Act for the past two years, it's well able to handle broader governance, risk and compliance functions, according to Rasmussen.
Despite the plethora of providers, some companies are standouts in specific areas. A case in point is Paisley Consulting in Cokato, Minn., which has a particularly strong reputation in the market for compliance related to SarbOx, according to Rasmussen. Its Auto Audit, which automates the audit process, can be easily integrated into the rest of the system. Alpharetta, Ga.-based Compliance 360, says Rasmussen, is also particularly adept at handling regulatory intelligence and compliance management. Through a partnership with Lexis/Nexis, customers can create a profile based on the regulatory and compliance requirements they must meet. Then, the system automatically alerts customers when new cases, regulatory changes or laws arise, and integrates that information into the system.
How do you choose the best platform for your needs? First, says Rasmussen, select a company with domain expertise in your particular area. Then, look for a vendor with the flexibility to meet both current and future requirements. Take HealthMarkets' Curran. During the HIPAA implementation, he started thinking about the need to automate a host of other new regulatory requirements, such as the Patriot Act and do-not-call telemarketing rules. The upshot: He added those procedures to the system as well.