As regulatory audits loom, wise executives have long since abandoned the "save everything" approach to regulatory compliance, which is akin to stuffing receipts into a shoebox while hoping the IRS will go knocking elsewhere.
Wise executives know it's smarter to watch for red-flag transactions, and then, when the business is audited, they can produce a record that proves knowledge of various regulations and diligence in complying with them.
I just finished a demo of a product called E-RiskWare from Obian. It's a business risk management solution that helps companies comply with Sarbanes-Oxley. From an IT standpoint, the demo left me a bit dazed. But then my inner executive surfaced, and I saw that E-RiskWare handles communication among managers, the board, and external auditors. E-RiskWare creates ad hoc teams, some of whom only get reports and others of whom can subscribe to risk alerts to get real-time updates that allow management teams to respond proactively. For example, if the CFO finds numbers that don't add up in the next quarter's financial reports, he or she can submit the issue to the system. Those wired most tightly into the CFO's loop get going on the solution. Their communication, the documents they create, and the annotations each team member adds to the documents are stored in an evergreen record from identification to resolution.
The longer I examined the product and materials, the clearer it became that E-RiskWare is a well-thought-out adaptation of an enterprise software development solution or bug-tracking system for business management. I can't say that it's unique; business management software is not my specialty. Yet, wouldn't you feel better knowing that your bosses, legal team, and the board of directors are all accountable to one another the way developers and other IT workers are? I, for one, would have loved countering with hard evidence the defense I heard so often from those in the hot seat ("the bastard never told me"), while dissuading managers from stealing credit for their employees' ideas.
The truth is, we all belong in that fishbowl, at least those of us who aspire to advance our careers. The downside of constant auditing is that if you get lazy or screw up, everybody on the team will know it. The upside is that if you're the one who sees the transposed fields on the quarterly report, in a transparent system you're seen as the root of the process that gets the report fixed and reaudited before the report is submitted. If your boss ignores the fact that you saved the company's butt and his boss's boss ignores it, the chairman of the board is going to walk, weeping, into your office and hand you the keys to her Mercedes. And she's going to see that two levels of management failed to recognize your contribution.
Stereotypical notions about developers pointing fingers, passing the buck, and screwing around on company time contributed to the uptake of systems that track issue response time down to the second and code coverage down to the line of code. Software is most reliable when it is created in an atmosphere of real-time transparency and to-the-person accountability.
It took strict regulations and a demo of Obian's risk management system to bring me around, but buggy business models present a bigger risk than buggy code.