Businesses in construction and related fields face a daunting list of items requiring compliance with regulations and standards. Requirements for compliance apply not only to building and fire codes, but also to safety, environment, labor laws, greenhouse gas emissions and energy use. Requirements for compliance come not only from government entities (including federal, state, county and local), but also from the owners, architects, engineers, partners and interested or invested parties such as insurance companies, banks and subcontractors.
A joint effort by the National Center for Manufacturing Sciences and the U.S. Environmental Protection Agency highlights how the federal government views the compliance landscape. The pair established the Construction Industry Compliance Assistance Center as a “source for plain language explanations of environmental rules for the construction industry.” Included in those pages is a Compliance Summary Tool where you can select a state, the type of construction and how the project might impact the environment. It then produces a page with a list of each environmental compliance item along with specific compliance steps and contact information.
It’s been common for contractors, architects and engineers to handle compliance in silos. So there’s a safety program with checklists and compliance requirement reminders, and there’s another one for stormwater management and other environmental compliance issues. All the labor compliance items are handled under the HR processes, and compliance on subcontractor insurance is dealt with in the accounting processes. If you move compliance tracking to the cloud, there are providers who consolidate the tracking.
“Our technology is basically a $40 million relational database workflow management engine that the largest companies in the world use to automate compliance,” explains Larry Goldenhersh, CEO and founder of Enviance. “It automates the workflow of compliance including data capture and data management, whether you’re talking about core drilling, permit sign off or an overtime issue. We provide compliance workflow automation in the cloud, over the Internet.”
While there has been reluctance by construction firms to use the cloud for compliance management in the past, John (J.J.) Castner, business development executive with CMO Compliance, sees more acceptance these days.
“We originally offered our construction audit, risk and compliance solution as cloud only,” Castner says. “However, the industry pushed back and we had to provide an on-premise solution as well. But that was a few years ago, and now the construction industry is more open to cloud solutions.”
He says the sensitivity of audit, risk and compliance data that his company’s solutions capture for construction clients, and other industries such as financial, aviation and food safety, means many clients may be reluctant to host such data off-premise. However, as internet banking and other cloud-based technologies are more widely adopted, the industry has been more receptive to cloud solutions for compliance.
Goldenhersh uses the example of Chevron, one of his company’s clients, to illustrate the kinds of complex compliance management tasks being handled in the cloud.
Chevron uses the Enviance system to manage the permitting for the construction of the largest liquid natural gas facility being built in the world today in Gorgon, Australia. Chevron also uses it for environmental compliance and permit compliance in the San Joaquin Valley in Central California, where Chevron operates exploration and production activities in a 6,000-square-mile area. Within that area, Goldenhersh says, Chevron manages 2,000 air permits and has 50,000 monthly compliance obligations. Thirty thousand of those obligations are data capture, and more than 25,000 are tasks. Chevron also uses Enviance’s solution to automate the collection of the data, compare it against allowable ranges, and establish tasks that are required by statute, or by the company, to get things fixed. The system also handles all the reporting to local, state and federal authorities.
Both Enviance and CMO Compliance typically work with very large construction enterprises that operate globally, and it’s exactly because of their global operations that companies like these turn to cloud solutions.
“Given that our construction audit, risk and compliance solution sits in the cloud, it can be accessed anytime, anywhere – and we now even provide support for iPads and iPhones, so information can easily be logged or reviewed onsite,” explains Castner. “If you can make a phone call on your iPhone or PDA/Smartphone, you can do a construction site safety inspection on your iPhone or PDA/Smartphone using our cloud solution.”
Compliance also requires interaction with many different players on a given project, and they all need access to project data and have the ability to interact with it. Goldenhersh says the interoperability is transparent.
“Those involved in projects would want separate access and so we have a security system that allows the architect to have access to the system and the architect can see only what the architect is supposed to see,” explains Goldenhersh. “The contractor can also have its own subscription and do exactly what it wants, but all the data can be common in the system. It’s truly a collaboration platform because construction projects are not well executed in stove pipes. You have to have the architect and engineer talking to the contractor, and somewhere in there the construction manager too, otherwise everything hits the fan.”
Of course, the cloud depends on connectivity, so for projects out in the boonies where there is limited, low-speed or nonexistent Internet access, it’s not going to be a viable solution. But for those who have to manage modest to difficult compliance tracking and reconciliation where there is Internet service, doing so in the cloud can make the task timely, efficient, accurate, accessible, scalable and inexpensive.
Believe it or not, there are laws and regulations that govern the use of information. Falling under the banner of regulatory compliance, dealing with these aspects in cloud computing gets murky. Major topics and considerations include:
Fourth Amendment – James Urquhart does an excellent job of exploring this in his article at CNET. He references a scholarly work by David A. Couillard as he traces the complex route the courts have taken in NOT deciding much of anything about Fourth Amendment questions related to whether or not information given up to a third party on the Internet has any right to privacy. Essentially, the law does not keep pace with the rapid evolution of technology. Couillard cites the fact that it was nearly 100 years before the Supreme Court recognized that telephone conversations have a constitutional protection from unreasonable search. The pivotal issue here centers on the Third Party Doctrine, which assumes that information turned over to a third party has no reasonable expectation of privacy. Of course, it gets much murkier when you start to define the information as either content or transactional, and when you start to define the containers the information is stored within.
Government Rules – In Article 8 of the Charter of Fundamental Rights of the European Union the organization lays the groundwork for the fundamental right of personal data protection. The organization enters into talks and agreements with governments that are not in the EU to make sure the same protections apply to the citizens’ data even when it is shared with companies, people and governments in other lands. In another instance, Canada has the Personal Information Protection and Electronic Documents Act that governs how electronic documents are used and what private companies can do with personal data. The U.S. Department of Commerce is tasked with the job of “harmonizing data privacy” between the U.S. and other governments that have much stricter privacy laws, like the EU. This is called the Safe Harbor program.
FISMA – This is an effort by the U.S. National Institute of Standards and Technology (NIST) to protect the nation’s information infrastructure. It does that by promoting the development of standards and guidelines that handlers of information must follow.
HIPAA – The U.S. Department of Health and Human Services issues privacy and security rules relating to health information.
SOX – This is the Sarbanes-Oxley Act, passed in 2002, that created new standards for public companies to follow in the wake of several major corporate and accounting scandals, including Enron.
PCI Security Standards Council is a global organization that is developing security standards for account data protection. The founders include the major credit card companies.
SAS 70 Audits (Statement on Auditing Standards) is an auditing standard developed by the American Institute of Certified Public Accountants that includes auditing the controls over information technology.
All of these information security fronts are evolving every day. Stay tuned as we bring you the latest information and analysis on these important topics.