It goes without saying that managers in any regulated organization face a perpetual burden in the form of the logistics associated with "compliance," whether that be compliance with applicable laws, regulations or even internal policies. Often a case can be made that an enterprise spends so much time ensuring compliance that it loses sight of why compliance is important in the first place.
In the quest for efficiency in managing compliance, many companies seek ways to automate the process with technology, thus easing the burden on operating staff while hopefully increasing accuracy at the same time. This represents one of the greatest of double-edged swords in business.
Process management automation is a good thing in IT, and compliance is no exception. It enables efficient use of technology, allows for the observation of massive amounts of data in a short period of time, brings numerous resources to bear, eases what often is tremendous complexity and executes "rulesets" relentlessly and accurately. However, there is a downside to automated compliance activities if they become an excuse for ignorance. The purpose of this tip is to provide a series of concrete points to be considered when undertaking any attempt to leverage technology to initiate automated compliance processes.
Point 2: The data must be sound. Once the assumptions pertaining to a risk have been carefully documented, the next question becomes whether there is sufficient data to support automation. In this exercise, "data" will typically be operational, which may include loss data, event logs (e.g., IDS logs), system activity (e.g., failed login attempts), governance data (e.g., timeliness of vendor updates such as PCI re-certifications), aging of open audit items, etc. When undergoing the data-evaluation process, pose the following questions about the data in question:
- Can the data truly be mapped to the risk? This takes discussion and agreement between IT and business units to validate that the data sufficiently correlates to the applicable risk. Just because it can be tracked doesn't necessarily mean it should be.
- Is the data available, credible and reliable? In order to automate a compliance process, all three of these criteria should be met. However, if any of these are suspect, that doesn't mean that the process cannot be partially automated, but it will have implications on the amount of manual intervention that will still be required.
- Is the data statistically significant? Automating a process to monitor and analyze a small handful of data points will rarely pass a cost-benefit analysis and will probably create more risk that it solves.
Point 3: The process must be sound. This point has several aspects that are key to compliance automation.
- There must be mechanisms in place to ensure that any automated process management will take place reliably. Too many fires have started because no one checked the batteries in the smoke detector. For any given process, this requires that a specific individual is clearly identified with responsibility for ensuring that the process is executed without exception.
- A clear process must exist for reviewing exceptions and responding accordingly. Depending on the environment and circumstances, "red," "yellow" and "green" alerts may mean different things and require different responses. And remember, all green for too long can be just as much of a warning as sudden red, perhaps even more so.
- Finally, and most critically, there must be flawless mechanisms in place to handle change. Even the most subtle change to an operating environment can have dramatic consequences on the availability, integrity (at any point in time) and reliability (over time) of data, which can severely compromise the compliance process, not to mention fail to mitigate or even exacerbate the underlying risk.
In the end, it is critical to remember that automated compliance technology can be part of the process, but it can never be the process. Effective compliance always requires the insight and intuition of seasoned professionals who understand the risks that compliance activities seek to subjugate and can identify and interpret the relevant data that is presented to them. However, when managed properly, technology can be used effectively to supplement and support an enterprise-wide compliance program.
About the author:
Eric Holmquist has more than 27 years experience in the financial services industry and is a frequent industry author and speaker. As president of Holmquist Advisory, he has experience in virtually every area of bank operations including: risk management, branch operations, IT, information security, finance and accounting. Named one of the "Top 50 Faces Of Operational Risk" by OpRisk & Compliance Magazine, he has developed risk management, MIS and information security programs and is an expert in creating operational efficiency and risk alignment. He can be reached at firstname.lastname@example.org.
This was first published in August 2009