Hard-Boiled Compliance

NOTE: This originally appeared on this date at Quest Software's ToadWorld, on the expert blog "John Weathington's Quest for Compliance". The link to the actual ToadWorld article is at the bottom.

What’s the best kind of problem to deal with?

A problem that never happens.

Earlier, when I was training to be a facilitator, my instructor emphasized something that you’ve probably heard before. She kept saying, “Prevention over Intervention.” The context was of course, in facilitating through a meeting. She taught us that, if you setup ground rules at the beginning of a meeting, and get everyone to agree to them, the rest of the meeting will go much smoother. In practice, I’ve found she was absolutely accurate. Another popular locution that has been popularized over the years is, “An ounce of prevention is worth a pound of cures.” Phrases like this resonate well with me, so I’d like to present to you my golden gem of controls:

John Weathington’s Golden Gem of Controls: One effective preventative control is worth a thousand non-preventative controls.

Keep this in mind as you and your team are navigating the landscape of risk control. In my perspective, there are only four types of controls, and they deal in two different dimensions; timing of the risk event, and risk property. For timing, you’re either dealing with a risk that will occur, or a risk that has occurred. For risk property, you’re either dealing with the cause of the risk, or the impact of the risk. It’s really that simple. So, if you look at all the permutations of the referenced dimensions, you have the following four types of controls:

1. Corrective Controls are controls that deal with the cause of a risk that has already happened.
2. Adaptive Controls are controls that deal with the impact of a risk that has already happened.
3. Preventive Controls are controls that deal with the cause of a risk that may happen in the future.
4. Contingent Controls are controls that deal with the impact of a risk that may happen in the future.

Since fraud is a hot topic these days, let’s use that as an example. Let’s say we’re trying to control the risk that corporate executives will fraudulently back-date options, so that they can cash in big ( not such a far stretch ). One cause of this might be too much collusion in the upper ranks. Usually these kinds of activities are pulled off because the CEO, CFO, and other high ranking officials in a company are all working together. The key impact that the SEC is worried about, is the misrepresentation of financial data ( i.e. executive compensation ), that has now just occurred due to the fraudulent activity.

We can control this in a number of ways. A corrective control would be huge fines and jail time for the guilty senior management. Remember, they caused it, and the fraud has already happened.

An adaptive control would be some sort of settlement to the shareholders that were impacted. Executive compensation will have to be restated, and that will probably cause the company’s stock to suffer. A settlement to all the shareholders would be an adaptive way to handle this, as the fraud has already happened, and you’re taking care of the impacted parties.

An example of a contingent control would be to setup a Fraud Fund, in the anticipation that something like this might happen. The fraud hasn’t happened, and might not ever happen, but if it does, a fund is available to compensate impacted shareholders.

Of course, I’m saving the best for last. A preventive control is always the best choice. An example of a preventive control would be to setup an independent agency that audits the option issuing process, before it can be authorized for execution. You are taking measures to treat the cause of the problem ( collusion ) before the fraud actually occurs.

Of course all controls need to be effective. An ineffective control, isn’t really a control, it’s just a drain on resources.
So, since preventive controls are the ideal situation, let’s talk about some architectural considerations for supporting them. Here are three areas of your company’s data system infrastructure, where preventative controls can be realized:

Tap into the Transactional System

This is the most effective, and obviously the most challenging. If you’ve followed my work, you know I advocate the construction of a Compliance Data System ( CDS ). Although the CDS can be leveraged, what we’re talking about here is outside the scope of any downstream system. Since transactional systems come in all shapes, sizes, and forms, I can’t advise you on any specifics; however I can leave you with some goals. You need to be able to prevent an action from happening, based on a recognized condition. For instance, to control for data privacy, you may need to block an unauthorized request to view sensitive personal data. If your transactional system centralizes it’s action processing ( popular design consideration in web applications ), this is a good place to inject these rules.

To leverage the CDS, make sure the rules are documented, and the violations are captured. Develop a log that records all violations, and make it tamper proof. This information can then be downstreamed by the CDS for compliance related analytics.

Build a Compliance Operational Data Store

Leverage the Operational Data Store ( ODS ) concept from the data warehousing community, to build a compliance operational data store. This will be a part of your comprehensive compliance data system. To create any kind of preventive control outside of the transactional system, you will need leading indicators, and a fast response system. An example of a leading indicator, might be an inappropriate approval, since an inappropriate approval could lead to fraud down the line. Your compliance operational data store should catch this, and flag it as a potential problem, before it becomes a real one.

Leverage your Compliance Data Warehouse

Just because your data warehouse is downstream and strategic, doesn’t mean that it can’t be used for preventative controls. Fair-Issac has made an extremely profitable business purely around this concept, and the adoption of the FICO score. You can use your strategic data and advanced data mining techniques to identify trends that will attack the cause for future negative impact, in the same way Fair-Issac uses its proprietary data to deny credit to high risk borrowers.

Controlling risk is important and necessary. Any effective control is a good control, however a preventive control is by far the best choice. Effectively leveraging your transactional systems, and intelligent use of the operational and strategic components of your compliance data system to support effective preventive controls, is the smartest way to control risk at your company.

...read the article on ToadWorld