Hard-Boiled Compliance

NOTE: This originally appeared on this date at Quest Software's ToadWorld, on the expert blog "John Weathington's Quest for Compliance". The link to the actual ToadWorld article is at the bottom.

If your company operates like most, your compliance efforts were brought about by an urgency. For instance, perhaps your company instituted its SOX compliance program because the deadline for SOX compliance was growing near, and the filing requirement forced your company into action.

There is a bigger picture here however. In the landscape of governance, risk, and compliance, the compliance part is a by-product of risk. You’ve heard me say this before. Compliance is about implementing controls ( like Segregation of Duties ), which is about controlling risk ( like risk of fraudulent activity ).

By understanding the overlying framework, prudent companies can build a compliance program not from urgency, but from a more sensible risk standpoint. And by engaging their database professionals ( that would be you ), they stand a good chance of modeling it correctly.

But You’re Already in Compliance – Why Should You Care About Risk?

Focusing on risk is an evolution from compliance, and has the following advantages:

• Convergence – Often times, risk will allow you to combine multiple controls into one. This reduces costs, as the number of controls is in direct relation to the cost of compliance.
• Identifying Control Weakness – Focusing on the risk allows you to address the real issue of potential loss, and derive controls instead of arbitrarily implementing them based on a demand. For instance, Segregation of Duties is only one way to control the risk of fraud. Only by focusing on the risk itself ( fraud ) can you properly control for it, which may entail multiple controls, of which the key control may not even be a Segregation of Duties control.
• Alignment with Strategic Objectives – In the framework presented, compliance and risk are supporting elements to strategic objectives. There’s no way to get compliance in alignment with strategic objectives, without bridging it through proper risk analysis.

Modeling Uncertainty

Risk is uncertainty – it’s that easy.

For some reason, trying to model uncertainty seems to give people problems, but it’s actually pretty simple. In our example above, the risk is fraud. We are uncertain if fraud is going to occur. And since the impact of fraud is probably pretty severe, we need to control for it – and this is the birth of compliance. Segregation of Duties is one way to do this. So what the regulators will suggest is that you focus on Segregation of Duties, and that’s what you implement. They’ve taken it upon themselves to assess the risk and recommend appropriate controls.

But now your company wants to be a little more mature about compliance, so they ask your help on profiling the risks that are being controlled. Here’s where you start:

• RISKS
  • RISK_ID – Unique Identifier of the Risk
  • RISK_NAME – Name the risk ( i.e. fraud )
  • PROBABILITY_GUAGE – The probability that the risk will occur. A number between 1 and 100.
  • IMPACT_DESCRIPTION – A general description of what will happen if the risk occurs.
  • IMPACT_COST – A quantitative measure of what it will cost if the risk occurs.
  • IMPACT_GUAGE – A degree of impact, expressed in terms of a scale from 1 to 100.
  • DETECTABILITY_GUAGE – How easy it is to detect the risk. A number between 1 and 100.

This is a good starting point for modeling the pure risk. If you have a compliance program already in place, do an exercise for each control to explore the risk that’s being controlled.

Completing your Risk Model

To finish out your risk model, you will need to consider the following tables:

• RISK_INDICATORS - There will be a many to one relationship between RISK_INDICATORS and RISKS ( a risk can have multiple indicators ). In this table will be the probability ( INDICATOR_PROBABILITY ) that if this event shows up, a risk is soon to follow. You will also want to track the lead time between the risk indicator and the risk occurrence.
• RISK_CAUSES - There will be a many to one relationship between RISK_CAUSES and RISKS ( i.e. a risk can have multiple causes ). This is, in essence, all the entries in the RISK_INDICATORS table with an INDICATOR_PROBABILITY of 100%.
• CONTROLS - Ah, this is where you started! Obviously, your controls table will contain all the ways you are controlling your risk. Of course once the analysis is under way, you may modify this table with more or less entries. The key here that you did not have before, is now you have a link between your risks and controls. The link is many to many, so you’ll need to introduce an associative table ( i.e. RISK_CONTROLS )

This should get you started in profiling the risks at your company. Once complete, with some simple reporting your company will have a very good picture of where it’s exposed, and your auditors will have an easy time understanding your compliance control structure.

...read the article on ToadWorld