Cross regulation compliance

Just another ‘necessary evil’ is what comes to many a mind when considering the endless wave of regulatory and legal mandates. With corporations diversifying both geographically and materially in their pursuit of new markets and profits, the ability to simultaneously juggle Sarbanes-Oxley, MiFID, AML, Basel II and so on is rarely considered a business opportunity. When you add internal standard operating procedures or additional operational policies from business partners, it becomes clear that a holistic plan to address all of these mandates, as well as those to come, would be the best way to achieve compliance while maintaining profitability. Why then does the corporate culture still veer towards unsustainable, one-time, silo-based compliance projects? How do we make compliance ‘pervasively achievable’ and maybe even a competitive advantage?

For many organisations, the multiple governance, risk and compliance initiatives seem like insurmountable barriers. Yet indications suggest that the trend toward increased regulation is set to intensify in the coming months and years. In addition to the regulations already in place, the UK finance industry alone faces as many as 20 new EU initiatives due in the next three years.

Michael Rasmussen, Vice President of Forrester Research, sets out the challenge nicely, “Frequently, individuals or departments get bogged down in one area of compliance, such as SOX or privacy laws, but fail to realise that compliance is an octopus-like challenge. Managing this many-tentacled beast requires that an organisation establish a technology architecture for governance, risk, and compliance.”

Yet culture and habit prevail, and holistic, integrated strategies are often passed over in favour of one-off, compliance-specific projects that do not account for the significant overlap across multiple regulations. Each time a new mandate is introduced or changes occur, there is a mad rush to develop yet another audit checklist or to modify existing checklists, introducing a vicious, overlapping cycle. There is also the need to review all of the relevant software applications that correspond to specific compliance requirements. The consequence is costly in terms of duplicated effort, soaring costs, disparate technology solutions, and counterproductive remediation efforts that often go undetected until the next testing cycle occurs.

Where then are the executives with a holistic view of all the industry and regional mandates facing their organisation? Where is the corporation’s ability to make fully informed decisions? Without it, companies remain vulnerable to the increasing complexities and interdependencies of enterprise risks.

Converging efforts to achieve compliance across multiple mandates while simultaneously enjoying a return on investment may seem like a complete paradox. It clearly calls for a paradigm shift across the entire organisation, starting with senior management. Looming compliance deadlines, fear of financial losses and damage to reputation, tightening budgets and pressure to improve the bottom line mean this concept of convergence can be a hard sell to those who can shepherd in change. However, even the toughest critic must admit that the current labour-intensive, fragmented approach isn’t sustainable in the long run.

Forward-thinking organisations are recognising that critical business processes such as reconciliation and exception management form a “foundation” layer upon which financial governance can be built; that is why it is where the auditor typically starts. A two-pronged cross-compliance strategy can be devised: the first prong emphasises the need for clean, reliable data to drive risk analytics, and the second prong emphasises control activities, including approvals, authorisations, verifications, reconciliation of totals and transactions, and segregation of duties. Taken together, it becomes clear that reconciliation and exception management best practices enable an array of compliance initiatives, including SOX, Basel II, MiFID and Solvency II. By applying a cross-compliance strategy based on these foundation processes, organisations can better leverage IT investment and resources.

When reviewing process automation systems, opportunities exist to identify and collectively review business processes that are relevant across multiple governance, risk and compliance initiatives. By abandoning the myopic approach to business process review across all of these workflows, potential problems and improvements can be identified and applied simultaneously across compliance initiatives.

In short, no one will argue that you have failed to achieve your compliance goal if a 15-step manual business process delivers effective internal controls. However, if a brief review of this business flow could produce a 5-step process largely managed by automation, your benefits will clearly extend beyond compliance alone.

The moral of the story: bare-minimum, silo-based projects may lead to bare-minimum compliance at a hefty cost. Without a more strategic, integrated approach, your organisation is not only perpetuating the rising cost of compliance and its reputation as a necessary evil; it is also likely leaving ‘free’ money on the table. Who knows, business process improvements, automation, or potential functional centralisation under a holistic approach to cross-compliance challenges might even deliver competitive advantage.

Tom McEvilly, director, global sales strategy, CheckFree