Wow, and what a month it’s been for compliance! When I started writing this article, the furore over the LIBOR rate fixing hadn’t hit the headlines. When it did, probably like you, I was outraged by the conduct of banks and bankers who were embroiled in yet another fiasco. It seems only fitting then, that we should be considering compliance at a time when it appears to have failed so egregiously.
To me, several questions were apparent in light of this event. Over the coming weeks, months and even years, I expect many of them will be answered by the establishment in far more detail than I could ever do justice in the time available. But with an interest in this area and with the opportunity to tackle some of the issues, why not consider the following with me:
Before we delve a little deeper, my original aim was to ask whether you or your colleagues run compliance audits either mostly on a sample basis or using spreadsheet analysis. The use of data analytics in compliance is already assured. So many departments have embraced technology like ACL’s AX server that it is here to stay. No question. But for those who haven’t, now is the time to consider it, if only to prevent yourself slipping behind the competition. Relying purely on spreadsheets and sample based audits is a risky and time consuming proposition. When it matters, data analytics deliver where other methods cannot. It needn’t be expensive or time consuming, but with a little effort it can be made robust, fast and repeatable.
If your compliance department hasn’t yet embraced data analytics, then get them to consider our take on compliance. If they’d like advice on how we can help them catch up with their competition then please ask them to get in touch.
A very famous online encyclopaedia describes regulatory compliance as:
“In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that corporations or public agencies aspire to in their efforts to ensure that personnel are aware of and take steps to comply with relevant laws and regulations.”
Where failure to adhere to regulation leads to enormous fines and untold reputational damage, one surmises that it is always in the company’s best interest to adhere to the rules. The role of the compliance department is therefore to ensure that the company avoids making any serious errors in this regard. This is done by educating and advising the business in respect of the rules, by engineering processes and controls such that the rules are hard to break, and by monitoring business activities to ensure that the rules are not broken or, if they are, to identify breaches and put remedial action in place. But is it ever that simple?
There are two ways that compliance can fail in an organisation: intentionally and accidentally. How that failure comes about dictates the size of the fine but, perhaps more importantly, the fallout after the event. Responsible businesses recognise that they have an obligation to customers, and to themselves, to own up to wrongdoing. But of course recognising and acting are two different things. There are many factors that influence the decision to report. No business wants to be pilloried, or made a scapegoat for a wider failure within the market, and for this reason businesses are sometimes reluctant to blow the whistle; not to mention the effect on one’s glittering career when they do. Not everyone is willing to throw themselves on their sword.
Why does regulatory compliance fail? From my anecdotal experience, for the large part it’s accidental. From what I’ve seen, no one sets out with the intention of breaking the law. Of course, there will always be a small and persistent minority of people who bend and break the rules to suit their own ends, but wayward elements exist in all walks of life – you can’t regulate unscrupulous behaviour. Call me naïve if you want but, for the most part, I believe the majority of people and businesses are decent and honest. They would rather do the right thing.
So why does compliance fail? Budgets are constrained and processes aren’t foolproof; you can put regulation in place but, of course, it only works if people follow it. And, as the systems and processes are operated by people, they are just as fallible. What’s more, with the ever increasing complexity of law and regulation, businesses consistently fall short of the mark because they fail to keep pace.
But, I hear you cry… when it costs so much when things go wrong, why isn’t more being done to prevent breaches? Of course, there’s always more that can be done. But for many, the cost when they fail to meet their regulatory obligations is simply the cost of doing business. So long as fines are affordable and management isn’t personally liable, it is simply a balancing equation: the risk of a breach weighed against the continuing cost of prevention. And whilst businesses don’t set out to miss their regulatory targets, the balance that’s struck isn’t always the correct one.
On the one hand, some argue that paying for compliance is a bet against the business: the more you spend, the more you draw attention to the fact that you don’t trust your own processes. Others say that it’s wasted money, in that you’re trying to stop something from happening that hasn’t happened yet. Whilst many argue that more should be spent on compliance, there is no ignoring the fact that budgets are constrained. But given the constraint, is there a way to improve how we conduct our compliance activities to make that money go further; to put it to better use?
The dilemma is this: There is always room for improvement. But to improve sometimes means admitting there are problems. The challenge then is to be open to change, whilst finding a way forward that doesn’t prejudice past practices.
Culture: The culture of the organisation dictates how employees approach regulatory compliance. This is always set from the top. If management doesn’t care, why should anyone else? Get the tone right at the top and one might expect everything else to follow suit.
People: Having the right team in place to manage regulatory compliance is vital. They are the people who police it, who put in place the apparatus to stop issues from arising, and to monitor the on-going situation. Get that right and you at least have a fighting chance.
Approach: The approach to compliance is set both by the culture and the people and, to an extent, by the budgets that are allocated to them. There are two approaches to compliance I would like to consider: reactive, and proactive.
Use of sample based and spreadsheet driven auditing is primarily reactive. It works as a deterrent but as a detection method achieves limited success. When it comes to assurance, organisations know that for the transactions checked, requirements were adhered to at the time of checking. But when things go wrong, there can be a significant lapse in time between when it happened and the point of detection; significant volumes of work will have been performed in detecting this anomaly, and now that it has been found, the extent of the problem still needs to be established. Clearly then, more time and more effort are required after the fact.
Consider for a moment that a change to software allowed illegal trades to take place. The change occurred in March. Our audit took place in December, identifying problematic trades in June. Without checking every transaction, how would we know when the problem had arisen, the extent of the problem, and what we should do about it? Enter data analytics.
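As an added illustration of the December-audit scenario above (example code written for this page, not the author’s or ACL’s), the script below builds a constructed year of trades under an assumed rule (notional must not exceed the counterparty’s approved limit, with the limit check assumed to have stopped working after a March software change) and compares a full-population scan against one-in-n samples: the full scan gives the onset date and the extent in a single pass, while the samples either find nothing or place the onset weeks late.

```python
from datetime import date
from typing import Iterable, List, NamedTuple, Optional

class Trade(NamedTuple):
    trade_id: str
    booked: date
    counterparty: str
    notional: float
    approved_limit: float

class Finding(NamedTuple):
    first_breach: Optional[date]  # earliest breach among the records checked
    breach_count: int
    records_checked: int

def build_trades(year: int = 2012) -> List[Trade]:
    """Constructed population (not real data): one trade per day. From a hypothetical
    software change on 12 March, every fourth trade is assumed to be booked over limit."""
    change = date(year, 3, 12)
    first, last = date(year, 1, 1).toordinal(), date(year, 12, 31).toordinal()
    trades = []
    for i, ordinal in enumerate(range(first, last + 1)):
        booked = date.fromordinal(ordinal)
        notional = 750_000.0
        if booked >= change and i % 4 == 3:  # 12 March 2012 is day index 71
            notional = 1_250_000.0
        trades.append(Trade(f"T{i:04d}", booked, f"CP{i % 7}", notional, 1_000_000.0))
    return trades

def is_breach(t: Trade) -> bool:
    """Assumed rule: notional must not exceed the counterparty's approved limit."""
    return t.notional > t.approved_limit

def full_scan(trades: Iterable[Trade]) -> Finding:
    """Continuous-monitoring approach: every transaction is checked, so the
    onset date and the extent of the problem fall out of the same pass."""
    population = list(trades)
    breaches = [t for t in population if is_breach(t)]
    first = min((t.booked for t in breaches), default=None)
    return Finding(first, len(breaches), len(population))

def sample_audit(trades: Iterable[Trade], every_nth: int) -> Finding:
    """Sample-based approach: only every nth record is inspected."""
    return full_scan(t for i, t in enumerate(trades) if i % every_nth == 0)

if __name__ == "__main__":
    trades = build_trades()
    print("full scan:", full_scan(trades))         # onset 12 March, 74 breaches
    print("1-in-10  :", sample_audit(trades, 10))  # no breach found at all
    print("1-in-7   :", sample_audit(trades, 7))   # onset reported as 1 April
```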
Over the years, many organisations have recognised that sample based auditing can leave holes in assurance that hide all manner of ills. When it comes to regulatory compliance, of course, every transaction is in scope. Just one single wayward event can land the business in trouble. Spreadsheeting has managed to bridge that gap, allowing the scanning of transactions in bulk, but it is time consuming, resource hungry, and limited by the number of records in the spreadsheet, not to mention the capabilities of the tool to join and search data. In response, many organisations have incorporated continuous monitoring solutions such as ACL’s AX server into their compliance function, providing management and compliance departments with an early warning system built on data analytics. The tool turns over every single event and transaction to look for problems, raising the alert before situations become serious. Solutions such as ACL won’t always stop collusion, but it can go a significant
Can we ever stop the rot? In truth, there is always more that can be done to bolster compliance. But so long as fines are affordable and management isn’t personally liable, compliance will always be a balancing act with, on the one hand, management weighing up the cost of continuous prevention, and on the other, their perceived risk coupled with what they think it might cost. We will never be able to prevent collusion, or legislate against the prevailing culture of an organisation, but for those who focus on doing the right thing, movement from reactive to proactive compliance, coupled with an investment in technology, means that budgets can go much further than they’ve ever gone before.
Technology is already here. To avoid slipping behind the competition, compliance departments should already be considering the use of data analytics, planning to incorporate them at the heart of their activities. Sample based audits and spreadsheets have their place, but departments that can see a place for fast and robust analytics would benefit from a discussion with us.