Similar to self-driving cars after the development of autonomous technology, business intelligence can sense the environment and navigate the compliance landscape with minimal human input.
By Hernan Huwyler, governance, risk and compliance specialist for multinational companies
Organizations are addressing numerous compliance challenges triggered by new regulatory requirements, aggressive enforcement, record fines, business transformation, emerging risks and large scandals in corporate governance. They are struggling to focus their ethics and compliance programs to respond to the continually changing risks and expectations of stakeholders while trying to avoid both, the compliance fatigue and the “paper” compliance.
Leading on from this, the importance of automating compliance has dramatically increased over the last years to expand the scope of monitoring. Manual testing of compliance controls are not cost-effective, or even possible, in the times of big data, cloud computing and emerging technologies. Compliance checklists working in silos are gone forever… and for good.
Business Intelligence includes tools, software solutions and technological strategies to interpret a large amount of data for the decision-making. It allows analyzing big data in all business applications to predict trends and risks get real-time reports and benchmark complex transactions against pre-defined rules. Similar to self-driving cars after the development of autonomous technology, business intelligence can sense the environment and navigate the compliance landscape with minimal human input.
How exactly do you automate compliance monitoring tools to support business intelligence?
A large number of solutions and consultancy services to support an integrated model for compliance monitoring is available from niche to large advisory firms. However, the real impact in the compliance function is not yet clear. Once an intangible buzzword, business intelligence is playing a role for compliance motioning by setting a transparent system to orchestrate control and testing activities across business processes. Moving beyond spreadsheets to business intelligence tools is not only critical for the compliance officer, but for all the C-Levels.
A business intelligence tool collects and aggregates a large amount of relevant data from the ERPs, CRMs, customized tables and other systems with structured and unstructured data to automate workflows. These workflows are modeled with control exceptions to address pre-defined compliance risks. Business Intelligence primarily helps the compliance function to visualize transactions to discover non-compliance cases among policies, contracts and fraud prevention controls. They can also produce exception alarms and dashboards to outline real-time transactions for further investigation or approvals. Business Intelligence also allows the compliance function to model the control framework to monitor performance and integrate assurance.
The diversity of emerging risks requires a grounded approach to support a “compliance by design” model.
The integration of reports, controls, protocols, and key indicators into a business intelligence tool facilitates the automated detection of risks and the audit of compliance controls across all enterprise applications. A major challenge is the inflexibility of this approach to maintain the control repository for a complex and dynamic environment while using a single solution. The diversity of emerging risks requires a grounded approach to support a “compliance by design” model.
The capability to capture and to change control requirements through a common tool framework facilitates the management of the controls. Business process management, a popular framework for business intelligence, allows enforcing compliance rules. It helps to link what needs to be done (nominative compliance approach) with how the control activities should be performed by the business process owners (descriptive internal audit approach). It is essential that business, compliance, and control objectives are jointly designed to converge into a common set of control rules. In practice, regulations, compliance rules and internal controls can be complex and vague. The subject experts should translate these mandates of permissions and prohibitions, often written in legalese or technical jargon, into business rules in a control repository. These simplified business rules can trigger violation alarms and control remediation protocols that may surface.
An example for U.S. anti-boycott compliance
The scenario given as an example covers a set of simple set of rules to integrate anti-boycott controls for compliance risks in a SAP company. In this case, the business intelligence software monitors the creation of letters of credit under SAP. If a letter of credit is linked to any country belonging to the Arab League and contains boycott vocabulary, the transaction is blocked and alarms are automatically sent to compliance, legal and export directors for further review. The rule also keeps track of the number of cases with control exceptions.
A set of rules in business intelligence acts as a continuous auditing and monitoring mechanism to avoid any substantive testing and prevent compliance breaches.
Synergies between business intelligence and machine learning
ERP and business intelligence software providers are adding machine learning to improve the accuracy of the alarms and workflows triggered by business intelligence. Machine learning can substantially reduce the number of false positives in the alarms. The results are extremely promising to focus the alarms and the remediation actions on actual risks.
Hernan Huwyler, MBA CPA, is a governance, risk and compliance specialist for multinational companies. He works in developing internal controls to address business risks and legal requirements in European and American corporations and is currently working for ISS World in Copenhagen to develop its center of risk management excellence. He previously served as Risk Management and Internal Control Director for Veolia, leading governance practices in Iberia and Latin America. Hernan frequently lectures on compliance, risk management, data privacy, GDPR and auditing at top universities and business schools. Follow Hernan on Twitter @hewyler
Note: The views expressed by the author of this paper are completely personal and do not represent the position of any affiliated institution.