The Financial Services sector considers itself one of the most heavily regulated. Understanding and complying with regulations such as Sarbanes-Oxley and the NAIC Model Audit Rule in the United States, Bill 198 in Canada, and Basel II and Solvency II in Europe is a daunting task for most financial services organisations. But this is only the tip of the iceberg: in the US there is also the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) and a wealth of state laws that regulate the privacy of personal information, such as California's SB1386, to say nothing of the myriad of other similar but radically different regulations globally. This web of complex, often confusing and ambiguous, global regulations poses significant challenges for almost all financial services organisations, whatever their area of business. It is evident from my research that the GRC solutions currently on offer do not help organisations understand and make sense of laws and regulations, as many are just sophisticated data and document management systems. Large financial services organisations may have the legal expertise to navigate the national and global regulatory maze, but the majority of organisations do not. Consequently, there is a real possibility that many financial services companies are unintentionally not in compliance with national and international laws and are at risk of attracting the attention of the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), the Federal Financial Institutions Examination Council (FFIEC) or state regulators in the US, to say nothing of the myriad of national and international regulatory agencies globally. To make matters worse, most organisations are managing complex compliance and risk activities using a combination of Excel spreadsheets and email - up to 70-80% of organisations have indicated this in various surveys.
The other 20-30% are employing a range of solutions, from standalone tools to enterprise-wide systems, that help them manage, but not completely understand, compliance with relevant laws and related risks. It seems logical to conclude that many financial services organisations are attempting to manage what they do not understand. This is surely an impossible task and one which leads to a false sense of security. This situation is made all the worse by the degree to which email and spreadsheets remain in parallel use with such systems, with the former being employed to make key decisions. This is the soft underbelly of compliance and risk, and it is confirmed by my experience with the other most regulated sector, the IT manufacturing industry.
The nub of the problem as I see it is that individual laws are typically codified in large documents written in legal jargon that defies common-sense interpretation. Even with sophisticated GRC systems, laws and regulations that possess high levels of complexity are prone to misinterpretation, whether legal terms are defined or undefined, all of which leads to a high probability that poor or incorrect decisions will be made in relation to due diligence and compliance. Furthermore, the informal and social character of much decision making in organisations renders an audit of such decisions difficult, as the chains of evidence are buried in email threads. Research on GRC in the IT sector reveals that compliance and risks cannot be managed using such approaches.
Drawing on 5 years of empirical research with a number of Fortune 500 companies, it is clear that the missing piece of the GRC jigsaw is an information system that delivers structured data on the global regulatory environment to desktops in real time. Such a system would deliver structured legal data in context, along with expert commentary, so that users could understand complex laws, regulations and other sources that impact on GRC activities. The system would also provide sophisticated support for managing compliance-related issues and speedy responses to queries from competent legal experts. Compliance-to-Product (C2P) is, perhaps, the only information system that fulfils these criteria. Although designed to manage (inter alia) environmental compliance in the IT and related industries, C2P is being tested by GRC executives in a range of organisations across other sectors because it helps them understand complex laws and delivers the agility and ability to make compliance-related decisions transparent. Hence, users can make auditable decisions and provide accurate information to regulators and stakeholders. Moreover, C2P not only enables understanding, it eliminates the need to use email to make decisions. Remember, when the FBI and the SEC come to the door, the smoking gun of non-compliance will be found somewhere in your email server, not in your state-of-the-art enterprise-wide GRC system. Furthermore, C2P's integrated Issue Management capabilities permit all communication and knowledge sharing around GRC decisions to be made within the application, obviating the need for email. And if you are still daring enough to be using Excel, remember Fannie Mae's $1 billion-plus underestimate of total stockholder equity in 2003 thanks to a spreadsheet error, or the $1.3 billion loss that was turned into a $1.3 billion gain at Fidelity Investments in 1994 - a $2.6 billion spreadsheet error.
In fact, most spreadsheet errors go unreported or unnoticed - all of which is indicative of compliance or due diligence problems. However, in my view one of the most important features of C2P is that it provides an organisation with a corporate memory of how and why decisions were made, thus enabling the double-loop learning that underpins competitive advantage. The most powerful example of having such a system is that in the past year one Fortune 100 company saw its NASDAQ share price rise as a result of information managed by C2P. The foregoing indicates why companies like Apple Inc. decided to adopt C2P, as it enables them (a) to stay years ahead of global regulation and to design products for future markets; (b) to recognise and understand the inherent complexity in global regulations and to manage compliance and risks; (c) to save time and money, especially legal fees; (d) to deploy smaller and more efficient GRC teams; and (e) to be agile in making auditable decisions on complex regulatory issues at all times.