
Dr. Tom Butler explains the need for information systems that provide sophisticated support in managing compliance-related issues.
“This web of complex, often confusing and ambiguous global regulation poses significant challenges for the majority of financial services operations, whatever their area of business.”
-Tom Butler
The financial services sector considers itself one of the most heavily regulated; firms operating in the IT manufacturing sector would beg to differ. Nevertheless, understanding and complying with regulations such as Sarbanes-Oxley and the NAIC Model Audit Rule in the United States, Bill 198 in Canada, and Basel II and Solvency II in Europe is a daunting task for most financial services organizations.
But this is only the tip of the iceberg. In the US there are also the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) and a wealth of state laws regulating the privacy of personal information, such as California's SB 1386, to say nothing of the myriad regulations globally that look similar on the surface but differ radically in their detail.
This web of complex, often confusing and ambiguous global regulation poses significant challenges for the majority of financial services operations, whatever their area of business. IT-based Governance, Risk and Compliance (GRC) solutions are posited as the answer for organizations that wish to coordinate their governance, risk and compliance processes, reduce the cost of audits, streamline compliance reporting, identify and reduce risks, and make better decisions.
It is evident from my research, however, that the GRC solutions currently on offer do not help organizations understand and make sense of any of these regulations, as many are just sophisticated data and document management systems. This matters because individual laws are typically codified in large documents written in legal jargon that defies common-sense interpretation. Even with sophisticated GRC systems, highly complex laws and regulations are prone to misinterpretation, whether or not their legal terms are defined, and the result is a high probability of poor or incorrect decisions in relation to due diligence and compliance.
Furthermore, the informal and social character of much organizational decision-making makes such decisions difficult to audit, because the chains of evidence are buried in email threads.
Five years of empirical research with a number of Fortune 500 companies make it clear that the missing piece of the GRC jigsaw is an information system that delivers structured data on the global regulatory environment to desktops in real time. Such a system would deliver structured legal data in context, along with expert commentary, so that users could understand the complex laws, regulations and other sources that bear on GRC activities. It would also provide sophisticated support for managing compliance-related issues and deliver speedy responses to queries from competent legal experts.
Compliance-to-Product (C2P) is, perhaps, the only information system that fulfils these criteria. Although designed to manage environmental compliance (among other kinds) in the IT and related industries, C2P is being benchmarked by GRC executives in a range of organizations across other sectors because it helps them understand complex laws and gives them the agility to make compliance-related decisions transparent. Hence, users can make auditable decisions and provide accurate information to regulators and stakeholders.
Moreover, C2P not only enables understanding; it also removes email from the decision-making process. Its integrated Issue Management capabilities allow all communication and knowledge sharing around GRC decisions to take place within the application. Most importantly, this gives the organization a corporate memory of how and why decisions were made, enabling the double-loop learning that underpins competitive advantage.
This was the motivation for companies like Apple Inc. to adopt C2P: it enables them to stay years ahead of global regulation and to design products for future markets. It allows them to recognize and understand the inherent complexity of global regulations and to manage compliance and risk, while saving time and money, especially legal fees. It also lets them run smaller and more efficient GRC teams, make the right decisions, audit those decisions quickly, and hit the ground running on complex regulatory issues at all times.
Dr. Tom Butler is a Senior Lecturer at University College Cork, Ireland. Among his research interests are Environmental Compliance Management Systems and the evaluation of Governance, Risk and Compliance (GRC) applications. In 2009, he received a Research Fellowship from the Irish Government to conduct research on Green IT.