[Editor's note: This article was contributed to Corporate Compliance Insights by Mr. Brian Klemm, Senior Counsel & Corporate Compliance Officer at SAS. It was originally published on February 3rd, 2009. We are publishing it now because the advice is timeless and we want the many subscribers we have gained since then to have a chance to read it. Mr. Klemm can be contacted by email at brian.klemm@sas.com, or by phone at 919-531-7333]
**********
Many compliance professionals are increasingly focusing their attention on how they can prevent problems from occurring in their organizations. Perhaps the 2008 financial crisis has served as a harsh reminder that prevention is often a far less bitter pill for an organization to swallow than the cure.
While compliance professionals cannot and should not ignore the need to detect, react and respond to violations and suspected violations of law and policy, the art and science of preventing problems and the harm they inflict on organizations are fundamental to the mission of compliance leaders. Albert Einstein said, “Intellectuals solve problems, geniuses prevent them.” This holds true even years after Einstein so noted, but today compliance professionals have one advantage that Einstein didn’t have: technology.
Technology is today’s genius (or at least a key ingredient of today’s genius). It can do things individuals cannot do unaided by technology. Technology plays a critical role in both preventing and detecting violations, as well as enabling improved, risk-informed business decisions. But no matter how robust the technology, there will always be ways one can circumvent technological tools and regulatory controls. Real organizational genius combines people, process and technology by strategically integrating human resources, ethics, processes, policies, controls and technologies to better understand what happened, what is happening, and what may happen, so problems may be anticipated and prevented.
The compliance function is no longer regarded as solely a legal function, but as a broader risk management one in which professionals routinely conduct risk assessments and cost benefit analyses. In order to effectively prevent problems and manage risks, compliance professionals are implementing controls and measuring and monitoring them with metrics to evaluate how well such controls are performing. They perform analytical assessments on their collected data, evaluate whether gaps exist, analyze failures and breakdowns, and implement appropriate preventative measures.
A growing number of compliance professionals in companies across all sectors are turning to automation, such as governance, risk and compliance (GRC) software, to address not only Sarbanes-Oxley compliance and related financial oversight, but also to manage an ever expanding list of risk exposures, such as e-mail management, data privacy, export controls and IT security and governance. Some GRC vendors offer solutions that address very specific tasks for a particular industry (silo applications), while other vendors offer targeted applications that are deployed across the organization as a platform (enterprise applications). There are advantages and disadvantages to each approach, but increasingly software vendors are moving towards enterprise applications that offer organizations a choice to purchase only those specific modules they need to satisfy their particular requirements.
Technology can enhance visibility into an organization’s risk landscape – including strategic, operational, reporting, compliance, market, credit and technology related risks – and provide compliance professionals with a means to assess and manage risks, control costs, achieve efficiencies, and, ultimately, provide support for decision making. Whether using anti-fraud or credit risk tools to detect sudden, unexpected spikes or to determine the probability of default, or other applications to support corporate goals and initiatives, such as sustainability programs, organizations can benefit by using analytical tools to better understand their businesses.
If technology is such a great compliance tool, why didn’t it prevent the 2008 financial crisis?
There are a number of factors that coalesced to cause the financial crisis, some related to technology and others that have more to do with the global financial system and human nature. With the benefit of 20/20 hindsight, we have seen that certain technologies (specifically credit risk scoring and related assessment tools) used by rating agencies, underwriters, and other players in the financial services industry did not fully capture or address all of the risk factors associated with the many and varied complex financial products traded in the markets.
In some cases, risk evaluation was hindered by technologies that lagged behind new and complex financial offerings. Credit derivatives, such as collateralized debt obligations (CDOs) and other packaged offerings that contain a pool of loans with an opaque mix of risk, were improperly assessed using conventional tools and approaches that simply failed to measure risk appropriately. Because the true risk exposure associated with such securities was not correctly calculated, they were not properly valued, priced or managed as assets and liabilities. Credit default swaps were packaged within “synthetic” or structured CDOs, providing an insurance hedge for the loans and obligations within the CDOs, but the lack of transparency amplified risk because traditional risk classification and assessment models and processes employed by insurers were similarly inadequate and unreliable from an actuarial perspective, resulting in underestimated exposures.
Other contributing factors of the crisis include certain limitations inherent within the technology infrastructure of financial institutions, as well as the failure of such institutions to fully appreciate the role and limits of the technologies they employed. The genius required to prevent the financial crisis required a careful and considered blend of technological and subjective human assessments to supplement statistical models, especially when dealing with unconventional and potentially volatile products, such as CDOs. [For an excellent report on what happened and why it happened, see Deloitte’s “Risk Management in the Age of Structured Products: Lessons Learned for Improving Risk Intelligence” produced by the Deloitte Center for Banking Solutions.]
What’s in store for compliance professionals in 2009?
The business community will face a very different regulatory and financial environment in 2009 with a greater emphasis on managing risk. Systems, controls, compliance, and risk management will take a front row seat and will be addressed at high levels in organizations. Senior level management and board members will need to review, synthesize and correlate information in a more useful, succinct way. They will expect their organizations to make effective use of technology in order to forecast and assess vulnerabilities and manage risk.
At the same time, global regulatory bodies will focus on helping firms emerge from the financial crisis and take action to prevent a recurrence. It remains to be seen what specific remedial measures will be pursued, but compliance and risk-related technologies will undoubtedly play a key role to help businesses prevent fraud, abuses, and other financial malfeasance. It would not come as a surprise to see some new systems, controls, data security, assessment, and reporting obligations imposed upon businesses to fill some needed gaps. Regulators should look for a balanced, prudent measure and be sensitive to the effects any approach may have on an already anemic global economy. Rather than a sweeping, extensive body of regulations, a targeted and practical model may be a more appropriate preventative measure.
Conclusion
Compliance and risk management professionals who effectively utilize technology can make the difference between successful and unsuccessful firms, but they must be mindful not to rely on technology in a vacuum. While technology is a key piece of today’s genius, it requires people and process to effectively prevent problems.
———-
Note: SAS is a software company that markets compliance, risk and other business analytics and intelligence software to customers worldwide, including financial services firms. The views expressed herein are those of the author and do not necessarily reflect the views of SAS.
Discussion Questions for Comment Section:
- Are there areas or gaps where automation might be a more useful compliance tool?
- How can technology be improved to enable and enhance the role for compliance professionals?







