Technology developments in many business areas will have strong impacts on important aspects of risk and compliance management in 2014. This paper summarizes leading current risk and regulatory issues, as well as some key relevant technical developments and trends in four major industries. These are financial services, energy and power, information technology and telecommunications and health care.
Risk and compliance are increasingly important areas for corporate executives and Board members in many industries, notably including those discussed here. The Wall Street Journal recently published articles on challenges facing corporations in meeting compliance requirements from a rapidly growing number of regulations. The growth in the size of corporate compliance staffs and in their compensation illustrates this increasing importance. Furthermore, many new Chief Compliance Officers now have direct reporting relationships to top executives and their Boards. Because demonstrating regulatory compliance often requires providing sensitive corporate information to government and service provider organizations, the increase in secure compliance and collaboration platforms is another indicator of growth.
Technology developments lead both to compliance problems and to compliance solutions. Products based on new technologies may lead to unforeseen consequences and potential compliance failures. There are many examples of such compliance issues arising from new technology developments in several industries. One example that is common to many industries is that arising from the “consumerization of IT.” The growing trend of allowing the use of employees’ personal smartphones, tablets, etc. to access corporate information helps to enable convenient mobility for employees, but can also create a variety of security and privacy compliance problems. Many organizations address these issues with a combination of technology monitoring systems and new corporate policies and business processes. Their uses will be actively debated in 2014.
In this article, we discuss developments in the above four industries. While other industries face similar issues, these four are sufficiently significant to illustrate the challenges and developments that are most important in 2014.
Implementation of the Dodd-Frank legislation is beginning. The Securities and Exchange Commission (SEC), the Federal Reserve, the Commodity Futures Trading Commission and the Treasury Department have completed many new rules. The law firm Davis Polk operates a Dodd-Frank Progress Report website that reports that as of January 2, 2014, “201 of the 398 total required rulemakings have been finalized, while 110 rulemaking requirements have not yet been proposed.” These numbers do not begin to convey the complexity of the legislation and regulatory implementations that involve many documents with thousands of pages.
There are commercial and in-house systems that track changes in the legislation and regulations and present workflows for implementation and compliance tracking. Given the scale of this regulatory framework, it is clear that large-scale information systems are necessary for major corporations to achieve compliance and to mitigate associated risks. The success of systems implementation and operations in this dynamic environment is critical for corporations in 2014.
Significant in this legislation are the mandated stress tests that require banks to demonstrate that they have sufficient capacity to survive financial crises. Relevant technology developments include innovations for stress testing institutional positions and for analyzing and mitigating systemic risk globally. As the Congress developed Dodd-Frank, several firms in the capital markets risk and regulation business developed stress-testing offerings. Compliance with ongoing developments from Dodd-Frank is a high priority for financial services in 2014 and for many years to come.
There are many other areas of risk management and compliance requirements in the financial services industry. The SEC seeks to protect investors through their “National Exam Program.” SEC examiners test registered entities, including broker-dealers, investment companies, trading exchanges and many others for compliance with SEC regulations. The examination program stimulates compliance within the financial services industry, intending to protect investors and markets. On January 9, 2014, the SEC published 2014 priorities for the National Exam Program. Fraud detection is a notable priority.
The SEC will implement new fraud detection systems for their operations and evaluate firms for compliance with measures intended to detect fraudulent practices. New technology developments in “big data analytics” and “machine learning” enable significant improvements in fraud detection systems. Gartner estimates that the fraction of large global companies using big data analytics for fraud detection and related applications will triple in the next few years. Moreover, these companies will have positive returns on their investments within six months.
Such technology developments are essential for financial firms to manage risks and to meet growing compliance requirements. This year will be very active in these areas for financial services.
Energy and Power
Mitigating the adverse impacts of climate change has been a priority for the Obama Administration since 2009, and this priority is prominent in The President’s Climate Action Plan, published in June 2013. The most credible approaches to mitigating these adverse impacts are significant technology developments. Current regulatory proposals intend to stimulate research in many concepts and technologies and to create significant demonstration programs. These developments may come from improvements in alternative energy sources such as solar and wind generation systems, from improved efficiency techniques like smart grid systems and from improved energy storage technologies. The future of regulatory measures will reflect the relative successes in these alternative approaches.
On November 26, 2013, the White House published the “Current Regulatory Plan and the Unified Agenda of Regulatory and Deregulatory Actions.” The “Regulatory Plan” defines priorities and provides information about the most important regulatory actions that federal agencies, including the Environmental Protection Agency (EPA), plan for the coming year. The EPA plans focused mainly on addressing climate change, chemical security and clean air and water.
The EPA 2014 priorities include Rule 2060-AR33, “Standards of Performance for Greenhouse Gas Emissions from Existing Sources: Electric Utility Generating Units.” There are about 6,500 existing power generation plants in the U.S., and there are no legal limitations on their carbon emissions. The intent is to mitigate the effects of the emissions on climate change. These new regulations, based on authority under the Clean Air Act, will have significant impacts on electricity prices and on the reliability of the power grid. The EPA acknowledges that they “do not have any estimates regarding the benefits and costs of this action, but expect it to be a significant regulatory action with annual effects on the economy exceeding $100 million.” There are many new technologies in development for limiting greenhouse gases, notably including carbon capture technologies. However, there are many questions about their feasibility and cost effectiveness on a large scale. Consequently, there will be considerable debate this year on implementation possibilities.
Hydraulic fracturing, also known as fracking, is a process used to extract oil and natural gas. This relatively new energy technology has a potentially transformational impact on the U.S. energy industry and balance of trade. Fracking has dramatically increased the amount of natural gas accessible to drillers in the United States. In some cases, it is exempt from U.S. regulatory laws, but its potential environmental impacts are highly controversial and there are now some regulations in effect, often at the state level. Because of the potential for economic and environmental impacts, fracking and its impacts will be a very contentious area for risk management and regulation in 2014.
Information and Telecommunications Systems and Services
Cybersecurity threats and privacy concerns are major issues for providers of information and telecommunications systems and services. On February 13, 2014, the National Institute for Standards and Technology released the “Preliminary Cybersecurity Framework” in response to the President’s Executive Order last year. This framework addresses cybersecurity and privacy for critical infrastructure, which includes the major U.S. industries, notably those discussed in this article. Even though compliance is “voluntary,” some members of the American Bar Association say that a failure to comply could be a major issue if a corporation became involved in litigation or an investigation related to cybersecurity or privacy.
Additionally, new directives from the Department of Defense will require companies in DOD contract supply chains to implement new measures for securing their information. The DOD is attempting to increase the security of the defense industrial base through their acquisition program. Compliance with these new DOD federal acquisition regulations will be difficult for many of these companies, and there has been considerable reaction within the industry. However, it is also clear that some actions have been taken to improve overall cybersecurity in this industry.
The growth of social media, mobile and cloud computing has introduced new risks and compliance questions. There are many new technology developments to mitigate cyber risks and protect privacy, notably advanced encryption technologies that are both light-weight for mobile users and more resistant to code breaking. The pace of these encryption developments has increased since the NSA disclosures last June. However, technology developments alone will not resolve all of the issues in the current debates over security and privacy associated with information technology and telecommunications systems and services. New federal legislation in cybersecurity and privacy does not appear likely. However, these other approaches though executive orders and acquisition policies will create significant compliance challenges in 2014.
Health Care Services
The implementation of the Affordable Care Act legislation creates many new services and regulatory issues. The technical problems of the health.gov site illustrate some of the challenges in addressing the complexity of this legislation. A hearing of the House Committee on Science, Space, and Technology on January 16, 2014 entitled “Healthcare.gov: Consequences of Stolen Identity” highlighted some of the many technical problems with this system’s implementation.
Many new approaches to the delivery of health care services involve new technology developments, notably cloud and mobility technologies. The date for compliance with the HIPAA and HITECH legislation arrived last September after a four-year period following the enactment. Accordingly, these new developments must comply with these federal laws in this first full year under this legislation. Using improved workflow processes, mobile and cloud technologies can enable more engagement by patients. However, these developments must mitigate many cybersecurity threats, notably identity theft, and must address the many requirements for patient privacy. Compliance and enforcement in these areas are still new, and 2014 will see many developments.
While the details of compliance and technology developments in the above four industry sectors differ, they have certain characteristics in common. Notably, they are all experiencing increasing regulation and compliance requirements. They are all applying additional resources to address these issues. There will be many debates and even legal actions in order to resolve these many issues. 2014 will be a very interesting year for corporate risk management and regulatory compliance.
 R. Ensign, “The Morning Risk Report: Companies Trying Harder to Get Compliance Right,” Wall Street Journal, Risk and Compliance Journal, 17 January 2014.
 B. Taylor, “Use the Key Levers of Process to Ensure BYOD Success,” Gartner Inc. Report G00250199, 25 April 2013.
 No examples cited here since I do not want to imply endorsement
 A. Litan, “Reality Check on Big Data Analytics for Cybersecurity and Fraud,” Gartner Report G00257721, 16 January 2014.
 The White House, “The President’s Climate Action Plan,” June 2013 (available at www.whitehouse.gov).
 This follows the 2012 emission standards for reducing greenhouse gas emissions from new electric power plants.
 EPA, “Breaking Through? Evaluating Technologies for Greenhouse Gas Mitigation,” Science Matters, 2013.
 K. Hassett and A. Mathur, “Beneﬁts of Hydraulic Fracking,” Oxford Energy Forum, February 2013.
 C. Davis, “The Politics of “Fracking”: Regulating Natural Gas Drilling Practices in Colorado and Texas,” Review of Policy Research, Volume 29, Number 2 (2012).
 Inside Cybersecurity, “Attorneys discuss future of framework, cybersecurity regulations in 2014,” Insidecybersecurity.com, 14 January 2014.
 Secretary of Defense Charles Hagel, “Safeguarding Unclassified Controlled Technical Information,” 10 October 2013.
 Department of Defense, “Defense Federal Acquisition Regulation Supplement: Safeguarding Unclassified Controlled Technical Information (DFARS Case 2011–D039), Federal Register, 18 November 2013.
 B. Runyon, “2014 Strategic Road Map for the Real-Time Healthcare System,” Gartner Report G00253192, 19 December 2013.