Developing Technology to Address Big Data and Cyber-Security Challenges
By Paul Liebman, CCO, The University of Texas at Austin
Process Related and Substantive Risk Challenges
There are many emerging challenges in compliance. Some are process related and others relate to substantive risk areas. On the process front, the principle concerns facing most organizations are how to best apply limited or dwindling resources to an expanding portfolio of responsibilities, and how to fully align compliance activities with the business mission and model so as to be a catalyst for strategic success. On the risk area front, most organizations are required to ramp up quickly to address Big Data and cyber-security.
In some ways, these two issues are two sides of the same coin as organizations have the capability to collect and analyze large amounts of employee and customer information but often lack the systematic capability or willingness to adequately protect that information from unwanted attacks and leaks. This issue will only become more acute in the coming years as the hackers are become more daring, sophisticated and anonymous, and our ability to access information from corporate servers and the cloud from a multitude of existing (and as yet unknown) personal mobile devices becomes easier and easier.
Understanding Organizational Mission and Individual Roles
The easiest and most effective way to link with your organizational partners is to make sure that everyone has a clear understanding of the strategic mission and their individual roles, responsibilities, expectations and authorities in furtherance of the mission. That requires having and sharing knowledge of the business model and strategy so that the most important compliance risks can be identified and prioritized. From there, you can develop necessary policies, training, and controls for everyone as well as a plan to capture and investigate and remediate allegations of illegal or unethical behavior.
“The most effective way to link with your organizational partners is to make sure that everyone has a clear understanding of the strategic mission and their individual roles, responsibilities and expectations and authorities in furtherance of the mission”
By way of example, if you know that your products are being manufactured and sold in countries with a predilection for bribery—and you know how and who is actually doing the manufacture and sale—then you can develop very targeted policies, training, and controls to address the actual risk. And internal administrative functions (e.g., compliance, audit, legal, sales, human resources, operations, finance, etc.) can work together to most efficiently implement and enforce—and when necessary—improve the policies, training and controls.
Developing Customized Compliance Programs
Technology without a strategy and plan is usually a waste of money. There are no panaceas. You must first and foremost do the hard work of understanding the organizational mission and strategy so you can develop a compliance program around the risks most likely to derail that mission and strategy. Only after that is accomplished can you properly vet and acquire technology that might cost-effectively catalyze your effort. For example, there are a myriad of tools which allow you to continuously monitor, collect and sort control failures but if you haven't designed the controls to be effective in the first place or, if you are not committed to acting on information when it's captured, then you've actually made matters worse.
Moreover, if the cadence of the business leaders in your organization is not centered around dashboards and electronic databases, then don't purchase those tools or you'll be collecting information that nobody will actually look at and use.
Advice to Fellow Compliance Officers
Align compliance program activities with the business. Don't be redundant or irrelevant. Take the time to talk to business leaders about what it is that they're trying to accomplish and work with them to understand where illegal or unethical behavior could lead to consequences that would cause business loss or interruption. Prioritize risks so that you develop the most effective policies, training and controls and then work with your administrative partners to see if there is a pre-existing process that already works well which you might be able to also use to implement your activities. Don't create a new process or purchase anything new until you've canvassed the organization to see if you really need a new process or technology. Above all, focus on building a sustainable program aligned with the business around the actual risks facing the organization even if that means slower-than-hoped-for change. It's a journey, not a sprint.