Compliance is a grudge purchase!
The result is usually a minimal spend aimed at a tactical goal: meeting the bare minimum requirements of a particular law or standard. The focus is on putting a manual process in place that addresses the letter of the law, and little more.
One compliance officer complained recently that he spends until October every year “just preparing the reports” for his particular process. This leaves him with two months in the year for planning, or for process improvement!
My belief is that a tactical approach to risk and compliance projects is ultimately not cost-effective, simply because regulatory requirements are becoming more stringent and are affecting more and more business functions.
At the same time, there are many shared objectives across laws and policies. For example, the processes and tools used to meet the PCI DSS requirement to store credit card data securely can be reused for compliance with broader customer privacy legislation, such as PoPI.
More importantly, legislation can be a catalyst for improved operational efficiency. A “single view of the customer” is a necessary enabler for risk management regimes such as Basel and Solvency (affecting the banking and insurance industries respectively), as well as for more general laws such as the Consumer Protection Act (CPA). An accurate client view is also key to an improved customer experience, and to cross-selling and up-selling.
Companies should plan their compliance projects in terms of the broader impact and value that reusable components can bring to the business. The business case for automation, for example through the implementation of data excellence and data quality platforms, should rest not just on the short-term needs of a specific compliance project, but on the broader effect these platforms will have on business efficiency.
At the end of the day, automation will enable the compliance officer to produce his reports more quickly and, more importantly, more consistently. Good corporate governance is about consistency and auditability: can we prove that we did it right, and that we did it the same way as last time?
And as a bonus, it need not take ten months to produce next year's reports. What would you do with an extra four hours a day?
This was originally published on the dataqualitymatters blog.