Risk valuation is required by financial accountability regulations, such as Sarbanes-Oxley (SOX) and Basel II. To comply, companies must document operational risks. To scope compliance efforts, they must determine a corporate risk threshold. And finally, there's the risk of jail time if you fudge your calculations. Compliance is a risky business, even if your business isn't risky.
Of course, risk is nothing new to corporate executives. It's the static electricity on the doorknob of opportunity: drag your feet, and it will zap you. Thus, with or without the impetus of legislation, most companies perform some degree of business analytics, and larger enterprises employ increasingly sophisticated business intelligence (BI) systems to identify and avoid costly contingencies. In fact, in the US alone, companies spent more than $5.5 billion on BI in 2004, a figure expected to increase to $7.3 billion by 2008, according to "Business Intelligence Driven by Compliance, Standardization, and Performance Initiatives," a Forrester Research report published last April.
Compliance and business intelligence are overlapping efforts on a continuum of enterprise risk management (ERM). Budgeting, ERP, CRM, supply chain management, and other business processes are integral to compliance because they feed the financial systems to which regulations apply. They are also subject to the technical and process controls that compliance requires. It therefore stands to reason that risk management, whether expressed in terms of compliance or any other business process, should draw on the same data sets and share common analytical elements.
If you sense there's opportunity in the alignment of BI and ERM, you're right. Consider these potential benefits:
- ERM reporting becomes more reliable if it's based on a single version of business "truth" that also supports BI
- Use of existing reporting software reduces dependency on expensive manual analysis and problematic financial spreadsheets
- Access to drill-down reporting gives auditing committees and accountable executives greater confidence in results
- BI systems adhere to technical and process controls over the management of financial data
- Companies realize business value from ERM and compliance investments
- Businesses are better able to meet SOX section 409 "real-time" reporting requirements
- Analytical software provides early warnings of trends that might impact SEC filings
The flip side of the opportunity coin is the high cost of non-alignment. In 2005, public companies reported that the IT costs of compliance run from 30 to 50 percent of the total compliance bill. Often, these costs are inflated by redundant development and manual processing. Even where sophisticated BI reporting systems are implemented, companies still slog through spreadsheets for financial analysis—particularly for ad hoc analyses, but often as the main reporting tool. Spreadsheets rarely leave an audit trail, are difficult to secure, and are prone to error from manual manipulation. Such a practice engenders a greater likelihood of noncompliance, and probably higher audit fees.
But "year-one" costs are only part of the story. Manual compliance analytics will always be expensive and error-prone. Companies that do automate compliance reporting, but do so in a vacuum, will still face scrap-and-rework costs later for reconciling complex, incompatible reporting systems.
Breaking the Compliance Quarantine
Clearly, technology is not the most significant barrier to integrated reporting. From the top down, companies must re-conceive the role of compliance in the enterprise and evaluate the processes, stakeholders, and development resources required to integrate compliance reporting into BI systems. Moreover, because BPM and compliance view risk analysis differently, companies should also understand how their reporting requirements differ.
For many, the initial hurdle is conceptual: overcoming the urge to quarantine compliance. At high levels, it's worth remembering that most regulations are good faith (if arguably misguided) efforts to standardize and mandate best practices. And, in fact, few companies deny the benefit of SOX, even if they deride compliance costs. At the end of the day, compliance is a business goal. In the same way that BI is evolving from data-focused analytics to process-driven reporting, compliance must morph from a box-checking exercise into an integrated framework for better business processes.
Companies should also strive to remove process prejudices. By nature, new legislation is disruptive: an alien imposition on the existing business mechanism. Accordingly, there's a tendency to treat each incoming regulation as a discrete project in order to minimize the impact on production systems and allow project teams to focus on meeting regulatory deadlines. The downside of this approach, however, is redundant development, ill-placed investment in incompatible solutions, an increased likelihood of error, and integration headaches down the line.
A more efficient approach views compliance holistically to standardize, simplify, and unify compliance efforts and ease the integration of compliance requirements with existing systems.
In terms of IT, most corporate legislation has recurring themes: for example, technical security, risk management, records management, operations management, and measurement and reporting, among others. Each theme encompasses a number of controls, which can be internally defined or follow an external standard, such as HIPAA, COSO, or CobiT. Any given control might apply to multiple regulations or already exist on enterprise systems. (Several resources, including ITCi's Compliance Convergence Initiative, WEDI's crosswalks, and ISACA's Information Security Harmonization, seek to document control-level alignment.)
Deconstructing existing IT processes and incoming regulations into standardized control definitions allows companies to identify control gaps and, where possible, consolidate overlapping processes so that one control satisfies several regulations. The integration of compliance and BI reporting is just one example of where this kind of control-level alignment might produce concrete benefits.
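The following is an added example, not code from the article or from any of the crosswalk initiatives it names, of what a control-level crosswalk looks like once regulations and the existing control inventory are expressed against one standardized control catalog. Every control identifier, description, and regulation-to-control mapping below is a constructed, hypothetical illustration keyed to the article's five themes; none is an excerpt of COSO, CobiT, HIPAA, or any regulation. With the data in this shape, gap analysis (controls a regulation requires that are not yet implemented) and overlap analysis (controls that several regulations share and therefore should be built once) are simple set operations, and a requirement that references a control missing from the catalog is surfaced rather than silently passing.

```python
"""Control crosswalk: regulations mapped onto one standardized control
catalog, then analysed for gaps and overlaps.

Example code added to this article. The regulation names are real, but every
control ID, description and mapping is a constructed, hypothetical illustration.
"""

from collections import defaultdict

# Standardized control catalog (hypothetical IDs, grouped by the article's themes:
# SEC = technical security, RISK = risk management, REC = records management,
# OPS = operations management, RPT = measurement and reporting).
CONTROLS = {
    "SEC-01": "Unique user IDs and role-based access to financial systems",
    "SEC-02": "Periodic review of privileged access to financial systems",
    "RISK-01": "Documented risk assessment, reviewed at least annually",
    "REC-01": "Tamper-evident audit trail for financial reporting data",
    "REC-02": "Retention schedule for financial records",
    "OPS-01": "Documented change control with approval and rollback",
    "RPT-01": "Automated, drill-down management reporting",
}

# Constructed mapping of which catalog controls each regulation calls for.
REQUIREMENTS = {
    "SOX 302/404": {"SEC-01", "SEC-02", "OPS-01", "REC-01", "RPT-01", "RISK-01"},
    "SOX 409": {"REC-01", "RPT-01"},
    "Basel II": {"RISK-01", "REC-01", "REC-02"},
}


def gap_analysis(requirements, implemented):
    """Return {regulation: sorted list of required controls not yet in place}."""
    return {reg: sorted(req - implemented) for reg, req in requirements.items()}


def overlap_analysis(requirements):
    """Return {control: sorted regulations that share it}, restricted to controls
    required by more than one regulation: build these once, evidence them once."""
    by_control = defaultdict(set)
    for reg, req in requirements.items():
        for ctl in req:
            by_control[ctl].add(reg)
    return {ctl: sorted(regs) for ctl, regs in by_control.items() if len(regs) > 1}


def unknown_controls(requirements, catalog):
    """Return required control IDs that have no definition in the catalog.
    A requirement pointing at an undefined control is a gap in the crosswalk
    itself and would otherwise hide as a never-matching identifier."""
    required = {ctl for req in requirements.values() for ctl in req}
    return sorted(required - set(catalog))


if __name__ == "__main__":
    implemented = {"SEC-01", "OPS-01", "RPT-01"}  # constructed current-state inventory
    for reg, missing in gap_analysis(REQUIREMENTS, implemented).items():
        print(f"{reg}: missing {missing or 'nothing'}")
    for ctl, regs in sorted(overlap_analysis(REQUIREMENTS).items()):
        print(f"{ctl} ({CONTROLS[ctl]}) is shared by {regs}")
    print("undefined controls:", unknown_controls(REQUIREMENTS, CONTROLS))
```

In practice the catalog and the requirement mappings would be maintained as data (and versioned, since regulations and interpretations change), with the implemented-control inventory drawn from the same systems the BI reporting already covers; the point of the shape is that adding a new regulation means adding one mapping, not a new project.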
A final conceptual hurdle is the use of a single system to meet disparate types of goals. Executives want to see BI beyond the scope of compliance, and they're required to sign off on financial information that BI doesn't directly factor in. Reporting requirements differ. Additionally, BI strives for improvement, whereas compliance settles for fulfillment. But none of these disparities make BI systems unsuitable for compliance, or even ineligible for dashboarding, as vendors such as Hyperion and DecisionPoint demonstrate.
They say the truth will set you free. BI analytics put power in the pedal, helping companies recognize and avert business risk. In the bigger corporate picture, however, the stakes are even higher. A single version of the truth based on integrated risk analyses can help keep you free when regulatory enforcers come knocking at your door.
This article originally appeared at itcinstitute.com. Copyright 2008, 1105 Media Inc. Reprinted with permission.