Profiting From Following the Rules
November 17, 2009
When I first started Enterra Solutions, I thought the business would primarily focus on helping companies comply with a growing number of regulations by automating business processes associated with compliance. By helping make them more effective and efficient, I knew that I could provide them with a competitive edge in a highly competitive world. Enterra remains engaged in that business sector even as it expands into the nation-state development sector and more recently the renewable and alternative energy sector. Although that may sound like a diffuse set of business areas, there is an underlying synergy that keeps them connected. Development requires businesses that are both effective and efficient (i.e., compliant with national and international regulations) and reliable electrical power supplies. Enterra is better placed to help nation-states with their development strategies than some other companies because it can help them establish world-class businesses and build state-of-the-art energy grids based on environmentally-friendly technologies.
In the past, I’ve written a lot about development and renewable & alternative energy. In this post, I’d like to address the subject of compliance. According to Stephen Pritchard, “businesses are starting to see the opportunities that come along with following the rules” [“Compliance tools can also deliver financial benefits,” Financial Times, 2 November 2009]. He writes:
“Given the turmoil that has engulfed the financial and business world since the collapse of Lehman Brothers, it is hardly surprising that dealing with risk has moved swiftly up the enterprise agenda. This new emphasis on managing risk, as well as regulatory compliance, is shaping the IT agenda, and not just in financial services. Last December, Forrester Research, the IT analyst firm, predicted that governance, risk and compliance (GRC) would be one of the priorities for business leaders in 2009. But tighter regulations in the financial arena are only part of the story. As Forrester’s Chris McClean points out, there is a wider issue of how businesses, and their employees, behave. Risk management goes beyond meeting the demands of financial regulations, and extends into areas such as environmental compliance, supply chain integrity, the traceability and authenticity of goods and even whether staff are keeping to their employers’ ethical codes.”
In the past, the best that companies could do in the compliance arena was to throw more money and people into the division that dealt with compliance or outsource the challenge to an accounting firm. All of this added to overhead, reduced profits, and increased the complexity of doing business. But the collapse of companies such as Enron and Lehman Brothers (helped along, in some cases, by people in the companies that performed their audits) made investors wary and the general public suspicious of large corporations and the promises they make in their prospectuses and advertising. The compliance challenge Pritchard is writing about was the same challenge that motivated me to start Enterra Solutions. Pritchard too believes that IT processes can help meet that challenge. He continues:
“The challenge for IT departments is to support the business’s broader compliance needs, rather than simply designing or deploying point solutions. Businesses have tended to view each regulation and compliance requirement as an isolated project, rather than developing an overall approach to GRC. This was, at least in part, a reaction to the previous round of financial scandals at the end of the dotcom boom, and the legislation, such as the Sarbanes-Oxley Act, that followed.”
The problem with treating each compliance requirement as a separate challenge is that it compounds the complexity of doing business and leads to gross inefficiencies. As compliance requirements grow, so do the inefficiencies. Eventually, those inefficiencies create an overhead burden that is simply too large to bear.
“‘The first wave [of regulation and compliance technology] was a sticking plaster,’ says Seamus Reilly, a specialist in enterprise risk in the technology and security risk services practice at Ernst & Young. ‘It was very ineffective but it was a reaction to timescales. But we are now seeing organisations look for programmes that deliver efficient and effective compliance, but also deliver benefits such as providing more insights into their customers.’ One way organisations can do this is by combining data sources or by creating data marts that provide a ‘single version of the truth’ for regulation and compliance purposes. This provides more accurate data, quicker decision making and, ideally, better customer service. Someone buying a service from a bank, for example, should not have to provide the same paperwork several times over.”
In a sidebar, Pritchard talks about how Barclays “wanted to move to a best-in-class sanctions screening system, based on the latest algorithms” and it also wanted “to create a centralised system.” Barclays’ changes make sense. IT systems should make it simple for bank employees to access necessary databases when opening new accounts, and the process should be fast enough that customers don’t even realize that other activities are underway while they are providing essential information. Barclays’ system has one other critical feature — flexibility. According to Pritchard, the system allows the bank “to integrate new rules, or sanctions lists.” That’s critical since, as one bank executive put it, “Regulations are coming in at a frequent pace. You have to have technology that is not just flexible, but copes with changes in the regulatory framework.” Systems designed by Enterra are inherently flexible. Customers, management and employees are all better served when a system operates quickly, efficiently, and automatically. Investors are also happier because such systems can save money, especially if they are centralized so that costs can be shared among a number of firms but privileged information can nevertheless be protected. Pritchard continues:
“Businesses are also operating in an environment where public scrutiny is the norm, suggests Douglas Stewart, a senior manager in risk services at Deloitte, the professional services firm. Increasingly, public companies are being asked to publish information such as statutory filings in near real time. Regulators are encouraging more openness, Mr Stewart suggests, and businesses will have to respond with more efficient systems for releasing information on compliance. But organisations are also looking to technology to improve the effectiveness of internal controls and, in particular, audit and regulatory compliance functions. ‘Risk and compliance teams are using data analytics tools to predict trends and spot outliers,’ he says. ‘That allows regulation work to be more focused. You can’t replace people with technology, but you can use the technology to target your resources.’ The use of business analytics in compliance is a move away from the conventional, sampling-based approach to audits.”
The challenges that Pritchard is discussing all beg for automation. When processes are automated, they are less prone to human errors (or manipulation). It is much easier for regulators to certify that a particular automated process will generate accurate and honest audits than it is for them to certify that a certain firm can do so. As business leaders know all too well, it only takes one bad employee to ruin a reputation.
“At present, though, only a small number of organisations have moved beyond localised compliance systems – which are largely process-based – to ones that can identify trends and patterns in masses of data. One reason, according to Donie Lochan, a partner in the Sydney office of Bain & Co, the management consultants, is that IT maturity and complexity is holding them back. ‘Technology is enormously useful,’ he says. ‘Without it, it’s nearly impossible to do the kind of regulation and compliance you need in financial services.’ But complexity has become a bottleneck to better compliance, he suggests. Too great a proportion of IT resources – as much as 80 per cent of budgets – is being taken up by managing and maintaining existing IT infrastructure. If the business needs extensive IT support to improve compliance, the resources might not be available. ‘This is something most companies know about, but something always trumps it. It is viewed as something we need to tackle, but not right now,’ says Mr Lochan.”
All of Pritchard’s points are correct. If there had been anything like the automated business rules for compliance that I envisioned already in place, I wouldn’t have started Enterra Solutions. I didn’t see anything then, and technologies that permit automated compliance algorithms to be written are only now being invented. It’s an interesting and difficult challenge, but one that Enterra is tackling with forward-thinking companies like Conair. Pritchard continues his article by noting some of the ways that compliance software can actually become a competitive advantage and not just more overhead.
“One answer could be to use compliance systems as a vehicle for a wider-reaching update of IT systems, and to find ways to bring a direct return on investment to the business. In financial services, initiatives such as ‘Know Your Customer’ force banks and other deposit takers to have a much more joined-up picture of their account holders, and if nothing else this provides a strong marketing opportunity. ‘If you look at it more strategically, organisations [undertaking compliance work] will have a rich set of data that is valuable to the business. So the question is how to get more business value out of it,’ says Mr Lochan. Compliance tools can also play a wider role in corporate governance, with technology playing a greater role in spotting unusual behaviour. The sheer volume of transactional data in most businesses is now too great to be sifted by people, whether identifying a client applying for a mortgage they cannot afford, or a member of staff making unusual payments or filing suspicious expenses claims. The third wave of compliance is to apply data analytics to these problems, suggests Ernst & Young’s Mr Reilly. ‘We can’t yet find the smoking gun,’ he says, ‘but we can bring some insight.’”
A truly comprehensive automated system might be able to provide the smoking gun, automatically alert management before threats turn into disasters, and allow CEOs, COOs, and CFOs to sleep more easily at night. The work we are doing with Conair is helping the bottom line in another way. All manufacturers are faced with a growing array of requirements established by retailers such as Walmart. If they fail to meet those requirements, they are subject to significant penalties that can erode profits. The process we are working on with Conair will automatically focus people on problems that could trigger compliance penalties in time for them to do something about it. The savings for large manufacturers could amount to millions of dollars annually. As technology improves, the range of conditions under which automated business processes will prove useful, especially those that are centrally managed and can provide cost savings, will only grow. Companies that implement later rather than sooner will ultimately find themselves behind the power curve and chasing their more enlightened competition.