There are two major challenges facing compliance teams and auditors: establish what happened and put in place controls to prevent bad stuff happening in future. In a nutshell, that sums up compliance at the coal face, and as a former auditor I well remember my supervising partner’s maxim, “Remember, we record history, we don’t make it!”
Such is the life of an auditor, but there is a great deal going on behind those simple statements.
Establishing what happened involves the who, the where, the when, the how, but most importantly it needs to figure out the why something happened. If we can establish the reasoning behind a procedural failure, we can move to eliminate or manage it, but without the “why” of something happening we are doomed to repeat the same failure, perhaps in a different guise, but still the same failure.
Establishing what has happened is usually fairly straightforward, if tedious, costly, and time-consuming, and we can generally piece together a picture of what has been going on. If we are fortunate enough, we can work out why something happened too, and it is a fairly simple step beyond this to work out what needs to be put in place to control behavior in future.
Then we leave with the problem solved and a smile on our faces.
Until we come back the following audit cycle, or an identified failure results in a material incident that puts senior management focus on the problem (and not in a good way).
Lean practitioners, especially those following the DMAIC system, are all too familiar with the problem of controlling what happens after the improvement team packs up and leaves. Reversion to the old, broken process state occurs all too often, and typically involves an increase in shadow processes further reducing control and cohesion beyond what was originally found.
For auditors and compliance professionals, tasked with identifying issues with compliance processes and improving them, this too is a common and thorny problem. This has led to the idea of “baking in” compliance, such that people and process drive compliant production and behavior. However, without an “all seeing eye” to keep everyone honest, variations and idiosyncratic habits will inevitably creep in, even with the most disciplined and well-intentioned of teams and leadership.
In my view, the challenge for compliance professionals has moved beyond figuring out and establishing “what happened”; what has eluded them is the ability to instill compliance control at the place and time the work is conducted.
For readers thinking it “can’t happen to them”, I point you to the following recent highlights from the banking sector alone:
- Wells Fargo Fake accounts scandal – $185M fine is a fraction of the cost to the bank
- Agriculture Bank of China Fined $215M by NY regulators
- Merchants Bank of California Fined $7M by CA state regulator
- Deutsche Bank Currently awaiting fine announcement from Federal Reserve re Forex manipulation
- Barclays Bank CEO Jes Staley sees pay slashed after bank board censured him for seeking to unmask whistleblower
Add to this the current compliance environment, especially within the financial services sector, in which compliance budgets are being scaled back as the economy emerges from the Great Recession, and memories of the 2008 collapse recede into more distant and comfortable memory. The election of President Trump and the purported relaxing of financial regulatory rules may also be encouraging this trend.
So, to be effective, compliance teams need to be able to establish a control as a leave-behind for process compliance, but they also need to be able to manage compliance issues with fewer people and resources.
How HighGear Promotes Compliance in Practice & Reduces the Burden and Cost of Complying
There are three key compliance features working to reduce compliance cost and burden using HighGear as a Lean BPM work platform:
- HighGear enforces process policies and controls as the work is carried out;
- A complete audit trail is maintained in real-time of every work action performed upon the Lean BPM work platform, recording who did what and when, automatically including a time stamp in a secure, unchangeable record; and
- Notifications & Reporting can be conducted in almost real-time, with alerts being created to highlight edge cases, or when non-standard actions are conducted, with workflow being used to automatically escalate or notify issues to management or compliance officers directly. As the data is recorded in a digital format, this allows for automated or ad hoc reporting to be carried out at a far faster pace than has historically been the norm.
How HighGear Bakes In Compliance As Work is Carried Out
From a compliance perspective, we want to ensure that the right person is performing the right actions at the right time (or by set deadlines), and that this is all recorded in a way we can rely upon and trust.
By establishing permission groups (Role Based Permissions) you can control who has access to work and the information that is generated around it. I may have full admin rights and can see everything on the platform, whereas a customer may be given restricted access that allows them to see only what pertains to their account, and even then only what I want them to have access to, with rights to either edit or simply view. As a finance manager, I may have access to valuation reserve information, but I should not be able to access payroll information. Role-based access, which can be customized to the most granular level, ensures that only those people with authorization to information can access it, and even then the ability to change that data may be restricted to read-only. I can now be sure that only the “right people” are performing work actions and have data access.
For many workers, even knowledge workers, the majority of their work will follow a set of established processes (even if not entirely visible or under management control). Where there is a compliance issue under such circumstances, the problem is usually more of a process design failure or inadequacy. For instance, someone spots a loophole for checking cash amounts and temptation turns an otherwise honest person into a dishonest one. The issue here is to design and implement processes which can be followed by workers, but also protect the organization, customers, and assets.
HighGear allows customized forms to be created which contain fields that must be marked as closed, or have an appropriate entry made by the responsible staffer, before the task can be moved to the next stage of the workflow. Uploading work papers can be made a mandatory action before a task can be closed, for instance uploading an Excel spreadsheet which has been recovered from a DR backup. Even uploading a photograph of work product from a cell phone camera can be mandated, as traffic wardens now commonly do when handing out tickets to evidence the infraction.
Forms can be designed such that they change dynamically as the work proceeds through the process, for instance displaying a new set of fields which are automatically added to the work form because closing the prior task triggers their display for the benefit of whoever will be working on the item next.
Where a work activity becomes non-standard, an extension of the workflow can be created which handles such an edge case, or the issue can be automatically escalated or moved into a completely different set of processes which have been created to handle such instances. In any case, the Lean BPM work platform will continue to record everything which occurs, no matter who is involved with it, and by encouraging collaboration and acting as a knowledge repository, HighGear serves to leverage institutional wisdom and indeed, add to it.
At every stage of a workflow, the person doing the work knows exactly what they must do, what they must sign off and include, and what evidence they are required to produce before the work can be considered closed by them. At the same time, there is a concurrent and contemporaneous record (Audit Trail) of every action taken, which identifies who performed the action and adds a date and time stamp.
Where deadlines are approaching or have indeed passed, HighGear can automatically remind the appropriate employee, notify their supervisor, or indeed have the issue escalated to whoever is deemed appropriate (another team member, supervisor, compliance officer, VP of department, or all the way up to the CEO).
HighGear enforces data security and access through role-based permissions and a secure sign-in, ensuring only the right people gain access to work and data. It then ensures that the right work is carried out at the right time, with the right resources by the right people, and along the way it compiles a full log of every activity performed, by whom, and time stamps everything.
How HighGear Establishes What Happened
The Audit Trail is a powerful feature of HighGear’s Lean BPM platform, because it records absolutely everything and cannot be changed. The audit trail provides an automatic, digital record of every keystroke and action performed on the Lean BPM platform, and identifies who performed them and when, and it also maintains multiple versions of data for change management purposes.
Not only does HighGear provide the boundaries within which workers must operate, but it also records what they do within those boundaries, and more importantly, what they do when they go outside them.
The major features of the Audit Trail are:
- Every record has a full audit trail
- Every user has an activity log
- There is a system-wide access record (including failed login attempts)
- System-wide configuration change log
- There is an archive of multiple versions of data
- User security and integrated authentication restricts access and secures data
- Integrates with CAC (Common Access Card) smart security systems (including military)
- Data and access security complies with Sarbanes Oxley, ITIL, NIST 800-53, SAS 70, and other major compliance standards
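The list above says the Audit Trail cannot be changed and keeps multiple versions of data, but not how. As an added illustration written for this article (not HighGear's own implementation, whose internals the page does not describe), the following hash-chained log records who did what to which record and when, keeps every prior value as history, and detects any edited or removed entry; the record ids and actors are constructed sample values.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

@dataclass(frozen=True)
class Entry:
    seq: int
    actor: str            # who
    action: str           # what: "update", "close", "login_failed", ...
    record_id: str        # which work item or system object
    value: Optional[str]  # new value; earlier values remain in earlier entries
    timestamp: str        # when, UTC ISO 8601
    prev_hash: str        # hash of the preceding entry (GENESIS for the first)
    hash: str             # SHA-256 over this entry's fields including prev_hash

def _digest(seq, actor, action, record_id, value, timestamp, prev_hash) -> str:
    body = json.dumps([seq, actor, action, record_id, value, timestamp, prev_hash])
    return hashlib.sha256(body.encode()).hexdigest()

class AuditTrail:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Entry] = []  # append-only in normal operation

    def append(self, actor: str, action: str, record_id: str,
               value: Optional[str] = None, when: Optional[datetime] = None) -> Entry:
        ts = (when or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1].hash if self.entries else self.GENESIS
        seq = len(self.entries)
        entry = Entry(seq, actor, action, record_id, value, ts, prev,
                      _digest(seq, actor, action, record_id, value, ts, prev))
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first altered or shifted entry."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or e.hash != _digest(
                    e.seq, e.actor, e.action, e.record_id, e.value, e.timestamp, e.prev_hash):
                return i
            prev = e.hash
        return -1

    def versions(self, record_id: str) -> List[Optional[str]]:
        """Every value a record has held, oldest first: the change-management history."""
        return [e.value for e in self.entries
                if e.record_id == record_id and e.action == "update"]
```

In a real deployment the chain head would be anchored somewhere the platform's own administrators cannot rewrite (a write-once store or an external timestamping service), since a hash chain only proves that tampering occurred, not who did it.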
How HighGear’s Lean BPM Efficiently & Effectively Manages Escalation & Reporting
There are two aspects here: firstly, handling escalation or notification, and secondly, reporting on activities and putting this information at the disposal of those who are authorized to have it.
Escalation and Notification are really two sides of the same coin, in that notification simply deals with advising someone of something, usually the person responsible for doing the work, but also their supervisor, compliance officer, or whoever as high up the hierarchy is deemed appropriate.
HighGear quickly and simply allows workflows to be created which establish timers or deadlines, and handles them either as absolutes or in a dynamic fashion. For instance, you can have a deadline set as the 5th of the month, a specific, named date (May 5th, 2018), or x days after the last task was performed on the work subject, and many variations thereof. As an old tax hand in the UK, we had some very arcane and complicated deadline calculations for responding to estimated tax assessments, based on a combination of quarter months and counting days from issuance of the assessment. This was very difficult to manage and control, as well as being expensive in terms of time and money.
HighGear uses a range of logical operators, which will be very familiar to anyone using Excel spreadsheets, to create formulas for calculating a deadline or pre-set notification date. Approaching or meeting this date or time range can be used to trigger a simple email or text (notification), or to remove the work entirely from the assigned staff, reassign it to a supervisor, and notify them (escalation).
Escalation can also be triggered by a specific outcome encountered on the Lean BPM platform. For instance, if a test is performed using a valuation model and the results are out of bounds, then this status can automatically trigger a workflow to carry out further investigation, and/or a notification to whoever needs to be alerted.
Reporting is time consuming and very expensive for any audit or compliance team, as well as disrupting the department or organization which is being subjected to inspection. Compiling data and presenting it in a format required by the user imposes a heavy burden on those responsible for preparation. By the time a report is completed, the information is indeed “history”, and unsuitable for a proactive compliance approach. Furthermore, once the reports or audit package have been created, managing who gains access to what is frequently highly sensitive information is problematic at best, and arguably insecure as a norm.
HighGear tackles these issues by leveraging a combination of digital data management, the recording of all activities and actions on the Lean BPM platform (audit trail), and the ability to use role-based permissions to govern who gets access to data, while applying rules in a dynamic and configurable way.
As the data collected and collated by the platform is digital in nature, this allows for very fast dissemination and manipulation. We have already seen that every activity on the Lean BPM platform is automatically recorded, creating a digital audit trail, so what is required is a means to access and collate this information, and then to put it into the hands of those with authority to access it.
HighGear provides a wizard-based reporting system, which allows routine, scheduled, and ad hoc reports to be created on the fly. Reports may also be distributed electronically, or converted into PDF, Word, or Excel formats, and include static and animated graphs and charts. Using an open data model and the reporting API, data can be exported to or shared with third-party systems, which may either contribute data to HighGear reports or receive data from the Lean BPM platform and manage the reporting themselves.
Reports can be created and automatically scheduled, or one-off reports may be run to handle a specific case or instance. HighGear further enhances data security by ensuring that reports are automatically distributed containing only the information each recipient is entitled to see based on their access authorization. Access authorization is in turn managed by role-based permissions, together with any custom rules established to preserve data security.
Summary – The Three Major Benefits of Using a Lean BPM for Compliance
The three major benefits of reporting using a Lean BPM tool such as HighGear are:
- Cost effective and very fast report preparation, which means a greatly reduced compliance burden and minimal disruption to the organization;
- Automatic distribution to authorized recipients on a timely basis, which significantly speeds up compliance reviews and audits in practice; and
- Enhanced data security and access control, which means that sensitive information is kept secure and accessed only by those with the appropriate authority.