Click to learn more about author Ian Rowlands.
I was in some absorbing conversations at the FIMA Conference in Boston last week. There was much concern about the cost of Data Management for compliance.
There’s an alphabet soup of regulations – AIFMD, BCBS 239, CCAR, CCEL, Dodd-Frank, … MiFID II, … Solvency II … Some have unique data gathering and reporting requirements; some overlap. The cost of compliance increases year by year. Data Governance gets more complicated as the regulation of data and data-related activities expands.
The problem gets worse as regulators become more sophisticated, wanting to understand the data environment more deeply and even comparing results across compliance programs. The cost is two-fold (at least). There’s the cost of governance and compliance, and there’s the opportunity cost of activities not undertaken because compliance activities have consumed the resources.
One view, which perhaps reflects current received wisdom, is that compliance is compulsory – so that you can manage the efficiency of the program, but you have to get the job done.
One suggested response was a risk-based approach to compliance cost management. Set a budget for compliance, and use that to govern activities. A related idea was the notion of greasing the squeaky wheel – focus compliance efforts on the regulator making the most noise. It’s a thought with a lot going for it but with some “gotchas.” There are five primary considerations: cost of penalties, damage to reputation (which can affect stock price), loss of revenue, cost of remediation, and possible cost of conforming to consent agreements. If you can quantify the risks, and have a good idea of the probability of regulators detecting a compliance breach, then you can put a value on the risk.
The other reaction was associated with some discussion of the evolving role of the CDO. The idea was that a third generation of CDOs is arriving. I think I buy that idea. Generation 1 were the “defenders” — regulating the data estate for compliance. Generation 2 are the “supporters,” managing the data estate to support the business largely “as is.” Generation 3 are the “transformers,” exploiting the data estate to create the digital business.
How do the two themes connect? It’s about attitudes. Generation 1 CDOs tend to the “Compliance is compulsory” point of view. Generation 2 CDOs seem more interested in the “risk-based” approach, or at least doing just enough to skate by. Generation 3 CDOs are different, though. Managing the data estate for compliance is not the focus. Knowing what data is available, how it moves and how it changes is the foundational data intelligence underpinning transformation.
Compliance is almost a by-product. The way data supports business processes should imply compliance organically and build value for the business (yes, I am an optimist). They are looking for new ways to make the magic happen. One promising approach might be the combination of policy management and machine learning to detect and resolve problematic data events.
One thing is common to all the approaches to compliance. None of them work without a mastery of Data Intelligence – knowledge of the data inventory and its connection to business policies and processes, the way data moves and is transformed, the way data items are connected, and all the other information that allows the best use of data. It always comes back to that.