In my previous post "Financial Compliance Controls - Shield of Steel or Expensive Comfort Blanket?" I proposed a shift away from the traditional approach to compliance risk management (i.e. apply a series of specific controls that each work on a narrow set of information targeting a particular piece of legislation) towards a methodology that places more credence in analysing the people who ultimately pose the risk of causing a compliance breach.
I signed off that post by promising to outline the advantages of the proposal in my next. However, having thought about it, I feel I owe a bit more of an explanation as to what the approach entails before I extol its virtues, and so I’ve re-purposed this post to attempt to do just that. Apologies for the false advertising, but I hope the following is of some interest in any case.
If we accept the premise that a broad section of compliance controls are essentially aimed at managing the risk posed by individuals (or groups of individuals) misbehaving, then it follows that monitoring and inspecting those individuals, and then applying the findings in formulating an appropriate response is a legitimate way to go about mitigating that risk:
People produce a footprint of digitally observable information as they go about their day; for the most part tech monoliths such as Facebook, Google and Apple are the main beneficiaries of people emailing, chatting, searching the web, "checking in", connecting to WiFi hotspots, uploading photos, tagging friends, using mapping applications, "liking" posts etc. etc. etc. But in the working environment (particularly in highly-regulated industries such as financial services) more traditional businesses are also able to observe and record significant amounts of employee activity from which to construct a detailed picture of their professional lives.
From this point forward I will use the term "entity" rather than “person” to refer to the producer of observable information; a group of people may be part of an organisation that is opaque to the observer meaning that the activity of the group cannot be attributed to a particular individual and the observer has no choice but to associate it with the organisation as a whole. The term "entity" covers both individuals and groups such as this.
The concept of monitoring “Observables” as part of compliance risk management is nothing new to the financial services sector. By way of example, all large institutions involved in trading on the markets have some form of “surveillance” function which (primarily) monitors the trading activity and communications of relevant members of staff. Despite the name, these departments do not tend to operate in a fashion that organisations for whom surveillance is part of their core business would recognise. Generally speaking these functions rely on feeding trade and comms data into one or more “detection” systems, each of which is designed to search for evidence of a breach of a given set of rules and produce an “alert”. Alerts are then assessed by human compliance officers designated with the task of establishing whether the alert genuinely represents a breach. There may be a limited amount of contextual analysis done in the pursuit of processing the alert, but the focus is always on determining whether the particular alert is valid, and any wider consideration of the trader to whom the alert is attributed is almost incidental.
Context is critical in decision making; the more contextual information available to the decision-maker, the greater the chance that the resulting decision will be accurate. This applies whether the decision-maker is human or a piece of software, and so performing either the decision on whether to raise an alert or the subsequent decision as to its validity in isolation will be less reliable than it could be; a statement evidenced by the huge volumes of false-positive alerts that are generated by existing detection systems.
Observables provide context for other Observables (sticking with the Trade Surveillance scenario, an email from a client could provide useful context for deciding whether a trade breached market abuse regulations) and all Observables occur within the context of a wider set of “environmental” reference data (in this example the prevailing market conditions): The more observable and environmental information that is collected the more context is available to decision-makers, and therefore the greater the potential for accurate decision making. However, simply possessing that information is not enough; it must be arranged in a fashion that enables efficient exploitation by the decision-maker. Given that it is the entity that is the common factor in these decisions (after all it is the source of the risk we are attempting to mitigate) and it is the producer of the observable data we are collecting, the only sensible way to achieve this is to orient the collated data around the entities … or to put it another way “take an entity-centric perspective”.
I would contend that as a minimum, an entity-centric attitude to organising and assessing information encourages the consideration of additional context in analysing potential compliance breaches, which leads to more informed, more accurate decisions and ultimately a more effective set of controls.
Adopting a truly entity-centric methodology, though, requires a more fundamental shift in mindset whereby the question posed by compliance officers changes from “Has a breach occurred?” to “Has this entity caused a breach?” and eventually “Does this entity present a significant risk of a breach occurring in the future?” (which obviously opens the door to the possibility of risk mitigation becoming more proactive). In this paradigm the output of “detection systems” is not by default considered an “alert” that must be formally processed with a full audit trail, but rather the identification of an item of interest that supports a compliance officer in answering those entity-focused questions.
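To make the difference between an alert-centric and an entity-centric arrangement of the same data concrete, here is a small worked example. It is added for this post and is not code from the original article, from DMW or from any surveillance product; the observables, the market reference data, the "large trade" rule, the context window and the risk score are all constructed assumptions chosen to illustrate the shape of the approach, not a real detection logic. A narrow detection rule still produces its items of interest, but the output is indexed by the entity that produced the observables, and each item is accompanied by the other observables from that entity that give it context.

```python
from collections import defaultdict

# Constructed sample observables (not real data): trades and communications
# from two source systems, each attributed to an entity. "desk_7" stands in
# for a group entity whose chat cannot be attributed to one individual.
OBSERVABLES = [
    {"type": "trade", "entity": "trader_A", "ts": 1, "symbol": "XYZ", "qty": 6000},
    {"type": "email", "entity": "trader_A", "ts": 2, "from": "client_1",
     "text": "Thanks for executing the XYZ block this morning"},
    {"type": "trade", "entity": "trader_A", "ts": 9, "symbol": "ABC", "qty": 100},
    {"type": "trade", "entity": "trader_B", "ts": 3, "symbol": "XYZ", "qty": 6000},
    {"type": "trade", "entity": "trader_B", "ts": 4, "symbol": "XYZ", "qty": 7000},
    {"type": "chat", "entity": "desk_7", "ts": 5, "from": "desk_7",
     "text": "XYZ block crossed, desk is flat"},
    {"type": "trade", "entity": "trader_C", "ts": 6, "symbol": "ABC", "qty": 50},
]

# Constructed "environmental" reference data: average daily volume per symbol.
MARKET = {"XYZ": {"adv": 20000}, "ABC": {"adv": 50000}}


def collate_by_entity(observables):
    """Entity-centric index: every observable keyed by the entity that produced it."""
    by_entity = defaultdict(list)
    for obs in observables:
        by_entity[obs["entity"]].append(obs)
    for obs_list in by_entity.values():
        obs_list.sort(key=lambda o: o["ts"])
    return dict(by_entity)


def detect_large_trades(observables, market, threshold=0.25):
    """A narrow, alert-style detection rule (assumed for illustration): a trade
    becomes an item of interest when it exceeds `threshold` of the symbol's ADV."""
    items = []
    for obs in observables:
        if obs["type"] != "trade":
            continue
        ratio = obs["qty"] / market[obs["symbol"]]["adv"]
        if ratio >= threshold:
            items.append({"rule": "large_trade", "entity": obs["entity"],
                          "ts": obs["ts"], "symbol": obs["symbol"], "ratio": ratio})
    return items


def context_for(item, entity_observables, window=3):
    """Observables from the same entity that give context to an item: here,
    communications within `window` time units that mention the traded symbol."""
    return [
        obs for obs in entity_observables
        if obs["type"] in ("email", "chat")
        and abs(obs["ts"] - item["ts"]) <= window
        and item["symbol"] in obs["text"]
    ]


def entity_profiles(observables, market):
    """Orient the detection output around entities instead of around alerts:
    per entity, its observables, its items of interest with context, and an
    illustrative risk score (sum of the size ratios of its flagged trades)."""
    by_entity = collate_by_entity(observables)
    items = detect_large_trades(observables, market)
    profiles = {}
    for entity, entity_obs in by_entity.items():
        entity_items = [dict(i, context=context_for(i, entity_obs))
                        for i in items if i["entity"] == entity]
        profiles[entity] = {
            "observables": len(entity_obs),
            "items_of_interest": entity_items,
            "risk_score": round(sum(i["ratio"] for i in entity_items), 2),
        }
    return profiles


if __name__ == "__main__":
    # Alert-centric view: a flat queue of three alerts with no owner in sight.
    for alert in detect_large_trades(OBSERVABLES, MARKET):
        print("ALERT", alert["entity"], alert["symbol"], round(alert["ratio"], 2))
    # Entity-centric view: the same three items, grouped and contextualised.
    for entity, profile in sorted(entity_profiles(OBSERVABLES, MARKET).items(),
                                  key=lambda kv: -kv[1]["risk_score"]):
        print(entity, profile["risk_score"], len(profile["items_of_interest"]),
              [len(i["context"]) for i in profile["items_of_interest"]])
```

Run as a script, the first loop prints the three alerts a conventional detection system would queue for processing; the second prints the same findings re-oriented around trader_A, trader_B, desk_7 and trader_C, so the question "which entity warrants attention, and what else do we know about them?" can be answered directly. Only the indexing and the attached context change; the detection rule itself is untouched.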
I have largely avoided talking technology thus far but clearly it has a critical role to play here; in fact the full benefits of the approach are actually only derived from the composite of the collection, curation and analysis of the available data, the technology employed to facilitate that process and the entity-centric disposition. My hope is that outlining the entity-centric strategy in this post has provided you with context for deciding on the merits of the statements regarding those benefits in my next...
I am currently working with Matt Pockson and a team from DMW in defining an intelligence-led, entity-centric approach to managing the risk posed by market abuse and conduct regulations at a global FS client, so if anything in this post has struck a chord or piqued your interest feel free to get in touch to find out a bit more.