EGRC Articles Archives - Compliance Risk Concepts
https://compliance-risk.com/category/egrc/
Compliance Risk Concepts: Senior Compliance Consultants & Executives.
Mon, 12 Apr 2021 06:36:51 +0000

Don’t Hate – Automate!
https://compliance-risk.com/dont-hate-automate/
Sat, 08 Jun 2013 21:02:29 +0000

Compliance, Operational and Financial Risk teams face complex challenges in creating appropriate “control” environments. Many factors impact and influence our ability to provide valuable oversight and insight to the discrete risks we face daily. These include:

✓ Increasing transactional volumes
✓ Required transactional data existing on numerous platforms and systems
✓ Inconsistent data formats
✓ Manually intensive monitoring and testing protocols that yield little or no value to our business partners

The Manual Approach
To a certain extent, many organizations are still auditing and reviewing financial and transactional data manually. It is still very common for risk management functions to utilize “flat files” (and yes – Excel spreadsheets) in an effort to pinpoint potential issues. While surveillance and monitoring efforts are needed, these manual approaches are marginally effective at best. Even more troubling is that, in many instances, Compliance, Operational and Financial Risk teams aren’t exactly sure which “behaviors” they are trying to identify. Outside of standardized scenario analysis, what other anomalies and trends are in need of review and investigation?

The logical next step in solving these issues is to implement automation of internal processes. This can eliminate duplication of efforts and significant time spent slicing and dicing information manually. That said, we all know how hard it is to get prioritized in the IT Project queue. Most IT resources are allocated to revenue generating projects and initiatives. Unless a project is regulator-mandated or your organization is “out of compliance,” it’s not likely you’ll go to the top of the list. This is not something we like to hear in the risk management space – but it’s the reality of the world we live in (especially in a tough economic cycle).

Question: What are the chances of getting IT resources allocated to embed “tests” into production systems?
Answer: Not likely!

Next Question: What are the chances if your requirements are not fully vetted or pinned down?
Answer: I can think of a couple of colourful metaphors. However, I will refrain and keep it clean. So all I will say is - Good Luck!

GO BIG OR GO HOME? – Not Quite…

Without internal IT support to build and support functionality, more and more organizations are turning to vendor based solutions. Since most organizations are seeking a “magic pill” or “panacea” or “one stop shopping” to solve all of our risk management oversight issues, they often look at mainstream solutions that are expensive, oversized, inflexible or are not designed to address the specific issues their organization is trying to solve. Organizations can find themselves “over-buying” and wind up not implementing many of the features of a platform. It’s tough enough to build a business / use case for these tools, without the danger of purchasing costly but unneeded functionality.

There is Another Way!

Compliance Risk Concepts recently partnered with Nomos Software, an innovative technology company that builds testing protocols for business and customer data. With the Nomos solution in place, an organization can quickly and economically build lightweight web-based applications that automate the testing and monitoring executed manually by risk management, operations, compliance and audit professionals on a daily or other periodic basis.

Additionally, the Nomos solution provides complete transparency and visibility, enabling risk professionals to have “behind-the-scenes” access to the logic and parameters utilized in each of the testing and monitoring protocols.

State of Flux?

Not a problem! Nomos can roll out small changes to the tests very rapidly while the overall requirements are pinned down. Once finalized, the suite of tests and monitoring protocols can be integrated into straight-through processing systems to provide a fully automated solution set.

Uses / Applicability

The Nomos solution can be used for any file-based financial or transactional data. Examples of use cases include:

✓ Payments
✓ Corporate Actions
✓ Securities and Derivatives Transactions
✓ Any other type of information that needs to be tested, monitored or audited.

How does it Work? - Roles and Responsibilities

CRC and Nomos work closely together to provide a seamless integration of testing and monitoring protocols into an organization’s production financial and transactional data. CRC works with the client to define core data requirements, scenarios and tests, red flags, use cases, issues management and resolution. Once defined, Nomos will create a testing protocol that enables the client to evolve their once manual testing / monitoring environment into an automated and efficient process.

Want to Learn More?

If you would like to learn how you could automate your manual testing / monitoring environment, please feel free to reach out to us directly to set up a complimentary discovery meeting with CRC and Nomos. You may contact us by email at mavnet@compliance-risk.com or by telephone at (646) 346-2468.

What's the Big Deal about Big Data?
https://compliance-risk.com/whats-the-big-deal-about-big-data/
Thu, 04 Apr 2013 19:31:44 +0000

When I first heard the term "Big Data" a few years ago, I immediately thought it was some industry "jargon" and didn't pay much attention to it. In fact, the more I heard the subject of Big Data being raised, I would equate it to a comedic sketch conjured up on a Seinfeld episode – imagining it as some fictitious product fabricated by George Costanza, sold by Vandelay Industries. Nevertheless, though I didn't understand all the noise surrounding the Big Data topic, I eventually became intrigued, and just like the big project assigned by Mr. Wilhelm to George, I was aimed at figuring out the meaning of Big Data – even if I had to go all the way downtown!

It's Not a Show About Nothing!

Big data is a buzzword, or catch-phrase, used to describe a massive volume of both structured and unstructured data that is so large that it's difficult to process using traditional database and software techniques. Over the past several months, I have actually started to pay closer attention to companies in the Big Data space and have quickly come to realize the potential impact they can have within Financial Services, Healthcare and other verticals. In fact, a few of these companies are positioning themselves extremely well to help Compliance organizations optimize their current Compliance Monitoring, Surveillance and Reporting tools, increasing the overall effectiveness and efficiency of the various "scenarios" executed by these environments.

Given the massive amounts of data that need to be accessed, managed and leveraged within organizations, Compliance Departments are seeking broader "what-if" capabilities to augment and enhance their current production and sandbox environments. Analysts desire an environment where they can quickly and easily incorporate additional data sources and attributes to find new patterns and practices of behaviors within their existing scenarios.

The current processes utilized within standard monitoring scenarios rely on structured data models that require months to modify and extend to support unproven data requirements. The high cost to onboard new data limits the analyst's ability to test new, unproven hypotheses.

•  Scalable Environments

A new "what-if" environment should enable analysts to efficiently and effectively test new hypotheses and find hidden patterns. This is where the Big Data companies are seeking to help organizations. Using a scalable "graph analytics" approach, analysts should be able to identify and onboard new data sources in a straightforward and rapid fashion, enabling real-time, interactive analysis. As part of my Big Data knowledge quest, I learned that graphs are gaining a foothold in the Internet world, given that their data is full of relationships and connections. However, enterprise risk functions are not truly leveraging the power of graphs just yet. Think about the power behind this technology; if organizations were to leverage graphs and look at data, relationships and connections this way, this could impact the manner in which we detect fraud, money laundering, front-running, trading on material non-public information, etc. The possibilities are truly endless!


That risk management stuff you wrote for me is killer… It's gold, Jerry, gold.


•  Graph Analytics at Work – Finding Needles in a Haystack

Many Big Data problems are about searching for things you know you want to find. It's challenging because the volumes of data make it like searching for a needle in a haystack. However, a needle and a piece of hay, though similar, do not look exactly alike…

Discovery problems are about finding what you don't know. Imagine trying to find a needle in a stack of needles – that's even harder. How can you find the right needle if you don't know what it looks like? How can you discover something new if you don't know what you're looking for? In order to find the unknown, you often have to know the right question to ask. It takes time and effort to ask every question and you keep learning as you continue to ask questions.

At the end of the day, this is an essential component to an organization's overall risk management strategy. Our ability to challenge our scenarios and learn to separate good behaviors from bad behaviors will ultimately impact our ability to pinpoint, measure and effectively mitigate our risk.

And You Want To Be My Latex Salesman
As referenced in my previous article – GRC - "Governance Risk and Chaos?," it's critical that organizations understand the Big Data vendor landscape and have the ability to assess the most viable players in this space. With several Big Data companies emerging, how does one go about choosing the right support partner?

•  How Can Compliance Risk Concepts Help?

Helping organizations build a business case to support a Big Data implementation strategy is a new and critical component to the CRC support model. We believe the use of graph analytics will ultimately help organizations turn "noise" into meaningful and impactful information, enabling a robust and dynamic Compliance Risk Management process.

As part of our growth strategy, CRC recently partnered with YarcData. The YarcData team has years of experience in data management and a reputation for hardware performance and reliability that stretches back decades. YarcData provides the highest performance processing capabilities and visionary data management resources. Together with the talented team at YarcData, we believe that we can offer organizations a compelling argument that supports the build-out of these capabilities to bring greater efficiency, clarity and understanding of enterprise regulatory and compliance related risks.

We are very excited about our partnership with YarcData and the value proposition that both organizations bring to our customers and prospects!

EGRC Solutions or Snake Oil?
https://compliance-risk.com/egrc-solutions-or-snake-oil/
Tue, 12 Mar 2013 12:33:13 +0000

Beware of "Snake Oil Salesmen"

As is the case with any growing industry sector, the opportunity to provide support and services to organizations in need will draw new entrants to the market. A significant number of technology service providers have emerged in the EGRC space. Determining the best fit for your organization can be a daunting task; I am often asked what to look for and assess when seeking the right EGRC support partner for an organization.

Here are a few critical tips that will help you maneuver through the noise:

1. Any EGRC provider that tells you it can provide support across every risk discipline in your organization is a liar.

There is not one provider (at least today) that can be all things to all people. You should look to a provider that can meet 80-85% of your needs right out of the gate. Your organization can then look to solve for the remaining 15-20% as part of your long term strategic approach toward Compliance Risk Management.

2. Content is King!

Do not underestimate the value of regulatory content (i.e., new rules, laws, regulations at a Federal, State and International level). A large percentage of providers in the EGRC space do not have access to nor own the regulatory content you will need to effectively assess, distribute and mitigate regulatory risk. If you choose one of these providers, you will most likely need to source regulatory information from another third party source. Just my two cents – but I think there is tremendous value in "one stop shopping" for an EGRC solution with regulatory content.

3. DO NOT purchase technology for the sake of purchasing technology!

If you think that simply buying a piece of software will solve your Compliance Risk Assessment and Reporting problems – think again. If this is your strategy, don't bother. The amount of time, energy and resources you will expend to undertake building the business case, gaining management support and approval, and implementing will not be worth the price of admission – and when this strategy fails, you will be left holding the bag.

One of the key components in making a decision to move forward with an EGRC strategy is the opportunity it affords organizations to reconcile their existing internal processes, conduct capability assessments and use the results to inform, modify and amend processes and protocols to best align to the technology being implemented. This is a critical part of project oversight and governance, offering an opportunity to challenge the status quo and ask the question, "If a process made sense 5 years ago – does it still make sense today?"

4. Internally Built and Supported vs. Externally Hosted Cloud Based Solutions

Is this simply a case of "You say tomato and I say tomahto"? Not quite. Historically, organizations were inclined to think that they could build technology better and cheaper than vendor based approaches. The fact is, the ongoing IT support required for internally built Compliance tools makes it tough to support a business case from a cost and ongoing resource perspective. I don't know about your organization, but the last time I checked, there aren't many IT folks hanging around Compliance departments asking for extra work to fill their spare time! With that said, many IT organizations have come to terms with the fact that they do not have economies of scale to build and support GRC solutions.

They have warmed to the notion of relying on vendors or support partners who focus on these solutions exclusively. It makes all the sense in the world. As a buyer of these services, you then become a beneficiary of upgrades, shared industry knowledge, best practices and "running with the pack." You can build credibility with your regulators when they have a comfort level in the tools and solutions you are utilizing within your organization. There is value in familiarity!

How Can Compliance Risk Concepts Help?

EGRC implementation is one of the critical components to the CRC support model. We help organizations turn all of the "noise" into meaningful and impactful information that enables a robust and dynamic Compliance Risk Management process. From capability assessments to gap analysis to vendor identification, we can be an integral support partner to your Compliance / Risk organization – helping to turn the "chaos" into a long term, successful risk management strategy. Please visit our website for further details.

THANK YOU
https://compliance-risk.com/thank-you/
Thu, 01 Nov 2012 16:24:59 +0000

Thank You for your interest.

I look forward to connecting with you at the next CRC Compliance Roundtable.

One of the primary drivers for Compliance Risk Concepts (CRC) is to raise the awareness level and thought process related to real world compliance and risk issues in a “down to earth,” realistic and relatable way. The Compliance Roundtable serves as a great platform to make that happen.

As we continue to grow, I personally thank all of you for the continued support, enthusiasm and confidence demonstrated toward CRC and the brand we are building within the industry. As always, we’d love to hear how you think we are doing. Feel free to suggest topics or issues you would like to see discussed.

I invite you to download our FREE Compliance in Financial Services white paper: HAVE YOUR CAKE AND EAT IT TOO: Improve Efficiency and Turbocharge Your Threat Discovery.

Sincerely,
Mitch Avnet
Managing Partner
Compliance Risk Concepts
