A 360-degree approach to data governance.

What's keeping today's financial executive awake at night? More and more, the answer is the fast-growing demands of regulatory compliance (especially, in the U.S., the rigorous financial reporting requirements of the Sarbanes-Oxley Act) and the rising risks of failing to address those demands effectively.

Anyone who reads the business section of a daily newspaper is well aware of the risks of regulatory compliance failure. Consider just a few recent, highly publicized examples:

* A material understatement of the cost of goods sold by an online retailer, caused by a spreadsheet calculation error, resulted in the loss of 25 percent of the company's share value, and the CEO's job.
* A major power transmission provider was forced to take a $24 million charge because of what it described as "clerical errors" in spreadsheets.
* A major European bank lost $691 million because an employee manipulated the spreadsheets used to monitor his unit's activities.
* A mortgage lender took a "write-down" of $3 billion because of a change-control error in a key spreadsheet.
* A spreadsheet "cut-and-paste" error cost a Canadian energy trading company $24 million.

These incidents had very different causes, from deliberate criminal misconduct to simple human error. They also affected very different types of organizations: publicly traded companies operating in the U.S. (subject to Sarbanes-Oxley), foreign-based businesses and even a not-for-profit educational institution. But they all resulted in serious financial and reputational damage, and all for the same reason: senior management failed to exercise effective governance over the data contained in their information technology (IT) systems.

Financial executives and other stakeholders, including corporate auditors and outside consultants, are understandably accustomed to thinking of the data they need as the data they are aware of: the information found in corporate and departmental databases, document management systems, enterprise resource planning (ERP) and customer relationship management (CRM) systems, and accounting applications.

Virtually every major corporation today also uses end-user computing (EUC) applications as part of its financial planning, modeling, schedules, consolidations and financial closings. Unlike the larger financial systems and technologies such as ERP systems and primary database management systems (DBMS), EUC systems are generally less visible, highly distributed and not tested as often (if at all) by corporations. That means that an extraordinary amount of highly sensitive, risk-intensive information is held in databases, applications and systems that lie well beyond the reach of most businesses' financial, regulatory and IT controls. These data assets are usually not documented at a companywide level, and are often effectively invisible to anyone but their individual "owners." They are typically held in reports and forms on individual employees' desktops, in desktop databases and in spreadsheets. A 2004 Baseline Consulting survey of 250 senior IT managers found that, on average, 32 percent of their companies' corporate data was stored in spreadsheets or databases on employees' computers.

These systems are usually not subject to corporations' standard controls, and in fact are usually not even tracked, either by IT departments or by the departments responsible for regulatory compliance. This makes them extremely vulnerable to fraud and other types of misconduct, and to human error.

It is almost impossible to overstate the extent or the seriousness of data error in spreadsheets and databases. One study of blue-chip companies' spreadsheet models, conducted by an international accounting firm, found that an astonishing 90 percent contained calculation errors. Moreover, these problems extend into some of the most sensitive and risk-intensive areas of any company's operations. Another survey, this one by an international management consulting firm, studied 21 major financial institutions' tax records. The consultants found that 92 percent of the companies surveyed had accounting errors, and that 75 percent had errors that could be considered "significant." Few companies can afford that level of error when dealing with tax authorities.

Compliance clearly is a growth industry. AMR Research estimates that business spending on compliance will exceed $80 billion between 2005 and 2009. According to AMR, the average U.S. company is now spending $4.4 million and 35,000 person-hours (equivalent to 17 employees working full-time) on compliance. One major network equipment manufacturer estimates its annual compliance workload at a breathtaking, and breathtakingly expensive, 250,000 hours.

This compliance burden is by no means equally shared among businesses and industries. The most immediate concern, of course, is for publicly traded companies subject to Sarbanes-Oxley, and especially Section 302 (which requires the CEO and CFO to certify each periodic financial report and the disclosure controls and procedures behind it); Section 404 (which requires management to assess, and the external auditor to attest to, the effectiveness of internal control over financial reporting); and Section 409 (which requires rapid, "real-time" disclosure of material changes in financial condition or operations, something most companies' IT systems are not adequately equipped for). However, similar risks are shared, to a greater or lesser degree, by virtually every type of business in virtually every industry. Regulatory compliance is of greatest concern in highly regulated vertical industries, such as financial services, pharmaceutical manufacturing and life sciences. Pharmaceutical and life-sciences companies are especially sensitive to compliance demands because they are also subject to strict U.S. Food and Drug Administration (FDA) rules. But industry observers have come to recognize that any publicly traded company must invest heavily in compliance-related issues, or risk serious consequences. Businesses that fail to address the demands of data governance

It should come as no surprise that technological solutions have begun to emerge for this largely technological problem. For many years, regulatory compliance processes have been largely manual, but the complexity and sheer size of the problem make this approach unsustainable. Data governance and regulatory compliance must become largely automated functions, but businesses must also take a holistic, 360-degree approach that considers not only data but metadata. This means they must take into account not only specific data points, but also the relationships between those data points, and the changes in data flow and structure over time.

[ILLUSTRATION OMITTED]

Some technologies now available can partially automate a company's complex, labor-intensive and expensive compliance processes. But these technologies assume that the company, its executives and its auditors already know everything they need to know to make sound compliance decisions. That assumption could not be more mistaken, or more dangerous for the company. Technologies for managing data governance and regulatory compliance must:

* Discover: Locate all sources of financially relevant information, including information hidden from conventional controls. This gives the company a complete point-in-time "snapshot" of the information it holds across servers, desktops and, perhaps most importantly in this increasingly distributed corporate environment, notebook computers.
* Relate: Map the relationships between key data sources, so that it is possible to determine what connects to what, who "owns" each application and its contents, and what data flows between applications.
* Compare: Examine changes to the metadata, comparing multiple "snapshots" taken over time to identify changes in structure, references or properties.
* Audit/report: Present the results in a usable, prepackaged form to financial executives, risk managers, auditors and regulators.

By providing an up-to-the-minute, companywide view of financially relevant metadata, these technologies can dramatically reduce the risk of inadvertent error or deliberate misconduct. And by automating what remains, for most companies, an essentially manual process, they can sharply reduce the prohibitive cost of effective regulatory compliance.

Businesses that fail to address the growing demands of compliance with effective, automated governance technologies will continue to face enormous risks. And financial executives who fail to take a comprehensive, 360-degree approach to information governance and regulatory compliance can expect many more sleepless nights.

Paul Bach, a veteran software-industry executive, is President and CEO of Compassoft Inc. in Scotts Valley, Calif., a provider of regulatory compliance management and auditing software. He can be reached at 831.427.8101.

RELATED ARTICLE: takeaways

* The fast-growing demands of regulatory compliance, and the rising risks of failing to address those demands effectively, are worrying executives.
* Many problems have a common theme: senior management failed to exercise effective governance over the data contained in the company's IT systems.
* A key risk issue is the volume of risk-intensive information held in databases, applications and systems that lie beyond the reach of most businesses' financial, regulatory and IT controls.
* Automated compliance systems have emerged to help companies handle this risk.
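The Discover and Compare steps described above, as an added example that is not part of the original article and is not Compassoft's product: a Python script that inventories spreadsheet files under a directory, records a content hash for each and, for Office Open XML workbooks, the structural metadata a compliance reviewer cares about (sheet names, named ranges and whether the workbook links to other workbooks), then reports what changed between two snapshots. The directory layout, file names, sheet names and the minimal workbook files it writes are constructed for illustration; the workbook writer emits only the XML parts the example reads, not a complete file that Excel would open.

```python
"""Added example: a metadata snapshot of end-user computing (EUC) spreadsheet
assets, and a comparison of two snapshots taken at different times.
Standard library only; the workbook files it inspects are constructed below."""
import hashlib
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

SPREADSHEET_SUFFIXES = {".xlsx", ".xlsm", ".xls", ".csv"}
OOXML_NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def sha256_of(path: Path) -> str:
    """Content hash: any edit to cell values or formulas changes it."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def xlsx_structure(path: Path) -> dict:
    """Structural metadata of an Office Open XML workbook (a zip of XML parts):
    sheet names, defined names (named ranges) and the number of external-link
    parts, which point at other workbooks. No cell contents are read."""
    try:
        with zipfile.ZipFile(path) as zf:
            root = ET.fromstring(zf.read("xl/workbook.xml"))
            sheets = [s.get("name") for s in root.findall("m:sheets/m:sheet", OOXML_NS)]
            names = [d.get("name") for d in root.findall("m:definedNames/m:definedName", OOXML_NS)]
            links = [n for n in zf.namelist() if n.startswith("xl/externalLinks/") and n.endswith(".xml")]
    except (zipfile.BadZipFile, KeyError, ET.ParseError):
        return {"parse_error": True}  # flag, rather than silently skip, a file that cannot be inspected
    return {"sheets": sheets, "defined_names": names, "external_links": len(links)}


def discover(root: Path) -> dict:
    """Discover step: inventory every spreadsheet-like file under root, keyed by relative path."""
    snapshot = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in SPREADSHEET_SUFFIXES:
            continue
        record = {"size": p.stat().st_size, "sha256": sha256_of(p)}
        if p.suffix.lower() in {".xlsx", ".xlsm"}:
            record.update(xlsx_structure(p))
        snapshot[p.relative_to(root).as_posix()] = record
    return snapshot


def compare(old: dict, new: dict) -> dict:
    """Compare step: added, removed and changed assets between two snapshots,
    with (before, after) values for each field that changed."""
    changed = {}
    for key in sorted(old.keys() & new.keys()):
        fields = old[key].keys() | new[key].keys()
        diffs = {f: (old[key].get(f), new[key].get(f)) for f in fields if old[key].get(f) != new[key].get(f)}
        if diffs:
            changed[key] = diffs
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": changed,
    }


def write_workbook(path: Path, sheets: list, defined_names: list, external_links: int = 0) -> None:
    """Constructed stand-in for an .xlsx: a zip holding only the parts this
    example reads. It is not a complete workbook that Excel would open."""
    sheet_xml = "".join(f'<sheet name="{s}" sheetId="{i}" r:id="rId{i}"/>' for i, s in enumerate(sheets, 1))
    name_xml = "".join(f'<definedName name="{n}">{s}!$A$1</definedName>' for n, s in zip(defined_names, sheets))
    workbook = (
        f'<workbook xmlns="{OOXML_NS["m"]}" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        f"<sheets>{sheet_xml}</sheets><definedNames>{name_xml}</definedNames></workbook>"
    )
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        for i in range(1, external_links + 1):
            zf.writestr(f"xl/externalLinks/externalLink{i}.xml", "<externalLink/>")


def demo() -> dict:
    """Baseline snapshot, then a second one after an analyst adds a scratch
    sheet, links the forecast to another workbook and drops a CSV beside it
    (all constructed); returns the comparison report."""
    root = Path(tempfile.mkdtemp(prefix="euc-"))
    forecast = root / "finance" / "forecast.xlsx"
    write_workbook(forecast, ["Inputs", "Model"], ["Revenue"])
    write_workbook(root / "hr" / "headcount.xlsx", ["Staff"], ["Total"])
    baseline = discover(root)

    write_workbook(forecast, ["Inputs", "Model", "Scratch"], ["Revenue"], external_links=1)
    (root / "finance" / "scratch.csv").write_text("region,adj\nEMEA,1.07\n")
    return compare(baseline, discover(root))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Running `demo()` reports `finance/scratch.csv` as a new asset and `finance/forecast.xlsx` as changed, with the sheet list and the external-link count among the fields that moved, while `hr/headcount.xlsx` is untouched. In practice the snapshots would be persisted (as JSON, for instance) and the scan pointed at file shares and laptop home directories rather than a temporary directory; the external-link count is also a cheap starting signal for the Relate step, since it identifies workbooks whose figures depend on other files.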