TRANSCRIPT
Educational Event Spring 2015: What Are the Regulators Really Expecting?
James K. Watson, Jr., PhD and Scott Swanson, CFE Doculabs, Inc.
Information governance capabilities are a critical enabler to addressing regulatory concerns.
About the Presenters
James K. Watson, Jr., PhD, CEO and Founder
Scott Swanson, CFE, Vice President and Practice Leader
IG from the Financial Service Global Risk and Compliance View
Regulators: FDIC, DOJ, OFAC, FRB, NCUA, SEC, FinCEN, OCC
• Compliance with Domestic and Foreign Regulation
• Compliance Training and Communication
• Code of Conduct and Reporting
• Compliance Strategy & Program Mgmt.
• Complaints and Whistleblowers
• Third-party Relationships
• Key issue: Risk Exposure, Legal, and Regulatory actions while Collaborating, Controlling, Safeguarding and remaining AGILE and PROFITABLE
• Document attrition (collections lost when employees leave, change roles, etc.)
• Compromise of confidentiality, integrity, and availability of critical internal or customer information
• Non-compliance with records management policies or regulations
• Explosive e-discovery cost and risk; with "X"+ years of company-wide over-retention, just one significant litigation can severely impact the organization
• Conflicts, overlaps, and gaps
THE MORE YOU REQUIRE, THE MORE YOU ARE RESPONSIBLE FOR
3 Enforcement Targets
GOVERNANCE – RISK – COMPLIANCE
• They will ASK
  – Enforce governance – Is it effective to dictate behavior?
  – Mitigate risk – Is it correlating to business operations?
  – Ensure compliance – Are the proper controls in place?
• They will SEEK
  – Dishonest behavior to the point of profit from unethicality
  – Naiveté
  – Inefficiency
• They will FIND
  – Documentation of communications, policies and procedures, activity
Quick Takes on Your Security and Compliance Situation
1. Most organizations are missing several pieces
2. Three types of missing pieces:
   1. Directly impact compliance
   2. Necessary or highly pragmatic enabling conditions for compliance
   3. Enable compliance, positively impact other requirements
3. Align compliance program with information management and governance
From Informa6on Governance to Enterprise GRC
Information governance is the control of information to meet your legal, regulatory, and business risk requirements
Enterprise GRC
  INFORMATION GOVERNANCE
    RECORDS MANAGEMENT
    ENTERPRISE DATA MANAGEMENT
    ENTERPRISE CONTENT MANAGEMENT
    INFORMATION SECURITY
    E-DISCOVERY
Case Study: Financial Institution Big Bills and Small Controls
BACKGROUND
– AML/BSA/OFAC/FRAUD AUDIT
– $XXB in revenue, XXXX employees
– Decentralized information models
– Poor governance, controls, policies, and procedures
– Frequent regulatory visits
ENGAGEMENT
– Gather and Review Documentation
– Assess relative health of organization's AML/BSA programs
– Determine weaknesses and gaps
– Identify illicit activity
RESULTS
– 40% of the cost was in document capture and review
– Conclusions were worse than reality because there was no documented proof, only observable behavior
– Knowledge and information retention was poor and high risk for attrition or data loss
– Branches and affiliates were operating at rogue levels
– Poor information / data flows resulted in red flags across product lines and business units unwitting to AML and Fraud departments (FrAML model was recommended)
Why develop an integrated approach to risks such as Fraud and AML (FrAML)?
• Information sharing, storage, and governance frameworks were cornerstone to risk management and compliance.
Case Study: Results of an Integrated Risk Framework
Non-compliance and poor governance is no longer a cost of doing business. Lawsuits and prosecutions are targeting individuals. Where do you stand – on the stand?
Case Study: Financial Institution with Lacking or Delayed Information
HEADLINE EXAMPLE
– KYC/CDD: Arab Bank Ruling: If banks have a client, institutional relationship, or correspondent bank affiliation that is NOT on a screening list, but ends up being identified as an illicit relationship, witting or unwitting, they could face hefty civil settlements in addition to the federal penalties. Such discoveries will lead to additional investigations and likely more fines.
– Cooperation: SEC charged that Wells Fargo unreasonably delayed its production of documents and omitted key documents during the SEC's investigation. The Chief of the SEC Enforcement Division's Market Abuse Unit stated that Wells Fargo's actions "improperly delayed our investigation and... interfered with our search for the truth." A few weeks ago, this very issue was highlighted since [SEC/DOJ] "opinion is based on the perception of the investigators."
Case Study: Hot Mess – CDD/KYC, Governance, Fraud, AML, Sanctions
Everything must be documented and available for review. Delays are costly and set the tone for perceptions.
• Board Minutes
• Trainings
• Reviews
• Communications
• Programs
• Samples
• Policies and Procedures
Case Study: They Showed their Compliance, and Saved
• Good: Information governance is the control of information to meet your legal, regulatory, and business requirements. (Robert Smallwood)
  – Great start because it's accurate and simple – it avoids the trap of being a laundry list written in legalese.
• Better: Information governance is the control of information to meet your legal, regulatory, and business risk requirements.
  – IG doesn't address all your business demands – its primary focus is on "defensive" business requirements as opposed to "offensive" business requirements.
  – IG's primary focus should be on controlling the risks and costs (primarily risk-related costs) of your information.
What's the Scope of Information Governance?
Three Big IG Challenges for 2015
1. The digital landfill problem.
   – TBs or PBs
   – How do you sort through it and responsibly retain or dispose within your constraints?
2. The "systems of engagement" fragmentation problem.
   – How do you do IG on your dynamic, sometimes chaotic "systems of engagement"? They use social media, mobile devices, and the cloud.
   – Your problem has three parts:
     1. How do you meet your IG demands with your internal use of systems of engagement which you use for collaboration, interactive community building, etc.?
     2. How do you meet your IG demands with your use of external SOE beyond the firewall, with vendors and the public?
     3. How do you meet your IG demands in how you're integrating your evolving SOE into your more mature systems of record, which help to run your core processes?
3. The discovery problem.
   – How do you prepare for and respond to regulatory audit, litigation and other discovery, given #1 and #2 above?
Plan and Manage IG with a Program Framework
1. Overall IG Program Strategy
2. IG Governance Team and Operations
3. IG Process Design and Implementation
4. Information Architecture
5. IG Architecture and Technology
6. IG Communications and Training
The Assessment Categories
Maturity Curve: Trailing / Majority / Leading (Current)

TRAILING
OVERALL PROGRAM STRATEGY
• No adequate strategy and roadmap even partially implemented; may be partially designed
• No perceived need for strategy to address ECM, RM, e-discovery (ED), and email management (EMM) at the enterprise level
GOVERNANCE AND OPERATIONS
• Governance and operational structure at most partially developed
• "Rules" – policies, procedures, guidelines – at most partially designed
INFORMATION ORGANIZATION
• No adequate taxonomy or retention plan even partially developed
• ESI-Repository Map at most partially developed (for most businesses)
PROCESS DESIGN AND IMPLEMENTATION
• Discovery processes not evaluated or even partially designed
• Information lifecycle management (ILM) processes not evaluated or even partially designed
ARCHITECTURE AND TECHNOLOGY
• Architecture strategy for core ECM, discovery, RM, and email management (where required) not even partially developed
• Adequate and consolidated technology portfolio not even partially implemented
ORGANIZATIONAL READINESS
• Communications and training strategy not even partially developed
• Organization is unprepared to implement ILM improvement program

MAJORITY
OVERALL PROGRAM STRATEGY
• Partially developed and partially implemented strategy and roadmap
• Partially developed and partially implemented strategy addresses ECM, RM, ED and EMM at the enterprise level
GOVERNANCE AND OPERATIONS
• Governance and operational structure partially developed and partially implemented
• "Rules" – policies, procedures, guidelines – partially designed, implemented, and practiced
INFORMATION ORGANIZATION
• Partially developed and partially implemented taxonomy and retention plan, with methodology for further development and maintenance
• Partially developed ESI-Repository Map
PROCESS DESIGN AND IMPLEMENTATION
• Discovery processes evaluated and partially designed or partially implemented
• ILM processes evaluated and partially designed or partially implemented
ARCHITECTURE AND TECHNOLOGY
• Partially developed and partially implemented architecture strategy for core ECM, ED, RM, and email management where required (though not for EMM at GECA)
• Partially implemented adequate and consolidated technology portfolio
ORGANIZATIONAL READINESS
• Partially developed and partially implemented communications and training strategy
• Organization is somewhat prepared to implement ILM improvement program

LEADING
OVERALL PROGRAM STRATEGY
• Developed and implemented strategy and roadmap
• Developed and implemented strategy addresses ECM, RM, ED and EMM at the enterprise level
GOVERNANCE AND OPERATIONS
• Governance and operational structure implemented and operational
• "Rules" – policies, procedures, guidelines – implemented and practiced
INFORMATION ORGANIZATION
• Developed and implemented taxonomy and retention plan, with methodology for further development and maintenance
• Developed and maintained ESI-Repository Map
PROCESS DESIGN AND IMPLEMENTATION
• Discovery processes evaluated, designed, implemented, monitored, and maintained
• ILM processes evaluated, designed, implemented, monitored, and maintained
ARCHITECTURE AND TECHNOLOGY
• Developed and implemented architecture strategy for core ECM, ED, RM, and email management (where required)
• Implemented adequate and consolidated technology portfolio
ORGANIZATIONAL READINESS
• Developed and implemented communications and training strategy
• Organization is adequately prepared to implement ILM improvement program

Note: Bold blue text indicates characteristics that apply to ACME.
Category Summary Scores
Overall Program Strategy Benchmark Scoring (scale: 1 = Lowest Rating, 5 = Highest Rating):
• Benchmark Average: 2.7
• ACME Score: 3.3
• Target ACME Score: 4.0
Strengths
• Strong organization based on federated model
• Innovative approach to addressing transactional vs. functional records
• Highly capable staff in place as managers and leaders
Recommended Actions
Rationale / Impact
• Ability to present a clear and comprehensive story at all levels of the organization
• Program sustainability
• Ability to project longer term costs and benefits
Risks
• Ability to impact/manage supplier risk
• Ability to maintain program momentum
Information Management Capabilities in a Reference Model
ECM Presentation
Process and Collaboration
Content Middleware
Repository Management
Capture
Collaboration
Enterprise Search
Document Security
Document Exchange
Document Management
Digital Asset Management
Records Management
E-forms
Workflow
Taxonomy Management
Information Rights Management
Integration
Document Image Management
Technical Doc Management
Email Management
User Interface
Process Automation
Document Comp/Publishing
E-discovery
Digital Signatures
Web Content Management
Output/Report Management
Storage
Summary
• GRC programs and processes are inextricably linked to information governance
• Enforcers require you to Prove not Explain
Contacts
• James Watson, Jr PhD, [email protected], 312-881-1620
• Scott Swanson, CFE, [email protected], 312-659-3000
Thank You