Where is Compliance Hidden in your Enterprise ?

Rupert D.E. Brown, CTO & founder, Evidology Systems

 

The Corporate Shopping Trolley

 

Since the advent of distributed computing platforms in the late 1980s most major corporates have made significant investments in “Enterprise Platforms” to manage and automate common transverse functions that are largely independent of their particular business sector.  Some well-known examples are:

Identity and Roles:Microsoft Active Directory
General Ledger/ERP:Oracle, SAP
CRMSalesforce
HRPeoplesoft
Service & Incident Management:Service Now
Data Governance:Collibra

 

Much of the categorisation of this market has been led by Gartner and its Magic Quadrant approach to classifying the capabilities of the major vendors and trying to bring fashionabilty and churn to a very dull marketplace.

 

The Untamed Integration Wilderness – Messaging, Scheduling and Workflow

 

Having spent many millions on enterprise licenses for these products, corporates have then had to spend many times more than the capex value of each platform to get them to talk to their in-house and smaller niche domain third party applications.

To achieve this, they need to transfer data between these systems in real time with the interactions triggered by transactions (messaging), set points in time (batch) and human activities/instructions (workflow).

Unfortunately, not all enterprise platforms support the same integration mechanisms – partly due to accidents of history and partly because of the agendas of some vendors, e.g. IBM (MQ), Tibco (EMS), to promote their middleware as yet another enterprise standard.

Worse still, many “cutting-edge” corporates, especially in the financial sector, built their own, bespoke TCP/IP messaging middleware platforms for specific types of information interchange and to participate in the low latency trading arms race.

By the early 2000s IT departments had become paralysed when trying to implement significant re-engineering efforts such as reference data consolidation and having to absorb the results of major corporate mergers and acquisitions.

For a time, many CIOs tried to place faith in enterprise architecture/office of the CTO teams, who in reality spent most of their time fighting interdepartmental political battles to try and establish agreed content and technology standards. If they survived that fight, they then had to try and remove the components that had been deemed legacy. This had to be achieved with little political air cover and no budgetary resources, especially once the 2008 crash had pulled the last comfort blanket from underneath them.

 

Lost in the mist – Where are the Controls?

 

Whilst IT departments continue to struggle with making sure that they know how all their systems actually talk to each other (NB – there is no mapping standard to document this accurately), the users of the IT systems quickly spot gaps in the corporate fabric, while the more criminal and desperate ones choose to exploit them.

Leeson, Kerviel and Adoboli, perhaps the three most notorious of the major perpetrators of recent banking frauds, all relied on gaps in access permissions and timing holes between when trades were booked and then cancelled to camouflage their real trading losses.

In Adoboli’s case in particular, the control platforms that were meant to identify unusual trading patterns failed because of IT disinvestment and outsourcing after the 2008 crash.

The more recent Wirecard and Patisserie Valerie frauds can also be traced back to a lack of controls tracking transfers between business units, enabling the illusion of consistently strong balance sheets at a fixed point in time.

 

Out of Control = Non-Compliant

 

As we saw above, most corporations lack effective controls on business processes which they would like their customers to believe have been transformed into “real-time, agile and digital” simply because they don’t really know how their systems and informal personal interactions are connected.

Moreover, they cannot get any sort of an up-to-date picture without a change freeze and significant manual effort (usually for a significant fee from one of the Big 4).

Those brave enough to admit they don’t really know what is going on, seek compliance solace in a “risk register” that in reality is used as a plea-bargaining tool during annual audits to demonstrate that management teams are aware of their failings and are planning/trying to do something about it.

Whilst public corporations have a statutory duty to highlight significant balance sheet risks to shareholders and potential investors, few, if any, have a consistent public reporting process for measuring the size of their risk register year-on-year and usually resort to a “Top 10” approach.

 

At last we get to Regulations…

 

So far this discussion has been approached bottom-up, from the coalface of IT systems that now dominate most business sectors.

As well as not knowing how the bowl of data interchange spaghetti is wired-up and operated, when challenged, most corporates cannot list the domestic legal statutes within which their business has to operate.

The last decade has seen a significant change in the number of regulations all business sectors have to operate within – these have been driven by both risk mitigation (criminality, climate, credit, and last, but not least, Covid) and geopolitical realignment – Brexit, Trump and Putin.

So corporates who are already struggling with compliance issues because they don’t know how their enterprises really work are now being whipsawed with regulations that impose both more controls and the need for deeper discovery and reporting within their organisations.

 

Shining a light with Evidology Systems QED

 

Evidology Systems’ QED platform is the first platform that enables operational controls to be properly defined and designed to reference compliance evidence that is buried deep in existing corporate enterprise platforms.

Key to the definition of these controls is the direct linkage to the underlying regulatory texts to fully demonstrate comprehension of a regulation’s requirements.

QED only uses the ubiquitous Internet standard HTTPS protocol to enable direct referencing and connectivity to these enterprise systems, so it introduces no additional technical complexity when introduced to an enterprise.

Regulatory and control specification change is handled by QED using the ubiquitous “Git*” based version control approach and we support both the closed source commercial GitHub and open source GitLab enterprise platforms out-of-the-box.

* Git is a version control system for tracking changes to files.