Data III – The Sustainable Compliance Challenge

This is the third of three articles on Continuous Data Modelling. This describes the complexity challenge that affects all capital market firms – large and small. A specific and practical data modelling solution is outlined, and the benefits of the solution explored. The author has purposefully removed all reference to specific tooling and named technology products. For further information, please contact Norton Edge. For a technical reader, this may provide some business context and rationale for best practice. For a business reader, this may provide greater understanding of the operational and technical hurdles that come about by not following best practice.

The last few decades of technology advancement have been transformational, increasing real capabilities, speed and scale but also increasing operational and technical complexity. Many times, mismanagement of technology and misunderstanding of the business will have compounded problems and created organisational friction. In our analysis, this complexity causes three core challenges: (1) the Production Support Challenge – where many firms are at a tipping point, and infrequent technical outages and issues are exceptionally hard to troubleshoot; (2) the Quality Assurance and Testing Challenge – where testing strategy and frameworks are often detached from the “too difficult to replicate” live environment, and can be relegated to a crude checkbox culture; and finally, (3) the Sustainable Compliance Challenge – where partially documented Policies and Procedures (P&P) are out of date, impractical, and burdensome. In each of these three specific challenges, the solution requires an ongoing commitment to understand the data and operating model. Particularly in today’s climate of increased cost pressure, it’s all too easy for firms to ignore these complexity challenges. However, by maintaining focus on the data model and also by embedding the right data model tooling, these challenges can be readily solved.

This article will briefly introduce Data Modelling, and then outline the third of these complexity challenges – the Sustainable Compliance Challenge.

Data Modelling: to begin with, Data Modelling always appears difficult. Management want to obtain insight, but don’t want to get “too into the weeds”. Junior staff struggle to understand the business context of specific activities & infrastructure, or struggle to articulate it in business-friendly language. An impasse occurs, and widens over time. Applications are endlessly adjusted and integrated, responding to fluid business & regulatory requirements. A perpetual cycle of migration, enhancement and retirement is set in motion. At no time is there a pause where the business can stop and take stock of the situation, in order to identify common ongoing problems and work out how they can be solved. Can the analysis be done in parallel or as part of BAU?

Continuous Data Modelling: if the business cannot pause to review, then it needs to be done continuously. Data modelling is the mapping of process across technical architectures, business silos and shared services. Done correctly, it measures change over time, providing auditability, and can drive standardisation. By-products include data dictionaries and business glossaries, ensuring all staff benefit from using a common taxonomy. Data modelling can provide the building block for true digital transformation, identifying common process and candidates for microservices, aiding the command & control analytics that business owners need. In short, you need to know your business, to change your business. There is no logical impediment to this being done continuously. At a basic level, it already exists in restrictive change control (depending on how much this is a checkbox exercise or abused for a dilution of responsibility), but ideally it should be embedded into the day-to-day business activities to provide further value. Policies and Procedures (P&P) are part of the very fabric of financial institutions, guiding the day-to-day operations. Whether they are seen as red tape, or optimised as part of the entire system, will determine both their efficacy and their efficiency.

The Sustainable Compliance Challenge

Background: in the last few years of increased cost and regulatory pressures, and the threat of disruption, the finance industry has begun to wake up to its own internal complexity. This exists in legacy technology and the joins between components, as well as complexity from outsourcing and managed services for non-core functions (through all aspects of interaction & the hand-offs – even for SaaS vendors!). Complexity also exists because of growing business and regulatory operational demands. Digital Transformation along with its facets of Big Data, AI & Machine Learning, Robotic Process Automation and Microservices all attempt to make sense of the complexity or try to reduce it. Just as legacy technology or siloed business lines create barriers to an effective business, so too can the inheritance of years of regulatory obligations translated into poorly written P&P. Similarly, bureaucratic tinkering under former employees and different regimes also creates friction. Wrongly, policy can be seen as a one-off box-ticking exercise, keeping regulators satisfied, but not something integral to the business activity itself. The artefacts, the physical documents, may not be stored centrally, nor properly versioned, nor owned, let alone reviewed or consulted regularly. P&P should act as a line of defence, not just as evidence of controls and guidance, but something to be used, tested and updated. P&P will cover multiple aspects of business operation, including for example, some of the below areas:

  • BCP/Resiliency (such as focusing on workaround to unavailable systems or functions)
  • Capacity and Stress Testing (of specific trading and risk systems, or clearing and settlement architecture for example)
  • Cyber Security (including external access defences, or User Access and Entitlement, monitoring for aged and obsolete access or toxic combinations)
  • Data Privacy (covering GDPR and regional requirements, keeping personal contact data appropriately and within a controlled system)
  • Regulatory Reporting (such as transaction reporting for securities financing or OTC derivatives, or commodity position reporting)
  • Best Execution (and proving fair and appropriate arrangement of transactions and services for clients)

Creation of Policies for any of these should be designed to fit within current business activities and capabilities. These will change over time, and so the policy should be reviewed and updated (within regulatory boundaries of course). It should also be tested, to ensure it is current and reflective of latest regulatory guidance and best practice. Finally, it should be independently validated.

Solution: If you’ve read the previous two articles on Data Modelling, you have probably guessed the approach to solve this – making compliance through P&P sustainable, and not simply adding bureaucratic red tape. The business’ Data Model can be integrated (with key fields captured and identified) and a Business Glossary defined and managed. In the creation and management of P&P, the Data Model can be embedded as a referenced and living artefact. Functions, teams, applications, processes can all be referenced and linked to the Glossary. The use of these in various P&P can also be pulled out, and dynamically represented. Ensuring consistency of terminology, and accuracy of current state can be easily achieved if the right tools are used. The extracted detail can be represented in P&P Dashboards for monitoring, periodic reviews (like Control Assessments) or for specific audits. This enables “compliance by design”.

Benefit: These are many – focused on efficacy of the P&P as well as the efficiency of creating and managing them (which is often a full time or overlooked task). The solution to link the data model (as articulated above) acts as an assurance mechanism, helping review and validate policy outside of and ahead of the audit process. It improves management visibility of P&P, helping new joiners and new regimes understand what has gone before. It goes some way to battle policy fatigue. The tracking of changes over time (traceability) is a useful tool and can also be used to help evidence or explain certain changes (a particular favourite of auditors).

In summary, reasons abound for why firms should focus more on data modelling, and do this as a continuous ongoing exercise. Many institutions both large and small will appreciate that complexity has been a side effect of the recent, rapid technical advances. A specific scenario is the challenge of providing sustainable Compliance through effective Policies and Procedures (and not seeing them as bureaucratic red tape). Sustainability means P&P that are both effective and efficiently created and managed. Industry complexity is at a tipping point, with underinvestment in aging mainframes and unloved systems, as well as the constant regulatory change. P&P is a line of defence, and needs to represent the current state. However, this can be costly in terms of effort, and often is a reactive process (to auditors and to problems). The solution is embedding the living Data Model in the P&Ps themselves – in creation, management and review. The referencing of consistent terminology and accurate alignment to current process ensures effective policy. The digital mechanism linking the data model means efficient and ongoing management of P&P. Ownership of policy becomes more likely, and the automated feedback loop improves their quality, as well as providing assurance. This realises the ultimate goal of Digital Transformation. It improves the fabric of the business itself, making it more responsive, more controlled. It enables compliance by design. It encourages greater understanding and control of your business which is only possible through continuous data modelling. Reiterate the mantra – know your business to change your business.

More information on continuous data modelling and how it applies to your organisation is available upon request.

Norton Edge provides Subject Matter Expertise from seasoned, industry practitioners, helping you know your business to change your business.