Operationalizing Compliance Controls – (Controlling Compliance Control Compliance)

Dwight Russell
Sr. Business Analyst

At Information Asset we understand the challenges associated with the ever-changing compliance environment. Whether compliance is driven by external regulation or by internal corporate strategy, the state of compliance can sometimes consist of unknowns and best guesses.

Organizations may have a clear understanding of what needs to be complied with, and the supporting policies and standards may have been developed. The challenge often facing organizations is ensuring these policies and standards are being adhered to and that the scope of the adherence is comprehensive. This is where controls play a key role.

The development and use of controls to oversee the implementation of policies and standards is nothing new. However, merely authoring controls and mandating their use does not ensure they are being followed. How do we know the controls are being adhered to? How do we know the controls are still current? How do we know that controls are aligned with the appropriate subject content?

Recently, Information Asset partnered with a multinational financial services organization that needed to ensure compliance with financial regulations and internal policies. Their challenge was to ensure the correct controls were overseeing the correct content in the correct procedural context.

Our approach was to look at the various procedural components as distinct business constructs. This included:

  • The policies and standards that inform the control;
  • The resulting controls;
  • The content which is subject to control;
  • The processes / procedures that generate or consume the respective content.

We then represented these components as distinct business objects in an appropriate tool, thereby enabling active management and governance including:

  • Lifecycle management – The use of workflows to govern the creation, vetting and approval of the business objects;
  • Ownership and accountability – The assignment of business object ownership to respective role players;
  • Lineage – The mapping of relationships between the policies and standards and the controls that enforce them; the mapping of relationships between the controls and the content they oversee; and the mapping of relationships between content and the processes/procedures in which it was involved.

Once management and governance were in place, the opportunity to measure and monitor compliance presented itself. A given control could be viewed in multiple contexts: what policy or standard it was monitoring, what content it was overseeing and what processes/procedures were involved. Similarly, a given process/procedure could be assessed for what content it generates or consumes and what controls oversee that content.

As noted, the implementation of workflows allowed for the management of business object lifecycles. Workflows were also leveraged to ensure continuous monitoring of the control framework. The recertification of controls was imposed at set intervals and the addition of new content was subject to review to ensure the appropriate controls were associated. Dashboards were created to measure control coverage and identify relevant content not subject to control.
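As an added illustration (not part of the original post and not Information Asset's tooling), the Python sketch below models the four business objects and the lineage between them, then computes the checks the dashboards and recertification workflow above are described as providing. All object names, dates and the 365-day recertification interval are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample of the business objects: policies/standards, controls,
# content and processes, linked by the lineage relationships described above.
@dataclass
class Control:
    name: str
    policies: set = field(default_factory=set)   # policies/standards that inform it
    last_certified: date = date(2024, 1, 1)      # last recertification date

@dataclass
class Content:
    name: str
    controls: set = field(default_factory=set)   # controls that oversee it
    processes: set = field(default_factory=set)  # processes that generate/consume it

POLICIES = {"P-Retention", "P-Access"}           # hypothetical policy identifiers
CONTROLS = {
    "C-01": Control("C-01", {"P-Retention"}, date(2024, 1, 15)),
    "C-02": Control("C-02", {"P-Access"}, date(2023, 6, 1)),
    "C-03": Control("C-03", set(), date(2024, 3, 1)),   # orphan: no policy behind it
}
CONTENT = {
    "Customer ledger": Content("Customer ledger", {"C-01", "C-02"}, {"Month-end close"}),
    "KYC file": Content("KYC file", {"C-02"}, {"Onboarding"}),
    "Trade blotter": Content("Trade blotter", set(), {"Trade capture"}),  # not under control
}

def uncontrolled_content(content=CONTENT):
    """Content with no overseeing control: the coverage gap a dashboard should surface."""
    return sorted(c.name for c in content.values() if not c.controls)

def orphan_controls(controls=CONTROLS):
    """Controls that cannot be traced back to any policy or standard."""
    return sorted(c.name for c in controls.values() if not c.policies)

def controls_due_for_recertification(today_iso, interval_days=365, controls=CONTROLS):
    """Controls whose last certification is older than the recertification interval."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=interval_days)
    return sorted(c.name for c in controls.values() if c.last_certified < cutoff)

def control_coverage(content=CONTENT):
    """Percentage of content objects overseen by at least one control."""
    covered = sum(1 for c in content.values() if c.controls)
    return round(100 * covered / len(content), 1)

def controls_for_process(process, content=CONTENT):
    """Process view: the content a process touches and the controls overseeing it."""
    return {c.name: sorted(c.controls) for c in content.values() if process in c.processes}
```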

Information Asset can help your organization with the development of a control framework including the identification of new controls, the codifying of existing controls and the building of a comprehensive control lineage. Reach out to us today!
