Compliance made easy

Business intelligence isn't just about enhancing performance, says Danny Bradbury - it can help your company keep the regulators happy, too.

Business intelligence (BI) - sophisticated analysis of corporate data - is often seen as a way to improve performance and increase revenue. But with industry regulators clamping down on companies, some are starting to use the technology to prove their compliance - and in some cases, to hone it.

Alison Whitby, business intelligence practice head at Diagonal Consulting, says: "Regulations like Sarbanes-Oxley have companies realising that they're managing their businesses on very suggestive data. So the general push for those companies has been to demonstrate that they have more rigour in terms of their budgeting process and forecasting system." Many compliance experts are seeing BI as a way to hone that.

Take Richard Price, for example. The head of risk at the Chelsea Building Society used BI software to help tackle his Basel II banking requirements. The regulations place strict requirements on the mitigation of financial risk through judicious planning. He found himself having to marry concise business data with less tangible information for forward-planning purposes. The evidence of such planning can run into reports of up to a hundred pages for a moderately sized financial institution like his, he says.

Much of the focus with Basel II reporting has been on managing credit risk, explains Price. His company has had to think about issues such as feeding credit risk data into solvency calculations which measure how much capital you have against how much capital you should have to cover your lending.

He explains: "From an institution's point of view, that high level understanding - how much capital you're supposed to have - is where business intelligence comes in." That kind of planning requires extensive what-if analysis, he says: "An important consideration is how you'll manage under conditions of stress. If we had another severe recession, how would we manage our capital?"

The Chelsea Building Society already had a business intelligence system in place from vendor Infor, which it had used to build a financial model of the business over roughly 15 years. The system includes its own programming language which makes it easier to handle complex analyses, Price says.

Financial data is extracted from a mainframe-based data warehouse, and married with other inputs. He says: "The most important things that go in are the assumptions from heads of management about things like volumes or severity of house price falls. It's easy to produce actual information but it's harder to produce a coherent forecast."

One of the most significant implementation problems from a compliance perspective is retaining all the documentation surrounding the report, Price explains. The report, published in a format called the Internal Capital Adequacy Assessment Process, has to be retained for six years.

Price says: "It's hundreds of megabytes of data and you have to do it annually or as business conditions dictate. Most businesses are updating their business plans as they go through the year." Consequently many finance institutions will present two or three of these reports per year at least.

Conducting analytics for forward-looking statements is one way to meet compliance requirements but regulators also need companies to look backwards.

BI can help with auditing too. Diagonal's Whitby explains: "Normally compliance is ensuring that you have the right security around your data. BI systems now can not only set up different security levels but can even personalise them." Pieces of information can be associated with specific individuals, for example, which enables you to more easily build an audit trail of events and transactions leading to a particular business event.

However, Todd Paoletti, director of client self-service solutions at BI vendor Actuate, argues that for companies to build effective audit trails using business intelligence, a clear path must be defined between the report, the business application and the source data.

Paoletti says: "You must avoid data being 'cleansed' into a different or inconsistent format with the original source, or being out of date." One way to avoid this is to create a middleware layer between the reporting application and the disparate underlying data sources.

Ideally you will use existing performance management tools to help satisfy your compliance reporting requirements, argues Cate Zavod, who works in solutions marketing at Actuate. Reusing parts of existing BI systems enables you to guarantee that the same performance management information will be used for compliance purposes but it will also prepare you for future regulatory impact.

Zavod explains: "There are thousands of regulatory issues pummelling the financial services industry across the world today. So the more object-oriented your approach in developing these reports and applications, obviously the more reusable they will be, 'future proofing' you for the next one that comes down the pipe."

While some companies use business intelligence tools for reporting to the regulators, others use them operationally to help meet compliance requirements on a day-to-day basis.

Diagonal's Whitby suggests companies could use alerting systems that can be triggered when certain thresholds are met, as a way of policing internal controls. In a financial services setting, alerts could be set to prevent traders over-extending their position, for example.

Whitby says: "Rather than having to read through the data every week, the systems push information a lot more. So you can set it up to say that you have typical traffic light-type coding that says this is a trend we don't like, take action." The next stage is to trigger workflow that will escalate the problem and stop it becoming a regulatory issue, she adds.

Business intelligence software is already used in many organisations to monitor effectiveness, so it seems like a no-brainer to extend that to keeping a regulatory eye on your operation - and reporting on it after the event.