Like security, compliance should be something you "build in," not "bolt on"

The concept of compliance is changing. Even as U.S. companies deal with the Sarbanes-Oxley Act, European companies with Basel II, and Japanese companies with the Financial Instruments and Exchange Law (commonly called J-SOX), compliance has taken on a whole new role. Within the broader business concept of governance, risk, and compliance (GRC), we see compliance as an enabler of business processes.

How does that work? Consider how many places in your company you rely on human intervention to ensure that a business process runs smoothly. Consider, too, how many places you would like some sort of intervention but can't currently afford it. Intervention translates to protection, and it doesn't have to be protection from hackers or malcontents. Sometimes the problem is simple human error. Consider an example we heard from the chief security officer of an oil company. In a corporate promotion, the company offered a bonus of $1 million each to 1,000 gas station owners. Sound generous? It was. The bonus was supposed to be $10,000; $1 million was the entire pool of money budgeted for the promotion. Imagine if your business had networks and applications intelligent enough to guard against those kinds of embarrassments.

That's how people are beginning to look at GRC: a collection of policies and procedures that a company can put in place to govern itself and improve operations. Simply put, it's about making sure that bad things don't happen and that good things do.

Suppose your company has concerns about intellectual property. If you have a system that deploys intelligence throughout your infrastructure, you can implement rules about who can send information where. Say your e-mail system sees an outbound message with an attachment containing a list of nine-digit numbers (a U.S. Social Security number has nine digits, not ten). It could readily check whether they are Social Security numbers.
Perhaps it's an e-mail with an attachment going to China. You could set up policies to stop it, based on whether or not the message is going to a company you do business with. You could check the attachment to ensure it doesn't contain design specifications. Or you could route the e-mail to someone who can manually determine whether it's a case of espionage or simply bad judgment. You could apply the same kind of restrictions in conjunction with other business processes, such as digital rights management or service level agreements, and electronically audit whether items were shipped on schedule, for instance, or whether intellectual property is protected when it's posted online. Most companies use personnel to manage such processes, and it's very inefficient. One company reportedly spent $700,000 on a compliance team that ended up letting certain important issues slip through anyway.

Take the unexciting but important concept of managing retail returns. It's a labor-intensive, manual process, with a set of policies and procedures that involve inventory and finance. Using serial numbers and other information to confirm that the person returning the product is actually the person who bought it, and that it's a product you sell, not only improves customer service but also helps your profit margin.

GRC is not about any one application; it's about all the policies and procedures you put into place, some of which are unique to your business. Automating those procedures removes human error and oversights from the routine part of the process, and frees up personnel to focus on events that need human consideration. We believe that GRC is the next big business innovation. It's the idea of having electronic eyes look at activities across the enterprise, correlate them, and allow some activities to happen while preventing others before they can cause problems. For business, GRC is like a neighborhood watch program that senses when something is awry.
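The outbound e-mail policy sketched above (scan the attachment for Social Security numbers and design documents, then allow, block, or route to a person depending on whether the recipient is a business partner) can be made concrete in a few dozen lines. The block below is an added example written for this page; it is not code from the authors, SAP, or Cisco, and the partner domain, document markers, and sample roster are assumptions constructed for the demonstration. It goes a step beyond the text by applying the Social Security Administration's structural rules (area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are invalid) so that arbitrary nine-digit numbers are not flagged.

```python
"""Outbound e-mail policy check: SSN scan plus design-document markers, decided by
recipient domain. Added example; domains, markers and sample data are constructed."""
import re
from dataclasses import dataclass

# Candidate SSN: AAA-GG-SSSS with optional dash or space separators. The \b anchors keep
# the pattern from matching inside longer digit runs such as phone numbers or order IDs.
SSN_CANDIDATE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued, and
    group 00 / serial 0000 are invalid. Weeds out most random nine-digit numbers."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list[str]:
    """Return every structurally valid SSN in the text, normalised to AAA-GG-SSSS."""
    return [
        f"{m.group(1)}-{m.group(2)}-{m.group(3)}"
        for m in SSN_CANDIDATE.finditer(text)
        if looks_like_ssn(*m.groups())
    ]


@dataclass
class Policy:
    partner_domains: frozenset[str]          # companies we do business with (assumed list)
    ssn_threshold: int = 3                   # one hit may be noise; a list is a leak
    design_markers: tuple[str, ...] = ("DESIGN SPECIFICATION", "SCHEMATIC")  # assumed


def evaluate(policy: Policy, recipient: str, attachment_text: str) -> tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'block' or 'review'.
    'review' hands the message to a person instead of guessing, as the article suggests."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    is_partner = domain in policy.partner_domains
    ssns = find_ssns(attachment_text)
    has_design = any(marker in attachment_text.upper() for marker in policy.design_markers)

    if len(ssns) >= policy.ssn_threshold:
        # A list of personal data has no business leaving by e-mail, partner or not.
        return "block", f"{len(ssns)} SSN-like values in attachment to {domain}"
    if has_design and not is_partner:
        return "block", f"design document addressed to non-partner {domain}"
    if has_design or ssns:
        # Ambiguous: a design doc to a partner, or a stray SSN-like number. Let a human decide.
        return "review", f"possible sensitive content to {domain}: ssns={ssns}, design={has_design}"
    return "allow", f"no sensitive content detected for {domain}"


# Constructed sample data; names, numbers and domains are made up for the example.
POLICY = Policy(partner_domains=frozenset({"partner.example"}))
ROSTER = """Employee roster
Alice Example, 219-09-9999
Bob Example, 078-05-1120
Carol Example, 457 55 5462
Order ref 000-12-3456 (area 000: not an SSN)
Phone 415-555-0199
"""
DESIGN_DOC = "DESIGN SPECIFICATION rev 4: pump controller firmware, internal only"


if __name__ == "__main__":
    for rcpt, body in [("hr@partner.example", ROSTER),
                       ("eng@partner.example", DESIGN_DOC),
                       ("buyer@unrelated.example", DESIGN_DOC),
                       ("buyer@unrelated.example", "Q3 price list attached")]:
        print(rcpt, evaluate(POLICY, rcpt, body))
```

The threshold and the "review" branch are the parts worth tuning in practice: a single SSN-like value is often an invoice or order number, so sending every such hit to a reviewer keeps false positives from blocking legitimate business, while a list of them is blocked outright regardless of recipient.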
We believe that the network, because it touches everything, is the best place to facilitate GRC. Processes occur everywhere across an extended enterprise, and it's important that any such system has a broad perspective and can deal with the heterogeneity of applications.

Amit Chatterjee is senior vice president of the risk and compliance management unit at SAP. Bill Ruh is vice president of advanced services at Cisco.
