News: September 3, 2010
Knowing where to start
 
A range of legislation aimed at improving corporate integrity in conjunction with shortages in risk and compliance staffing has led to an up-tick in demand for software to help scope risk. Shaun Drummond assesses how organisations are coping.



As many that made big investments in the dotcom era would attest, a piece of software is not a magic wand that can just be waved at a major logistical task, but in the right hands it can make a big difference to narrowing down where you begin.

Following the commencement of the Sarbanes-Oxley Act (SOX), with its ticker-box nature, a mass of companies sprang up in the US, and big software vendors rebadged their offerings as a panacea for the compliance woes of corporate America.

Here, many companies are now in the throes of updating or introducing risk- and compliance-related software to comply with a range of new laws. A recent survey of the energy sector by Protiviti, for instance, found 60 per cent of respondents said it was either highly probable or possible that they would significantly modify, upgrade or replace their compliance software in the next 12–18 months.

Michael Rasmussen, a corporate governance consultant, and former vice-president at Forrester Research, is an advocate of the use of information technology to help efficiently manage risk. The value of the risk-related software market has doubled in 18 months to about US$5 billion ($5.5 billion), he says, although he points out it is still dwarfed by the professional services/consulting market, on US$40 billion ($44.2 billion) this year. But in the US, he says the growth is in large part due to the much maligned SOX, which led many to dive into investing in IT systems that are sold as compliance and risk management tools, but often need extensive customisation or are just not appropriate.

One of the key differences he has noticed between Australia and the US is a lower propensity here to see IT as a way to deal with compliance and risk. That may be in part due to the different regulatory regimes, but he says perhaps in some ways technology has been used too little.

“Banks worldwide, for the most part they’re pretty mature in adopting platforms to document risk,” he says. “But the banks I talked to here in Australia are still struggling with understanding some of the software platforms out there to help you document the key risk indicators and organisational controls and manage that.”

He says there has been a greater propensity to overhaul legacy systems in the US, in part driven by the prescriptive compliance regime, but another factor could be what he saw as a lack of collaboration between risk management and IT parts of the business in Australia. “Risk management talk is run independently, and collaboration and coordination with IT could be improved.”

Still, he says US companies have been guilty of treating technology as a silver bullet. He says software can drive sustainability, consistency and efficiency in risk processes. “But you have to have the right organisational design approach to risk management and one of the issues in the States is that a lot of these software vendors have built their technology on some perceived notion of risk management,” he says. “Some are good and some are bad, but the problem is in the States, they’re too quick to adopt technology and they haven’t defined exactly what they’re trying to achieve before they’re looking for software.

“The worst thing to do is let a technology define your risk program. It is a huge mistake – there are many platforms that were built with a specific view of risk in mind (such as SOX) and they may not have been designed to model your view of risk.”

But in the end, he says spreadsheets are not adequate to deal with the level of assessments for risk and compliance that most organisations face. “To date the greatest adoption has been in applications that provide content and workflow to streamline assessment processes. The growth in capabilities is focusing on more modelling, analytics, as well as business process management,” he told Risk Management.

Others say that over the past year there has been an up-tick in demand for software in Australia to help organise disparate data, particularly from legal departments keen to reduce legal bills that can be heavily inflated by lengthy electronic discovery when subject to litigation due to the huge amount of information now flowing in and out of organisations.

The demand has been sparked by several major court cases that have been critical of general counsels’ role in the destruction, and limitation of access to documents through professional privilege claims. These include the “mega” C7 case, and the AWB and the HIH royal commissions.

In the US, one major case, Zubulake v UBS Warburg LLC, led to a raft of reforms on electronic discovery in the courts, including the new Federal Civil Procedure Rules, which require material to be in electronic form. As a result, the electronic discovery software industry has been forecast to more than double from US$2 billion ($2.2 billion) last year, to US$4.9 billion ($5.4 billion) by 2009.

This has resulted in a rash of new vendors offering forensic software, and existing large software and professional service firms moving into the arena to take advantage of the growth in demand.

Deloitte’s Australian office is one of the latest. It followed its overseas offices’ example, and last year purchased Forensic Data, Australia’s longest running company in the data recovery, data conversion, electronic discovery and computer forensics area.

Anti-money laundering (AML) laws, which are being phased in at the moment, are leading to some of the biggest investments in Australia, even for companies that utilise a lot of technology already to track risks.

Neal Jeans, head of the AMP group at National Australia Bank, says some of the biggest costs of the AML laws are in “warm bodies” to maintain the monitoring of transactions, and this is not a one-off expense.

As evidence, he cites a 2005 London School of Economics study which found the costs of compliance for City of London firms rose by 40 per cent in that year, with 60 per cent of that increase attributable to AML staff.

However, for such a large organisation as theirs, and one with potentially high exposure to money laundering activities, upgrading IT systems has been the biggest single investment they have had to make.

The exact figures, he says, are commercial-in-confidence, but they are “significant”. Banks have always had to identify their customers through the 100-point check, for example, but he says this has had to be extended to other parts of the business.

“The legislation requires you to collect more data, to do things with it, the collecting and restoring requires changes to current business processes. It requires you to look at software that is on the market … to improve transaction monitoring and identify risk within our customers,” he says.

“So we’re putting, to a degree, more rigour – we were quite rigorous beforehand – but we’re putting more rigour around those data elements so we can actually identify everybody that works at the casino or works in the gambling industry, for example,” he says.

The software also looks for customers that are “politically exposed” people. This involves taking customer data and running that against another list they have acquired to look for a potential match. “It’s also looking for customers that have addresses in high-risk jurisdictions,” he says.

Jeans stresses the technology is just the first step used to identify where risks might lie. “Obviously these aren’t sort of black and white, organised criminals. It’s just an indicator of risk.” Once identified, they need to explore it further, and that often means more manual processes involving staff. “This is the first step in [identifying risks], which, as I say, is taking the data and using systems to effectively run it through the system to identify the risk elements.”

The AML laws are now prompting many more sectors to seriously consider increasing their investments in systems that help them to corral and analyse customer data.

The costs are lower than they might have been for many smaller organisations that must provide compliance reports to AUSTRAC due to the risk-based approach of the new law. But in order to determine the risks faced it has required many to look closely at their exposure to laundered funds.

Tabcorp, which owns Sydney’s Star City Casino, reported a 9.1 per cent increase of $84 million in costs at the end of last year, which it said reversed a record of “cost containment”, with increases in expenses of just 1.5 per cent in 2005–06 and a reduction of 0.3 per cent on 2004–05. This included an extra $7 million in the casinos, and $14 million in wagering – some of it for improved risk-based assessments.

Employee costs were the biggest component of overall expenditure, but technology and communications came in second, growing by 21.5 per cent on 2006, compared to a 3.1 per cent increase for employee costs.

The $130 million spent on technology and communications services was made up of support and maintenance increases with CPI, network expansion of services such as Keno NSW and Trackside as well as “disaster recovery and risk reduction”.



Software companies are now finding a market for risk-related applications outside the big end of town. However, James Field, managing director of Premium Advisory, says that while the big banks have been the main spenders on risk and compliance software, using software to monitor risk has been slow to catch on outside the financial sector, though he believes there is a big latent market out there. Premium Advisory offers small- to medium-sized companies risk and compliance software via a software as a service (SaaS) delivery model, meaning the company hosts the software online.

He says many smaller companies barely have a real risk management plan at all and a large proportion of Australia’s listed companies have risk management and compliance programs that are largely “symbolic”, and first need to properly look at what their risks are before they start to think about systems to list and monitor them.

“A lot of them have a risk statement somewhere – but they’ve pretty much paid lip service to the whole risk and compliance process; they’re not committed to it. So if you ask to see a copy of their risk policy, they’ll actually say it’s largely symbolic – if you ask for a copy of the risk register, they may be able to produce something, but it generally won’t have treatments and controls,” he says.

“I know just on the financial services industry complaints site, there are over 600 managed investment schemes that are listed there. Many of them are tiny, but they all have to do risk and compliance, and for a large amount of them, they probably don’t do too much.”

Those that do have detailed policies for dealing with risk in place, he says, are the ones that quickly realise that a spreadsheet is not going to be sufficient to monitor the risks they are exposed to, and especially the controls and treatments to deal with them.

“Say they come up with 100 risks, each one of those risks might have say two controls, and each one of those controls may be asked on a monthly or quarterly basis,” he says. “If you do the multiplication there, suddenly you’re ending up with over 1,000 incidents every year that you have to monitor, to see whether you’re controlling the risk.”



The software required to monitor AML on its own is “bloody complicated”, he adds. “If you’re running a retail brokerage for example, you’ve got to be monitoring each client and every profile over time. They’re going to have to invest in a technology solution, otherwise they won’t be able to do what it sets out in the guidelines.”



Regulators update risk models

Targeting organisations that face the greatest risk of non-compliance with their requirements is the approach of choice for many regulators now, and is no doubt favoured by governments keen to contain expenses.

This is especially the case with regulators that are tasked with overseeing a very large number of organisations.

From the beginning of its new task to administer the national model laws for the legal profession that commenced in July last year, the Queensland Legal Services Commissioner has introduced a “self audit” procedure based on “10 commandments” that the new incorporated legal practices (ILPs), a law firm structure introduced under Queensland’s Legal Profession Act 2007, must consider.

For the past six months they have been asking incorporated practices to respond to questionnaires on the makeup of their company, board members and their business activities. These are added to a database which is being used to help build up a picture of where the agency’s efforts can be best applied.

They are also asking for information about the size of the firm, the nature of the law practice, who the shareholders are and who the directors are.

“We are trying to get some good information that will enable us to profile the people other than legal practitioners that might be exercising influence, [such as] directors or other officers of ILPs,” he says.

“That’s also so that we can begin capturing relevant information and in the fullness of time be developing some sort of instruments that will give us some risk indicators, if you like, so that we can be targeting our resources much more effectively than the sort of standard scattergun audit approach, which has been used with, for example, trust accounts in the past.”

The second milestone of the new AML laws passed on 12 December last year, when AUSTRAC’s present 20,000 reporting entities were required to have implemented an adequate anti-money laundering/counter-terrorism financing program, including documenting how they have identified, mitigated and managed the risk of money being laundered through their organisation.

For AUSTRAC itself, given the number of entities that must make reports, they have had to not only utilise the internet to receive compliance reports (all of which are due by the end of March) and disseminate information about the new laws, but alter internal IT systems to assess where their time will be best spent.

According to their chief of compliance and enforcement, Darryl Roberts, AUSTRAC is likely to be visiting about 2 per cent, or 400, of those 20,000 over a five-year period.

Helping them make the assessment to narrow it down to these, the existing AUSTRAC Regulatory Risk Assessment System (ARRAS) will be augmented with a much expanded capability. According to AUSTRAC CEO, Neil Jensen, ARRAS is used to track transactions, and for “data quality purposes”, but the update, to be complete by the middle of this year, will allow them to better select a sample of higher risk entities for more intense supervision.

At a recent Australasian Compliance Institute conference, AUSTRAC’s head of compliance and enforcement, Darryl Roberts, outlined their already complex risk modelling procedures, which go under the acronyms CRESS and PROCESS.

However, he said that given the size and diversity of the organisations under AUSTRAC’s supervision, the “scores” produced from these systems “would inevitably be imprecise and highly indicative” and ultimately they were based on subjective assumptions.

14 February 2008


Copyright © Reed Business Information. All material on this site is subject to copyright. All rights reserved. No part of this material may be reproduced, translated, transmitted, framed or stored in a retrieval system for public or private use without the written permission of the publisher.
