At a glance
Sometimes when things go wrong, they crash and burn so spectacularly that they rewrite the law books.
The collapse of US company Enron in 2001 is a good example of this, and it serves as a reminder of the importance of effective regulation to provide oversight and prevent non-compliance.
The Sarbanes–Oxley Act of 2002 comprehensively reformed business financial practices and set new standards for public accounting and corporate governance in the US. Yet it is a classic example of the traditionally reactive nature of regulation – taking a “big stick” approach after the fact.
The corporate failures of the past few decades have prompted regulators to start taking a more proactive position by gathering data to help prevent non‑compliance in the first instance.
The practice of “risk-based regulation” – also referred to as “intelligence-led regulation” – is increasingly being used by regulators across a range of markets. It is a concept that businesses can apply to ensure compliance requirements are met.
Response to non-compliance
Risk-based regulation takes the guesswork out of promoting compliance and supports regulators to focus their resources on the highest non-compliance risks, says Stephanie Morrow, specialist adviser in compliance and enforcement at Essential Services Commission Victoria.
“It sounds really obvious, but this is quite a contemporary idea. Traditionally, regulators would not know what was happening in the market unless people complained to them,” Morrow explains.
“There is a sense that we need to be active in monitoring the market we are regulating. If we are proactively identifying where the emerging issues and greatest harms are, we can prioritise resources accordingly and use our compliance and enforcement interventions in a way that will reduce harm most effectively,” she says.
Regulation oversees services that affect everyone, such as safe drinking water, home loans, food products, taxation, telecommunications and transport.
This is why the amount of data collected by regulators is huge, and data collection is a task not without its challenges, says Morrow.
“Regulators have access to huge troves of data. Some is publicly available, and some requires special permissions or because you require people to report regularly to you. Some you have access to because you have the power to give someone a notice and force them to give you information.
“For all these reasons, regulators are drowning in data, and the data is virtually useless unless you know what to do with it,” says Morrow.
Andrew Wilson, managing director and consulting lead at Accenture, agrees that this is a common problem.
The data overload needs to be addressed by both regulators and businesses taking a proactive approach to embedding technology skills in the workforce, Wilson says.
He points to the Australian Prudential Regulation Authority’s (APRA) five‑year roadmap for transforming its approach to collecting financial industry data from the more than 2000 entities it regulates as an example of a regulator taking steps towards a digital future.
“Regulators are leaning in to support a better utilisation of technology, which is encouraging. They are upskilling and ensuring that they have the right technology and roadmap to better utilise the data they are collecting,” Wilson says.
Kevin Smout, partner and global leader for governance, risk and assurance services at KPMG, says regulators are also changing their approach and starting to look at behaviours and analyse data. This allows them to see the lead indicators or trends in different sectors and demographics.
“They are talking more and more about how they can support organisations to do the right thing,” Smout says. “They are looking at the data to see how it informs problems that they need to focus on. Equally, they also require an organisation to show they are using scenario planning to manage risk.”
It is not just regulators that can take an intelligence-led approach, says Wilson. Businesses also know that effective risk management frameworks need to utilise data and technology.
“Organisations that are invested in technology are invested in upskilling their people and in building teams with the right skills. They are clear on how data can help with their compliance requirements.
“Through better use of data, automation of controls, real-time identification and mitigation of risk, organisations can move from just detecting risk in the business towards predicting where risk might arise and prevent it from occurring,” Wilson says.
However, to make the most of the data, they need to be able to analyse it. That means joining the dots and using real‑time data to change course if needed.
“It is important to understand we are on a journey – data will keep on being collected and technology will keep evolving. We just need to be clear about what we need it for and what we do with it,” Wilson says.
Accenture’s latest study of compliance risk surveyed compliance leaders in banking, capital markets, energy, insurance, life sciences, utilities, travel, telecommunications, hospitality, health and public services, and software and platforms.
The findings confirm that compliance functions across the globe are feeling the heat of accelerated transformation and the need to respond to an expanding compliance agenda.
“Ninety-three per cent of respondents agreed or strongly agreed that new technology such as artificial intelligence and the cloud make compliance easier. They can see that technology is going to improve compliance into the future. Forty-eight per cent are also turning to big data and analytics to strengthen their compliance functions,” Wilson says.
The big picture
For Smout, using intelligence to help with compliance paints a broader picture than numbers alone can provide, and it should be developed in conjunction with a rigorous risk culture.
“Enron, along with other corporate failures, triggered a whole range of increased regulation, oversight and data collection.
“When you look at it, after so many years we’ve got a lot of data, but it does not mean that we have fixed the problem of organisations identifying the right things,” says Smout.
That will not happen unless businesses develop a strong risk culture that allows the right risk topics to be identified and discussed.
“Having a risk management culture where people feel safe and encouraged to speak up is important, because then you can deal with the root cause of the problem and fix it.”
Accountants and finance professionals all have a role to play, says Smout.
Examining the root causes of corporate failures is crucial, particularly based on what the data and analytics indicate. This should include looking at the causes from a behavioural perspective as well.
“If we look through the numbers to find the story, we will be able to address problems and change the behaviour behind it,” he says.
An ongoing evolution
Change can be slow in the regulation space, admits Morrow. Yet over the past two decades there has been a definite evolution in compliance methods.
“If you look at any Australian regulator’s compliance and enforcement policy, there’s a very high likelihood that somewhere in that policy, you’ll see a pyramid of ways compliance is enforced. This starts with warning letters on the bottom rung and leads up to prosecution and licence cancellation at the top. That pyramid is still being used, but it is now increasingly complemented by other data-driven insights,” she says.
Smout also says the regulatory space is evolving.
“I think we are starting to move to the right space, which is how to get the right kind of risk culture and risk management over financial and non-financial metrics. Just regulating, requiring returns to be completed and having oversight in multiple ways does not help you see the wood for the trees,” he says.