Let's not measure the tape. Measure the time it takes to comply
Updated: Jan 25
Speaking at a RegTech Association webcast on Tuesday, the Hon. Victor Dominello MP, Minister for Customer Service spoke openly about the need for a more transparent and open approach to the implementation of regulatory compliance.
Whilst the focus of the discussion was on government providing what he described as "good regulation", there are parallels that can be drawn from this into the private sector and regulatory body's role in compliance.
Minister Dominello described good regulation as regulation, that due to good systems and processes, can be implemented quickly. The message here is that regulation is put in place to protect stakeholders and the obligation to comply is one that needs to be taken seriously. And as equally important as the regulation itself, the speed to implement regulation becomes a critical measure of its success in regulating what matters.
Outlining the state government's vision for better regulation, Minister Dominello called on public agencies to rethink their deregulation model: "Don't be a caveman and measure the tape, be like Einstein and measure the time in a post-Covidian world."
Speaking of the inefficiencies in complying with current [government] regulation Minister Dominello, he spoke about businesses not needing governments from federal, state or local, asking them the same questions over multiple visits. "In that world, imagine if we had an inspector-general, hypothetically. So one person went out, one inspector, and asked all the questions that needed to be gathered at any given time.”
Businesses expect to tell any branch of government once, and that data is shared inter-department. But we can only do that if we manage our data well. Minister Dominello calls it the ‘tell us once’ approach. Sounds good doesn’t it?
The introduction of APRA's Prudential Standard CPS234 for Information Security has created similar challenges for its regulated bodies and material suppliers. As data remains one of the most valuable assets to regulated entities, APRA is of the view that managing data risk is imperative for these entities to be able to continue to meet their overall business objectives while remaining compliant.
The standard states that material providers to an APRA regulated entity must also be able to prove compliance with strict guidelines on how they manage their data and the potential impact on an APRA regulated entity. Whilst unable to measure compliance directly, APRA has release the Prudential Practice Guide, CPG235 Managing Data Risk to provide 3rd party entities a framework and clarity on how they impact an APRA regulated entity. It has been released as what they state is good business practice and what they hope will become the default standard for business in Australia.
Herein lies the problem.
We have interviewed and met with countless executives working for financial services organisations in the supply chain for APRA regulated companies (think Loan or Insurance Brokers e.g.) who have a material impact on the management of data for that APRA regulated entity. Following the Banking Royal Commission and the spotlight being placed on Information and Cyber Security, APRA regulated company's have increased their demands on their suppliers to be providing regular and specific information as it relates to how they manage and secure their data.
And each of them do so, independently of the other, resulting in countless hours of unproductive and non-core activity being spent reporting back to their customers. And often in cumbersome reporting tools or bespoke spreadsheets, requiring the duplication of effort and information and dare I say it, introducing further risk into the data management lifecycle.
To Minister Dominello's point, the private sector can and should be doing a better job of ensuring regulatory compliance is not simply passed down to suppliers, but where required to do so, such as with CPS234, is made as easy as possible to comply. An "Inspector General" of sorts.
We can put in place an "Inspector General", with appropriate systems and processes, implement a cleverly designed "continual compliance" solution to ease the burden on business and proactively "report" compliance. And even better, only report exceptions once we have a trusted system in place. Minister Dominello goes on to state that smart regulation is, digital, smart & systemised and based and delivered on trust. That is, the delivery of good regulation must be based on 3 core elements:
Information Security & Cyber Hygiene; and
All wrapped in an ethics.
Compliance is one thing. Implementing compliance and managing it on an ongoing and continual basis, is another. Among other factors such as the role of executive leadership and cultural change, supported by world class systems, the implementation of a GRC (Governance, Risk & Compliance) platform and using a smart controls framework to do so allows organisations the ability to build trust between each other and relieve the pressures of regulatory compliance to maintain focus on core business activities - not regulatory compliance.
After all, let's not act like cavemen and measure the red tape, let's measure the time it takes to comply and the ease with which we can continually comply.
For more information on FirmGuard's GRC Platform and Compliance and Regulatory Solutions & Services, please contact us on firstname.lastname@example.org.
Dan Ussher is the Founder and CEO of FirmGuard, a GRC & Information Security Specialist working with organisations to navigate the complexity of regulatory compliance obligations and requirements. You can contact FirmGuard on email@example.com or 1300 FIRMGUARD (1300 347 648)