Conflict of interest is a serious business in the financial services world and even a hint of it can put a company's reputation, and future, on the line. For Deloitte, which audits accounts and records for many on its extensive client list, and which employs many auditors on numerous projects, managing such potential conflicts became easier with automated business rules.
Deloitte has an internal policy which dictates staff cannot own shares in companies they audit. Peter Williams, CEO of Deloitte's e-business consulting arm Eclipse Group, said such independence rules, if breached, would be the greatest source of risk.
"We register shares we currently own on our intranet: those shares are then matched against a database of audits Deloitte has won so employees are automatically excluded from auditing projects which involve companies they have shares in," Williams said.
"The service is Web enabled so when people put in a conflict search it is aggregated and sent to employees daily so we can ensure conflict is prevented at that point. Web services allow us to more easily extract data from and integrate it to other systems, as well as moving operational data into portals and exposing it in a dashboard to the chief risk officer or the equivalent," Williams said.
"Web enabling, from a risk and compliance framework, uses IT to reduce the arms and legs needed. There is a landscape of applications out there; the best way to manage information is to pool it together and make relevant information available for different people - an operational manager in a manufacturing plant has to manage the risk around a line shutting down and the CFO needs to know what the financial impact is if the line goes down.
"Business rules are about consistency - I have found large corporates work with Sarbanes-Oxley as a documenting process to show consistency and use compliance and the adhering business rules for greater alignment in business process."
However, Williams warned about creating and implementing systems that bind business rules with compliance without first creating a culture of compliance.
Without a culture of like-minded people aware of why they are working to such rules, users will not adhere to the system, he said. "Big ticket" compliance items like Sarbanes-Oxley require a cultural change within an organization. And the systems need to be automatic and include real-time reporting features so the information the business rules capture gets to the right people at the right time.
Darryl Butler, Deloitte enterprise risk services division partner, said given the volume of compliance and regulation to come out over the last four to five years, only a few organizations in Australia are in a position of knowing that their day-to-day business rules and operations adhere, where appropriate, to compliance needs such as Sarbanes-Oxley.
"Business has been working like crazy to even get their head around what specifically applies to them. I am not being critical of organizations because there are so many rules to comply with, but a lot of them are only now looking at how to make business rules sustainable and effective and those that are in this position in Australia are definitely early adopters. It is a similar effort to Y2K which took business a lot of effort to understand the risk and then respond, often at a very difficult stage," Butler said.
"Capturing all the necessary reporting information with business rules has one key element: implementing risk management or compliance measures within an organization and sustaining them. There is a huge cultural change to the whole process and what is interesting is this also gives IT a great opportunity to help drive and enable it."
Butler said the reason such attention is being paid to automatically meeting compliance now is that in the past it was just assumed businesses aimed to do so. What is important now is demonstrating the organization has a structured way to manage both risk and compliance.