What is your COMPLIANCE strategy?
Risk-based approach to survive the audit or a cleverly crafted by-product of your analytics/AI strategy execution?
We invite you to discuss the pros and cons of these tactical alternatives.
As the innovation & management consultancy of IAV Group, we are currently involved in a number of client projects which aim to implement compliance frameworks and processes in engineering and software service organizations.
For global OEMs, tier 1s or engineering service provider organizations, compliance is a massive multi-project undertaking. It takes up a substantial amount of leadership time on all levels of the organization, and it does so at a time when companies find themselves at the crossroads of pandemic countermeasures and digital business transformation challenges.
The Compliance Solution Objective
Governance. Risk. Compliance.
To enable an automotive organization to reliably achieve objectives, address uncertainty and act with integrity, an integrated collection of capabilities defined as a three-tier approach called GRC is needed: Governance, Risk management & Compliance.
In most companies we see, governance is implemented in a quite mature state. In addition to governance, risk management constitutes three lines of defense. The first line of defense is made up of people in operative business units who continuously assess development activities and risks for potential incidents. To do this, they utilize guidelines, standards and methods provided by the second line of defense. This second line is made up of dedicated compliance and quality assurance teams in the organization. They not only define standards, they also track and control compliance with these standards. The third line of defense is formed by an internal audit organization. They monitor and ensure seamless collaboration of all stakeholders across all lines of defense.
The Compliance Solution Challenge
Clear objective. Unclear solution architecture.
In all cases we see, GRC objectives are framed in a way which is quite stringent on the question of “what” to achieve. At the same time, they give absolutely no indication on the “how” to achieve the GRC goals.
With no automotive industry blueprint available, nor best practices for the age of digital IoT ecosystems, creating a GRC solution concept for an automotive company causes two major problems at the same time:
a) the highest level of alertness and stress in top management and
b) a more or less completely unstructured discussion in the management team on how to manage and coordinate the work.
I believe every single one of you understands and feels empathy for a group of top executives who are used to having great answers to all questions in the book – and are now suddenly thrown into a situation where they are unsure where to start, how to identify key factors and how to bond together as a team. After all: executives have all learned not to show weakness nor lack of competence.
The natural impulse of most organizations facing an unstructured problem is to appoint “a great guy” to address and solve the issue. While very human, we see this strategy fail quickly once the management team realizes that every part of the organization is affected by change. And every change needs to be carefully thought through. And no executive is willing to let a chief compliance officer (CCO) decide the fate of the organization they are responsible for. At this point in time, management teams realize that they cannot and must not delegate leadership when it comes to re-inventing the business or addressing corporate risk.
“Process Driven” GRC Execution Strategy
Rules. Standardization. Training. Auditing.
In this scenario, the solution is comprised of “standard” ingredients which are already available and established in the organization:
- New roles are established without really changing the existing roles: “Chief Compliance Officer (CCO)”, a number of “Head of…” roles to lead the GRC house, etc.
The upsides of this measure are clearly appointed and defined responsibilities, which can be easily communicated using existing communication channels, and people who can be easily held accountable.
- Standard processes & procedures are added to the corporate framework on the basis of the newly defined GRC concepts.
The upsides of this measure are easy integration into the corporate efficiency scheme, they can be easily integrated into the existing systems and “tracking & tracing” is easily implemented for each process.
- Training is the obvious companion of changes in roles and processes. In automotive, we have invested heavily for decades in physical and online training of retail and production personnel to achieve high quality and perfect repetitiveness in quality of service.
The upsides of this measure are a plausible, stringent, tough, professional appeal which hardly anyone dares to challenge or doubt.
- Auditing has always been the crown jewel of automotive quality assurance.
Next to producing a call to action, audits do intimidate and leave a long-lasting mark on the psyche of managers and employees. Which is, in all honesty, an intended side-effect.
Limitation of the Approach
Latency. Hindsight. Scale.
If your objective is simply to keep your job, the process-driven approach is a very sound strategy.
If your objective is to honestly solve the compliance problem, I believe that the process-driven approach by itself may not get you there.
A process-driven approach tries to create a culture of ethics among all employees and implements a track & trace mechanism which is dependent on human compliance. This creates a latency between the moment when a problem or an offence occurs and the moment it is reported. We could argue that, in many cases, this system could still work well. And I grant you this. But just a single case of failure may drag the entire company down. In a process-driven approach, problems are identified late and solutions are more often than not applied in hindsight.
In addition to the hindsight limitation, the approach does not scale well at all. It is slow and very expensive to implement. It is labor intensive, and therefore very expensive to execute on a day-to-day basis. And even though it is slow and expensive, it does not really improve a company’s ability to identify a compliance risk quickly and take counter action. In my business value system, the process-driven approach is a very bad return on investment.
If I look at the underlying solution paradigm, I would argue that a process-driven compliance solution is an old solution scheme applied to a new problem.
You could argue that compliance is “cost of doing business”. I believe this is always true.
Let us backtrack:
- A compliance offence, big or small, is in my understanding an offence, most likely a criminal one.
- In automotive and mobility, we have entered the age of digital platform economy with rolling-devices in the internet of things.
- If this is true, the majority of value creation will from now on happen in the software creation or continuous operation process.
- If this assumption is true, the majority of compliance cases will have a touchpoint with or even be based on the platform-, analytics- or AI value creation stream.
- As a consequence, almost every offence could be classified as a cyber crime.
- If again this turns out to be a correct assumption, the nature of compliance will likely become a cyber crime prevention challenge.
From everything I know today – and I invite you now to challenge me on this – I believe it makes no sense to spend all of our money and effort on Fred Flintstone’s stone-age process weaponry.
What could be the alternative?
“Context Driven” GRC Execution Strategy
Data-driven analytics / AI monitoring. Real-time counter measures.
The starting point of a context-driven approach is similar to that of both the process-driven approach and the cyber crime prevention & solving approach:
- What are the use cases we know today or anticipate from our understanding of other industries?
- What strategies could offenders from outside or inside our corporation apply to our employees, our processes, our systems, our products, our services, to achieve an undue advantage?
- From our experience with hindsight analysis, in what sources, systems or combination of systems would we see an early indication of this?
- What would our best compliance investigators and subject matter experts do to evaluate the initial findings?
- How could we translate this type of analytical thinking and activity into analytical, deep learning and AI functions which can be infinitely scaled?
- Where can we find “learning data” to train these analytical compliance cyber-crime solutions?
- How can we build the high-performance team and competence which is needed to put human excellence on top of these system-identified and / or employee-reported initial findings?
- How do we put the learnings from each examined incident into the system to further improve it?
The difference in paradigm in this line of thought is that real-time/near-time identification and countermeasure execution is raised to the highest priority of the entire solution scheme. This is due to the core assumption that, from now on, it will always be a cyber race between compliance offenders and prosecutors. While the race will never be decided for long, in all cases time to identification and resolution is the key success factor.
Does this mean we have to start a completely new analytical program to execute this?
I would not recommend this.
We have already started to build platform-based analytical & AI ecosystems for our customers. We then realized that we need security & privacy to be a defining element of our corporate solution architecture.
We will put in place separate teams which will use analytical and AI means on this common infrastructure to:
a) continuously create and integrate OS and feature software (=customer perspective)
b) provide protection against consumer misuse and criminal attacks on vehicles & services (=security perspective)
c) provide transparency on & protect personal data against misuse (=privacy perspective).
Would it not make good sense to add:
d) continuously track, trace and investigate compliance violation & support human and system-based counter-action (=compliance perspective)?
By doing this, we still need to build the competence in the company on what is right and what is wrong. We still need to define guidelines and standards, just like in the process-driven approach. But when it comes to implementation, we leave behind the old ways and choose the fastest, most scalable, most effective and still human approach available to us. And we leverage corporate synergy across all digital business transformation efforts in the corporation.
You may still have a “Head of Compliance Team” person. But compliance will not be the responsibility of this person alone. It will be woven into the DNA of the company. It will be a responsibility of every employee, manager and system of the firm at the same time. And it will be enabled and secured by the fastest, most scalable and most flexible technological solution known to us today.