Achieving Regulatory Compliance – the devil is in the data

I will be sharing my experience and ideas on “Achieving Regulatory Compliance – the devil is in the data” at an IDQ Seminar Series event in Dublin next month.  I would like you to help me prepare.

I would like you to share your past experience with me, your ideas on the current situation, and most important, your view of the future.

Is Regulatory Compliance a mere box ticking exercise?

What industry do you work in?

Is regulation increasing in your industry?

Is regulation merely a box ticking exercise?  Does the regulator simply accept what you say?

What role does data quality play?

What role does data governance play?

My initial thoughts are as follows:

  • Regulation is increasing across all industries
    e.g. Within Financial Services, the list includes:

    • BASEL II
    • Anti Money Laundering AML
    • Anti Terrorist Financing AFT
    • Sarbanes Oxley SOX
    • MiFID
  • Regulatory compliance is often seen as a box ticking exercise, since it is physically impossible for the regulator to check all the information provided.
  • Regulators will increasingly seek to challenge, audit and query the Data Governance processes used to gather the information, and critically the controls applied within those processes.  (I have written a series of posts on common Data Governance Issues – see Data Governance Issue Assessment Process)

I hope to write a number of posts expanding on the above ideas.  My argument is that “To achieve Regulatory Compliance, the devil is very definitely in the data, but the evidence is in the Data Governance process”.

Whether you agree, or disagree, I would like to hear from you.

9 thoughts on “Achieving Regulatory Compliance – the devil is in the data”

  1. Ken,

    I agree completely, the devil is in the data, but to ensure compliance you need a repeatable, auditable process, and it is that process that gets ‘ticked’ off.

    I firmly believe that a lot of ‘compliance’ based reporting is done as a tick box exercise. However if you sit back and look at the detail of each regulation you will find a large amount of common sense and good practice.

    If you implement compliance reporting or governance as part of a wider business improvement exercise you will get a lot more tangible benefit and buy-in from the initiative, rather than having the overbearing feeling that you are only ‘doing compliance’ because it is being demanded of you.

    • Charles,

      Thank you for kicking off the feedback.

      I agree with the points you make. However…as you know, one of the greatest challenges for the data quality profession is making the business case for good data quality (which can only be achieved, as you say using “a repeatable, auditable process”, or Data Governance).

      In my own experience, selling the benefits of “data quality” has always been difficult. Being able to say “It’s the law”, has an amazing ability to focus the mind, and attract the support and funding from senior management.

      Thanks again for joining the debate.


  2. Ken,

    One area where compliance and regulation are very closely interlinked is in the regulated utilities and transport sectors in the UK. Here the devil is in the detail and where good cases for funding have not been presented, then the funding is not allowed which can have an impact in the order of £hundreds of millions.
    Recent high profile prosecutions and fines (Severn Trent, Thames and Southern Water to name three with multi-million fines) mean that compliance is now very high up the agenda in this area.

    Would be interested in your perspectives on this.


    • Julian,

      Thanks a million for your input, and for the examples of fines and prosecution. This is just the type of material I am looking for.

      I completely agree – fines of multiple millions within an industry certainly focus the mind. One school of thought is that the current world economic situation resulted from regulators failing to regulate. As a result of this, I believe we will see regulators showing more teeth in future, and more heavy fines.

      In my opinion, good, common sense “Data Governance” processes are industry independent. Data Governance issues that a regulator may view as a compliance failure are also industry independent. I hope to explore these issues in the course of this debate – I have written previously on this in Data Governance Issue Assessment Process

      Rgds Ken

  3. Ken,
    I agree somewhat. Regulation is a great driver for a Data Quality initiative. But I’m not sure if the existence of a defined, repeatable, stable etc. process is a good indicator for quality. I’d prefer to see “results” rather than “work” .. how many problems were discovered, how were they solved, how is re-occurrence prevented etc.
    The crux with this is that it is much more difficult to evaluate than a “generic” Data Management process .. you have to look at the data and get your hands dirty. But that will ultimately be of much more use than just defining a process. The process has to be put in place, but in my opinion more as a by-product of actually solving issues.
    What are your thoughts?

    • Hi Thorsten,

      Thank you for your input, much appreciated.

      You are correct – “results” are more important than “work”.

      I, like you, would like to see (and a regulator or auditor will expect to see):
      – How many data problems were discovered?
      – How were they solved?
      – How is re-occurrence prevented?

      The above will not just “happen” in an organisation.
      A “Data Quality Management” process is required to ensure that it does happen. This process must have “controls” that:
      – Identify the occurrence of problems
      – Record how problems were resolved
      – Perform causal analysis to identify root cause
      – Implement changes to prevent recurrence

      A Data Governance process ensures that a “Data Quality Management” process is in place to address the above.

      I agree with you that the best way to learn about the quality of information and data in an organisation is to get one’s hands dirty.

      I have gotten my hands dirty many times, on many regulatory programmes. The Data Governance processes I recommend are a by-product of actually solving issues.

      In conclusion, I believe both the “results” and a “process” to manage the “result finding” are essential.

      Rgds Ken

    • Phil,

      This is great!
      This is just the sort of experience sharing that I was hoping to generate. I have read your blog post – excellent.

      Thanks for your input,


  4. Pingback: Craig Newmark on Information Quality « Ken O'Connor Data Consultant
