
Compliance and BI: Same mission, different approaches

By Wayne Eckerson
19 Jul 2006 | SearchCIO.com




Compliance and business intelligence (BI) initiatives are designed to standardize the delivery of business information, yet both are afflicted by the very lack of semantic consistency that they are designed to solve. So how do you successfully define these different types of initiatives and ensure they work together effectively to achieve the same goal within your organization?

In my opinion, BI is the flip side of compliance. And as a result, BI professionals have a heck of a lot to contribute to compliance efforts inside their organizations.


For the past decade, I and the rest of the faculty at The Data Warehousing Institute have proclaimed the importance of standardizing data to run the business more efficiently and effectively. Essentially, we have preached the business benefits of delivering secure, standardized and accurate reports for decision making. The compliance industry, on the other hand, emphasizes the penalties of not delivering secure, standardized and accurate reports for decision making.

In other words, both industries have the same goals, but different approaches for getting there. Both desire to deliver accurate, valid information to decision makers. However, the BI industry offers a carrot, the compliance industry a stick! Organizations that have heeded the call of BI already have the expertise, if not the processes and tools, for complying with new, information-centric regulations.

Role of BI professionals in compliance

It would be wise for organizations embarking on compliance initiatives to leverage the work of BI professionals. One way to do this is to extend an existing data warehouse or data warehousing architecture to deliver financial reports. Well-designed BI environments already have the infrastructure, tools, processes and checks to collect, validate, integrate and populate financial information into database management systems designed to support financial analysis and reporting. This infrastructure is invaluable and can help organizations accelerate their progress toward meeting Sarbanes-Oxley Act and other requirements.

If your organization does not have an existing data warehousing environment, or has one that does not lend itself to delivering financial reports for some reason, then you should consider recruiting BI professionals onto your compliance team. BI professionals have struggled to standardize semantics, definitions and rules, and to deliver consistent information to business users. Getting metadata right is the key to minimizing a large portion of risk addressed by new regulations.

BI professionals also have mastered a major weakness in most compliance initiatives to date: the lack of automation. Lee Dittmar of Deloitte Consulting LLP estimates that 85% of compliance controls are manually tested and compiled for reporting purposes. Until organizations automate the testing and reporting of controls, they will spend an inordinate amount of time and money adhering to regulations. The lack of automation means they will fail to minimize risk since they won't recognize problems until it's too late to do anything about them.

Some slight differences

Despite the similarity of their missions, the BI and compliance industries differ slightly in approach. BI professionals who are making the journey into compliance land should make note of these differences:

  • Compliance focuses on how to minimize risk, while BI focuses on how to maximize gain (i.e., reduce costs or increase revenues).
  • The compliance industry provides frameworks (such as COSO, named for the Committee of Sponsoring Organizations of the Treadway Commission, and CobiT, or Control Objectives and related Information) for the things that should be measured. The BI industry provides no such frameworks although it can be argued that most industries and business functions largely measure the same things in the same way.
  • Regulations require organizations to measure compliance with established policies or face penalties, whereas there are no laws requiring organizations to measure business performance or productivity.
  • External users (i.e., auditors) measure performance toward achieving compliance objectives, whereas internal users measure performance toward achieving goals defined within BI metrics.
  • A majority of compliance metrics are manually counted or assembled, whereas most BI metrics are automatically populated with data.
  • Compliance metrics are counts of binary states -- the event was "in" compliance or "not" in compliance (i.e. number of noncompliant passwords in use) -- whereas there is much greater diversity among BI metrics.
  • The most important aspect of a compliance metric is the target or "risk threshold," whereas many BI metrics don't have targets. (Those that do are often called key performance indicators.)

If you believe, as I do, that compliance is the flip side of BI, then the best approach to managing information assets is to implement a BI program to improve organization efficiency and effectiveness or hire BI professionals to work on your compliance project. When you put BI first, compliance comes along for the ride.

Wayne Eckerson is director of research at The Data Warehousing Institute, a provider of in-depth, high-quality training and education in the data warehousing and business intelligence fields. He can be reached at weckerson@tdwi.org.


