Information Risk and Compliance - Published in www.businessintelligence.com, July 2004


I can see the headline now: "Chief Information Officer Imprisoned for Poor Data Quality." If you are a CIO and you think it can't happen, think again. As more businesses rely on their information assets for more intelligence-related activities, there is a lurking issue that should be growing in priority on the CIO and CFO agendas: the way that information risk is characterized, documented, and measured as a means to what we will call information compliance. I will use this term to refer to any situation in which bodies external to the company impose requirements for tracking, controlling, and validating statements derived from information, or the processes by which information is captured and managed.

In the United States, information compliance appears in numerous forms, although many of these are not typically viewed as information issues. What at first glance appears to be policy management or behavioral activity compliance may actually hide requirements for information compliance. As I am more familiar with United States regulations, my examples relate to US law, but clearly the issues occur in every country where the government's lawmakers try to protect their citizens through the legislative process. Here are some examples:

  1. The Federal Anti-Kickback statute, relating to the health care industry, which prohibits payments or compensation of any kind to any person in return for referrals. The goal of the law is to protect patients from fraud by preventing the use of money as a way to exert undue influence on health care decisions. An example would be a pharmaceutical company funding a particular research lab with many grants in return for that lab's recommending the use of the company's products.
  2. The US Food and Drug Administration code has a section (Title 21 of the Code of Federal Regulations, Part 11, also referred to as 21 CFR Part 11) which relates to electronic signatures and the transmission of electronic records.
  3. The recently passed Sarbanes-Oxley Act, which (in a nutshell) dictates corporate responsibility for financial reporting by requiring the CFO and CEO of a company to certify the "appropriateness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer."

While each of these examples is more likely to be relayed to the corporate counsel than to the IT department, it is worthwhile for the CIO to sit up and take notice: his or her head may end up on the chopping block, because the inability to properly manage the use of information can result in a regulatory violation, some of which carry both fines and jail time. Let's look at these examples more carefully.

In the first example, consider a drug company that funds research at many medical labs and hospitals. Interacting with a large number of grantees requires careful management of grantee information; in a recent customer engagement, a red flag was raised when it became apparent that multiple grants (possibly totaling enough money to reflect "undue influence") could have been issued to the same recipient, simply because the recipient's contact information appeared multiple times within the company's Parties database. In other words, grants could have been given to the same party yet logged as separate transactions. While this may stay hidden from the information manager's eyes, the keen eyes of an auditor might catch it much more quickly.
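As an added illustration (example code, not part of the original column or Knowledge Integrity's own tooling), the following Python matches recipient records that differ only in formatting, re-aggregates grants per matched party, and flags the case described above: a combined total that crosses a review threshold which no single party record crosses. The party and grant records, the threshold, and the normalization rules are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed Parties table: party_id -> (name, address).  P1 and P3 are the
# same lab entered twice with different formatting (the column's scenario).
PARTIES = {
    "P1": ("Acme Research Lab, Inc.", "12 Main St., Springfield"),
    "P2": ("Beta Clinical Trials", "9 Oak Ave, Shelbyville"),
    "P3": ("ACME RESEARCH LAB INC", "12 Main Street Springfield"),
}
# Constructed grant ledger: (grant_id, party_id, amount in USD).
GRANTS = [("G100", "P1", 40_000), ("G101", "P3", 45_000),
          ("G102", "P2", 30_000), ("G103", "P1", 20_000)]

# Tokens dropped or expanded when building a match key (simple, assumed rules).
DROP = {"inc", "llc", "ltd", "corp"}
EXPAND = {"st": "street", "ave": "avenue", "rd": "road"}

def normalize(text):
    """Lower-case, strip punctuation, drop legal suffixes, expand street
    abbreviations, so formatting variants of one value compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", text.lower()).split()
    return " ".join(EXPAND.get(t, t) for t in tokens if t not in DROP)

def party_key(name, address):
    return (normalize(name), normalize(address))

def aggregate_by_party(parties, grants):
    """Total grants per matched party, remembering which party_ids merged."""
    totals = defaultdict(lambda: {"ids": set(), "total": 0})
    for _, pid, amount in grants:
        entry = totals[party_key(*parties[pid])]
        entry["ids"].add(pid)
        entry["total"] += amount
    return totals

def flag_hidden_concentration(parties, grants, threshold):
    """Matched parties whose combined grants exceed the threshold while no
    single party_id does: the pattern that stays hidden per record."""
    per_id = defaultdict(int)
    for _, pid, amount in grants:
        per_id[pid] += amount
    flagged = []
    for key, info in aggregate_by_party(parties, grants).items():
        if info["total"] > threshold and all(per_id[i] <= threshold for i in info["ids"]):
            flagged.append((key[0], sorted(info["ids"]), info["total"]))
    return flagged
```

With a 75,000 threshold the two Acme records (60,000 and 45,000 individually) merge into a 105,000 total and are flagged; at 50,000 the P1 record already exceeds the limit on its own, so nothing is hidden and nothing is flagged.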

With respect to 21 CFR Part 11, the real issue lies in maintaining information audit trails, fine-grained record management and retention, information validation, validation of the correctness of the systems used for record keeping, and governance of all record copying. In fact, a system designed to track compliance with Part 11 may resemble a data warehouse, with audit trail and transaction information being logged as the means of data and system validation.

The third example, Sarbanes-Oxley, provides a much stronger example of how information governance has risen in importance. Section 404 of the act requires the management of the company to create a report on internal control that is to be integrated into the annual report. This control report should document that management takes responsibility for information governance, assert the effectiveness of that governance, and have an external public accountant attest to the validity of the internal controls. The result is that senior management has to certify the correctness of the information that is released, as well as be able to provide proof of the validity of the processes that create that information.

This is related to business intelligence in two ways. The first is that in the presence of a BI program, a data warehouse or data marts are probably used as the sources for activities, such as financial reporting, that are subject to external regulations. Because of this, the data generated through the BI process is itself subject to information controls, which means that for an organization to properly document its information compliance, the mechanisms for information validation have to be built directly into its systems.

The second way this topic is related to business intelligence is that a BI infrastructure can be used as the model for building a system for documenting information compliance. This can be done via a data warehouse that maintains data ownership responsibilities, enterprise metadata, audit information, and tracking data. Most importantly, the business processes, business policies, and internal controls can be characterized as business rules, archived within the BI infrastructure, and then used for the validation process.

© 2005 Knowledge Integrity, Inc