Microsoft Financial Services White Paper Compliance September 2004

Analytics and Data Management

Contents

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Unstructured Data and the Rise of Electronic Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6 The Challenge of Data Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8 The Need for Management and Analytics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9 Reducing Risk Through Enterprise-wide Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

Acknowledgements Microsoft would like to offer its thanks to the following people and organisations for contributing to and assisting in the production of this white paper: Kalypton Limited. Lars Davies, Consultant, Kalypton Limited. Buttonwood Tree, a financial services technology consultancy. Financial Architects, a provider of business intelligence and financial reporting software.

Intelligent Apps, a provider of corporate performance management applications. KVS, an information management specialist. Meridio, a provider of enterprise document and records management software. MIS, a business intelligence and analytics provider.

Compliance: Analytics and Data Management

3

4

Compliance: Analytics and Data Management

Introduction

In the first paper in this series, compliance was defined as ‘meeting all the legal and regulatory obligations that a commercial concern faces’. The second paper in this series on money laundering highlighted an important example of a legal obligation placed on any person or organisation, though it is most visible in the financial sector. This third paper about analytics and data management deals with another vital area where a company needs to retain records that it might not have otherwise thought were required. As seen in the previous two papers in this series, demonstrating compliance is about more than simply managing, storing and retrieving some records. It is about the systematic and controlled retention of all relevant records, whether specified explicitly or more generally required, to allow organisations to comply with legal and relevant regulatory obligations.

The problem of structured versus unstructured data arises with analytics, just as it does with electronic mail and general commercial records. This creates a problem for automated document processing systems which are geared to handling structured data. All original records, whether structured or unstructured, must be retained, in addition to their interrelationships.

decision making processes relating to those transactions. The factors that were taken into account and the parameters that were involved should also be retained. Though important in any commercial sphere, this is especially so in the financial services and other regulated industries where the decision making process can also form part of the required evidence for compliance.

Analytics concerns the analysis of data relevant to the way an organisation conducts business and makes business decisions. This enables the management board to carry out its regulatory and fiduciary duties, to make informed decisions and to control the organisation’s risk exposure.

Analytics therefore forms an important part of the process of meeting the requirements of financial services regulation. Basel II and the requirements set out in the FSA Handbook Interim Prudential Sourcebooks are cases in point.

Analytics adds a further dimension to the record keeping requirements by compelling an organisation to not only keep transactional records, but also records of the decisions and the

Compliance: Analytics and Data Management

5

Unstructured Data and the Rise of Electronic Records Increasingly, organisations rely on unstructured data in electronic documents, such as e-mail information, as evidence of their business activities and transactions. In some cases businesses have made a conscious effort to replace paper records with electronic versions. However, digital replacement processes have frequently been introduced with little regard to information management, storage or retrieval. Structured data, such as forms, is relatively easy to store and retrieve due to set fields of information. Unstructured data, however, presents a different challenge that requires designing processes to ensure the information contained in e-mails, word documents or videos can be retrieved. “Over 90 per cent of the information held by organisations is unstructured and if you can’t access it in a structured way it may as well not have been stored in the first place,” explains Bob Ward, Marketing Manager at electronic document and records management specialist, Meridio. “You may know it’s there and eventually you might find it, but without the right systems in place it’s

a needle in a haystack, which with shorter regulatory reporting times means automation is a must.” E-mail in particular is now a missioncritical business application and the sheer volume of digital information created and stored by organisations continues to grow. For example, the number of e-mail messages sent per day is expected to double to 60 billion by 2006.1 Regulations require that all relevant records, without exception, are captured, in their original form, and retained unchanged for the complete retention period. The key phrase is ‘all relevant records’. This means not only a contract, form or legal document but all surrounding records that support why a particular decision was made. These encompass an entire range of formats including company forms, regulatory filings, word documents, e-mails, instant messages, and videos. “Traditionally structured data sources are only part of the picture with the advent of distributed applications,” says Mark Kimber, product director at consultancy Buttonwood Tree. “They are fundamental parts of an organisation’s data hierarchy and need to be managed with the same degree of rigour as conventional data sources.”

Electronic documents now hold the same validity as their paper equivalent with the legal and regulatory controls that apply to paper documents now also applying to electronic documents. Recent high level cases provide evidence that users can be held liable for electronic documents including their creation, their content or their deletion. In 2002, five Wall Street firms were each fined $1.65m for failure to maintain e-mail records for the required period2. In addition, Merrill Lynch was fined a total of $150m when internal e-mails revealed that analysts had publicly recommended stocks while privately disparaging the same companies.3 With legal admissibility of electronic documents determined, regulatory controls on the retention of documents and information has shifted the focus to the reliability, or evidential weight, of the records. The problem is that electronic information is easier to alter or delete than paper-based information as changes can occur seemingly without a trace. Financial services organisations therefore need to ensure that information is correctly captured, stored and retrieved, in order to minimise any uncertainty over its integrity and existence.

1 IDC "Worldwide E-mail Usage Forecast, 2002-2006: Know What’s Coming Your Way" 2 CNN Money, December 3, 2002: Deutsche Bank Securities Inc., Goldman Sachs & Co., Morgan Stanley & Co. Inc, Solomon Smith Barney Inc and US Bancorp Piper Jaffray each fined $1.65m 2 http://www.edgarsnyder.com/securities_fraud/henry_blodget.html

6

Compliance: Analytics and Data Management

“The challenge is to be able to find a particular e-mail, or document when it is required,” explains Andrew Barnes, Marketing Director at information management specialist, KVS. “Five years ago letters and faxes were used for contracts and now e-mail has replaced that, a massive rethink is required over the role of e-mail for compliance.” Barnes explains that it is not simply a single e-mail or document that is needed in a dispute or legal case, but a transactional set to provide the context of a particular document.

Dirk de Beule, CEO of FinArch, a provider of business intelligence and financial reporting software, agrees that the management of unstructured data is critical if an enterprise is to achieve the correct management of data and ensure compliance. “This is particularly critical in reengineering processes to create the audit trails that are needed under Pillar 2 of Basel II, explaining why the calculations have been done in that way and linking to the underlying data used for those calculations.”

“When something is in dispute all the relevant documents are required, showing the negotiation, interpretation and implementation and that means a transactional set is required, containing multiple formats, all of which a system will need to find,” he adds.

Compliance: Analytics and Data Management

7

The Challenge of Data Management Financial services organisations face a daunting challenge to manage rapidly increasing quantities of information. The value of this data to the business needs to be fully realised, while minimising the cost of maintaining and managing the IT infrastructure. Neither document management nor compliance are new concepts. However, the introduction of new regulations and the sheer volume of information that must be managed, stored and retrieved have bought its role and that of analytics into sharp focus. The complexity, pace and impact of new legislation challenges financial institutions’ capabilities and call for a comprehensive evaluation to determine how to manage them all effectively. Consequently, data management has moved away from a pure IT focus. Risk and Compliance Officers are playing a more important role as influencers over financial services organisations’ purchasing decisions. For the financial services industry, risk and compliance have always been an inherent part of doing business. But in recent years scandals and market uncertainty have put risk and, by association, the consequences of poor management, in the spotlight. Regulations ranging from Basel II, the Sarbanes-Oxley

8

Act and the US Patriot Act clearly state the importance of having document management and analytical systems and processes in place to manage risk. This has led many organisations to focus on immediate-term IT solutions to meet looming compliance deadlines. Mergers and Acquisitions in financial services have created organisations that pull information from numerous disparate systems and general ledgers located in different business units in various geographical locations. This has created areas of risk that can only be managed through automated systems. “Businesses are struggling to get to grips with exactly what information they have – finding the data they need to use for decision making is a huge issue,” says Kimber. “Firms are spending increasing amounts on data architecture just to understand what data they’ve got and then cleaning that data but without fixing the underlying processes.” The FSA has stated that organisations must identify all the risks that occur to their business on a day-to-day basis. This involves ensuring people know who is responsible for each area and what controls are in place to mitigate any risks. Part of the

Compliance: Analytics and Data Management

problem lies in overcoming reticence on the part of companies who have been using the same systems and methods for many years. It is critical that any decision is carefully thought through and seeks to address as many future scenarios as possible. Many firms have pressed ahead with purchasing systems and solutions presuming they are now compliant without considering future system requirements. “You need to think about information in an entirely different way – if you don’t know where something is and can’t prove you have this area under control, the cost in terms of time, effort and fines can be huge,” says Ward.

The Need for Management and Analytics Many organisations have failed to grasp the need for on-demand realtime enterprise data, with automated processes to manage information through its lifecycle. To meet the requirements for data retention, protection, security, and accessibility, enterprises must have plans in place to effectively and efficiently manage and protect this growing data. The need to consolidate information across multiple business units, functions and processes makes consistency throughout the entire enterprise essential. It is not always apparent that different business units have different practices until a problem occurs. The lack of enterprise-wide consistency causes: ●

●

●

Inaccurate numbers, analytics and reporting when consolidating or viewing information across business units, functions, processes, locations and applications; Disparate views of information, causing managers and auditors to have inaccurate numbers; Problematic resource allocation due to time-consuming reporting placing additional pressure on the IT department to consolidate information.

Electronic records management is an ideal mechanism to provide the long-term retention of evidence that business processes were properly followed. The complexity of Basel II requirements, for example, makes managing the data behind these processes a critical part of compliance. Banks must be able to aggregate credit risk data based on a wide variety of factors, including counterparties, internal bank organisations, time periods, and financial instruments. To do this, they must collect, retain and centrally store data. “Many of the data projects we have seen tend to skip the discovery stage so do not detect where duplications occur and more importantly, where there are contradictions,” says Kimber. “Firms have vast amounts of data that is used for risk management but have no real control over the data, or its accuracy.” If the underlying data is wrong, then the risk calculations and capital assessments will also be wrong. This has huge ramifications for financial institutions. High-quality data is not just a ‘nice to have.’ It is a must. “You must have controls in the reporting function, otherwise you will be guessing that figures are correct without any knowledge of whether they have been altered and

ultimately that will mean noncompliance with Basel II, FSA and Sarbanes Oxley,” says Gert Fahrnberger, Managing Director at business intelligence and analytics provider MIS. This process can become complex, especially where multiple authors work on a document. Version control and the ability to handle shared documents are therefore important. Systems must provide ‘check in/ check out’ functionality to ensure that only one person has the right to make changes to a document at any time, alongside inbuilt workflow capability to ensure that the document moves through a formal review and approval process. Enterprise-wide data management is therefore critical for the following reasons: ●

To satisfy the growing requirements of regulations and the need to keep auditable records;

●

To provide local and corporate repositories for unstructured information;

●

To provide the means to create a single view of transactions/customers;

Compliance: Analytics and Data Management

9

●

To control costs – significant cost savings can be made if information is managed correctly and not automatically deleted;

●

To integrate applications with content held in unstructured data repositories to build and exploit corporate information assets in new ways.

“It needs to move to an enterprise level, pulling information from disparate systems to create a single vault for information that can be accessed from everywhere,” Ward explains. “The technology is now available to access a record whether it is an e-mail, a form or a Word document, through one system. That is important because compliance is no longer just for record managers, it involves everybody.”

“This can be done at the level of a department, product, customer or counterparty to give them a single view of what is happening,” De Beule says. “Banks can then explain precisely why a certain calculation was used and provide evidence through a records audit trail that ensures visibility throughout the process.” The optimal path to compliance lies in the integration of management and analytics. The strategy of using a central repository for data has become popular, but can lead to a number of problems when it comes to analysing data, explains Roger Hordley, Solution Strategy Consultant, Microsoft Consulting Services.

“The bottom line is many organisations have a large central repository and now with regulations demanding greater analytical But, building robust models and capabilities they want to know how analytic processes is useless if the they can utilise the information underlying data has inconsistencies, stored in them. They are struggling duplications, errors or other anomto move this monolithic structure to alies that undermine its reliability and a situation where they can effectively fitness for purpose. Inspecting data and profitably use the information and performing impact analyses they have learnt to collect.” on the business model will be the cornerstone of successful compliance for both Basel II and Sarbanes-Oxley. These models must demonstrate and forecast risk behaviour based on current information.

10

Compliance: Analytics and Data Management

Reducing Risk Through Enterprise-wide Management “It is all about having a system capable of processing significant quantities of information effectively for the end user so that it is possible A solution should enable institutions to report on an exception basis. At the same time a system must to incorporate analytical models of provide the capability to drill down their choice for scenario analysis, to the detail. It must be able to planning, or the calculation of both support both activities and deliver long-term risk and financial inforthe data in fast response times. mation, such as Value-at-Risk (VaR). This will become even more critical as Analytics solutions should interface banks have to retain more and more to multiple sources, to combine different types of risk and consolidate historical data for compliance.” data across the enterprise, as well as To achieve compliance, corporate support multiple reporting formats “Most companies don’t have intetransparency is essential if managegrated processes within analytics and and frequencies as required. ment is to gain a detailed view into still use Excel to enter information business activity and then control Some financial products are active and then e-mail the spreadsheet to this activity in line with regulations. for decades and it is possible that a others to check. This is time conTransparency is only achievable with mis-selling charge could be made suming and error-prone, leading to access to real-time information poor risk management,” Fahrnberger twenty years after the sale is comacross the enterprise. Technology says. “We know of a UK bank that has plete. Without the ability to bring can enable organisations to monitor together and analyse all the docu32 people doing nothing else but processes, produce meaningful data mentation relating to a particular gathering Excel documents and product, organisations will be unable and timely analytical information, pulling information from internal and manage the ever-increasing to prove that the correct processes databases to perform analytics. You quantity of information. have been followed. Integrated simply will not be able to comply analytics can enable risk events to be with new regulations by doing that.” simulated and response mechanisms Now that some sources of data may have to be kept for over 50 years, the to be tested for future analysis and Risk and financial reporting have future-proofing of systems is critical. fine-tuning to prevent nonbecome integral to the day-to-day It is possible to implement a system compliance. operations of a bank. However, the that enables data to be stored in its number of internal teams and exnative format and indexed using “Therefore, a solution must also ternal bodies that require this informetadata. This will record who sent be scalable to enable customers to mation are growing, with each an e-mail, or created a document, address current regulations but also demanding the data in their own when they did so, and any alterations format and at their chosen frequency. provide a basis for compliance with that have been made throughout future requirements”, says Paul Without the ability to automatically its existence. Martin, CEO, IntelligentApps. Historically, analytics has been an area where firms have used downloads dumped into Microsoft Excel to produce reports and analyse company data. However, legal requirements, particularly under Section 302 and Section 404 of Sarbanes-Oxley require automated processes. These deal with corporate responsibility for financial reports and establish direct management responsibility for the assessment of internal controls.

match and analyse sets of often ambiguous records, crucial information will be missed, creating risk.

Compliance: Analytics and Data Management

11

“This can be achieved by taking an on-line analytical processing (OLAP) database platform, which provides the ability to perform analysis across multiple dimensions such as client, time, portfolio, branch or cost, and coupling it with a set of tools that the end-user can choose and deploy”, says Intelligent Apps’ Martin. “The Excel add-in has gained much credibility as a tool flexible enough to create a fully interactive analysis solution. Firms can store their raw As the number of regulatory and information in data marts and, financial reports increases, the audience for this information is becoming through Excel or a browser, easily connect to an OLAP cube (multimore demanding. Management dimensional data store) and choose within the organisation, as well as what information to display, the regulatory bodies, will want to depending on what they wish to receive a subset of the risk and fireport on.” nancial information in a specified format and at the frequency they This enables institutions to take prefer. “By using a central repository advantage of the normal OLAP ‘slice as simply a repository and taking data from that onto separately host- and dice’ capability, i.e. cutting the data to see the facts you need ed data marts enables you to maand also provides the extra depth nipulate the data in greater ways,” required to carry out advanced says Hordley. multiple product or business line analysis. For ad hoc analysis, users “By pulling off the data to use on an application specific analytics exercise can drill up, down, and across data and also drill back into the underyou have greater governance over lying transactions as required. that exercise and an increased cost awareness of that exercise, saving The same single solution can be financial services organisations time utilised to produce formal reports, to and money,” he explains. conduct production reporting, for Web delivery, data adjusting and formal data entry. The multi-query “Cost is usually cited as a reason for holding back on these types of projects, but organisations should view regulations as a starting point to create systems which enable them to comply but also in the long run save them money,” says Fahrnberger. “Of course it is a challenge, but it should also be viewed as an opportunity to create ideal business structures and gain a competitive edge.”

12

Compliance: Analytics and Data Management

and multi-cube approach offers large functionality advantages by removing the need to combine reporting and analysis functions across two distinct solutions and share data between them. “This provides end users with a scalable, flexible analytics and management tool that has a familiar front end and which enables them to move seamlessly between day-today ad hoc analysis and formal reporting”, says Martin. “Users no longer have to learn two systems and there is no need to build a base query in order to complete a report because the information is all in one system waiting to be used.” “The aim and objective of an analytics solution is to enable people to make cost-effective use of the information that has taken time, money and effort to collect,” says Hordley. “Information has great value and that is increasing as institutions realise it can be used for everything from customer retention and attracting new customers, through to risk assessment and regulatory compliance.”

Conclusion

Analytics and data management is another example of a compliance requirement that places significant record retention and IT demands on organisations. As a financial services institution carries out its project to become compliant, it must ensure that a solution is capable of meeting the record retention requirements. This is necessary irrespective of whether those records are structured or unstructured, and the interrelationships between these records must be maintained. It must also implement a system which enables analysis to be performed on the entire transactional set of records to mitigate risk by ensuring it can prove the correct decisions, and the factors that affected it, were made. The onus is now on financial organisations to prove that they have the systems and controls in place to operate in a transparent manner, rather than the regulator having to find evidence to the contrary. Meeting the requirements of compliance cannot be seen as an option, it is a basic cost of doing business. Is your organisation compliant?

Compliance: Analytics and Data Management

13

14

Compliance: Analytics and Data Management

For Further Information

If you would like a full, detailed list of regulations affecting the Financial Services Industry and their associated impact on IT, please e-mail : [email protected] For more information about Microsoft in Financial Services please visit: www.microsoft.com/uk/financialservices For more information about Microsoft in the UK, please visit: www.microsoft.com/uk Kalypton Limited, a provider of compliance consultancy www.kalypton.com Buttonwood Tree http://www.buttonwood-tree.com Financial Architects http://www.finarch.com/ Intelligent Apps http://www.intelligentapps.com KVS http://www.kvsinc.com Meridio http://www.meridio.com MIS http://www.misag.com/uk

Compliance: Analytics and Data Management

15

© 2004 Microsoft Corporation. All rights reserved. Microsoft and the Microsoft logo are either registered trademarks or trademarks of the Microsoft Corporation in the United States and/or other countries. Registered Office: Microsoft Campus, Thames Valley Park, Reading. RG6 1WG. Registered in England no 1624297 VAT no GB 7245946 15.

www.microsoft.com/uk