As compliance specialists, information and security managers are accountable for applying the organisation's obligations to its regulated data. Those obligations come from Records Authorities, Acts, Regulations, government policies and international standards. We can build systems to comply with the obligations as they stand today, but what happens when the rules change?
The Thomson Reuters Cost of Compliance Report 2019 found that, alongside the growing body of regulation, the volume and pace of regulatory change was one of the major challenges facing risk and compliance professionals. Deloitte has found that there are around 200 regulatory changes every day. Keeping track of these changes is already a major challenge. Applying them is harder still, because each change requires knowing:
1. Which data, users and processes the change will affect
2. Which systems hold that data, and what their integration points are
3. What code or configuration in those systems needs to change to meet the new requirement
4. What flow-on impacts that change will have on other configuration items, processes, or the user experience (e.g. training and business change control)
For these reasons, applying compliance separately in each system is not a sustainable approach. Regulatory controls over data cannot realistically be built into every system through customisation, or even configuration: the rules change too frequently and affect too many data sources. Changing systems constantly has an enormous impact on users and business processes, and delays the application of regulatory requirements overall. The cost of changing dozens of systems is prohibitive, but so is the cost of failing to keep up with regulatory change: KPMG estimates that financial institutions alone pay around $300b a year in penalties.
Rather than applying controls in each system, Castlepoint lets you apply controls over every system, from one central location. The Data Castle model lets you oversee all of your data in every system, from ‘high on the hill’ above your network. All regulatory requirements are tracked and managed in Castlepoint (and kept up to date), along with an asset register of every record. This means Steps 1 and 2 above are automatically met, and are always up-to-date. Steps 3 and 4 become obsolete. Users and source systems are never impacted by changes in rules, as regulation can be managed invisibly and centrally.
This means that you can avoid the direct cost of penalties and also significantly reduce the cost of compliance itself (the same financial institutions that pay $300b in fines every year are already spending $270b per year trying to comply, which is not a great return on investment). New approaches like Castlepoint are necessary if organisations want to keep growing, and keep complying, in an ever more complex regulatory environment.