For a lot of dedicated breach reporting teams, the work is proving to be relentless. The broadened scope and tighter timeframes are reducing capacity, increasing the risk of poor data quality, and leaving little time in between to analyse what has been reported and is being rectified, for the purposes of continuous improvement. There are concerns that tactical decisions made to achieve compliance may not be sustainable over the long term, with inadequate consideration of root causes or emerging risks and themes.
Some of the key challenges as a result of this include:
- Lack of awareness or understanding as to the quality, accuracy or completeness of data available for use – particularly between the GRC system and the manual reporting of information to ASIC.
- Lack of deep root cause analysis over the reported data to draw out clear, actionable insights for the business.
- Lack of clear understanding of data lineage across the end-to-end breach reporting value chain.
- Lack of identification of systemic issues related to the breaches being identified.
- Under-resourced or under-funded data teams, including deficiencies in the capability of existing teams.
- De-prioritisation or inadequate buy-in from senior stakeholders within the business.
- Ambiguity as to what is possible or what the end solution may look like for the organisation in the context of overarching regulatory reporting obligations.
Consequently, many are now looking for data-led solutions for this critical business problem. Deloitte suggests four core phases of work that organisations can consider.
Solutions…
1. Process and policy uplift
The focus of this phase is process and policy uplift. While organisations made the required changes to existing frameworks, policies and procedures prior to go-live, many recognise that the changes represented only a short-term solution and came at considerable cost through increases in head count. The reliance on tweaking existing ways of working in BAU is not sustainable from a resource, efficiency or output perspective. By reviewing frameworks, policies and procedures through the lens of continuous improvement, rather than meeting compliance obligations, organisations will be better placed to produce accurate and timely outputs. For some, this will include taking the learnings from the manual triage process being applied to create rules-based breach libraries, and updating the GRC system to better align with the information required by ASIC so that better information is captured earlier.
2. Quick wins
The focus of this phase is the quick wins. This means leveraging data that is already available within the organisation and assessing its availability, quality and conformity in order to better identify reportable situations and assess for any missed reportable situations caused by incomplete data or coverage. Once that is understood, the next step is determining the priority metrics that will provide a view on where reportable situations may arise and how each metric has performed over time. In addition, monitoring for similar cohorts (customers, product types, etc.) will identify outliers, systemic issues and priority areas to focus on initially. Given the simple nature of this stage, it’s likely organisations will take a single-product view and apply the behavioural analysis in isolation to identify, monitor and mitigate potential breaches.
The outcome will be earlier and more efficient identification of reportable situations, including trends based on the available data. Data conformity will provide insights that can be leveraged to improve data quality and process efficiencies.
3. Data integration
The focus of this phase is integration. Leveraging the data that is already available and augmenting it with additional internal and external sources of information (for example, events and complaints) will allow organisations to build out enhanced data models. A detailed data quality gap assessment will assist in identifying and resolving gaps in historical data as well as informing potential future datapoints to begin capturing. In addition, integration with customer and product data will provide a holistic view on the issues and incidents at both the customer and portfolio level. In doing so, organisations will be better able to identify thematic and systemic issues and incidents as they arise and analyse the potential root cause.
4. Prevention and prediction
The focus of this phase is automation and predictability. The pivot from detecting and fixing issues of the past to preventing issues in the future is a shift we are starting to see across many organisations within the Financial Services sector. This next phase is an evolution of the existing solutions, which leverages the existing data models and utilises emerging technology solutions such as artificial intelligence, voice analytics and machine learning to prevent potential breaches, minimise systemic issues and efficiently triage issues or incidents based on historical data.