Category: Web technologies & information standards (Page 45 of 58)

Today marks the official release of the public draft of the governance, risk management, and compliance (GRC) paper that I have worked on over the past couple months with Ted Frank, of The Compliance Consortium, and others. The writing of the paper was driven by three convictions:

• GRC stands apart: Governance, risk management, and compliance are all of a piece–and they are related to a coherent set of objectives and practices that are fundamentally different from the other things going on in an organization.
• GRC needs high level attention: Governance, risk management, and compliance comprise a set of concerns and objectives that must be dealt with at the board of directors and senior management level.
• GRC is manageable: Even though governance, risk management, and compliance touch thousands of processes and objectives throughout an organization, there really is a small, manageable set of concerns that should inform board and management decision-making.

This last point relates to the “both forest and trees” view that I wrote about in my recent post on XBRL and Compliance. To make GRC manageable we need ways to zoom into the details and zoom back out to the big picture. Said more formally, we need ways to deal with the concept at different levels of abstraction, from fine-grained to chunky. XBRL looks promising in this regard.

One of the key ideas expressed in the paper is that the United States Sentencing Commission guidelines regarding compliance and ethics can serve as a good starting point for identifying the important, board and senior management level GRC objectives. This idea is practically appealing, since following the guidelines can result in a 95% reduction in penalties in the event that, despite a company’s best efforts to prevent it, fraudulent activity takes place. The intent of the paper is to also make this idea appealing at an operational and functional level — we believe that we make the case that concentrating on just seven objectives can get management and board members focused on the right concerns and questions.

If this interests you, take a look at the paper.  If you have comments, you can of course add them here — but if you want your comments to get more in the way official consideration, you should also express your views on the Compliance Consortium website.

I have just finished working on a paper with an industry group that is concerned with compliance issues. The paper takes a broad look at enterprise-wide compliance issues, as distinguished from the trap (an easy one to fall into) of dealing with compliance in a fragmented way, driven by the demands of different (and changing) regulations.

What are the requirements for an enterprise-wide, operational approach to compliance? Well, to get the full answer you will need to read the paper when it comes out in the next few weeks. But there was one requirement –a requirement that I want to talk about here– that ties into the threads and postings about XBRL here on the Gilbane website.

One of the first, big steps toward getting a broader, more useful view of “compliance” consists of applying it to internal control procedures, rather than just in reference to external requirements. “Compliance,” in this view, means doing what is right for the organization.

Take relations with donors within a non-profit organization as an example. Compliance, in this instance, means that the staff follows the organization’s procedures for contacting donors, working with donors to structure gifts for maximum tax advantage, and staying in touch with and supporting donors after the gift has been given. Compliance, in this sense, means making use of what the organization has learned over time. Compliance is the means by which the organization ensures that learning is retained and put into practice.

Stepping back from the particulars and looking at the general case, compliance is one part of the mechanism by which an organization responds to its environment — to the sources of support, to threats, and, of course, to rules put in place by governments. Compliance–the exercise of internal control systems–is how the organization regulates itself so that it survives and thrives in its environment. To use a human analogy, your body’s responding to infection is kind of compliance response. At a higher level, using learned compliance, your responses in a business meeting–measuring your reactions, thinking before you speak–are also forms of control and compliance.

The point of taking this broader view  of compliance is, of course, to help organizations deal more deliberately and productively with the process of making decisions and taking risks.

But … when you put this good thinking and theory into practice, you run into a problem. The problem is that, for each component in this overall compliance system, the key to making the system work is always in the details–BUT–at the same time, you want to somehow get these systems to connect with each other.

And, they DO connect with each other. When you connect the details of
responding to infections with the details for responding to a business meeting, for example, you find that it is very difficult to put all the tact and learning about social interactions into play when you are running a raging fever.

This isn’t a far-fetched analogy. When you take a close look at the day-to-day operations at Enron, courtesy of a book such as Kurt Eichenwald’s Conspiracy of Fools, it is hard to escape the sense that the Enron tragedy grew from a combination of thousands of small infections coupled with a couple of big instances of shortsightedness and fraud. The interesting question raised by a book like Eichenwald’s is one of how the entire system managed to get out of control–and, if we can understand that–how can we prevent such interactions in the future.

So, the problem is one of finding a way to operate effectively both at the level of forest and at the level of trees. You’ve got to sweat the little things to make compliance work, but you also have to see how the little things work together in big ways.

One reason that this is so difficult is that many of the different, “tree-level” compliance efforts use different terms, because they reflect different concerns.  Calibration of lab instruments is an important aspect of compliance. Protecting privacy of patient records is another aspect of compliance. Tracking costs for clinical trials is yet another. Each uses a different language, reflecting different concerns. Yet all of these activities, taken together, contribute to assessing the health of a pharmaceutical research effort.

Successful governance–overseeing these compliance efforts and understanding what they are telling us–depends on finding a way to abstract the common elements and concerns. Communication of the common concerns depends on defining a “forest level” view that imposes uniform, organization-level language and perspective on all the tree-level activities.

My sense–and I am putting this out here for discussion and argument–is that XBRL is a good candidate for doing this. Taxonomies are a large part of what XBRL is all about, and XBRL has the flexibility, viewed as a formal language, to describe taxonomies at the level of “trees” and to link those “tree-level” concepts back up to a set of concepts that are appropriate to the needs of someone who wants to see and manage the “forest.”

Taking my pharmaceutical research example, XBRL taxonomies could describe the disparate concerns of instrument calibration, patient records, and financial costs, recording and tagging the facts associated with each of these areas of activity. The recording and identification of these facts would be an integral part of each detailed control process. At the same time, XBRL could be used to capture exception conditions and other aggregations, supporting high level, management control systems.

I would be interested in reader feedback on this idea. I am pretty sure that we do need a way to move from trees to forest and back again, and it seems to me that XBRL is set up to do that job. What do others think?

XBRL is, in some ways, a funny kind of XML language. It doesn’t make much use
of the capabilities within XML Schema to express relationships such as
order, hierarchy, and so on. Viewed strictly as XML, XBRL looks pretty flat,
without a lot of contextual constraints.

But that’s nonsense, of course. Financial documents are highly constrained
and contain intricate interrelationships. XBRL expresses these relationships
within "taxonomies"–special XBRL constructs that define business
"concepts" and that relate these concepts to each other. The
relationships can, in fact, be really complex …more so than would be possible
within a strict XML Schema definition.

Once consequence of this decision to define the bulk of XBRL semantics
outside the range of standard XML semantics is that XSLT (XML Stylesheet
Language Translator) doesn’t work very well
as a way to transform XBRL documents into something that humans can read. Since
XSLT cannot
"understand" the information in the XBRL taxonomy, XSLT does not have
the information that it needs to present the "facts" in an XBRL instance
in a way that reflects the taxonomy relationships. 

So, how do people produce formatted output from XBRL today? In a Wednesday morning session at the 11th
International XBRL Conference, Raymond Lam of BlastRadius
explained that the usual solution is to hard-wire all
the necessary contextual information into the XSLT rules.  The result is an XSLT
stylesheet that contains nearly as many separate template rules as there are
separate facts to be presented.  Bummer.

Continue reading