My dad, a process safety engineer in the Oil and Gas Industry, sent me a text yesterday saying that he was going to send me an article about watermelons. I thought this was unusual on a couple of counts. First, my dad was sending me an article about watermelons, and secondly, this somehow related to my work as a compliance professional. Send the article he did. I read it and, lo and behold, there actually is a connection to my work, even though the article is predicated upon ensuring that process safety professionals can prevent another major accident in Oil and Gas. The paper is titled “Avoiding the Watermelon Effect: Are we doing enough in the process industry to prevent the next major accident?” and is authored by ABB consultants Graeme Ellis and Conrad Ellison. The “watermelon effect” that they mention is the phenomenon that occurs when all the metrics appear to be “green,” giving the appearance that all controls are working appropriately, when in reality there is a great deal of “red” below the surface.
That in itself is very relevant to the life of a compliance professional. While payments companies are often subject to a number of audits and assessments, the number and variety of which may vary according to business model and portfolio composition, it is important to remember that those audits are often just a snapshot. In the case of the SSAE 18, the test provides a look-back analysis of controls, but may not offer insights into potential issues moving forward, particularly if the company makes significant changes. The PCI DSS assessment evaluates controls only during the time in which the assessment took place – i.e. “are the controls in place at this time?” It is important to understand that those “green” metrics from the audit, assuming positive audit results, are only indicative that the entity was compliant at the time of the audit. Ongoing compliance monitoring is vitally important to ensure that the controls in place are working on an ongoing basis. This compliance monitoring brings us to another critical juncture in the prediction of potential compliance failures – the design and selection of the metrics used for monitoring.
Poorly designed monitoring, based on irrelevant Key Performance Indicators (KPIs), can be just as dangerous as a complete absence of monitoring. Insufficiently designed monitoring programs can lead one to believe that the controls are working properly when, in fact, the organization is in danger of significant violations. This is the “watermelon effect.” While the surface looks “green,” the underlying environment is actually quite “red.” In designing compliance monitoring programs, it is vital to ensure that the metrics accurately reflect the effectiveness of the controls in place. While it might seem a simple thing in theory, this is much harder to accomplish in practice. As discussed in the article, organizations often choose KPIs according to how easy they are to measure, as opposed to how accurately they reflect the control environment. In order to overcome this, the organization is advised to choose its KPIs based on a risk assessment – what areas pose the highest risk of exposure/liability? Developing risk-based metrics may be more challenging, but they will ultimately provide greater insight into the safe or compliant operation of the organization. The organization should review the risk assessment, and therefore the KPIs, on at least an annual basis to ensure continued relevance.
One of the more interesting points in the article, however, had less to do with metrics and more to do with company culture. The authors discuss the importance of maintaining a “chronic sense of unease.” The notion here is not that we should all walk around suspicious of each other or fearing that the sky will fall. Rather, the idea is that management should be constantly concerned about compliance and security risks. I prefer the term “constant vigilance” to “chronic sense of unease,” but the underlying philosophy is the same. We must not become complacent in the idea that our control system is impenetrable. Being constantly vigilant allows organizations to evaluate their risks, their controls, and their risk and compliance metrics in a comprehensive and timely way. This ensures that the control environment (in this case our risk and compliance program) evolves in a way that is commensurate with the risks of our business models and regulatory landscape.
Underlying all of this, though, is the question of culture. Are the leaders willing to accept what the authors of the article call “red metric culture?” In other words, are they sincere in a desire to root out potential red flags and address the issues, or are they more interested in compliance theater – in which it is more important to appear compliant than it is to be compliant? In a compliance-focused company, leadership encourages discussion of potential compliance issues. Such transparency empowers employees and allows for timely remediation of potential violations. In organizations that focus more on the appearance of compliance, discussion of such issues is discouraged and potential violations are swept under the rug. Acknowledging a potential violation means that the company may need to devote resources to rectify the situation and in certain instances, based on contractual obligation or regulatory requirement, organizations are required to report those violations. Some managers are reluctant to report deficiencies for fear that it reflects badly on them. In speaking with auditors and regulators, though, they all agree on one thing – it is always better to self-report and remediate potential violations than it is to have them discovered through an audit. This is particularly the case if a regulatory agency is conducting the audit.
There is no magic pill for the perfect compliance program. With the best will in the world, there may still be findings or violations. The goal is to minimize the number and mitigate their impact. However, there are reasonable steps that an organization can take to ensure that it is operating in a compliant way, and to ensure that its control environment and compliance program are effectively designed and operating properly. That is through well-designed metrics, ongoing testing and monitoring, and maintaining a constant state of vigilance. An annual risk assessment is the best tool to ensure that the control environment is commensurate with the evolving risk of the organization. Involving senior leadership and different operational units can help in the design and implementation of metrics that allow for an accurate determination of whether those controls are operating. As with most things related to compliance, while it is imperative to have the appropriate tools and processes in place, it is equally imperative to have a culture that encourages accurate and honest compliance reporting.