Two important and, for some, potentially life-changing events took place this month – the release of the new Star Wars movie and New York Governor Cuomo’s announcement of a proposed anti-money laundering and anti-terrorism rule that would impose personal criminal penalties on chief compliance officers who falsely or incorrectly certify that their institution’s Transaction Monitoring and Filtering Program complies with all the requirements of the rule. So what do they have in common? It just might be the need for “the Force.”
In the Star Wars films, as everyone knows, “the Force” is an energy field connecting all living things. It gives power to Jedis, and anyone else sensitive to it, by allowing them to sense impending attacks or threats, to protect and defend people and things, to persuade or pass along wisdom, to see the future, and more cool stuff. It is an essential tool for a successful Jedi in every battle. The Force enables the Jedi to reliably achieve his (or now, her) objectives, while addressing uncertainty and acting with integrity – what we at OCEG call Principled Performance.
Wouldn’t it be great if chief compliance officers of financial institutions could harness the Force to protect their organizations and themselves? But, alas, it’s not available to them, even though they need tools and resources that help them keep their organizations on the path to Principled Performance.
So what should they use instead to help them sense threats, protect and defend the organization (and themselves), educate and persuade, and see the future? How can they be Jedis without the Force? What can they wield in place of the awesome lightsaber? What helps them keep their organizations on the path to Principled Performance?
Like the Force, a strong set of governance, risk and compliance (GRC) capabilities can detect and prevent threats and even see them coming in the future. Like the Force, well-designed GRC capabilities can share wisdom with those who need it throughout the organization, persuade others, reinforce desired conduct, and support leaders and champions of right.
The starting point is the OCEG GRC Capability Model, a clear set of open source standards for integrating and aligning information and core functions, and supporting them with strong communication, effective technology, and development of the desired culture. The Model, and many related resources provided by OCEG, can help jumpstart or improve GRC structures, processes and technology architectures for monitoring changes both within and outside of the organization that may give rise to threats or opportunities.
The second step is to harness the power of strong GRC capabilities with the right technology, just as a lightsaber harnesses the Force into a powerful tool. While the proposed New York rule indicates the system for control may be manual or automated, it actually demands establishing a strong technology architecture to enable, among other things:
- A system of control based on risk assessment
- Capability to engage in ongoing analysis to assess the logic and performance of the technology or tools and continued mapping of watch lists to the risks of the institution
- Reports and documentation that validate the design of the program tools and technology
- Ongoing identification of all data sources that contain relevant data and continued validation of data integrity, accuracy and quality
The proposed New York rule would apply only to the financial sector with regard to the anti-money laundering and anti-terrorism capabilities, but if it is adopted, I venture to guess that similar obligations and liabilities will be extended to compliance officers in other contexts. Faced with the dual challenge of protecting the organization and protecting themselves, the need for Principled Performance is clearer and more important than ever before. So follow the example of the Jedi and use the powers and tools available to you to stay on the path and look to the future.