Compliance as Good Business: How Cognitive Compliance Can Enable Better Security

Today, industries as diverse as healthcare, energy, banking and construction continue to face ever-increasing regulatory burdens. While the industry specifics vary, the themes of increased numbers of regulations, increased regulatory scrutiny, and heightened expectations for compliance are present for most firms across regulated industries. And, with conduct risk an increasing concern for banking, new software-driven devices a focus for healthcare, and cybersecurity an increasing concern across all industries, regulatory focus is not anticipated to let up.

And yet, regulatory management and how it is integrated into the IT and business environments remains largely unchanged. Identifying new and changing regulatory requirements, understanding the impact of those requirements to the business, and actually incorporating the changes remain largely manual tasks. This has significant implications for both compliance and impacted operations. Without a comprehensive view of regulatory requirements, both at stasis and as new requirements flow in, compliance must rely on experts to have broad knowledge of both the regulatory environment and the business. With more than 2,000 regulators creating more than 5 million regulations for banking alone, that is a tall order for even the most knowledgeable experts. And similarly, the owners of impacted processes and operations are left firefighting on a case-by-case basis as new requirements emerge, with little opportunity to look comprehensively across regulations to manage en masse.

Cognitive computing offers the potential for a new paradigm. But what is cognitive computing?

“Cognitive” computing refers to systems that learn at scale, reason with purpose and interact with humans naturally. Rather than being explicitly programmed, these systems learn and reason from their interactions with us and from their experiences with their environment to provide relevant, actionable insights.

Cognitive systems offer ways to transform beyond traditional functions by, among other things, using machine learning and applying analytics to data to understand more about the enterprise, customers and competitors. They continually build knowledge and learning, understand natural language, and reason and interact more naturally with human beings than traditional programmable systems. Four principles form the foundation of cognitive computing: learn and improve, build speed and scale, collate human intelligence, and interact in a natural way.

Learn and improve.

Because cognitive computing leverages systems that can learn, improvements are possible with each outcome, action and iteration. Every new piece of information can add to the body of knowledge with more than a simple additive result.

Build speed and scale.

Processing speed supports scaling that enhances machine learning to carry out complex tasks repeatedly and much more efficiently.

Collate human intelligence.

Cognitive solutions are trained by subject matter experts and make collective knowledge accessible for rapid reuse and decision support. These technologies help us understand the complexities of unstructured data and apply advanced analytics to weigh and evaluate responses.

Interact in a natural way.

Cognitive solutions adapt to human approaches and interfaces while understanding context and reason. Deep natural language processing assesses and evaluates language over virtually unlimited topics and enables informed judgments.

How does cognitive computing help organizations transform compliance?

Cognitive compliance can drive transformation by partnering with compliance experts: from identifying the regulatory requirements through impact assessment, implementing the required changes, and managing ongoing compliance. Regulatory management — identifying the regulatory requirements, determining applicability, identifying impact, and managing ongoing change — requires deep expertise of both the regulatory environment and the business. This is knowledge that an expert can train a cognitive system to emulate, so that the system can begin to do some of the heavy lifting.

Start with identifying new or changed regulatory requirements. A global organization with regulators at both local and national levels can be faced with hundreds of new requirements daily. Today, to manage those alerts, experts identify that a regulatory update happened, consolidate updates to eliminate repeats, and read through the new regulations to identify the actual new or changed requirements, or new guidance on existing requirements. In the new paradigm, cognitive systems can monitor the vast array of regulators for updates, dedupe updates to eliminate repeats, and identify the requirements from the regulations. The system can then surface the result, the consolidated set of new requirements, to the expert to approve or edit as needed.

Once the new requirements have been identified, experts determine if they are applicable and, if so, the impact on the organization. Experts must have broad knowledge of the business’s environment and often must involve multiple parties to ensure that all potential impacts have been identified. This can require engaging policy, procedure, and control owners across multiple geographies and lines of business. In the new paradigm, cognitive systems can determine applicability and surface impact to the relevant owner. By mapping a business’s existing compliance environment – establishing lineage from regulatory requirements through policies, procedures, and controls – a cognitive system can “scenario test” the anticipated impact of new, incoming requirements. Again, the cognitive system can do the heavy lifting and surface the results to the expert to approve or edit as needed.

This paradigm shift from “expert only” work to “expert supported by cognitive computing” has significant benefits for compliance, business, and IT. Compliance experts are able to refocus their attention from highly complex, repetitive tasks such as identifying requirements from regulations to high-value activities such as creating specific program offices to implement new regulatory requirements. Business and IT are able to look comprehensively across their regulatory requirements so that they can become anticipatory about impending regulatory impacts and, where applicable, implement global controls rather than manage on a case-by-case basis.

It is in this final point, enabling the business and IT to have a deep understanding of their compliance obligations, that the full value of the paradigm shift to expert + cognitive system is realized. Business and IT can, on an ongoing basis, incorporate compliance requirements as part of good business practices to drive value for the overall business.

The shift to cognitive computing has begun to affect every area of security, and indeed every area of computing. Systems which understand and reason on human language at a scale far beyond what a human individual can read and understand are the key to keeping up with ever-increasing regulatory complexity, just as they are critical to overcoming continually escalating and more complex security threats. Cognitive compliance is now emerging alongside early cognitive cybersecurity, insider threat detection, and sensitive information detection solutions. As these and other new cognitive technologies emerge, we can expect them to inform future regulatory changes as businesses adopt them to manage these growing challenges. In a world where security is an ever-escalating arms race, a strong and continuously updated compliance stance aided by cognitive technologies will be the foundation of a good business.

This article originally appeared in the November 2016 issue of Workflow.

Jeb Linton is the chief security and risk assurance architect for IBM Watson Group and Jared Klee is part of Watson Business Development.