Provenance and Compliance Risk Management
CraigTrim 110000G799 Visits (3566)
Risk management is designed to reduce or eliminate the risk of certain kinds of events happening or having an impact on the business. Risk management is a growth area for companies. In many cases, no longer a best practice but a regulatory requirement. Programs are being expanded around how to manage risk. Many systems are engaged, and need to be, and a lot of owners in different places.
Top 5 Types of Risk:
CEOs worldwide believe regulatory and reputation risks are the two most significant threats to business.
Corporate investing is focused on managing regulatory and reputation risks. This is not simply a protectionist stance, but rather a refocused effort to achieve greater business advantage through improved operations and management.
Regulatory (or, Compliance) risk is the current and prospective risk to earnings or capital arising from violations of, or nonconformance with, laws, rules, regulations, prescribed practices, internal policies, and procedures, or ethical standards. Compliance risk also arises in situations where the laws or rules governing certain bank products or activities of the Bank’s clients may be ambiguous or untested. This risk exposes the institution to fines, civil money penalties, payment of damages, and the voiding of contracts. Compliance risk can lead to diminished reputation, reduced franchise value, limited business opportunities, reduced expansion potential, and an inability to enforce contracts
Reputation risk is the current and prospective impact on earnings and capital arising from negative public opinion. This affects the institution’s ability to establish new relationships or services or continue servicing existing relationships. This risk may expose the institution to litigation, financial loss, or a decline in its customer base. Reputation risk exposure is present throughout the organization and includes the responsibility to exercise an abundance of caution in dealing with its customers and the community.
What is Compliance Risk?
Companies are subject to a wide range of rules and regulations that apply directly to their internal operations and the products and services they provide. Compliance to these regulations are essential for a company to operate transparently and ethically in their particular markets. They are required to prove compliance to the imposed regulations through internal and external auditing processes.
Classic conceptions of information security refer to it comprising confidentiality, integrity, and availability. Provenance is very strongly bound up with the integrity part, so much so that many of the high-level concerns of security are often almost indistinguishable from provenance concerns. For example, the question of whether (or how) the content of a particular electronic document has changed since its creation is very much an integrity question in the security world; it is equally well a proper question for the analysis of the document’s provenance.
These processes are usually manual where the auditors sample and inspect the process documentation generated by the company being audited. This is both time consuming and potentially subject to error. Applying the Provenance architecture and methodology to business processes as they execute has the potential to improve the quality of the auditing processes, improve the transparency of a company’s compliance to the regulations and provide cost benefits which impact profitability.
How can Provenance help?
The question of whether (or how) the content of a particular electronic document has changed since its creation is very much an integrity question in the security world; it is equally well a proper question for the analysis for a document’s provenance.
An assessment of the trustworthiness of information sources and the products derived from them is of fundamental importance. Not only is the trustworthiness of a source of interest, but the way in which information changes as it is processed and disseminated between people and groups.
One of the ITA research threads in the program is that of secure information flows that is investigating aspects of security and trust. In a military context, an assessment of the trustworthiness of information sources and the products derived from them is of fundamental importance. Not only is the trustworthiness of a source of interest, but the way in which trust in information changes as it is processed, fused and disseminated between coalition partners must be considered. Trust can be considered to be another dimension to any access or distribution policies that might be enforced as part of an information release process. Tracking the processing of any information corresponds to documenting its provenance. Previous experience has informed our decision to use a provenance documentation model being standardized (PROV-DM) but to describe the model using a representation developed under another ITA project. This representation is an example of a Controlled Natural Language (CNL) and is described in the next section of this paper. In section III we show how the PROV-DM specification can be described in the CNL with section IV showing an example use case in text analytics. Section V provides some observations on provenance and rationale; a feature of our implementation of the CNL that may be used to provide a user-friendly narrative of the provenance documentation.
References & Further Reading