Governance & Environment
Confronted with spreading and sundry regulations on one hand, the blurring of enterprise boundaries on the other hand, corporate governance has to adapt information architectures to new requirements with regard to regulations and risks. Interestingly, those requirements seem to be driven by two different knowledge policies: what should be known with regard to compliance, and what should be looked for with regard to risk management.
Compliance: The Need to Know
Enterprises are meant to conform to rules, some set at corporate level, others set by external entities. If one may assume that enterprise agents are mostly aware of the former, that’s not necessary the case for the latter, which means that information and understanding are prerequisites for regulatory compliance :
- Information: the relevant regulations must be identified, collected, and their changes monitored.
- Understanding: the meanings of regulations must be analyzed and the consequences of compliance assessed.
With regard to information processing capabilities, it must be noted that, since regulations generally come as well structured information with formal meanings, the need for data processing will be limited, if at all.
With regard to governance, given the pervasive sources of external regulations and their potentially crippling consequences, the challenge will be to circumscribe the relevant sources and manage their consequences with regard to business logic and organization.
Risks: The Will to Know
Assuming that the primary objective of risk management is to deal with the consequences (positive or negative) of unexpected events, its information priorities can be seen as the opposite of the ones of regulatory compliance:
- Information: instead of dealing with well-defined information from trustworthy sources, risk management must process raw data from ill-defined or unreliable origins.
- Understanding: instead of mapping information to existing organization and business logic, risk management will also have to explore possible associations with still potentially unidentified purposes or activities.
In terms of governance risks management can therefore be seen as the symmetric of regulatory compliance: the former relies on processing data into information and expanding the scope of possible consequences, the latter on translating information into knowledge and reducing the scope of possible consequences.
Not surprisingly, that understanding coincides with the traditional view of governance as a decision-making process balancing focus and anticipation.
Decision-making: Framing Risks and Regulations
As noted above, regulatory compliance and risk management rely on different knowledge policies, the former restrictive, the latter inclusive. That distinction also coincides with the type of factors involved and the type of decision-making:
- Regulations are deontic constraints, i.e ones whose assessment is not subject to enterprises decision-making. Compliance policies will therefore try to circumscribe the footprint of regulations on business activities.
- Risks are alethic constraints, i.e ones whose assessment is subject to enterprise decision-making. Risks management policies will therefore try to prepare for every contingency.
Yet, when set on a governance perspective, that picture can be misleading because regulations are not always mandatory, and even mandatory ones may left room for compliance adjustments. And when regulations are elective, compliance is less driven by sanctions or penalties than by the assessment of business or technical alternatives.
Conversely, risks do not necessarily arise from unidentified events and upshot but can also come from well-defined outcomes with unknown likelihood. Managing the latter will not be very different from dealing with elective regulations except that decisions will be about weighted opportunity costs instead of business alternatives. Similarly, managing risks from unidentified events and upshot can be compared to compliance to mandatory regulations, with insurance policies instead of compliance costs.
What to Decide: Shifting Sands
As regulations can be elective, risks can be interpretative: with business environments relocated to virtual realms, decision-making may easily turns to crisis management based on conjectural and ephemeral web-driven semantics. In that case ensuing overlaps between regulations and risks can only be managed if data analysis and operational intelligence are seamlessly integrated with production systems.
When to Decide: Last Responsible Moment
Finally, with regulations scope and weighted risks duly assessed, one have to consider the time-frames of decisions about compliance and commitments.
Regarding elective regulations and defined risks, the time-frame of decisions is set at enterprise level in so far as options can be directly linked to business strategies and policies. That’s not the case for compliance to mandatory regulations or commitments exposed to undefined risks since both are subject to external contingencies.
Whatever the source of the time-frame, the question is when to decide, and the answer is at the “last responsible moment”, i.e not until taking side could change the possible options:
- Whether elective or mandatory, the “last responsible moment” for compliance decision is static because the parameters are known.
- Whether defined or not, the “last responsible moment” for commitments exposed to risks is dynamic because the parameters are to be reassessed periodically or continuously.
One step ahead along that path of reasoning, the ultimate challenge of regulatory compliance and risk management would be to use the former to steady the latter.
I agree with your reading of “distinguishing the “regulatory source” from the “regulatory effect” components of understanding.”
That makes room from frictions introduced by time, events, and the rigidity of organizations, architectures, and processes.
But “necessarily” is about logic while corporate governance is first and foremost about how logic is carried on by the organization along time. The importance of time and events in decision making is developed in the referenced articles.
I agree the issue is one of temporal characterization. I’ll rephrase without using ‘necessity’.
If I know that a process maps or is implemented following a certain regulation, if that regulation is explicitly affected by a new rule, I can assume that I need to check the process again. This meta-information enables an asynchronous triggering of – let’s say – a “specific process” of understanding, for revision purposes.
If a new rule is issued, however, I need also to proceed by a “wide process” of understanding, because it may implicitly affect previous regulation (the “regulatory source” component of understanding), and then existing operations; or simply constrain what was not constrained before (the “regulatory effect” component of understanding). Analyzing the resulting impact on all my current operations, I can modify them accordingly, adding references to the new rule. This anchoring will allow me, when the rule will be explicitly considered in further modifications, to possibly go for the specific process.
Therefore, I see relevance as the result of contextual understanding. It is because I have previously understood that this regulation is relevant for that process, that I have attached the “relevant information” to the process.
Reading the passage again, it seems to me you are rather distinguishing the “regulatory source” from the “regulatory effect” components of understanding.
I have some problems to separate information and understanding as you did in the paragraph about “The need to know”. When relevance is accounted as a filter, understanding (in the sense of contextualization process) is to some extent necessarily at stake.