In recent years, managing regulatory compliance has become enormously challenging for organizations: regulations are constantly added or revised, the manpower needed keeps growing, monitoring has to be continuous, and costs keep rising. Many solutions exist in the market, but all of them provide only an offline view of compliance at an organization. All these offline solutions require continuous monitoring, running time-intensive reports, and manually auditing the report results to find whether anything is “RED” (non-compliant) before anyone acts. Why should we wait until something goes “RED” before taking remediation and other measures? All these existing approaches are reactive in nature: they wait until something happens and then act, which leads to revenue loss and reputation loss for the organization. A recent example is the PNB fraud; by the time the reports were finally audited, the bank had lost millions. There should be a solution which makes sure that the entity we are protecting is always compliant, which in turn makes sure that the organization is compliant 24×7.
Top 5 compliance issues trending across the globe:
- Protecting the Data from Hacking/Manipulation
- Continuous Monitoring
- Increased Investment in compliance operations
- Quick & easy validation of compliance standards for timely decision making
- Personal Liability
Facts from a Recent Compliance Study
Infographic Ref: Thomson Reuters Compliance Report
Instead of throwing ever more money at multiple compliance issues, responses from nearly 900 compliance professionals worldwide suggest that more of them are looking for improved efficiencies through the deployment of technology and automation.
In all the existing compliance solutions, including the SAP governance, risk, and compliance (GRC) solution, you can check the compliance issues in the organization only after executing reports. These reports are time-intensive and require manual effort to execute and to check for compliance issues. Existing solutions rest on the personal liability of the auditor: only after auditing, and taking action based on the audit results, can you be sure that the organization is compliant, and that audit has to be repeated at regular intervals to make sure the organization stays compliant. There is no continuous monitoring.
Existing solutions do not focus on data manipulation or hacking. They also provide only an offline view of the compliance situation at a given point in time, which can affect the organization's decision making if a decision is based on manipulated data or outdated results.
What We Achieve from the Proposed Solution
GRC is now an accepted and mandatory strategy for managing the business. The more successful organizations approach GRC from a business-risk perspective. Stakeholders from the board, audit, risk, finance, IT, and internal controls seem to be most in harmony when risk and compliance are both embraced as the common denominator, the two sides of the governance coin.
However, there is a third side of the coin, “business performance”, which is clearly visible from the various survey reports, stakeholder expectations, and ever-changing business needs driven by technology advancements. Business performance here means cost savings in IT compliance, audits, and the reporting process; real-time solutions and reporting for quick decision making; automatic monitoring; and improved efficiency through deployment of the latest technology and automation.
Benefits which can only be achieved via the Proposed Solution (GRC on Blockchain)
Data Protection & Security – The proposed solution will make sure the data which is part of compliance and vital for the organization's decision making is secure and protected, so that nobody from inside or outside the organization can hack the system and manipulate the data, which would in turn affect the organization's decision making.
Real-Time Compliant Organization – The proposed solution will make sure any organization is 24×7 compliant.
Reduced Audit Costs & Time – Audits are an expensive and disruptive process for most organizations. Due to its real-time compliant nature, periodic internal/external audits are no longer required.
Avoid Personal Liability – The solution will use technology to make sure that the organization is compliant instead of personal liability or assurance from an auditor.
Quick & Accurate Decision Making – As the organization is real-time compliant and top management need not wait for time-intensive reports, decision making will be quick and accurate.
Other Benefits of the Proposed Solution
Continuous Monitoring – not required; the solution will take appropriate action for any non-compliant request/action.
Improved decision-making process through real-time diagnostics
Makes sure the organization is risk-free and increases confidence in financial reporting.
Less effort to respond to the compliance needs of business areas and internal audit
The proposal is to apply a machine learning algorithm to the past decision records for learning, and to use a machine learning prediction algorithm to recommend a decision to the reviewer.
To explain the working of the solution we consider only the SAP system, although non-SAP systems are also part of the scope. A user requests a few transactions (SU01, PFCG) on a particular SAP system:
- As per configuration, the request might get auto-approved and the user can execute these transactions on the system; later, when the auditor runs a compliance report using the GRC solution and finds that this is a risk, the access is removed/blocked.
- In the second scenario the request goes to the approver's inbox; the approver runs the risk analysis, finds the risk, and rejects the request.
- In the third scenario, when the user submits the request, a service automatically executes the risk analysis and, if it finds a risk, blocks or rejects the request.
A Real-Time Compliance solution based on Blockchain technology will help organizations to be compliant 24×7. This solution is proactive and autonomous in nature: it requires no manual monitoring or auditing, and it acts automatically to prevent any non-compliant action. A request block is added to the Blockchain, with a timestamp, only if it is compliant; any change which affects a compliance decision is also added as a block in the chain with a timestamp. To ensure the integrity of the added block, each block is verified at least at 3 levels by randomly selected nodes, and the results are stored along with the irreversible cryptographic hash value. The remaining nodes in the blockchain can easily calculate and verify the hash value. When all the nodes in the blockchain network confirm/match the block, it is added to the compliant blockchain. All these operations are performed and handled by the Proof of Access Compliance algorithm.
- Make sure each entity in the blockchain is compliant.
- In case of any change in the compliance rules, it automatically blocks the access.
- Consensus & Validation mechanism to avoid any security/hacking issues.
- Automatic Monitoring
The following block diagrams explain the important steps in real-time compliance solution based on blockchain.
The following use case will help us understand the complete working of this solution:
1. A user initiates a request block.
2. The request block is handled by a randomly selected node in the blockchain network.
3. That selected node sends the block to 3 randomly selected nodes for a compliance check (this is where the Level 1 / Level 2 / Level 2 compliance validation is performed).
4. All three nodes set the compliance result status, generate the hash code, and notify the initiator node.
5. The initiator node checks the results from all the nodes; when the block is declared compliant by all the nodes and the hash code is verified, the result block is broadcast to all the nodes in the network.
6. The verified block is then finally added as part of the compliant blockchain.
How the solution makes sure that the organization is 24×7 compliant
At any point in time, the block-chain consists of all those blocks which are compliant as per defined regulatory guidelines.
What if there is a change in the Rules (the pre-defined guidelines used to check whether a block is compliant), i.e. a new rule is added according to which a few of the existing assignments are non-compliant?
Any change in the rules is also added as a block (we call it a change-block) in the compliant blockchain. Any user who tries to access any transaction is validated by Proof of Access Compliance (PAC) Change Analysis: if the change-block timestamp is greater than that of the assigned access, the access is blocked. (PAC can be configured to run the compliance analysis in all such cases and grant access if the block is compliant, instead of blocking the access.)
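The change-block check described above, as an added example that is not part of the original post: access grants and rule changes are kept as timestamped blocks on two chains, and PAC compares the timestamp of the newest change-block touching a transaction with the timestamp of the user's access block. The `reanalyze` callback stands in for the configurable "run the compliance analysis instead of blocking" option. All names, transactions, dates and the IP address are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessBlock:
    """A compliant request block: `user` was granted `transactions` at `assigned_at`."""
    user: str
    transactions: frozenset
    assigned_at: datetime


@dataclass(frozen=True)
class ChangeBlock:
    """A change-block: a rule was added or updated and touches `transactions`.
    Who/IP/when are the audit details the post says are stored with the change."""
    rule_id: str
    transactions: frozenset
    changed_by: str
    source_ip: str
    changed_at: datetime


@dataclass
class ComplianceChains:
    access_chain: list = field(default_factory=list)
    change_chain: list = field(default_factory=list)   # parallel chain of rule changes

    def grant(self, user, transactions, when):
        self.access_chain.append(AccessBlock(user, frozenset(transactions), when))

    def change_rule(self, rule_id, transactions, who, ip, when):
        self.change_chain.append(ChangeBlock(rule_id, frozenset(transactions), who, ip, when))

    def check_access(self, user, tcode, reanalyze=None):
        """PAC change analysis. Returns (allowed, reason).
        `reanalyze(user, transactions) -> bool` is the optional configured compliance
        analysis to run instead of blocking outright (hypothetical hook)."""
        # Newest access block that covers this user and transaction.
        grant = next((a for a in reversed(self.access_chain)
                      if a.user == user and tcode in a.transactions), None)
        if grant is None:
            return False, "no compliant access block for this transaction"
        # Change-blocks touching this transaction that are newer than the grant.
        newer = [c for c in self.change_chain
                 if tcode in c.transactions and c.changed_at > grant.assigned_at]
        if not newer:
            return True, "access assigned after the latest relevant rule change"
        latest = max(newer, key=lambda c: c.changed_at)
        if reanalyze is None:
            return False, f"rule {latest.rule_id} changed after access was assigned; re-run risk analysis"
        if reanalyze(user, grant.transactions):
            return True, f"re-analysed after rule {latest.rule_id} change: compliant"
        return False, f"re-analysed after rule {latest.rule_id} change: non-compliant"


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


if __name__ == "__main__":
    # Constructed scenario: access granted in January, a rule touching SM30 changes in February.
    chains = ComplianceChains()
    chains.grant("jdoe", ["SU01", "SM30"], utc(2024, 1, 10))
    chains.change_rule("CA_007", ["SM30", "SE16N"], "secadmin", "10.0.0.5", utc(2024, 2, 1))
    print(chains.check_access("jdoe", "SU01"))   # allowed: the change does not touch SU01
    print(chains.check_access("jdoe", "SM30"))   # blocked: change-block is newer than the grant
```

Only the transactions named in the change-block are blocked; a fresh access block granted after the change (i.e. after the administrator re-runs the risk analysis) restores access because it is newer than the change-block.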
How automatic monitoring works
Whenever a user tries to perform any operation, authorization validation is done by PAC. Even if the source system manipulates the data, no action can be performed until it is validated by PAC. Any such attempt to perform an action is blocked and reported to the concerned authorities.
Proof of Access Compliance does three different types of work.
- Compliance Analysis – Helps to Identify access risk violations automatically across SAP and non-SAP systems.
PAC performs the analysis on the authorizations requested for the user: the submitted authorization is matched against the existing set of rules to detect risk. Any rule that matches the requested set of authorizations is considered a risk. To reduce the analysis time, PAC has an in-built registry of transaction-to-rule mappings; when it performs the analysis, only those rules which are required to validate the user's authorization are loaded.
- PAC receives the request for analysis.
- Checks the registry and loads only those rules which are required to perform the analysis.
- Identifies the risks, if any (matches the requested authorizations one by one against the rules).
- Generates the hash code (Requested User ID + Transactions + Analysis Result (Y/N) + Previous Hash).
In our compliance-based blockchain network, one node does the complete analysis (Level 1), which means it identifies all the risks associated with that request; a defined number of other nodes run a partial analysis (Level 2), which means that once the analysis finds the first risk it stops processing and marks the analysis result as failed (N).
Level 1 – Validates whether the requested transactions are part of any set of rules: it checks whether the combination of transactions is part of a rule, and whether the requested permissions are part of the rules.
- Creates a registry for the action rules/permission rules
- Before starting validation, loads only those rules which are part of that registry.
- Completes the action analysis and the permission analysis.
PAC does a complete analysis and finds any risk arising from segregation of duties or from critical actions/permissions. Here PAC compares the existing rules with the user's assignment and determines whether there is any risk associated with it.
Level 2 – Validates only until the first occurrence of an invalid transaction.
PAC does not perform the complete analysis; it does a risk assessment. In order to perform the analysis quickly, it stops the risk analysis where it finds the first risk. PAC is designed so that it can perform a high-level risk assessment for only those authorizations which are involved in generating a permission risk.
- Change Analysis – Any change in the rules is stored as a secure block with a timestamp in the parallel blockchain. Any user who tries to access any transaction is validated by Proof of Access Compliance (PAC) Change Analysis: if the change-block timestamp is greater than that of the assigned access, the access is blocked. (PAC can be configured to run the compliance analysis in all such cases and grant access if the block is compliant, instead of blocking the access.)
- Each time a user tries to execute a transaction, it is first validated by PAC (Change Analysis), which checks whether the user has valid authorization to execute the transaction and whether there has been any change in the rules for that transaction. If there has been a change in a rule related to that transaction, the user's access is blocked and the business administrator needs to re-run the risk analysis to make sure the user has valid access.
- Tracking Rule Changes – Whenever any rule is updated, a secure block is created with the set of transactions that are part of that change. Other required information, such as who made the change, IP address, system details, login details and timestamp, is also stored with it. All stakeholders are notified via email regarding the change.
- Hash Generation & Validation – Nodes completing the analysis generate the hash code (Requested User + Transactions + Analysis Results + Previous Hash). Other nodes that are part of the blockchain network validate the hash code by generating it themselves from the provided set of parameters. Any change in the requested parameters will produce a different hash code.
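The six-step use case above, the Level 1 / Level 2 analysis with its transaction-to-rule registry, and the hash generation and validation, carried through as one added example that is not the post's own code. The rule set, transaction codes, user name and node names are constructed sample values; a rule is modelled as a set of transactions that must not be requested together, the hash is SHA-256 over the four parameters the post lists, and one initiator picks three validators (one Level 1, two Level 2) before the block is appended.

```python
import hashlib
import json
import random
from dataclasses import dataclass, field

# Constructed sample rule set. A segregation-of-duties rule is a set of transactions
# that must not be assigned together; a critical-action rule has a single transaction.
RULES = {
    "SOD_001": {"SU01", "PFCG"},   # user maintenance + role maintenance
    "SOD_002": {"FB01", "F110"},   # post document + run payments
    "CA_001": {"SE16N"},           # critical action: generic table browser
}


def build_registry(rules):
    """The in-built registry: transaction -> ids of the rules that mention it."""
    registry = {}
    for rule_id, tcodes in rules.items():
        for tcode in tcodes:
            registry.setdefault(tcode, set()).add(rule_id)
    return registry


REGISTRY = build_registry(RULES)


def load_rules(transactions):
    """Load only the rules needed to validate this request, via the registry."""
    ids = set()
    for tcode in transactions:
        ids |= REGISTRY.get(tcode, set())
    return {rule_id: RULES[rule_id] for rule_id in sorted(ids)}


def analyze(transactions, level):
    """Level 1 reports every matching rule; Level 2 stops at the first risk."""
    requested = set(transactions)
    risks = []
    for rule_id, combo in load_rules(transactions).items():
        if combo <= requested:          # the whole rule combination was requested
            risks.append(rule_id)
            if level == 2:
                break
    return risks


def block_hash(user, transactions, compliant, prev_hash):
    """Hash code = Requested User ID + Transactions + Result (Y/N) + Previous Hash."""
    payload = json.dumps({"user": user, "transactions": sorted(transactions),
                          "result": "Y" if compliant else "N", "prev": prev_hash},
                         sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class Node:
    name: str

    def validate(self, user, transactions, prev_hash, level):
        """Step 4: set the compliance result and generate the hash code."""
        risks = analyze(transactions, level)
        compliant = not risks
        return {"node": self.name, "level": level, "risks": risks, "compliant": compliant,
                "hash": block_hash(user, transactions, compliant, prev_hash)}


@dataclass
class ComplianceChain:
    nodes: list
    blocks: list = field(default_factory=list)

    def prev_hash(self):
        return self.blocks[-1]["hash"] if self.blocks else "0" * 64

    def submit(self, user, transactions, seed=None):
        """Steps 1-6 of the use case; returns (block or None, validator results)."""
        rng = random.Random(seed)
        initiator = rng.choice(self.nodes)                        # step 2
        validators = rng.sample([n for n in self.nodes if n is not initiator], 3)  # step 3
        prev = self.prev_hash()
        results = [v.validate(user, transactions, prev, level)
                   for v, level in zip(validators, (1, 2, 2))]
        all_compliant = all(r["compliant"] for r in results)
        # Step 5: the initiator recomputes the hash from the supplied parameters;
        # every validator's hash must match it before the block is broadcast.
        expected = block_hash(user, transactions, all_compliant, prev)
        if not all_compliant or any(r["hash"] != expected for r in results):
            return None, results
        block = {"user": user, "transactions": sorted(transactions), "result": "Y",
                 "prev": prev, "hash": expected, "validators": [r["node"] for r in results]}
        self.blocks.append(block)                                 # step 6
        return block, results


def verify_chain(chain):
    """Hash validation by any other node: recompute every hash and the previous-hash link."""
    prev = "0" * 64
    for b in chain.blocks:
        recomputed = block_hash(b["user"], b["transactions"], b["result"] == "Y", b["prev"])
        if b["prev"] != prev or recomputed != b["hash"]:
            return False
        prev = b["hash"]
    return True


if __name__ == "__main__":
    chain = ComplianceChain([Node(f"node{i}") for i in range(5)])
    print(chain.submit("jdoe", ["SU01", "FB01"], seed=7)[0] is not None)   # True: no SoD risk
    print(chain.submit("jdoe", ["SU01", "PFCG"], seed=7)[0] is not None)   # False: SOD_001
    print(verify_chain(chain))                                             # True
```

The Level 2 validators return after the first matching rule, so for a request that triggers several rules only the Level 1 result lists them all; because the hash covers only the Y/N result, all three validators still produce the same hash when they agree. Editing any stored parameter of an accepted block makes `verify_chain` fail, which is the tamper check the other nodes perform.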
In my opinion, Real-Time compliance using blockchain is the only automatic way to make sure any organization is 24×7 compliant while avoiding any data manipulation and hacking. Without the need for continuous monitoring or any personal liability, it tremendously reduces the compliance cost for any organization. Quick and easy validation of compliance standards results in faster decision-making and successful audits.
I would like to have your feedback. Feel free to leave your comment below if you have questions or suggestions for making an intelligent compliance solution.
Thanks for reading!