Informatica Identity Resolution

Transcription

1 Critical Technologies for Compliance and Risk Management The financial meltdown in the mortgage-backed securities industry has Siperian organizations MDM across Hub and all sectors bracing Informatica Identity Resolution for tighter regulations and increased compliance demands. It is unclear exactly what action these government agencies may take, but the widespread agreement that the crisis was exacerbated by lax A perfect regulations combination makes it clear of that advanced new compliance Match requirements technology will within be implemented a flexible to ensure Master such Data a debacle Management does not happen Platform again. Under these circumstances, how do organizations ensure compliance with stricter regulations and manage risk appropriately so the business does not slip into non-compliance resulting in severe consequences negative publicity or punitive fines? Smart decision-makers, irrespective of the industry they are in, are now seeking technology investments to help establish good governance models that will in turn help with regulatory compliance and lower their operational risk. Master Data Management (MDM) is exactly this kind of investment. MDM ensures that critical enterprise data is validated as correct, consistent and complete when it is circulated for consumption by internal or external business processes, applications or users. But not all MDM technologies can address the various compliance requirements facing today s businesses. Only an integrated, model-driven, and flexible MDM platform that is easily configurable can provide the functionality required to meet compliance requirements and lower risk. Regulation Comes in Different Forms Most regulations are initiated by the government and comprise of two types: those that are broad in nature and apply to companies across all industries, and those specific to a particular industry. For example Sarbanes-Oxley, which is designed to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, applies to companies across all industries. However, physician spend reporting regulations, requiring drug manufacturers to track and report their healthcare provider expenditures and adjust them based on varying state limits, apply only to companies in the pharmaceutical industry. Then there are the regulations that arise from sources other than the government. There are standards bodies -- sometimes created by a group of companies within a particular sector --that create and enforce regulations for the benefit of the entire industry. For example the American Medical Association (AMA), a voluntary association of physicians in the United States which sets standards for the medical profession and advocates on behalf of physicians, has created the Pharmaceutical Research and Manufacturers of America (PhRMA) code on interactions with healthcare professionals. This code is a voluntary one that suggests all gifts and services given by Pharmaceutical companies to physicians must primarily benefit patients or be for the education of the physician. For example, it would be appropriate to give 1

2 a stethoscope, but not a golf bag. Pharmaceutical companies that market their drugs to physicians are expected to honor these codes. Why Comply? Usually government regulations carry a penalty, whereas regulations promulgated by standards bodies might not. For example, companies that engage in direct marketing (and most companies who sell to consumers do) are expected to abide by the FCC s opt-out regulation, whereby individuals signing up with the national Do Not Call registry cannot be solicited over the phone. Failure to comply with these regulations can result in fines up to $11,000 per infraction. On the other hand, a violation of the PhRMA code does not necessarily result in fines; it only asks pharmaceutical companies to voluntarily honor the system. In most cases, government regulations are designed as a baseline for organizations within an industry. Consequences for non-compliance vary in scope, for instance, based on the size of the organization or the magnitude of the violation. If the infraction is minor, the fine may not be of any great financial consequence to the company, but a major infraction can be costly such as affect brand equity should the company wind up on the 10 O clock news. To avoid such embarrassment, organizations need to hold themselves to higher standards above and beyond the mere baseline. Failure to do so can result in severe dilution of brand equity that can affect customer retention, prospective customer acquisition, stock holder confidence and therefore future revenue growth. For example, one medical devices company that manufactures blood glucose monitoring devices failed to heed customer requests to not send sensitive information to the work address, an action that resulted in both customer attrition and brand dilution. Achieving Compliance is Hard Compliance is such a challenge for companies largely because each industry has unique regulatory requirements. For example, pharmaceutical companies have to comply with the Prescription Drug Restriction Program and state-level Gift Law regulations. Retailers struggle with multi-channel optout regulations. Medical device manufacturers have to confront product recall regulations. Banks must comply with Basel II regulation and a number of privacy laws. Since each of these regulations has its own unique compliance and reporting element, there is the impression that each regulation requires a unique approach. This is true to a degree, yet there is one aspect to the compliance challenge that is common across all industries and all regulations: data. More to the point, companies in all these industries struggle to comply with these regulations because they do not have their data in order. Regulatory compliance typically requires two steps: (1) tracking and monitoring compliance related data, and (2) reporting compliance information to the regulatory authorities on a periodic basis. In both steps, data becomes the crux of regulatory compliance. Generally, the problem occurs because data is captured by different lines of business in different systems, yielding inconsistent, incomplete, and duplicate data. For example, retail companies struggle with optout compliance because a customer s opt-out preference is captured in multiple systems, and they often conflict with each other. A customer could choose to opt-out via several channels phone call, fax, snailmail, , or on the company website. In a typical retail setting, there are separate systems such as CRM, ERP, or web content management systems to manage each of these channels. So when a customer calls into the call center and opts-out of receiving the company s marketing communications, the other systems are not automatically updated with the new customer preference. As a result it is not obvious to the marketing department as to which data or source system is correct. Consequently, they might find themselves accidentally sending an unwanted correspondence to the customer who had previously optedout simply because the web content management system held the incorrect customer preference. 2

3 Compliance Requirements To support regulatory compliance monitoring and reporting, companies need a strong combination of people, processes, and technology to properly manage the data. In other words, an organization requires a strong data governance regime and the technological capability to facilitate the governance in order to be successful with its compliance initiatives. Requirement #1: Establish a Strong Master Data Governance Regime While data is certainly ubiquitous across an organization, the practice of data governance is commonly limited to the most important types of data the data that is deemed necessary for efficiently managing business operations and regulatory compliance. Today, this important class of data, which is called master data, is emerging as a critical and central component to a company s data governance efforts. More specifically, master data is a collection of common core business data entities such as customer, product, location and organization, and their associated attributes and values that are considered to be core to a company s business. Master data governance, on the other hand, is the overall management of these data entities, and consists of the policies, processes, controls and audit functions required to manage and safe-guard these critical corporate data assets. As a result, data governance also includes oversight of the related domains of data availability, usability, integrity and security. However, before implementing a master data governance program, you should proactively raise and answer the following seven critical questions in order to help lay the foundation for a sound master data governance program. By pursuing thorough due diligence upfront, and by securing buy-in from the necessary stakeholders, your data governance initiative will have a greater chance of success while avoiding costly delays and falling victim to political quarrels. 1. What data should constitute master data? 2. Who will own the various aspects of master data? 3. How many and what data sources exist for each type of master data? 4. What level of validation and/or verification of consistency, correctness and completeness are sufficient? 5. What, if any, industry or regulatory standards must be supported? 6. Who is allowed access rights to which data type and what actions can they perform? 7. What controls need to be put in place for master data, and what level of change needs to be recorded over what timeframe? Master data governance is unique to every organization, even within the same industry. This is because master data governance is closely tied to the company s business processes, culture and IT landscape, which are different for each organization. As a result, you and your organization need to go through a design phase in order to create a master data governance program that is customized for your specific company. Requirement #2: Enable Master Data Governance with MDM Technology Once the custom master data governance design in place, you then need to focus on the technology. Not just any technology, but a master data management solution that s flexible enough to support the custom design. If the MDM platform is rigid in its functionality, (i.e. if it has a fixed data model), then you may end up compromising your data governance design in order to adapt to the limitations of the technology. Critical MDM functionality can be easily overlooked when companies are narrowly focused on nearterm requirements within a single business function or compliance endeavor or a single business data type such as customer (Customer Data Integration) or product (Product Information Management). Consequently, they run the risk of selecting and investing in technologies that may be difficult to extend to other areas or compliance-related efforts that are happening across the organization. Taking this approach undoubtedly will require costly and extensive custom coding in order to add additional business data entities or data sources, or to extend the system to other lines of business or geographies. In order to 3

4 prevent these costly pitfalls, decision-makers need to ensure proper support for compliance monitoring and reporting, and reduce the over-all project risk. To reduce the risk of choosing the wrong solution, it is important that a Request For Proposal (RFP) include key business data requirements across several critical business functions including sales, marketing, customer support and, of course, compliance. To avoid the common mistakes made by MDM software evaluation teams and ensure long-term success, you should make sure that key components are built into your master data management solution. By including these ten critical MDM requirements in your RFP, you will be well on you way to laying the foundation for a complete and flexible MDM platform that addresses your current requirements, and is also able to evolve to address unforeseen future data integration requirements across the organization. 1. Manages multiple business data entities within a single MDM platform. Using an MDM platform that can handle multiple data types, an organization can begin to ensure compliance within a single business division in order to demonstrate a rapid return on investment and later extend the solution to accommodate other business divisions for even greater enterprise value. 2. Permits data governance at both the project and/or enterprise-level. It is critical that the underlying MDM platform is able to support the compliance-related data governance policies and processes defined by your organization. 3. Works with your standard workflow tool. Workflow is an important component of both MDM and data governance, as it can be used to monitor compliance in real-time and automatically alert the appropriate personnel of any potential violations. 4. Handles complex relationships and hierarchies. Certain compliance initiatives such as Basel II require the ability to manage complex legal counterparty hierarchies. Make sure your MDM request for proposal requires a solution that is capable of modeling complex business-tobusiness (B2B) and business-to-consumer (B2C) hierarchies within the same MDM platform. 5. Provides support for Service Oriented Architecture (SOA) services. Since MDM is the foundation technology that provides reliable data, any changes made to the MDM environment will ultimately result in changes to the dependent SOA services, and consequently to the SOA applications. You need to ensure the MDM platform can automatically generate changes to the SOA services whenever its data model is updated with new attributes, entities, or sources. This key requirement will protect the higher-level compliance applications from any changes made to the underlying MDM system. 6. Allows for data to be cleansed inside of the MDM platform. Data cleansing needs to be centralized within the MDM system in order to provide clean data for compliance reporting. If your company has already standardized on a cleansing tool, then it is important to ensure the MDM solution provides out-of-the-box integration with it in order to leverage your existing investments. 7. Enables both deterministic and probabilistic matching. In order to achieve the most reliable and consolidated view of master data for compliance purposes, the MDM platform should support a combination of these matching techniques, with each being able to address a particular class of data matching. A single technique, such as probabilistic, will not likely be able to find all valid match candidates, or worse may generate false matches. 8. Creates a golden master record with the best field-level information and stores it centrally. It is important that the MDM system is able to automatically create a golden record for any master data type (i.e. customer, product, asset, etc.) to enable compliance monitoring and reporting. In addition, the MDM system should provide a robust unmerge functionality in order to rollback any manual errors or exceptions. 4

5 9. Stores history and lineage. The ability to store history of all changes and the lineage of how the duplicate has merged is a very important requirement to support compliance. Any compliance initiative will require the ability to audit such data changes over several years. 10. Supports both analytical and operational usage. Compliance monitoring is performed within an operational system while compliance reporting is performed using a business intelligence tool or data warehouse. Successful Regulatory Compliance Begins with an Integrated and Flexible MDM Platform Taking the time to build the foundation for a sound master data governance program is critical to the success of any compliance effort. Answering the seven questions in advance of designing your data governance process will allow you to better plan and implement a successful enterprise-wide regulatory compliance effort. Further, the ten requirements will enable you to identify and evaluate a suitable technology platform a prerequisite when managing your organization s master data assets and establishing a consistent master data foundation. Once your organization starts to make its departmental compliance projects operational, you are likely to find that your larger compliance requirements will expand to include other lines of business or geographies. Therefore it is important to create a comprehensive RFP, carefully evaluate the MDM options, and choose a solution and that will include all ten critical requirements. It is also important to assess the MDM platform s ability to support these ten core capabilities out-of-the-box, as they should be integrated components of a complete enterprise-wide MDM platform. In this way, you will be able to mitigate technology risk and improve your return on investment since additional integration and customization will not be necessary in order to make the system operational. Another benefit gained by having these ten MDM components integrated within the same MDM platform is that software deployment is much faster and easier to migrate over time. Finally, it is wise to check vendor references to evaluate the enterprise-wide deployments of their customers, and to ensure that the vendor s MDM solution is both proven and includes all ten enterprise MDM platform capabilities. A well thought-out master data governance regime will allow you to quickly reap the returns from your integrated and flexible MDM platform. More importantly, the ten critical MDM requirements will enable greater success of your compliance initiative allowing a more rapid deployment and even faster time to value. Taking the time to implement an MDM platform that is capable of meeting both your current and future compliance efforts will reap many rewards. How Different Industries Face Compliance Challenges Pharmaceutical Compliance The pharmaceutical industry is one of the most highly regulated industries, with strict Federal and state government oversight in R&D, manufacturing, sales and marketing, and drug recall activities. Within marketing, pharmaceutical companies face two regulations: (1) State Gift Laws and (2) the Prescription Drug Restriction Program. State Gift Laws: State Gift Laws are laws enacted by various state governments to regulate pharmaceutical companies from giving expensive gifts to physicians. The genesis of these laws was the PhRMA Code on Interactions with Healthcare Professionals enacted by the American Medical Association. This code s main relevance to pharmaceutical companies is its suggestion that all gifts and services given must primarily benefit patients or be for the education of the physician. The Office of Inspector General (OIG) of the Department of Health and Human Services came up with its own version, which provides pharmaceutical manufacturers with guidelines to consider while developing regulatory and statutory compliance programs. More specifically, the guidance document discusses the most common, potentially illegal arrangements including: 5

6 Switching arrangements (in which the physician is encouraged to switch patients to the manufacturer s drug from a competing drug) Consulting and advisory payments (i.e. where the physician is given a fee for listening to a marketing pitch) Payments for detailing (i.e. where the physician is given a substantial fee for completing minimal paperwork) Business courtesies and other gratuities Educational and research activities (i.e. where physicians are paid above market rates for research that is unnecessary) Both the AMA and the OIG allowed the pharmaceutical companies to adopt their guidelines on a completely voluntary basis, so the adoption didn t go too far. However, fearing rising drug prices as a result of rising marketing costs, several states began passing laws based on the AMA and OIG guidelines. For example, California S.B (which became effective on July 1, 2005) requires that all pharmaceutical companies in the state comply with the current PhRMA and OIG voluntary guidelines and establish firm caps on the amount of money they spend per doctor, per year on direct promotion. Several other states followed suit, including Maine, Minnesota, New Hampshire, Vermont, and several others, while, more than a dozen other states are in the process of passing similar laws. However, and to further complicate matters, each state has or is in the process of passing laws with different dollar limits and different restrictions. Pharmaceutical companies face several other challenges as a result of these different state regulations. First they may not be able to track the expenses on each healthcare provider by expense type based on state limits. They may also be unable to report on the expense per healthcare provider and may not have authoritative knowledge of whether the company is in compliance with each of the state s regulation. These challenges are further complicated when the physician information is dispersed across disparate transactional systems, gets duplicated, or develops conflicts between the various versions -- giving rise to a number of MDM challenges. In particular, pharmaceutical companies: May be unable to authoritatively determine the exact total spend at any time on each healthcare provider across several payment systems such as Reimbursement, Grants, Accounts Payable, etc. May be unable to determine all the organizations a healthcare professional is associated with May not reliably know the state in which the healthcare provider practices May find it hard to determine if they are compliant because the data warehouse, which may be used to report on the expenditures, does not have reliable healthcare provider data May be unable to see the relationship between sales reps and prescribers (sales territory alignment) MDM can help ensure compliance in these situations by uniquely identifying the healthcare provider across systems and as a result provide: A dynamic view of all the transactions including payment, reimbursement, related to each healthcare provider A single complete representation of the healthcare provider across all systems A reliable view of the relationship between the healthcare provider and all the organizations he/she is associated with The best/unique healthcare provider dimension data to the data warehouse to accurately report on adherence to federal/state regulations and enforce compliance A dynamic view of the relationship between the sales reps and the healthcare provider Prescription Drug Restriction Program: The AMA created the Prescription Drug Restriction Program (PDRP) which requires pharmaceutical companies to keep restricted data out of reach of certain restricted employees. The AMA defines restricted data as measures of prescription volume in absolute and percentage terms, the associated dollar value of a physician s prescribing, any indicators of change in these measures, as well as any means of ranking, benchmarking, or grouping physicians. It defines restricted employees as sales reps and their immediate managers. 6

7 Pharmaceutical companies face several challenges due to this regulation. First, distinguishing restricted data from unrestricted data is not an easy exercise. Second, blocking restricted employees from accessing restricted data but allowing access to unrestricted data or allowing unrestricted employees such as sales and marketing executives to access restricted data requires changes to current software. Third, the company needs to restrict access to only those prescribers the sales representative is assigned to, which requires careful sales territory alignment. More complexity is added when the physician information resides in multiple applications, is duplicated across different systems, or has conflicts. These problems give rise to several other MDM challenges. First, pharmaceutical companies might not know which systems house the opted-out prescribers. This can be further compounded when the same prescriber information is duplicated or has conflicting names. Second, pharmaceutical companies may be unable to see the relationship between restricted employees and opted-out prescribers (sales territory alignment). Third, they need to block access for the same prescriber in multiple systems if duplicates exist. Fourth, restricted employees can gain backdoor access to restricted data by using a different spelling of the prescriber name if name conflict exists. Finally, if a data warehouse is used to learn prescribing practices, it might be hard to enforce compliance because the data warehouse does not have reliable prescriber data. An MDM system can help ensure compliance in this situation by uniquely identifying the prescriber across systems. More specifically a master data management platform can provide: Complete views of all the systems which house opted-out prescribers Dynamic views of the relationship between sales reps, their immediate managers, and opted-out prescribers Ways to prevent unauthorized backdoor access by taking advantage of differently spelled names A single security gateway to multiple systems housing opted-out prescribers Reliable prescriber data to the data warehouse to enforce compliance Retail Compliance For companies in the retail industry, direct marketing is a prime medium for reaching their end customers the consumer. Retailers use this medium to communicate important product announcements, cross-sell or up-sell other products and so on. The Federal Trade Commission (FTC) mandates the collection and maintenance of consumers preferences for mailing marketing literature. Failure to respect a consumer s request to not receive marketing literature can result in an $11,000 per incident fine for the retailer. To ensure that the company respects their customers privacy, they provide ways for the customer to opt-out of receiving communication in each and every channel including: phone, fax, , website and so on. Quite often, companies in the retail sector use different systems for each of the channels. Customer service representatives use CRM applications to capture the preferences, while opt-out preferences that are mailed or faxed might get entered into a different system. Also, the retailer might use a separate web content management system for website interaction. As a result, multiple copies of the same customer s record are duplicated across different systems. When the customer communicates that they do not want to be contacted by phone, this information may be updated in the CRM application, but perhaps not in the other two systems. Without a holistic view of the opt-out preference, a marketing campaign that targets customers who reach the company via website would totally ignore the opt-out preference called in by the customer and updated in the CRM system. As a result, the company would continue mailing its marketing literature to the customer that had already communicated his or her choice to totally opt-out of any such communication. Such continued practices will often result in customer attrition and brand dilution. An MDM system can provide the retailer with consistent, complete and accurate consumer, contact, optin/ opt-out and communication preference information that is captured and stored in different systems. From there it can create a single view of the customer information from all the different systems and store it centrally along with their specific opt-out preferences. If opt-out information is entered into the 7

8 CRM system that change will quickly be reflected in the web content management system. This means that any campaign that is using data from the central MDM system would use the correct preference setting regardless of the system of origin. Medical Device Manufacturing Compliance Some of the devices manufactured by medical device companies blood glucose monitors, for instance are subject to some of the strictest regulations by government agencies such as Federal Drug Administration (FDA). One such regulation governs the recall of these devices when a malfunction is detected. The FDA mandates that in a medical device recall, the manufacturer should reach at least 80% of the device users. If 80% cannot be reached, then they need to call the users. Usually, medical device companies use low-cost media such as s and snail-mails to reach them, as calling the users is labor intensive and expensive. Despite the importance of accurate and reliable data, is not uncommon among medical device companies to capture customer information in different systems, and hence they lack the correct contact information required in critical incidents such as a recall. When these companies try to reach their consumers via snail-mail, they might get 20-30% returns due to incorrect addresses, prompting an expensive calling campaign. MDM can help medical device manufacturers avoid costly and ineffective product recall campaigns by centrally storing accurate customer information aggregated from all the different systems within the company. The companies can use this information to reach its customers rapidly, keeping returns to a minimum. Banking Compliance In 2004 the Federal Reserve Bank identified eight core banks in the US to implement the most complex and rigorous standards for capital management as defined by the International Basel II Accord. These standards included the Advanced Internal Rated Based (AIRB) methodology for managing credit risk as well as advanced approaches for managing operational risk. Basel II regulations stipulate how much capital banks need to put aside to guard against the risks banks face. These include credit risk, operational risk, interest rate risk, market risk and business risk. Basel II is fundamentally, about risk management and affects a bank s disclosures to public and investors. Since Basel II is an international framework, it affects both domestic U.S.-based banks and international businesses. To comply with the federal regulatory requirements, a bank needs to develop the ability to aggregate credit exposure at multiple levels, including legal entity, counterparty (or party to a contract) and business unit. Basel II requires that all counterparties be uniquely identified at the legal entity level and be rated using the banks internally developed rating models. It also requires that all credit exposures be linked to identify counterparties and aggregated based on legal entity hierarchy. Currently there is no international standard for linking legal entities and subsidiaries. Banks interact with a variety of entities associated with trading, settlement and account management. Robust risk management frameworks and practices are needed for banks to comply with Basel II. Clean, accurate counterparty data is essential in this equation, and is required to accurately estimate capital requirements. Additionally, Basel II regulations will need to reconcile conflicting counterparty master data and legal hierarchies and store them centrally for immediate access. To effectively comply with Basel II requirements, banks need an MDM solution to accurately aggregate counterparties so that all credit exposures can be linked to already identified counterparties and aggregated based on legal entity. Good risk analysis depends on good quality data, and on the availability of relevant and necessary data for effective analysis and modeling. Banks need an MDM system that provides a framework to capture and maintain data quality business rules, so counterparties can be uniquely identified at the legal entity levels. Banks must be able to aggregate exposures by counterparty across the organization. Also, hierarchies/ families of legal entities must be identified so that risk exposures can be rolled up to the parent. 8

9 About the Author Ravi Shankar is Senior Director of Product Marketing at Siperian, Inc., an innovative provider of the most flexible master data management platform. For more information, contact him at com or visit Siperian, Inc. 100 Foster City Boulevard, 2nd Floor Foster City, CA USA Toll-free: SIPERIAN Online: 9