Processes, Records, Systems and Roles (PRSRs) are captured and kept under change control because of their vital association with business controls. This is critical data we collect when carrying out regulatory gap analyses (GRC-POS-24) to establish business control requirements.
Regulations Controlling Company Data
Over the years there have been numerous instances of new regulations being passed that have required companies to change how they access certain types of data and process them in a particular manner.
More obvious examples include:
- the US Foreign Account Tax Compliance Act (FATCA) and the reporting required by all countries on the assets of foreign individuals;
- Anti-Money Laundering requirements such as “Know Your Client” and the processing of Politically Exposed Persons (PEPs); and
- the many Data Protection rules in jurisdictions on processing personal information (PI).
The simplicity of our solution schematic below for managing inventories of PRSRs dealing with PI that must comply with Data Protection rules belies the complexities involved.
Harnessing technology is the only way to stay in control of these rules. Hence our customizable Data Inventory Management System (DIMS).
Cataloguing Any Combination of Data Fields Using DIMS
So against this backdrop, we have developed the capability of carrying out data inventories for clients by capturing all Processes and their Records that have fields containing pertinent information, along with the Systems and Roles of the people accessing them – what we refer to as PRSRs. Any combination of fields can be set up to be catalogued in our Data Inventory Management System (DIMS).
Creating a Baseline for Establishing the Impact
In situations where clients need to assess the impact of regulations on their operations and where there is a heavy emphasis on knowledge of certain data, we are able to collect the information needed. This creates a baseline for determining the impact that data-related rules will have, by mapping them to the PRSRs via our system. The logical diagram above and the process flow diagram below show how we have tackled Data Protection rules in this way.
Baseline Dependency for Certain Assessments
This process of digitising PRSRs using our DIMS solution dovetails with our regulatory assessment service (GRC-POS-24), where a detailed analysis can only be done effectively once knowledge of the PRSRs has been established. By doing the gap analysis using input from DIMS on the PRSRs impacted, it provides the essential input for designing business controls to bridge these gaps.
What Our Service Entails
The help we provide takes the form of 14 steps that follow two very distinct stages of engagement:
- The first 7 steps deal with the preparation required to pave the way for a successful data inventory exercise to digitise the PRSRs; and
- The remaining 7 steps cover the process followed to deliver a fully digitised set of PRSRs.
Here are the steps for the Preparation Stage:
- Establish where a lack of PRSR data will create potential risk to the business (e.g. Data Protection rules that have not yet been implemented properly);
- Carry out a high-level assessment to determine which areas of the business represent a high risk;
- Identify the subject matter experts (SMEs) in each area in scope who will be responsible for providing the PRSR data for their areas;
- Carry out training of SMEs on use of DIMS and templates to be completed for each area;
- Set up and pre-load the required tables in DIMS;
- Agree key deliverables and dates per area and produce a project plan; and
- Schedule online initiation workshops to commence capturing PRSR data.
The second stage, that delivers a fully digitised set of PRSRs, entails the following steps:
- Carry out online initiation and periodic review workshops with each area;
- Capture Process details for each area;
- Capture Records associated with each process in each area;
- Capture the Fields in each record;
- Capture the Source of each record;
- Capture who has Access to each record; and
- Capture Alternative Uses for each record.
Some of the above steps are driven by the Data Protection rules that are a norm today, and may need to be extended to include other parameters for other regulations depending on client needs.
A. Preparation Stage
Our experience in carrying out data inventory exercises is that every client has a different profile in terms of maturity in how they control the core data relating to the design make-up of their business controls.
Business controls invariably comprise a combination of what we call Business Control Elements (BCEs) and these are the Processes, Records, Systems and Roles (PRSRs) that are present in every operating model in a company.
Failing to keep these BCEs under change control means your first line of defence in combatting potential risks to the business is compromised. The problem is that any changes to BCEs, for whatever reason, have the potential knock-on effect of negatively impacting the design and operational effectiveness of your business controls.
Hence the need, during the preparation stage, to carry out an assessment of where the big gaps in control of BCE data are creating the biggest risks to the business. These gaps are most evident when new regulations compel businesses to look at the data side of their operations. Data Protection (DP) is a good example of this, with the DPA, GDPR and POPIA regulations in the UK, EU and SA respectively.
Continuing with this DP example, the million dollar question that needs to be answered because of this regulated focus on data is: What do we do with the personal information of our clients, suppliers and employees and which PRSRs are impacted?
There are different ways of answering this question. We have found that the lean approach is the best one. In other words, don’t start by doing an inventory of your whole organisation and then looking at where PI is being processed. Inventories require a level of detail that is out of place where a company is still trying to get a grasp on how big the problem is overall.
Rather, do a high-level assessment of the impact of the regulation on your organisation first, to create a heat map that shows the hot spots where specific business areas need to drill down and get their data under control to meet the rules these regulations impose. We do this under the regulatory assessment service in GRC-POS-024.
To give you an idea of the level of granularity differences here, a high-level impact assessment deals with 22 requirements at a summary level to generate the heat maps for a DP regulation. Once you know where the hot spots are, the more comprehensive analysis deals with 86 detail level requirements and includes more specific questions about which PRSRs are impacted in each business.
To be able to answer the question about which PRSRs are impacted in each high-risk business, there is some key preparation needed for using our DIMS solution. This involves capturing the pre-existing data on PRSRs and then adding the regulation-specific options that are new and need to be captured about the PRSRs in each business.
Then there is the planning and training required to be ready for capturing the content needed in DIMS to answer the detailed analysis questions.
B. Digitisation Stage
The pre-existing data on PRSRs that gets captured during the preparation stage will take care of all pertinent data relating to PRSRs that already exists in different repositories such as any registers of systems, processes and HR roles in the company.
The records that hold specific data fields that become regulated are normally the challenge to list in the system beforehand.
This pre-existing PRSR detail is captured and becomes the set of drop-down menus for each business to enable them to select the ones that are relevant to their operations and add the missing data.
Once this base information on PRSRs has been captured and placed under change control, you have 80% of the picture for future data-related regulations that come along. You then only require a 20% effort to refine what you have in DIMS to assess the impact and put controls in place. This is the beauty of using our system solution.
The regulation-specific options that are new and need to be captured about the PRSRs are important to get right during preparation as this drives the main effort during the inventory exercise. This is where the risk lies of not having this information under control because of the new rules introduced by the regulation.
If we use the DP regulations as an example, each process in a business area that is impacted is identified and the following data captured:
1. Capture Process details for each area:
   a. Type
   b. Name
   c. Description
   d. Purpose
2. Capture Records associated with each process:
   a. Name
   b. Description
   c. Systems processing each record
   d. Is the area acting as a Processor (third party)?
   e. Could this record pertain to a child?
3. Capture the Fields in each record:
   a. Name
   b. Description
   c. Purpose (business reason)
   d. Grounds (prescribed regulatory rule / none)
   e. Special PI Category (select category / NA)
4. Capture the Source of each record:
   a. Source Classification
   b. Source Name
   c. Source Description
5. Capture who has Access to each record:
   a. Access Purpose
   b. Access Group
6. Capture Alternative Uses for each record:
   a. Alternative Use Type
   b. Alternative Use Method
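As an added illustration (not DIMS code or any vendor code), the six capture levels above modelled as plain Python data classes, with a check that lists the gaps a Data Protection assessment would query: special PI fields captured without grounds, records that may pertain to a child, and records whose source or access has not been captured yet. The sample inventory and the check rules are assumptions made for this example; the Description attributes are omitted for brevity.

```python
from dataclasses import dataclass, field

@dataclass
class PIField:                 # level 3: a field in a record
    name: str
    purpose: str               # business reason
    grounds: str               # prescribed regulatory rule, or "none"
    special_pi: str            # special PI category, or "NA"

@dataclass
class Record:                  # level 2, with levels 4-6 nested as tuples
    name: str
    systems: list              # systems processing the record
    processor: bool            # area acting as a Processor (third party)?
    may_concern_child: bool    # could this record pertain to a child?
    fields: list = field(default_factory=list)
    sources: list = field(default_factory=list)   # (classification, name, description)
    access: list = field(default_factory=list)    # (access purpose, access group)
    alt_uses: list = field(default_factory=list)  # (alternative use type, method)

@dataclass
class Process:                 # level 1
    type: str
    name: str
    purpose: str
    records: list = field(default_factory=list)

def inventory_findings(processes):
    # Return (process, record, finding) triples; rules are illustrative assumptions.
    out = []
    for p in processes:
        for r in p.records:
            for f in r.fields:
                if f.special_pi != "NA" and f.grounds == "none":
                    out.append((p.name, r.name, f"special PI field '{f.name}' has no grounds"))
            if r.may_concern_child:
                out.append((p.name, r.name, "record may pertain to a child"))
            for level, items in (("source", r.sources), ("access", r.access)):
                if not items:   # capture step not completed for this record
                    out.append((p.name, r.name, f"no {level} captured"))
    return out

# Constructed sample inventory for one business area (not real client data).
SAMPLE = [Process("Operational", "Client Onboarding", "Open new client accounts", [
    Record("KYC file", ["CRM"], False, False,
           [PIField("Full name", "Identification", "AML rule", "NA"),
            PIField("Biometric ID", "Identification", "none", "Biometric")],
           [("Direct", "Client", "Supplied at onboarding")], [("Verification", "Onboarding team")]),
    Record("Guardian consent", ["CRM"], False, True, [PIField("Guardian name", "Consent", "Contract", "NA")]),
])]
```

Running `inventory_findings(SAMPLE)` on the constructed data returns four findings: the biometric field without grounds, the child-related record, and that record's missing source and access entries.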
Various illustrations of drop-down menus have been provided above. What follows are some screen layouts of our Data Inventory Management System.
Request for Information
Should you wish to find out more about this or any of our other Portfolio of GRC Services or Solutions, please don’t hesitate to give us a call or email us. Our details can be found at the bottom of this screen or under Contact on the main menu.