Compliance Analytics: Effectively Gathering and Making Use of Compliance Related Data


What kind of story is your data telling about your organization? Ask yourself the following questions: How are you currently measuring and reporting on complaint data? Do you have the ability to demonstrate trends by month, quarter, response time, or complaint category? What is your monthly failure rating for collector calls? How are you effectively measuring the effects of improvements made to your overall Compliance Management System?

If at this point you’ve done the planning, completed the risk assessment, and drafted and implemented your policies and procedures, it’s time to begin the monitoring phase of your CMS cycle of continuous improvement. Compliance data analytics is a powerful way to perform this monitoring, and it lets you visualize the status of your overall compliance posture and communicate it to others inside the organization.

So in the chaos of our hectic lives, where do we start? How do you know that your controls established within policies and procedures are being followed? And, what exactly does Compliance Analytics look like?

Start by mapping the regulatory requirements to your operational objectives. After you’ve identified the requirements that apply to you, map them to your processes. Apply a risk level to each process and begin to gather the measurable data. Investigate the use of tools you may have (spreadsheets or database applications) or tools you may be able to purchase and begin the analysis. Develop dashboard style reports that provide a visual demonstration for easily identifying trends.

What data should you begin capturing? For third-party debt collection activities, complaints, call monitoring, and training results are all categories involving processes that carry heightened risk factors, so they are typically a good place to start.

Complaint tracking and resolution is a requirement of the CFPB. Chief Compliance Officers are responsible for ensuring that complaints are addressed in a timely manner as well as communicated to the board and senior management on a periodic basis. Complaint review and analysis is the most effective way of identifying weaknesses in your CMS. Consider ways in which you can utilize the data you are already collecting to develop reports demonstrating trends in the data.

Call analytics is another telling data element. By utilizing the results of call monitoring, you will be able to determine if FDCPA and UDAAP policies and procedures are effective and followed. It will help you identify areas in need of improvements as well as discover additional training needs. Over time, you will be able to see the visual representation and measure the effects of changes and improvements.

Employee training results can also be useful if training programs and tests are constructed in a way that allows you to determine results by topic. Measuring on a regular basis can help paint the picture of your overall compliance posture and the knowledge level of your employees. A strong employee training system is based on score rather than pass/fail. By analyzing your employee training results, you can identify weaknesses and opportunities for retraining. Taking it to the next level, you can focus in on where the employees are struggling and whether the appropriate employees were tested.

 

This blog originally appeared on the KirkpatrickPrice blog, written by Sarah Morris

Sarah Morris is the Managing Editor at KirkpatrickPrice. She is certified in General Information Security Fundamental (GIAC GISF) and specializes in keeping companies up to date on information security and regulatory compliance by developing content that revolves around industry trends and best practices.