One challenge facing chief risk officers, chief compliance officers and other C-level officers of large, regulated companies is how to better understand the governance, risk and compliance (GRC) issues facing their companies. This can be an especially acute problem for conglomerates engaged in multiple lines of business (e.g., banking, securities and insurance) that are regulated at the international, U.S. federal and state levels. Although very sophisticated charts and graphs can now be created with Microsoft Excel and other available business tools, very complex GRC scenarios may need to be visualized through the use of 3-D virtual environments.

For example, under the Health Insurance Portability and Accountability Act (HIPAA), health plans, health care clearinghouses and health care providers are deemed “covered entities” subject to the mandates of HIPAA. However, an insurance company that markets life insurance, property insurance and health insurance would be deemed a “hybrid entity,” where only the health insurance operations would be subject to the requirements of HIPAA. The IT infrastructure supporting the company’s health insurance operations would be subject to the HIPAA Privacy Rule, one aspect of which requires the company to account, on request, for certain disclosures of an individual’s “protected health information” (PHI). Thus, for the health insurance operations only, the company would need to track where PHI is maintained, used and disclosed, both to satisfy this accounting obligation and to protect the privacy and confidentiality of its customers’ health information. In practice this means the compliance team must know which systems, business processes and third parties touch PHI, and must be able to show that inventory to a regulator.

Manufacturing companies routinely use CAD/CAM software to portray complex engineered items, such as engines. Such CAD/CAM software can display the engine in 3-D, permit the viewer to “explode” the engine in order to see its individual parts and even drill down from an individual part to the engineering information relating to that part.

This CAD/CAM approach might prove useful for providing visualizations of a company’s lines of business and the GRC issues relating to each line of business, such as which IT systems handle PHI subject to the HIPAA Privacy Rule.
This approach can be further augmented by developing 3-D virtual environments to portray the business operations of a company and the GRC issues relating to each line of business. For example, HP has developed a “Virtual Environment Design Automation (VEDA)” software application that creates a 3-D virtual environment that is not static, but rather changes as the underlying data in the connected database changes. An HP white paper describing the VEDA technology shows the creation of an exhibition hall “environment” that can be used to show off HP technology in separate virtual “rooms.” One possible spinoff use of the VEDA technology would be a GRC environment, where each “room” would represent a different regulatory compliance issue. For example, one “room” could relate solely to legal mandates imposing risk assessment obligations on the target company (e.g., Basel II and the Sarbanes-Oxley Act). Another “room” would relate solely to legal mandates imposing IT privacy and security obligations on the target company (e.g., the EU Privacy Directive, HIPAA and the Gramm-Leach-Bliley Act). Because the environment is driven by the connected database, a change in the underlying compliance data (a new system brought into PHI scope, say) would be reflected in the corresponding “room” without rebuilding the visualization. Such a prototype environment could therefore be used by corporate compliance teams as a tool for visually understanding their company’s compliance “world” and for briefing their Board of Directors on the company’s compliance approach. In addition, within a “master room” contained in the 3-D virtual environment, the user could (i) “click” on a 3-D floating icon that represents the entire company and all of its lines of business from a hierarchical and/or business process point of view, (ii) “explode” the image to drill down to an individual line of business and then (iii) drill down further to view due diligence documents relating to the company’s compliance with individual laws for that specific line of business. The 3-D image also could be mapped against the geographic regions affected by the line of business operations.
Microsoft tools such as Silverlight, Photosynth and Deep Zoom may prove valuable in the future for developing such a virtual 3-D GRC environment. The technology approaches depicted in Microsoft’s Productivity Future Vision video also could prove relevant to realizing such a GRC 3-D virtual environment.
Jeff Jinnett invites your comments.