Can your business afford manual compliance auditing?
Brett Stineman | Tags: compliance risk business-rules business-events event-processing fraud
Recently, there was an interesting news story that highlights the issues companies face when dealing with regulatory compliance. The US Drug Enforcement Agency discovered a suspiciously high volume of a restricted pain relief medication, oxycodone, being channeled through several pharmacies in Florida. The DEA is currently engaged in legal proceedings against both the parent company of the retail pharmacies and the wholesale pharmaceutical distributor, alleging that they knowingly permitted these pharmacies to act as a conduit for illegal distribution of this medication.
While all sides agree that there was illegal activity taking place by rogue medical providers and their cohorts involved in black market distribution, there is disagreement regarding the knowledge of this activity by the companies. In all likelihood there probably was not a broad awareness at these companies of the unusual activity taking place. Why do I believe this to be the case? Because of the immense number of transactions that both these companies handle, the signs pointing to the problem were probably hidden by the amount of data passing through their information systems. It is the proverbial “finding the needle in the haystack”, and this really highlights the need to implement solutions that can automate detection of potential compliance situations in order to accelerate identification and response.
Event processing technology provides the ability to look for data anomalies (such as the 40x difference in oxycodone order volume at the pharmacies in this news story compared to the national average) that can trigger actions such as initiating an investigation process. What makes it really powerful is the ability to detect patterns that may take place across a set of transactions over an extended time period or across different systems – this makes it much more difficult to hide non-compliant activity by spreading it out to make any individual transaction look legitimate. By combining event processing with business rules, very precise actions can be defined to ensure the appropriate level of priority or to define which groups should be notified based on the context of the situation.
What I just described transforms compliance from an occasional, ad hoc task to a proactive, integrated, always-on core business function. Going back to this news story, I’m sure that eventually an audit would have uncovered this problem, but what ended up happening is that the regulators discovered it first. Given the cost and disruption of a compliance violation, especially when it can affect your core business, organizations should be moving towards an approach that allows them to improve detection, increase visibility and accelerate their ability to respond to compliance issues.
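The detection described above, sketched as an added example (not code from the original post or from any product): a sliding-window aggregation per pharmacy compared against a baseline, with business rules choosing the action and the group to notify. The window length, thresholds, group names, baseline and sample orders are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_DAYS = 30        # assumed look-back window
PER_ORDER_LIMIT = 500   # assumed per-transaction check that split-up orders pass

# Business rules (assumed): ratio of window volume to baseline -> action, group.
RULES = [(40.0, "open_investigation", "compliance+legal"),
         (10.0, "manual_review", "compliance"),
         (3.0, "watchlist", "regional_manager")]

def evaluate(ratio):
    """Return (action, notify_group) for the highest rule the ratio satisfies."""
    for threshold, action, group in RULES:
        if ratio >= threshold:
            return action, group
    return None

def detect(events, baseline_per_window):
    """events: (day, pharmacy_id, units) tuples ordered by day.
    Returns one alert (day, pharmacy_id, ratio, action, group) per escalation."""
    windows = defaultdict(deque)  # pharmacy_id -> (day, units) still in window
    totals = defaultdict(int)     # pharmacy_id -> units inside the window
    last_action = {}              # suppress repeat alerts at the same level
    alerts = []
    for day, pharmacy, units in events:
        win = windows[pharmacy]
        win.append((day, units))
        totals[pharmacy] += units
        # Expire orders that have aged out of the look-back window.
        while win and win[0][0] <= day - WINDOW_DAYS:
            totals[pharmacy] -= win.popleft()[1]
        ratio = totals[pharmacy] / baseline_per_window
        decision = evaluate(ratio)
        if decision and last_action.get(pharmacy) != decision[0]:
            last_action[pharmacy] = decision[0]
            alerts.append((day, pharmacy, round(ratio, 1), *decision))
    return alerts

# Constructed sample data: PH-A orders like a typical store, PH-B spreads a
# large volume over many small daily orders.
BASELINE = 300  # assumed average units per pharmacy per 30-day window
SAMPLE = [(d, "PH-A", 100) for d in range(1, 91, 10)]
SAMPLE += [(d, "PH-B", 450) for d in range(1, 31)]
SAMPLE.sort()
# Every single order passes the per-transaction check on its own.
assert all(units <= PER_ORDER_LIMIT for _, _, units in SAMPLE)
ALERTS = detect(SAMPLE, BASELINE)
```

Only the aggregate view flags PH-B, escalating from watchlist to investigation as the window total climbs, while PH-A never triggers a rule.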