
How Gathering Requirements for Compliance Improves Supervision of Business Risks

Monitoring digital communications to mitigate compliance risks is a top priority for many organizations. This blog dives into the process Proofpoint uses to gather business requirements for compliance and supervision of employees’ digital communications, including emails, chats, social media, and other business messages. You’ll also learn how gathering requirements for compliance helps companies make more informed decisions about structuring or restructuring their supervision process.

I’ve met with many clients who either wanted to migrate their compliance systems from another vendor to Proofpoint or had never supervised compliance before and wanted to use our solution to meet their regulatory obligations. Most of my discussions have been with chief compliance officers (CCOs), compliance analysts or managers, IT professionals, and software engineers.

During requirement-gathering sessions, I ask clients questions about their current business structure and the keywords or phrases they’re trying to flag as potential compliance violations in their corporate communications. Through this process, many clients realize they’ve either missed some things in their supervision model, or they need to improve their review process by gaining access to more functions through an efficient, robust supervision solution.

Here are three main categories of compliance requirements that may help professionals determine whether they need to revisit how they supervise and monitor content:

1. Supervision hierarchy and structure—who monitors which messages and in what language

I ask CCOs how many users they need to monitor for compliance and if they’re grouped appropriately by department or role. Many CCOs have “aha!” moments when they realize they need to engage their IT or engineering teams to clean up the user groups and permissions.

Then, we talk about how many reviewers supervise each department. One chief financial officer I met with was pleasantly surprised to learn that creating review teams and assigning them to monitor employees for certain business risks, such as Financial Industry Regulatory Authority (FINRA) or Securities and Exchange Commission (SEC) regulations, tends to increase their compliance efficiency and streamline their review.

When it comes to analyzing how many compliance system administrators they currently have and what their functions are, many clients conclude that, by using Proofpoint Intelligent Supervision, their compliance staff can handle and configure significantly more settings and permissions, thus reducing the administrative burden on IT.

2. Language rules to monitor specific business risks—flagging rates to catch potential violations

In many years of engaging with clients from different industries, I’ve been exposed to specific regulatory and business risks that must be addressed through lexicon language rules. Employee communications are monitored based on keywords and phrases that people write in their internal and external messages. And very often, people don’t write grammatically correct communications. They use abbreviations, slang, metaphors, street language and casual terms—which must all be captured in the lexicon rules to trigger a potential violation flag.

During the requirements phase to configure their supervision tool, I ask clients specific questions related to these keywords and how often they’re maintained. In one instance, a client told me they hadn’t updated their lexicon in more than five years, and we discovered this directly contributed to a more than 50% increase in their false positives. The incorrectly flagged messages were clogging reviewer queues, creating extra work to clear.

Clients have been pleased when I’ve told them that Proofpoint has an extensive out-of-the-box rule library tailored for very specific business risks (such as those for FINRA-regulated firms). One CCO was ecstatic to learn that he could import some of these rules into his platform with a click of a button. He decided to enhance his outdated, short keyword list with Proofpoint rules that offer plenty of keyword context, giving him a very targeted supervision setup that significantly reduced his team’s false positives.

Flagging-rate statistics (true positive violations versus false positives) are critically important for compliance review teams because their compliance performance is driven not only by the volume of messages, but also by the accuracy of the lexicon rules. If the monitored language is too restrictive or too permissive, the review queues fall out of balance: either they create too much work, or they fail to flag enough potentially risky keywords or phrases that are out of compliance.
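To make the flagging-rate point concrete, here is an added example (not Proofpoint code; the rule format, the messages and their analyst labels are all constructed for illustration) that scores a bare keyword list against context-aware phrase rules over the same hand-labelled message set:

```python
import re

# Constructed sample messages with analyst ground truth (True = genuine violation).
MESSAGES = [
    ("Guaranteed 20% return on this fund, can't lose!", True),
    ("I guarantee the report will be on your desk by 5pm.", False),
    ("Let's keep this off the books and settle later", True),
    ("Reading a good book on the train this morning.", False),
    ("promise u this stock will moon, all in", True),
    ("Sure, I promise to call the client back tomorrow.", False),
]

# Rule form A: a short, bare keyword list (the outdated style described above).
KEYWORD_RULES = ["guarantee", "book", "promise"]

# Rule form B: hypothetical contextual rules. A rule fires only when an anchor term
# and a context term occur within WINDOW characters of each other. Slang and
# abbreviations ("moon", "all in") are covered as context terms.
WINDOW = 40
CONTEXT_RULES = [
    {"name": "guaranteed-returns", "anchor": r"guarantee\w*", "context": r"return|profit|lose|moon"},
    {"name": "off-books",          "anchor": r"books?",        "context": r"off the"},
    {"name": "promised-perf",      "anchor": r"promise\w*",    "context": r"stock|moon|all in"},
]

def keyword_hits(text, keywords):
    """Flag a message if any token starts with a listed keyword (no context)."""
    toks = re.findall(r"[a-z']+", text.lower())
    return [k for k in keywords if any(t.startswith(k) for t in toks)]

def context_hits(text, rules):
    """Flag a message only when anchor and context terms appear close together."""
    low = text.lower()
    fired = []
    for r in rules:
        anchors = [m.start() for m in re.finditer(r["anchor"], low)]
        contexts = [m.start() for m in re.finditer(r["context"], low)]
        if any(abs(a - c) <= WINDOW for a in anchors for c in contexts):
            fired.append(r["name"])
    return fired

def flagging_stats(messages, flagger):
    """Count true positives, false positives and missed violations for one rule set."""
    tp = fp = missed = 0
    for text, is_violation in messages:
        flagged = bool(flagger(text))
        tp += flagged and is_violation
        fp += flagged and not is_violation
        missed += (not flagged) and is_violation
    precision = tp / (tp + fp) if tp + fp else 0.0
    return {"tp": tp, "fp": fp, "missed": missed, "precision": round(precision, 2)}
```

On this constructed set the keyword list catches every violation but flags as many clean messages as real ones, while the contextual rules keep the same recall with no false positives, which is the queue-clogging effect the post describes.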

Supervision requirements are a true two-way discussion with clients regarding their lexicon needs. I discover their current state. Then, I demo what Proofpoint Intelligent Supervision lexicon rules look like and what violation trends these rules can uncover about compliance risks. Without the rules (which are based on words and phrases), the firms can’t uncover the violation trends.

Clients often understand immediately how powerful and targeted these rules are. And with a click of a button, they can import them into their own platform to monitor specific business risks. It gives me great satisfaction to hear feedback from my customers that their flagging rates have improved, and compliance supervision has become an easier job that also now makes much more sense!

3. Supervisory workflow and reporting—how compliance reviewers handle flagged messages

Compliance reviewers work their queues by taking actions on the messages flagged for potential violations. The requirements for the supervision workflow provide great insight into how review teams handle these messages—for example, whether they use an escalation path, how they close messages when violations are confirmed, how the message status changes after each review, and whether any documentation is required within the solution.

By asking the right questions while analyzing the message handling, compliance teams realize all the nuances in the workflow and better understand the reporting aspect of their supervision activities. One compliance manager shared her feedback on how smooth the compliance audits have become since her organization implemented Proofpoint Intelligent Supervision. She said the reports don’t seem confusing anymore, and they provide more clarity about messages changing status—from unreviewed to cleared, escalated, confirmed and closed, or deferred.

No matter how big or small our clients are, they all need to meet some type of regulatory requirements and mitigate their business risks. Proofpoint helps these firms implement best practices for compliance supervision right from the start, when we gather requirements and understand what the goals and challenges are. This is the point where clients realize they may need to improve their supervision process by using a solution that is user-friendly and easy to understand and configure, helping to improve reviewer workflows with enhanced transparency throughout the entire process.

Learn more about Professional Services offerings from Proofpoint, which can help you with gathering requirements for compliance, rule refinement and more.