Sterling Management Solutions Corp.
15 Roszel Road
Princeton, New Jersey 08540
April 18, 2003
Jonathan G. Katz
Office of the Secretary
Mail Stop 0609
United States Securities and Exchange Commission
450 Fifth Street, NW
Washington, DC 20549
Via E-Mail: Rulefirstname.lastname@example.org
Re: Comment to Proposed Rule File No. S7-03-03 - Compliance Programs of Investment Companies and Investment Advisers (IC-25925 and IA-2107, dated February 5, 2003) (the "Release")
Dear Mr. Katz:
The Commission has requested comment from the private sector relating to their possible roles in overseeing compliance by investment companies and investment advisers with the federal securities laws. Sterling Management Solutions Corp., a business intelligence and performance measurement analytics software and solutions company based in Princeton, New Jersey, is filing this letter to provide the Commission with specific background on its technology efforts in this area.
Disclosure and financial controls for regulated entities under the recent Sarbanes-Oxley Act and the new related rules adopted and proposed by the Securities and Exchange Commission have become a huge area of concern for those companies. Among other requirements, Chief Executive and Chief Financial Officers are required to certify their companies' financial statements in certain filings with the Commission. Such senior executive officers face real and substantial personal liabilities should such certifications prove unsupportable. A Chief Compliance Officer is proposed to oversee compliance efforts for investment companies and advisers and perhaps even certify compliance policies and procedures.
Sterling Management Solutions Corp.'s patent-pending PerformBI™ for Corporate Governance technology solution is intended to provide analytics and business process/workflow automation for disclosure and financial controls, and certifications. We believe that technology-enabled solutions will be required to ensure that adequate controls are maintained and that assessments of the effectiveness of such controls and the certification process are sufficiently informed. Without the implementation of such a corporate governance system, it is unclear to us how reliable the required certifications of controls over such complex activities (comprised of ongoing business and legal processes, financial data, and various corporate governance activities) will be.
The platform is designed to provide a command and control digital dashboard (on a business user's computer screen and via other delivery mechanisms, including wireless, phone and others) for the prevention, detection and correction of potential fraud and other non-compliant events. This solution is intended to implement and maintain control procedures and processes, and to monitor (using threshold and pattern-recognition detection technology) corporate financial, compliance and event performance measurements for "out-of-condition" occurrences.
When utilized in an overall company process reasonably designed to prevent securities law violations, this technology should assist efforts to effectively enhance corporate governance across an organization, contribute to a reduction in the risks to their business and shareholder value of securities law violations, and possibly even be seen to help personally-liable CEOs and CFOs reduce the risk of serious enforcement actions and other legal action against both their companies and themselves. It should also materially assist the audit committees of their boards of directors to be more effective in the execution of their duties by allowing further control of, and transparency into, a company's disclosure and internal control processes.
FOSTERING USE OF THIRD-PARTY CORPORATE GOVERNANCE AND COMPLIANCE
The Commission has indicated that the existence of legitimate third party mechanisms such as compliance audits and demonstrable evidence of adherence to reasonable compliance procedures could assist them in identifying companies that are pursuing best practices, reduce their need for oversight of such companies, and therefore presumably reduce the cost of both the Commission's and, eventually, those companies' efforts to prevent, detect, and correct securities law compliance violations.
Responding to this new regulatory environment has become a hotbed of activity for the private sector. The inherent difficulties and array of disparate business processes involved in managing the complex operations of large regulated entities lend themselves well to an integrated technology solution approach. There also could be significant economies of scale if corporate governance and compliance technology is widely available and easily usable across the much more numerous population of smaller funds and advisers.
To encourage the adoption of such systems, it is respectfully suggested that the Commission strongly consider some type of "safe harbor" treatment for investment advisers, investment companies, broker-dealers and public companies that implement and effectively utilize such systems or other compliance programs, or specifically allow for the use of soft dollar credits for compliance systems directly tied to investment decision-making processes under certain circumstances.
In other instances, the Commission has promulgated "safe harbors" for forward-looking information and private placements of securities, among other areas. The need to ensure effective securities and corporate governance compliance and controls appears to be of equal if not greater importance than the public policy issues underlying the adoption of those aforementioned safe harbors.
Additionally, the use of soft dollar credits could allow for more rapid implementation of these systems by certain regulated entities. These types of systems could be seen to be directly tied to the investment decision-making process in that the analytics can automatically monitor, detect and alert about, among other things, performance and compliance of the specific trading decisions themselves.
These types of systems would presumably lead to better-informed decisions about many investment decision related activities, including the choice of trading partners (including investment advisers, investment companies and broker-dealers) by allowing client investors, especially institutions, downstream to observe and understand which of their further upstream trading and execution entities are most compliant with the securities laws and the specific investment and other business rules set by that client. This type of transparency into the investing decision-making and compliance process should be encouraged and fostered by the Commission, which has numerous other rules fostering similar types of "transparency" of information to the investing public.
CORPORATE GOVERNANCE ANALYTICS AND BUSINESS PROCESS AUTOMATION
The sheer volume of financial and disclosure control reports now inundating the desks of certifying executives and the corresponding complex business processes necessary for the implementation and maintenance of "effective" disclosure and financial controls present the very real risk and danger of an "information overload" that would act to counteract the intent of the new rules, which is to foster more robust systems of corporate governance at regulated companies.
Software solutions are beginning to emerge that respond to the need for better management of corporate controls. Certain of these solutions, such as Sterling's PerformBI for Corporate Governance, can provide actionable industry-specific tracking and alerting analytics for disclosure and financial controls right on the desktop of a senior executive or compliance officer and integrate business process or workflow automation tools to allow technology-assisted management of those controls.
PerformBI for Corporate Governance now allows for the collection and automation of these processes into a centralized "digital dashboard." Senior officers and responsible employees can use this system to help them prevent, detect and correct deficiencies in a streamlined and efficient manner, thereby helping to mitigate the risks of managing both highly complex regulatory requirements and sophisticated business processes that depend on rapid response, remediation and disclosure.
This technology also can allow for the tracking of the effectiveness of these controls and of significant changes made to them, help spot deficiencies in the process, and otherwise help to ensure that controls, policies and procedures are in place and maintained in a manner reasonably designed to prevent violations of the federal securities laws.
The Sterling analytics platform monitors material changes in specified financial, corporate event performance and compliance measures, and quickly alerts senior corporate executives about possible violations, along with providing built-in workflow automation, communications, scheduling, CEO and CFO Sarbanes-Oxley certification support, code of ethics and control document management, participant education and awareness campaigns about corporate governance issues, and audit trail functionality.
Operational efficiencies, competitive advantage, and enhanced risk management will be some of the resulting benefits to companies using the PerformBI Corporate Governance solution. Investors and the financial markets in general, however, will be the ultimate beneficiaries of such a software system that helps to ensure the integrity of disclosure under the United States "disclosure-oriented" regulatory system.
DIGITAL DASHBOARD TECHNOLOGY
A "digital dashboard" for these solutions provides an intuitive workspace portal for command, control and communication via a standard web browser, giving the user centralized access to reports, alerts, documents, workflow automation and additional tools such as email, wire feeds, news services, video, and other information sources.
The PerformBI for Corporate Governance "dashboard" allows the user a great deal of freedom, while at the same time providing immediate desktop notification of potential financial and compliance violation conditions. Because of the intuitive design, very limited business user training is required. The dashboard allows for further investigation capabilities and ad hoc report generation designed for non-technical professionals, along with associated charting and graphics.
FRAUD AND COMPLIANCE ANALYTICS
Sterling's pre-built vertical-specific fraud and compliance analytics are perhaps the most important aspect of the solution. Detection and alert functionality, using threshold and pattern recognition technology, runs in the background to monitor rules-based compliance or process scenarios.
When a specified potential violation condition is detected, an alert is activated and communicated to the user. Alerts are triggered by performance indicators from financial and compliance information systems, and can also be triggered from a specific set of business rules or other outside factors.
This true analytics platform's slice and dice, drill-down, and ad-hoc capabilities can allow for immediate further investigation and analysis directly at the desktops of CEOs, CFOs, Chief Compliance Officers, audit committee members and other authorized parties.
Policies and procedures of investment companies include business continuity plans. An additional "dashboard" would be Sterling's Virtual Command Center™ (VCC) for business continuity and disaster recovery.
The VCC, and associated services, including security assessment and solutions, business impact analysis, and disaster recovery and business continuity services, allow managers and even appropriate customers to obtain company specific protocols, discrete instructions and guidance as well as industry specific, effective and timely solutions to the issues presented by business continuity or disaster recovery events.
Using web-enabled software, the VCC may contain, by way of example: incident tracking; logging and reporting; automated standard operating procedure checklists and plans; resource management (with full database functionality); central command and control; messaging and communications function with tracking; documentation of response actions; contact lists; internet, intranet/VPN and wireless; radio, cellular and satellite; appropriate member participation; automated journaling; access to plans and data; mapping; role-based staff management; linking capability to access internet sources for weather and event intelligence; executive briefings, and other features.
COMMUNICATIONS AND PERMISSION-BASED VIEWS
Communications with members of the team regarding required activities and compliance violation alert conditions are all provided within the dashboard. Automated follow-ups are sent should responses not be given within certain timeframes. Auditable trails of communications are stored automatically. Wireless access allows the business user to receive reports and alerts over cellular phones, Palm Pilots, Blackberry and other wireless devices.
Different views into such a system can be made available on a user by user basis, even allowing specific sets of data to be viewed by important other participants in the process, including members of the audit committee of the board of directors.
NEW TOOLS FOR A NEW ERA
Certain resistance to the utilization of such technology for command and control of securities disclosure business processes can be expected from those who believe that experienced judgment cannot be replaced by such tools and that such solutions may be too heavily relied upon in fulfilling responsibilities for oversight of disclosure activities. It is true that, in effectively implementing the use of such technology, there are definitely moral hazards to anything that could be viewed to be a substitute for good experience and independent judgment.
However, that argument still has some very significant problems. It is like telling a detective or intelligence analyst that better tools, such as DNA and fingerprint databank sharing across jurisdictions, pattern matching for similar modus operandi, or advanced data mining that spots possible criminal activity, should not be used because people will rely too heavily on them and ignore old-fashioned but still very effective gumshoe techniques.
It is an old axiom that the old techniques need to be retained and still can provide tremendous breakthroughs. Surely no one thinks, however, that detectives want to throw away the new tools just because they fear they will make them lazy and not exercise independent judgment.
The same response applies to financial and compliance professionals who use and make judgments every day about the data and reports coming to them from extremely complex financial systems, or auditors who utilize sampling techniques for auditing that are enabled and made more efficient by use of technology. No reasonable person would suggest that they not avail themselves of such tools and that they should only use former labor-intensive, technology-light efforts that could be incomplete and untimely. Even so, it is important to retain and rigorously continue to apply common sense and non-data sourced auditing and compliance practices in the utilization of such tools.
The ability of new computer solutions to collect, integrate and analyze data, which is now still being done at some companies by large numbers of business analysts armed with spreadsheets, is not to be underestimated. The savings in cost and time spent could be tremendous, both for regulated entities and regulatory authorities.
PerformBI for Corporate Governance is providing an answer to what regulated companies are required to achieve: earlier and more timely discovery of potential disclosure issues and financial problems. This technology can help to nip those issues in the bud and could even help provide strong evidence of such controls to regulators.
Many top broker-dealers and other financial services companies are already using analytics to monitor performance and compliance, and regulated companies are beginning to use technology solutions for Sarbanes-Oxley. Auditing and law firms should also understand these new tools and the need of their clients' business executives to not ignore the power of these tools to institute much better controls over their corporate governance activities.
These technologies provide a further path down the road to the necessary automation of certain business and legal processes, giving the human business users much of the critical information they need for informed and value-added judgments in one central location and in a manageable and usable form. A company, its senior officers and compliance professionals can even be given alternatives as to what logical steps they should take next, given the structures of their programs and policies.
"Detection," "monitoring" and "real-time" are words now being used by the Commission and other participants in the financial markets. It could well be said that regulated companies have no choice but to automate disclosure controls, unless they want to continue to risk shareholder value, lawsuits, enforcement actions and worse by keeping in place a process that has built-in unacceptable risks created by an unwieldy structure that manually looks across multiple disparate processes and systems with widely differing platforms and levels of automation.
As a nation, we must all be smarter about our detection and monitoring of activities relating to the securities markets and regulated companies, including issues relating to non-compliance and outright fraud. There are intrinsic problems when a complex regulated business relies exclusively on other human members of a disclosure team, with the necessarily segmented and possibly biased, although sometimes brilliant, views they bring to the table.
The effective implementation of a technology-enabled corporate governance analytics system captures a tremendous amount of the experiential scenarios of members of the disclosure team by memorializing those scenarios in business rules and patterns to automate the detection of violations of those scenarios. That aspect of an analytics deployment is an indispensable part of the process of creating an effective industry-specific analytics solution, as is keeping participants accountable and communicating their disclosure control comments in an active and auditable manner.
The complex business processes and technology systems of businesses today clearly do not have enough transparency, even to the senior executives managing them. PerformBI for Corporate Governance can confront that complexity and provide a much more efficient way of managing the ever-expanding universe of potentially material information, leading to better quality disclosure to the investing public.
Robert N. Sobol
Chief Operating Officer
Sterling Management Solutions Corp.
15 Roszel Road
Princeton, New Jersey 08540
1-609-452-9300 (ext - 109)