The first meeting and founding ideas behind the UCF

The first meeting and founding ideas behind the UCF

Undoubtedly you’ve been to our homepage or our “Our Story” page and have wondered a bit more about it. Here’s the longer version of the story.

In the spring of 2004, Dorian Cougias, co-founder of Unified Compliance, sat in a Miami conference room as blue-chip CIOs cited eerily similar complaints about the crushing mass of compliance mandates they had to address.

Globalization, regulation, and increasing business complexity made their compliance challenges a nightmare. Sarbanes-Oxley was a new law. HIPAA was coming. It seemed like new laws and requirements were popping up every day. The process was manual, and the risk of error was enormous. Project silos. Duplication. Skyrocketing costs. Uncertain results. Like an overtaxed transit system, each route traveled from A to B, but the network was hugely inefficient.

Dorian and his peers in the conference room were united by a common vision: their paramount goal was to enhance their businesses through robust compliance practices. While the prospect of failing an audit or security check was a concern, it was not their chief worry. Rather, the crux of their unease lay in the laborious task of manually assembling the myriad components of each regulation and standard. They understood that manual compilation not only was a painstaking exercise in detail orientation but also carried the inherent risk of human error. In their quest for precision and efficiency, they recognized that the true obstacle was the manual process itself—a process begging for automation to ensure comprehensive and error-free compliance management. This leads to our first predicate (ideas we are based on):

Predicate # 1

Our first predicate is that our general “markets” are those who believe the same things we do.

• efficiency is king – compliance requirements can and should be aligned and harmonized leveraging Euclid’s first notion¹; and
• compliance done well strengthens the organization; and
• human error is a risk to highly complex processes such as interpreting and mapping regulatory content.

The challenge

Why, Dorian asked, should companies waste time and money starting from scratch each time a new regulation is introduced? Why should each regulation be handled separately when it had been addressed in a previous requirement?

Alignment and harmonization are the linchpins in the intricate machinery of compliance management. Imagine the potential if we could distill the essence of various compliance mandates to unveil their commonalities. Such clarity would empower us to optimize existing processes and controls, seamlessly integrating them to address new mandates. This strategic approach would not only streamline the daunting tasks of scoping, defining, and maintaining compliance but also result in substantial savings of time and resources. In the multifaceted realm of compliance, the ability to synchronize disparate processes to satisfy multiple directives simultaneously would mark a paradigm shift — a truly transformative leap towards simplifying the intricate dance of compliance.

Compliance Meets Courtroom

The idea of “harmonized compliance” wasn’t new. A few attempts were made to harmonize compliance controls, but none solved the two biggest challenges: making harmonized audits legally defensible and maintaining the control lists as new requirements became law. Even the rough minimum definition of a compliance framework was new².

When exploring how to address these challenges, Dorian sought out Marcelo Halpern, a partner at Latham and Watkins (now a partner at Perkins Coie), as a legal resource. Together, they examined other compliance frameworks and discovered that very specific controls were combined with more general controls. This made it next to impossible to identify specific requirements for different subsets of mandates from the original laws and standards. To complicate things even further, as each new Authority Document was added, the controls became even less accurate and more difficult to maintain.

At that time, the definition of what was and wasn’t a framework for aligning or harmonizing compliance was pretty rough. After much research, Dorian and Marcelo theorized that the only way to ensure a legally defensible compliance process was to create a Unified Compliance Framework with a maintainable set of harmonized controls based 100% on compliance mandates.

Predicate # 2

Complexity and human error combined mean that this has to be done by a combination of computers and people. Dorian and Marcelo also learned a few other things along the way that they brought to the table:

1. What organizations must comply with was a bit more complex than what they started out thinking. A definition and hierarchy of what needed to be complied with had to be written.

2. Working with Word files, PDFs, and spreadsheets wasn’t going to cut it. They’d have to analyze the content of each, irrespective of the format. This meant stripping the content out of the document.

3. Each step of the process for aligning and harmonizing mandates needed to be trackable and auditable. If documents were going to be taken from a source and broken down into their content, that chain of custody had to be tracked in an auditable fashion.

4. People are too error-prone to go it alone (see predicate 1), and answers from a computer’s black box won’t cut it in the courtroom. Therefore, humans and computers will need to work together to create an auditable system for alignment and harmonization of compliance content.

Testing the Hypothesis

In science, a hypothesis predicts an outcome. If the hypothesis holds up to testing, it is repeatable. In testing their hypothesis, Dorian and Marcelo followed a rigorous scientific methodology to determine what rules must be in place to create and maintain a legally defensible, unified framework for all the mandates from any Authority Document.

Over the next 6 months, Dorian and Marcelo discovered 270 separate rules for creating the framework, including roles for subject experts, lawyers, and glossarists. They researched, measured, and tested each rule until it could be proven to support this new compliance framework.

When the scientific method was applied and the methodology determined, Marcelo and Dorian created the Unified Compliance Framework^® (UCF) and released it in 2005 with an initial 60 Authority Documents mapped in.

References

“Euclid’s Elements, Common Notions.” Accessed April 25, 2024. http://aleph0.clarku.edu/~djoyce/elements/bookI/cn.html.

“The Minimum Definition of a Compliance Framework,” April 29, 2024. https://www.unifiedcompliance.com/uc-blog/the-minimum-definition-of-a-compliance-framework.