The other day I had the good fortune to moderate a webinar on data analytics in the compliance function. Considering the pressure corporate compliance programs are now under to develop strong analytics capability, let’s review some of the main points and themes that emerged from the discussion.
For starters, compliance officers should take another look at precisely what the Justice Department says about compliance programs and data analytics — because contrary to popular belief, formal guidance from the department doesn’t mention data analytics. For example, the guidelines for effective compliance programs don’t mention it. Neither does the FCPA Resource Guide, nor the U.S. Sentencing Guidelines.
Instead, we have Justice Department officials talking about the importance of data analytics. For example, in a speech that assistant attorney general Kenneth Polite delivered last year, he said: “Just as we [at the Justice Department] use data analytics to detect and combat criminal schemes, we urge corporations to consider what data analytic tools they can use to monitor compliance with laws and policies within their operations and to ferret out wrongdoing when it occurs.”
Consider tools! Monitor compliance! Ferret out wrongdoing where it occurs! That’s what compliance officers hear, and we absolutely should take Polite’s words seriously — but pithy phrases are not a roadmap that compliance officers can follow. We’re still largely left to figure out for ourselves what a data analytics program should be able to do.
And why do I dwell on that somewhat obvious point so much? Because it means that compliance officers need to develop strong use cases, so you can convince senior management to invest in the technology you need and convince leaders in the First and Second lines of defense to go along with your data analytics ideas. You need to think clearly about the data you need, and creatively about how to obtain it and put it to good use.
So back to our webinar the other day. What did the speakers and attendees have to say about all that?
Start With Risks, Then Go to Data
One point they all made was that whatever data analytics program you want to build, worry about building it only after you’ve done a thorough risk assessment and understand what your risks are. Then reverse-engineer the metrics that would keep you informed about that risk, and the data that you’d need to collect to keep that key risk metric current, complete, and accurate.
This is where creative thinking about your risks can enter the picture. For example, all compliance officers worry about third parties, and specifically you worry about third parties that are acting as agents on your behalf in high-risk markets. In the ideal world you can catalog all those third parties working as agents in high-risk markets, and hooray to those compliance officers whose onboarding programs can do that; but here in the real world, you might mis-categorize what the third party does or in which markets it provides services.
You could address that problem by looking at it from a different angle — say, by looking for all third parties that are paid by commission, because pretty much by definition any third party paid by commission is acting as an agent. Then you can implement a rule that all agents are high enough risk that they need close monitoring.
So rather than sift through data from procurement or sales teams that may or may not collect all the third-party data you want, you can attack through the accounting team and its data about payments going out the door. You still end up getting better insight about your risk from third-party agents, which is what you want.
Of course, to make all this work, compliance officers do need strong relationships with the IT department and all the operating units at your company sitting on all that data. That actually is mentioned in the Justice Department’s guidelines for effective compliance programs: “Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?”
In other words, the department isn’t too hung up on exactly what data you analyze, or how you analyze it; the department wants to see that the compliance team can get the data it needs. Which only happens when senior management supports a strong, robust compliance function, and the rest of the enterprise follows suit.
Ain’t it funny how we keep coming back to that point.
Other Analytics Observations
We had plenty of other great insights, too. In no particular order…
Data analytics and policy management go hand in hand, because analytics lets you understand why employees might be violating a policy. As one attendee put it: “If one or two people violate a policy, you have a people problem. If lots of folks are violating the policy, you have a policy problem.”
That’s exactly right. Without strong analytics capability, you’re really just relying on gut instinct and anecdotal evidence to figure out which policies work as intended and which ones are problematic. That approach strikes me as exactly what the Justice Department does not want to see.
Get all your anti-fraud efforts aligned. One attendee called anti-fraud and financial crime compliance a cat-and-mouse game that never really ends. Compliance and anti-fraud specialists therefore need to ensure that their efforts all work in alignment. The attendee even offered a checklist!
- Are you identifying your inherent and residual risks?
- Are you aligning your data to these risks?
- Are you aligning the controls to data?
- Are you aligning your analytics strategy to these risks and controls?
- Do you have a meta-analytics strategy, to combine disparate forms of data?
- Have you developed a feedback mechanism, where the results of your investigation and due diligence feed back to your risk assessment, controls environment and analytics strategy?
Yes, you can start small. We had quite a few questions and a good deal of discussion about how compliance officers can get started with data analytics, especially if you lack sophisticated technology or analytics personnel.
First, compliance officers can overcome those obstacles. For example, perhaps you could borrow a data analyst from internal audit or a business analytics team elsewhere in the enterprise. Plus, at the risk of blaspheming — Excel spreadsheets do have a fair bit of analytics and visualization capabilities. You can start with spreadsheets, even while best practices say we should hate them.
More broadly, however, go back to that checklist we just mentioned; or to our first section about starting with your risks and then working backwards to metrics and data. One speaker on the webinar said the real goal is to develop a “full ecosystem” to manage risk, which is what those earlier passages describe — but those full ecosystems don’t need to address all your risks.
So long as you start with your biggest risk, develop a full ecosystem to manage and improve that issue, and then move on to the next risk, you’re going down the right path. And that is what the Justice Department wants to see.