Concerns Over Access to Data
Today let’s return to the Justice Department’s newly revised guidance for effective corporate compliance programs. Specifically, let’s give a close analysis of what those updates say about compliance officers’ access to data and IT systems.
For starters we should appreciate why access to data is such an important issue for the Justice Department at all. One big clue is where within the guidance the department puts its questions about access to data: under the broader question of whether your compliance program is empowered to function effectively.
Well, the compliance function can’t function effectively if it doesn’t know what’s going on across the rest of the enterprise. To understand what’s going on, you need information. The information you receive is data.
Some of that data, the compliance department can generate itself. For example, most compliance teams have access to data about whistleblower hotlines or ethics training by default, because you’re responsible for those systems.
Most other data you need, however, must come from other departments managing other functions. So senior management either orders those other departments to share their data with you, or invests in IT systems that give you visibility into that data. Either way, compliance teams depend on others for the data they need.
Now consider the Justice Department’s perspective on all this. Its guidelines are meant to help prosecutors understand whether your company has an effective compliance program at the time the misconduct issue reaches resolution. Prosecutors want to know whether:
(a) Your compliance program is now sophisticated enough to intercept future offenses; and
(b) Senior management truly supports a strong culture of ethics and compliance.
Understanding the compliance program’s access to data informs prosecutors on both of those goals. Hence it has become such a strong priority for the Justice Department — from the first time officials voiced concerns about access to data years ago, to a dedicated section in compliance program guidance today.
It’s a point worth emphasizing to the board and senior management when they ask why you want more investment in data access and IT.
Questions About Obstacles to Data
The Justice Department guidelines ask a total of six questions in their section about data resources and access. We can take those questions two at a time, starting with the following.
- Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?
- Do any impediments exist that limit or delay access to relevant sources of data; and, if so, what is the company doing to address the impediments?
One good way for us to analyze these questions is to assume the answer is no, and then think through possible scenarios for why the answer is no.
For example, say the compliance and control personnel don’t have sufficient access to relevant data sources. That might happen due to structural reasons: the company’s IT systems just aren’t designed for easy sharing of data. Perhaps the company has been cobbled together through numerous acquisitions, and is still laboring under legacy ERP software that can’t easily send data across multiple operating units. Maybe the company lacks a strong, centralized IT function that could push through changes to bring all that data into a central location or provide you, the compliance team, with some tool to peer into those silos of data scattered across the enterprise.
It’s also possible that your company has cultural or personnel obstacles that thwart your access to data, where people refuse to share the data they have. That situation could arise from a highly decentralized operation where local units manage their own IT, and local compliance teams report to local legal chiefs. The impediment there could be senior management uninterested in building an empowered compliance function (and we all know how that would look to a bunch of skeptical prosecutors).
Questions About Resources
The next two questions in the guidance probe whether the compliance team has the right tools to access data and put that information to work.
- Do compliance personnel have knowledge of and means to access all relevant data sources in a reasonably timely manner?
- Is the company appropriately leveraging data analytics tools to create efficiencies in compliance operations and measure the effectiveness of components of compliance programs?
These questions seem quite technology-oriented. For example, when we talk about “means to access all relevant data sources” — that should be a technology answer. You should be able to point to an application on your desktop and tell prosecutors, “This is how we pull data from the rest of the enterprise.”
My fear, however, is that too many compliance officers (especially at smaller companies) will still be pointing at Excel or Outlook logos. Those are not reliable tools to extract the data you need. Modern companies should have stronger, dedicated GRC tools — ones that can integrate with other enterprise applications seamlessly — to marshal the data you need to assess the effectiveness of your compliance efforts.
I’m also intrigued by the next question, asking whether the company is “appropriately leveraging data analytics tools,” because that could hinge on both technology and personnel that your company may or may not have. For example, if you’re a large company, do you have sufficient data analytics expertise on staff? If that expertise isn’t within the compliance team itself, where is it? Can you depend on an internal audit function or business intelligence team to help you with compliance analytics projects?
I’m actually less worried about technology for good data analytics, because (heresy alert) even Excel can do some pretty slick analytics if you know how to use it; and more sophisticated tools are fantastic. The real challenge here is whether the compliance team knows what it wants to analyze, and can then tap the right personnel to do that analysis.
Questions on Data Maintenance
Last are two questions about data quality and maintenance:
- How is the company managing the quality of its data sources?
- How is the company measuring the accuracy, precision, or recall of any data analytics models it is using?
I love these questions because they touch on such an important issue. Namely, it’s no longer enough to assure that your IT systems work, and are designed so that they tap into all the data you need. You need assurance over the data itself, since that’s the fuel that keeps your operations and decision-making processes running.
For example, lots of the data you need to perform effective third-party due diligence doesn’t come from your own enterprise; it comes from a vendor. How do you know that data is trustworthy? What service-level agreements are you baking into your contracts with those vendors, to give you the assurance you need?
Other data might be open-source information that your team finds online, such as court records or media headlines. What controls have you put in place to govern the quality of those efforts? (All the more important in our modern era of misinformation everywhere.)
That second question about accuracy and precision of data analytics models will become more urgent too, since artificial intelligence is soon going to run those models for you. We’ve written before about the importance of data validation before an AI starts doing its thing, and audits of AI-driven results after the algorithm crunches its numbers. Especially as AI becomes smarter and more dynamic in its analysis, an ability to assess the trustworthiness of those systems will be crucial (whether that’s your team, an internal audit team, outside specialists, or whatever).
That’s enough for today, but clearly, paying attention to data issues is going to be much more important for compliance program success. CCOs will need to emphasize that point to senior management, and start planning for your brave new world ASAP.