The June 2020 update to the U.S. Department of Justice (DOJ) Evaluation of Corporate Compliance Programs guidance (2020 Guidance) emphasized that corporate compliance programs must be updated to be capable of delivering actionable risk insights on an ongoing basis. The 2020 Guidance specifically notes that companies should focus their resources on high-risk transactions.
“Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction.” U.S. Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs (Updated June 2020)
Continuous compliance monitoring that risk scores financial transactions, such as invoices, credit notes, and travel and expense reimbursements, is an essential part of an effective compliance program. However, traditional methods of risk scoring are incomplete if they do not include a mechanism to weight transactions and aggregate the scores based on those weights. A scoring formula that is too rigid may lead to false positives, false negatives, and inaccurate overall scores. A consistent approach also allows an organization to review all transactions rather than focusing only on certain discrete countries, businesses, or general ledger accounts. Focusing only where one expects to see risk may miss non-compliance where an employee has evaded oversight, for example, by using generic general ledger accounts (e.g., Other or Miscellaneous).
For example, the highest-risk vendor in a customs broker category might be in the middle of your spend distribution and may be in an otherwise low-risk country. However, suppose the broker's invoice payments are frequently expedited, paid to an offshore bank account, always in round values, and the vendor’s address matches an employee's home address. The aggregation of these multiple risk factors makes it even more likely that this invoice is high-risk than an invoice that has only one of these risk factors. Traditional scoring methods, however, don’t include multi-dimensional risk analysis using multiple data sets.
Aggregated risk scoring is fueled by various analyses, including behavioral, statistical, and policy-based analyses, to ensure each transaction is scored through multiple discrete risk lenses. Since the risk score is calculated at an aggregated level across multiple analytics, compliance professionals can prioritize transactions for review based on the company's risk profile. A program capable of automatically aggregating risk scores quickly detects suspicious transactions that may otherwise go undetected for long periods of time. As a result, compliance experts can focus attention and resources on the highest-risk transactions. If the expert also has access to the full context of the transaction and its risk results, they can assess the risk of a transaction more holistically.
Aggregated risk scoring enables organizations to detect high-risk transactions, prevent further violations, and meet regulator expectations while avoiding fines and reputational damage. Compliance programs also benefit from continuous improvement as companies use their findings to adjust further monitoring, internal controls, policies, and training, reinforcing a culture of compliance across the business.