In June 2020, the United States Department of Justice (DOJ) updated its guidance surrounding the Evaluation of Corporate Compliance Programs. The guidance signaled a more aggressive enforcement of regulations, putting an ever greater onus on organizations to ensure their compliance programs are effective and fit for purpose.
Better use of data, through the utilization of data analytics, is one way in which your organization can address these more stringent expectations. In this article we take a look at how data fits within the principles set by the DOJ in evaluating corporate compliance programs, and various ways in which data can be used by organizations to bring their compliance programs up to best practice.
DOJ Compliance Principles
There are three fundamental questions asked by the DOJ when approaching the evaluation of corporate compliance programs. Data has a role to play in all three.
1. Is the corporation’s compliance program well designed?
The base point of any successful compliance program is its design. By first understanding how best to structure your program, you can be sure that it is serving your company in the best way possible.
Designing data into your compliance program from the ground up is a good place to start. Continuously monitoring transactional data and key metrics using real-time data is a step change from the traditional approach that may be overly reliant on “tick the box” controls, high-level metrics and subjective decision-making.
Incorporating data shows the organizational commitment to evidence-based risk analysis and a proactive approach to detecting wrongdoing that is expected by the DOJ. That’s because it provides insight into the risks the organization faces in reality, rather than in theory.
Critically, it enables risk professionals to have real, meaningful information at their fingertips to help them learn about their organization, investigate specific issues or generally identify unusual trends and patterns from their data. Those insights are critical to ensuring that the compliance program can be designed in the most targeted way to reflect the true risks your organization faces.
The DOJ expects compliance programs to root out problems and effect changes. A well-designed compliance program will also consider how it presents findings to stakeholders to make decisions about necessary changes. Evidence-based recommendations founded in credible data, and visualized to bring context and clarity to the data, makes this job easier.
2. Is the program being applied earnestly and in good faith?
Once your compliance program has been fully designed, the next step is to test its application.
Decisions about where to focus a program’s efforts can be negatively influenced by a range of subjective issues. These might include limited understanding of potential risks due to a lack of experience, poor judgement, errors, inexperience or even wilful intent.
Using data therefore brings a level of objectivity to your compliance efforts. For example, compliance leadership likely will have a much more objective and holistic view of third-party spend risk if data analytics are applied to every third party payment globally than if data is only provided from a handful of sample-based audits and hotline reports.
Investing in good data practices and automation cuts down on manual and inefficient processes, while allowing you to have broader risk coverage and controls. It frees up risk and compliance professionals to spend more of their time interpreting the data analytics and focus on high-value activity. And, by utilizing data to inform decisions about investment and resource deployment, and then using data to validate those decisions, organizations can demonstrate their compliance program is dynamic and evolving - and more than a box-ticking exercise.
3. Does the corporation’s compliance program work in practice?
Finally, you’ll need to evaluate the performance of your compliance program as it’s put into practice within your organization. The DOJ guidance makes clear that it is the effectiveness of a compliance program that is important, not simply its existence or its complexity.
For example, statistics demonstrating that your workforce has completed their training obligations shows that a process is working, but provides little insight into outcomes - whether employees are actually behaving ethically. Reports to your whistleblowing hotlines can tell you where employees have been brave enough to report failures of your process, but may not provide a full picture of all your risks and may not have not been provided in a timely manner.
A truly data-driven approach makes it possible to track and measure more meaningful risk information. One example of this might be measuring the risk profile of every transaction based on predefined risk analyses, which have the risk perspective of your organization and its particular issues, circumstances and norms. These types of metrics can be a more effective way to help you measure the true incidence of non-compliance within your organization.
Best practice uses of data to comply with DOJ recommendations
The use of data to assess and improve the effectiveness of your program is explicitly highlighted in the DOJ guidance. The DOJ and SEC have also signposted that the way in which data has been utilized will be considered in judging your commitment to regulatory compliance should an investigation occur.
There are numerous ways in which you could leverage the power of data in a compliance program - here are five examples:
Conducting risk assessments
The DOJ recommends that compliance risk assessments be based upon continuous access to operational data and information across functions, rather than on periodic access that only encapsulates a singular time period. An investment in data analytics enables this by giving you access to key information in real-time and around the clock when assessing and identifying risk.
Where sporadic analysis of company operations was once sufficient, continuous observation and reporting is now completely possible. Risk professionals can analyze automatically-generated data through transactional risk scoring or visualize data by country, third party, expense type or account. This provides a broader and more holistic lens through which risk assessments can be conducted - and follow-ups targeted accordingly.
Evaluating newly acquired entities
As part of a post-acquisition due diligence process, risk analytics that utilize data insights can help teams conduct a rapid, targeted analysis of any problematic transactions, third parties or conflicts of interest.
While cultural and organizational issues may take a while to emerge, the use of objective, transactional data provides a solid foundation for understanding the risks associated with the new entity. Automated technology that analyzes, visualizes and provides ongoing metrics against this data can then provide powerful ongoing controls and transparency into an acquired entity while longer-term enterprise systems, process and people integration is underway.
Performing continuous transaction monitoring
Long-term data analytics should be employed to create a direct and accessible channel into your company’s transactional data. Using data analytics, targeted to expose real indicators of risk and curated to the risk profile of your enterprise, to monitor company spend and revenue over a continuous period of time will make it easier to pinpoint any areas susceptible to fraud and corruption. You can also monitor for other risks, such as sanctions compliance and conflicts of interest.
This gives your company the knowledge to move away from an over-reliance on policies,procedures, training, hotline reporting, risk assessment questionnaires and periodic and sample-based auditing, to supplementing those efforts with holistic and real-time testing with advanced analytics.
Managing third-party risks
Does your company limit third-party risk management to the onboarding process? The updated DOJ guidelines advise you to use your data to engage in risk management of third parties throughout the lifespan of the working relationship, even after onboarding.
Ongoing data collection and analysis will enable your company to flag anomalous transactions or payment attributes in third-party spend data that emerge after due diligence, and that may not match up to the initial risk assessment. Information from the onboarding diligence process can then be fed into the transaction monitoring process (see above) and renewals relating to the third party to provide a virtuous cycle of risk analysis across the third party’s entire lifecycle.
This can deliver a more accurate overall risk picture for your third parties to inform your relationship with them.
Regularly reviewing your compliance program
An effective compliance program is one that is regularly reviewed, adapted and improved in light of new data and new tools. Ongoing monitoring based on objective data can identify areas of potential program improvement more rapidly than short-term evaluations and assessments.
Not only does this save you time, but it enables you to incorporate any findings into your analytics model. This will help prevent future occurrences and improve the overall health and effectiveness of your compliance program, while also keeping it in line with regulatory expectations.
If you are concerned about helping your organization to fit this mold, or require assistance in taking your first few steps towards implementing a data-driven compliance program, please don’t hesitate to get in touch with the Lextegrity team.
Reach out to request a demo to discover how we can help.