Ethics and compliance programs face a rapidly approaching crossroads. Technology and data have created significant pressure on CCOs to harness innovation.  This is a major opportunity for improvement but it also creates real risks.  Chief compliance officers have to carefully tailor the transition to automated platforms and building of data management capabilities.

The key to this effort is focus and simplicity.  When CCOs overthink, they complicate and fall victim to lack of focus and efficiency.  An automated platform for third-party risk, policy management, conflict of interest or training provides important efficiencies that require decisions as to risk management. 

Third-party risk involves categorization of third-party relationships, general definitions that capture specific types of risks (e.g. interaction with foreign officials and existence of foreign government ownership).  Within this process, lines are drawn as to high, medium, low or other levels of risk.

Policy management requires important decisions as to scope of policy coverage, identification of stakeholders, timing for policy reviews and updates, and dissemination of policy changes.  Each of these activities entails line-drawing.

A CCO who overcomplicates this process, by definition, will discourage business-buy-in and ownership. A system built on simplicity and ease of use will attract business users who want the benefit of compliance but without all the hassles that a complicated system creates.

Over the last ten years, we have witnessed a massive increase in compliance generated data.  Computer processing speeds and capabilities have driven the ability of CCOs now to collect, store and analyze large amounts of data in order to monitor, test and revise a CCO’s compliance program. 

For years, CCOs struggled to secure data – now, the challenge is to manage vast amounts of data, separate the wheat from the chaff, and then focus on real-time measurement.  Data is not valuable just for data’s sake.  Data has to be carefully culled, organized and analyzed.  CCOs need help with this process and should include IT professionals in the organization.  This new, working partnership is critical.  At each step, the partners have to ensure that a data source is selected for the right reasons, provides a valuable measurement, and can be easily used by CCOs to build a real-time monitoring system.

Organizations can collect data on number and/or types of third-parties by country, revenue generated by each third-party and level of risk (e.g. high, medium or low) to ascertain trends in third-party population.  Within this framework, CCOs can develop monitoring programs on trends in financial activity, along with traditional measures of compliance functions (e.g. training programs). If an unusual trend or set of transactions occur, the third-party could be flagged for follow-up, including discussions with internal business partner and potential inquiries with the third party as to recent activities. Before putting together a data protocol for third-party monitoring, CCOs have to carefully consider the measures that are important to the CCO, data collection and update timing, and procedures for review, analysis and action steps based on the data trends.

CCOs have to work slowly but efficiently when it comes to implementing data management and analysis systems.  A CCO who takes his/her time to build capabilities keyed to risk priorities may not “win the race” but will have a more, efficient, durable system that is justified by a clear rationale.