Compliance Program Monitoring: Leveraging Data and Analytics (Part III of IV)
Chief compliance officers are visionaries. They define a vision with multiple objectives and then they execute on that vision. At all times, CCOs have to maintain that vision and adjust as circumstances change. By definition, CCOs who have a line-of-sight across the organization must define their role and objectives through this holistic vision. Frankly, in the absence of such a vision, CCOs will lose their focus and tend to fall into the minutiae of compliance — given the size, scope and breadth of a compliance program, it is easy for a CCO to lose perspective.
Over the last five to ten years, CCOs have embraced a new and valuable tool that is critical to their vision and responsibilities — the use of data and analytics. This may be the most important change to hit the compliance profession in the last decade.
The challenge for CCOs is to determine how much to embrace, how much to use and how best to leverage this data to increase the efficiency and effectiveness of their compliance program. CCOs should avoid use of data for data’s sake — in other words, CCOs have to carefully select data, define how they use it, and then make sure they are doing so efficiently. If a CCO attends to this tool carefully, they can make significant gains in their compliance program, particularly in the continuous monitoring of their compliance program.
There are four important principles and steps that need to be applied:
- Determine the specific information and categories of data to review;
- Establish measurements for each category or type of data;
- Collect, review and assess the data (while identifying trends); and
- Evaluate the data, measurements and trends to determine a response.
Selecting the data to review is directly tied to the sources and types of data that can be generated internally (or by an external automated compliance function). There are a variety of automated sources of data generated internally, including: (1) third-party onboarding and monitoring; (2) financial transactions and controls (e.g. tenders, discounts, rebates); (3) transaction monitoring or sampling for anomalies; (4) testing for compliance with internal controls (financial and compliance controls); (5) training; (6) internal investigation performance and timeliness; and (7) gifts, meals and entertainment.
Automation and analytics provide an important opportunity for CCOs to design and implement a risk-based approach to monitoring functions. When a company is able to collect data from automated sources, a CCO can establish rules that may flag abnormalities, require internal approvals for certain transactions, review patterns of activity and generate red flags in response to certain trends, and create a well-defined picture of business activities as part of the updating and evaluation of a company’s risk profile.
On this topic, DOJ has specifically raised the importance of conducting “control testing,” i.e. whether the company has conducted testing of relevant controls, collected and analyzed compliance data and interviewed employees and third parties on occasion to monitor performance. In this respect, companies have to develop procedures to track these testing operations and report to key senior managers and even the board on overall performance.
To assess compliance with a control (or set of controls), a CCO has to review the relevant policies and procedures to identify specific controls that can be measured. This requires “control mapping” (or just plain common sense). A control can be broken into several elements — for example, approval forms, signatures, documentation (internal memos, screening documentation), receipts, contracts, fair market valuations, import-export licenses or approvals, and many more.
Two good examples are the third-party onboarding process and compliance with the applicable requirements for approval and reimbursement of gifts, meals and entertainment expenses. Each of these functions can be broken into specific step-by-step compliance requirements, including review, approval and documentation. In reviewing these functions, a CCO has to examine the data generated by the relevant automated system and then select the categories of information to monitor on an ongoing basis. If a deeper-dive audit or sample has to be conducted, it should be keyed to data trends and anomalies. At each step, a compliance review has to document the entire process, from beginning to end.
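The rule-based flagging described above (per-record approval and documentation checks, plus pattern rules over the automated feed) can be made concrete against a gifts, meals and entertainment export. The following is an added illustration, not code from the original article or from any particular vendor: the thresholds, field names and sample records are all assumptions constructed for the example, and a real program would take its limits from its own policy.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Hypothetical control thresholds, assumed for this example; a real program
# takes them from its own gifts, meals and entertainment policy.
APPROVAL_THRESHOLD = 100.0      # a single expense above this needs pre-approval
AGGREGATE_THRESHOLD = 250.0     # total to one recipient inside the window needs review
AGGREGATE_WINDOW_DAYS = 30


@dataclass
class Expense:
    """One record as an automated expense system might export it (constructed)."""
    expense_id: str
    employee: str
    recipient: str
    recipient_is_official: bool   # government official or state-owned entity
    amount: float
    spent_on: date
    approved_by: Optional[str]    # None when no approval is on file
    receipt_attached: bool


def check_expense(e: Expense) -> List[str]:
    """Per-record control elements: approval and documentation."""
    flags = []
    if e.amount > APPROVAL_THRESHOLD and not e.approved_by:
        flags.append("missing_preapproval")
    if e.recipient_is_official and not e.approved_by:
        flags.append("official_without_compliance_approval")
    if not e.receipt_attached:
        flags.append("missing_receipt")
    return flags


def check_patterns(expenses: List[Expense]) -> Dict[str, List[str]]:
    """Pattern rule: spend to one recipient that stays under the single-expense
    threshold on every record but exceeds the aggregate threshold within a
    rolling window. Record-level checks alone never see this."""
    flags: Dict[str, List[str]] = defaultdict(list)
    by_recipient: Dict[str, List[Expense]] = defaultdict(list)
    for e in expenses:
        by_recipient[e.recipient].append(e)
    for items in by_recipient.values():
        items.sort(key=lambda x: x.spent_on)
        for i, anchor in enumerate(items):
            window_end = anchor.spent_on + timedelta(days=AGGREGATE_WINDOW_DAYS)
            in_window = [x for x in items[i:] if x.spent_on <= window_end]
            total = sum(x.amount for x in in_window)
            if total > AGGREGATE_THRESHOLD and all(x.amount <= APPROVAL_THRESHOLD for x in in_window):
                for x in in_window:
                    if "aggregate_over_threshold" not in flags[x.expense_id]:
                        flags[x.expense_id].append("aggregate_over_threshold")
    return dict(flags)


def monitor(expenses: List[Expense]) -> Dict[str, List[str]]:
    """Combine record-level and pattern-level flags into one report keyed by expense id."""
    report: Dict[str, List[str]] = {}
    for e in expenses:
        found = check_expense(e)
        if found:
            report[e.expense_id] = found
    for expense_id, found in check_patterns(expenses).items():
        report.setdefault(expense_id, []).extend(found)
    return report


# Constructed sample export; names and amounts are made up for the example.
SAMPLE = [
    Expense("E1", "alice", "Regional Hospital (state-owned)", True, 80.0, date(2024, 1, 8), None, True),
    Expense("E2", "bob", "Acme Ltd", False, 150.0, date(2024, 1, 9), "manager1", False),
    Expense("E3", "carol", "Distributor X", False, 90.0, date(2024, 1, 3), None, True),
    Expense("E4", "carol", "Distributor X", False, 90.0, date(2024, 1, 10), None, True),
    Expense("E5", "carol", "Distributor X", False, 90.0, date(2024, 1, 20), None, True),
    Expense("E6", "dave", "Acme Ltd", False, 40.0, date(2024, 1, 12), "manager1", True),
]

if __name__ == "__main__":
    for expense_id, found in sorted(monitor(SAMPLE).items()):
        print(expense_id, ", ".join(found))
```

Each flag maps back to one control element (approval, documentation, or an aggregate limit), which is what makes the output auditable: a sample or deeper-dive audit can be keyed to the flagged records rather than chosen at random, and the rule that fired is itself the documentation of why.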
Another area to consider is what I have termed “organizational justice monitoring.” In my view, organizational justice requires fair and consistent procedures built around five basic principles:
- Procedural justice (e.g. time from report to closure);
- Equal justice (equal treatment of similarly-situated violations and individuals);
- Internal disclosure and communications; and
- Survey and measurement of perception of internal justice program.
To monitor the performance of a company’s justice system, data should be collected on incidents and reports, the initiation of an investigation, the closure of the investigation and its results, including any disciplinary action taken. The data can be broken into important categories by type of offense and by the individuals involved (officer, manager or employee). This information can provide important insights into the overall performance and fairness of the company’s justice system.
Even the more subjective topics of transparency, disclosure, communication and measurement of internal perceptions can be tracked to determine relevant trends. The frequency and types of disclosures and communications, the transparency of the internal justice system and the overall perception of it can all be measured, particularly as trends over a defined period (monthly, quarterly, annually).
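The organizational justice measurements described in the last few paragraphs (time from report to closure, equal treatment of similarly situated violations by role, and trends over a period) can be computed from a plain case log. This is an added example, not code from the original article; the case fields, the 25-point tolerance used for the equal-treatment check and the sample records are all assumptions constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional


@dataclass
class Case:
    """One internal-investigation record (constructed fields for this example)."""
    case_id: str
    offense: str                  # category of violation, e.g. "expense_fraud"
    subject_role: str             # "officer", "manager" or "employee"
    reported_on: date
    closed_on: Optional[date]     # None while the investigation is open
    substantiated: Optional[bool]
    discipline: Optional[str]     # e.g. "termination", "warning"; None if no action


def days_to_close(c: Case) -> Optional[int]:
    """Procedural-justice measure: elapsed days from report to closure."""
    if c.closed_on is None:
        return None
    return (c.closed_on - c.reported_on).days


def procedural_metrics(cases: List[Case]) -> dict:
    """Median days to closure per offense type and the current open backlog."""
    closed: Dict[str, List[int]] = defaultdict(list)
    open_cases = 0
    for c in cases:
        d = days_to_close(c)
        if d is None:
            open_cases += 1
        else:
            closed[c.offense].append(d)
    return {
        "median_days_by_offense": {k: median(v) for k, v in closed.items()},
        "open_cases": open_cases,
    }


def equal_justice_metrics(cases: List[Case]) -> Dict[str, Dict[str, float]]:
    """Share of substantiated cases that drew discipline, per offense and role.
    Comparing roles within one offense type is the 'similarly situated' test."""
    counts: Dict[str, Dict[str, List[int]]] = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for c in cases:
        if c.substantiated:
            entry = counts[c.offense][c.subject_role]   # [disciplined, substantiated]
            entry[1] += 1
            if c.discipline:
                entry[0] += 1
    return {
        offense: {role: disc / sub for role, (disc, sub) in roles.items()}
        for offense, roles in counts.items()
    }


def disparity_flags(cases: List[Case], max_gap: float = 0.25) -> List[str]:
    """Offense types where discipline rates across roles differ by more than
    max_gap (an assumed tolerance), i.e. a possible equal-justice problem."""
    flagged = []
    for offense, rates in equal_justice_metrics(cases).items():
        if len(rates) > 1 and max(rates.values()) - min(rates.values()) > max_gap:
            flagged.append(offense)
    return sorted(flagged)


def monthly_report_volume(cases: List[Case]) -> Dict[str, int]:
    """Trend input: number of reports received per month (YYYY-MM)."""
    volume: Dict[str, int] = defaultdict(int)
    for c in cases:
        volume[c.reported_on.strftime("%Y-%m")] += 1
    return dict(sorted(volume.items()))


# Constructed sample case log; every value is made up for the example.
SAMPLE_CASES = [
    Case("C1", "expense_fraud", "employee", date(2024, 1, 5), date(2024, 1, 25), True, "termination"),
    Case("C2", "expense_fraud", "employee", date(2024, 2, 1), date(2024, 3, 2), True, "warning"),
    Case("C3", "expense_fraud", "manager", date(2024, 2, 10), date(2024, 3, 21), True, None),
    Case("C4", "expense_fraud", "manager", date(2024, 3, 1), date(2024, 4, 10), True, None),
    Case("C5", "harassment", "employee", date(2024, 1, 15), date(2024, 2, 4), False, None),
    Case("C6", "harassment", "manager", date(2024, 3, 20), None, None, None),
]

if __name__ == "__main__":
    print(procedural_metrics(SAMPLE_CASES))
    print(equal_justice_metrics(SAMPLE_CASES))
    print("equal-justice review needed for:", disparity_flags(SAMPLE_CASES))
    print(monthly_report_volume(SAMPLE_CASES))
```

The same functions run over a month's, a quarter's or a year's slice of the log give the period-over-period trend; the disparity flag is deliberately a prompt for review rather than a finding, since small counts in one role can swing a rate from 0 to 1.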