Several Department of Justice (DOJ) officials have stated in recent public statements that the department now uses data analytics to detect illegal activities and that they expect compliance units to do the same.
The concept of employing data analytics for compliance purposes did not acquire significant popularity until 2020, when the DOJ's new "Evaluation of Corporate Compliance Programs" guidance was published. This was the first time the agency specifically outlined its expectations on the proactive use of data analytics by compliance departments to monitor compliance risks.
At a recent EY-sponsored webinar, the chief compliance officers of Google and Uber discussed the evolution of their respective data analytics compliance processes.
Google's CCO, Spyro Karetsos, remarked that the company is not the only one with elevated expectations. "Our internal leadership—our board of directors and myself as the chief compliance officer—we’ve also lifted expectations on what we can do from an analytics perspective, if we can shift from detection or lagging indicators to prevention and leading indicators."
Karetsos stated that the purpose of data analysis for compliance is "to turn hindsight—data points that already exist—into insights for decision-making today and potential foresight. If the data points you are pulling together to create insights for today are not leading to action and decision-making, you’re not really living up to the ‘use test’ expectation of analytics, where management uses the data to inform allocation of resources and decision-making."
The DOJ has emphasized on multiple occasions that a compliance program should be risk-based.
"I would expect they would look at data analytics the same way," said Uber's chief compliance and ethical officer, Scott Schools. "At least from my perspective, I would want to make sure I can defend the level of resources I am expending on data analytics based on a risk-based analysis."
A self-assessment of internal data systems is a suitable starting point before investing in an expensive data analytics tool, if the organization does not already have one. In a risk-based approach, for instance, evaluate the organization's most significant issues and then ask, "‘What data points does the business already have that can be analyzed that help tell that story?"
Karetsos continued, "There are disparate data sets that just need to be connected, and the connections tell a great story. Try to find the connection points ."
According to Karetsos, complaint data is a good place to start. Identifying operational areas, subcultures, or specific individuals inside the company that warrant a deeper look by analyzing trends in complaints or the underlying causes of complaints, as he explained, may require an examination of complaint trends.
Instead of color-coding its dangers as red, amber, or green, Google sets its risk-tolerance levels utilizing blue ranges for risk assessment purposes. One explanation for this, according to Karetsos, is that "When you are green, no one asks the question, ‘Are we too green?’ You might be overcontrolling something, or your data might not be telling you there is a problem ."
For every shade of blue, Karetsos stated, "We’ve indicated where we believe our sweet spot should be for that particular data set." If a region is underexposed, for instance, the question "'Can we move resources where we might be overcontrolled into an area where we’re under-controlled?’ Then we ask ourselves, to the extent we are coming in under the sweet spot, ‘Is the data even right? Let’s go take a look.'"
Karetsos stated that qualitative data analysis is reinforced by quantitative data analysis at Google by means of cultural surveys. "We look for disparities between data and survey responses," he stated. Combining quantitative and qualitative data facilitates the evaluation of problems such as "Is there a bias in the way people feel … or are we not measuring the right things? Do we need to start adjusting the data we’re looking at?"
At Uber, Schools remarked, "One thing we found is that data from culture surveys, combined with training data and other data you can assemble, even from just your compliance function, is an excellent entry point to talk to business leaders." If you can demonstrate, for instance, that the employee culture in their geographic area of responsibility is "markedly less positive than other parts of the company," he added, that is a fantastic approach to convince managers to address any necessary cultural issues.
"I think a lot of times, particularly in younger companies, there is a perception everything is going fine, when underneath the surface you may see lingering issues regarding culture," Schools continued.
To persuade upper management of the value of investing in a data analytics tool, Schools advised businesses to first "evaluate what resources you have in-house that may be able to facilitate some level of data analysis." By doing so, "You hopefully can develop some use case that is persuasive to the people who control the purse strings in your company," he said.
Colleges noted that for a startup firm like Uber, "every spend dollar is analyzed very closely." Doing an annual enterprise risk assessment enables compliance to demonstrate that it is investing its limited resources "to address an actual risk and an actual problem," as opposed to appeasing the DOJ or regulators.
Karetsos continued, "If your excuse for not diving into [data analytics] is, ‘I don’t have the resources,’ then you are really hurting your own program. The more you dive into this, the more you realize you can do more with less resources."
By fLEXI tEAM
Comments