One of the problems with a company like Microsoft is that its size, reach, and legacy precede it. You say “Microsoft,” and you imagine an impossibly large global enterprise that is somehow everywhere at once. And while that might not be entirely the truth, it’s not too far off the mark, either, and few people appreciate that more than David Howard, Microsoft’s corporate VP and deputy general counsel, Litigation, Competition Law and Compliance. He is responsible for the company’s litigation and anti-trust worldwide, as well as its compliance program.

Howard will be the first to tell you that with 120,000 people doing business in more than 190 countries, there are going to be problems, sometimes even serious ones, and that even the best compliance program in the world can’t prevent that entirely from happening. Howard will also tell you that the main issues he faces as Microsoft’s head of compliance aren’t that far off from what other compliance professionals at other organizations around the world also face. 

“Some of the things we talk about today are common to every compliance professional in every company: the need to focus on culture, and the need to focus on controls,” Howard said in a recent interview with Compliance Week. “How do you create a culture that makes it less likely that your employees are going to do things they shouldn’t do, and at the same time raise issues when they see them? And when that doesn’t happen, how do you ensure the company has controls in place to catch issues either before they happen or shortly thereafter? Those are common problems faced by every compliance program. And every business will address those issues differently.”

Third-party risk is also a huge issue for Microsoft because of how it tends to go to market around the world. “We see situations where a partner might do a deal before that partner has an end customer in sight, which is a violation of Microsoft policies, and we think it’s bad hygiene,” Howard says. “Generally speaking, those don’t have financial statement implications, but there’s always the possibility of that.” As a result, Howard’s team does a lot of work in helping assess partners’ compliance capabilities and get them the tools they might need in that area. 

Another area of concern is corruption. Some time ago, Howard says, Microsoft disclosed the existence of some FCPA issues that the company continues to deal with today, and it’s something he and his team always think about in terms of risk identification and management.

To address challenges such as these, Microsoft uses a three-lines-of-defense model for its compliance. The first line is its employees, who are trained on standards of conduct around the world in over a dozen different languages. The second line of defense is Microsoft’s legal, finance, and HR departments, which see compliance as an important part of their job, but not an exclusive part of their job. And then the third line of defense is Howard’s team of 210 full-time professionals in legal compliance, internal investigations and programs. They work alongside a financial integrity unit that does complex tax investigations. Howard also works very closely with Melvin Flowers, Microsoft’s head of internal audit. Together, these are responsible for Microsoft’s various policies, culture, standards of business conduct, and certain types of internal controls.

To address culture, Microsoft has launched a program called Microsoft Runs on Trust, its flagship effort to build a strong ethical culture throughout the enterprise. The core message is that trust is the most important value within the company; if Microsoft breaks its trust with customers, its own employees, the government, or other stakeholders, then it is impossible for it to succeed as a business. On the other hand, if it can promote and build trust, that’s a competitive differentiator. The company’s standard of business conduct is tied to that, as well as teaching people when to escalate an issue to an internal hotline. Howard’s team drives those messages home through an extensive marketing campaign within Microsoft.

“If you don’t do a good job with the human aspect of compliance, you’re not going to be successful.”
David Howard, Deputy VP and General Counsel, Microsoft

But there is a controls issue as well, and that requires a more data-driven approach. About a year ago, his team began a compliance analytics program to examine transactions shortly after they were consummated to see if they had any risk compliance attributes. In November, the team created its High-Risk Deals Desk, powered by Power BI and Azure—Microsoft’s business analytics service, and cloud computing service, respectively. The High-Risk Deals Desk analyzes all transactions within the company before they even occur and monitors for risk factors that might suggest a compliance problem in the making. A very crude example might be a deal that is set to conclude in the final days of a quarter. This flags as a risk factor and is fed into a proprietary algorithm that weighs it among other risk factors.

“If the score is sufficiently high, then we have a specialized team of people from around the world who can dig deeper on that to get the information they need to determine whether we should go forward on the deal, modify it, mitigate the risk, to not go forward at all, or even to refer it to [external] investigation,” Howard says.

The system is relatively new, and it incorporates elements of machine learning and artificial intelligence. The idea is that as Howard’s team learns more through its own investigations and audits, it can change risk attributes, change algorithms and emphasize certain aspects to better identify which transactions are the riskiest. The goal is that as the system gets smarter, becoming more able to correlate its ever-growing data set of transactions, it can get better at identifying more nuanced risks. It will take some time, but the early results are promising, Howard says.

In the meantime, like any compliance chief, Howard struggles with measuring the efficiency of his program. And even though something like the High-Risk Deals Desk can produce a lot of compliance data, this is still an area that, even for him, is a bit of a paradox.

“In the course of a year, if you have 15 significant compliance issues that come up above and beyond what you had the year before, one way to look at it is the company is less concerned about compliance than it used to be,” Howard says. “But the way we prefer to look at it is the program is working because we’re surfacing more issues, and that is a positive.”

The truth is, measuring effectiveness is still incredibly difficult. Over time, Howard says, compliance officers would like to see a reduction in certain types of issues and perhaps the level of seriousness of those issues themselves going down. But if all that’s being measured is the number of issues that get raised or the number of compliance violations that are recorded, one can always build the case that the more violations that are seen, the less the compliance program is actually working. It’s a counterintuitive challenge that for Howard underscores the need not just for strong data systems, but for skilled professionals who can make sense of that data and present their findings to stakeholders.

“If you don’t do a good job with the human aspect of compliance,” Howard says, “you’re not going to be successful.”