Data analytics and emerging technologies—like artificial intelligence and machine learning—are advancing and enhancing anti-corruption compliance programs in myriad ways. The idea is that the more integrated a company’s data, the more effective compliance departments can be at predicting trends, flagging anomalies, and proactively avoiding risk.

At Compliance Week’s annual conference in Washington, D.C., a panel of compliance officers spoke about how they are using data and predictive analytics in their anti-corruption compliance programs to reduce risk. “Data is a gift, truly,” said Michelle Beistle, chief ethics and compliance officer at The Nature Conservancy. “It can give you knowledge. It can give you power, but it is only as good as the analysis.” Beistle cautioned that “even machines can have bias.”

Rebecca Rohr, vice president of anti-corruption and global trade in the ethics and compliance office at Hewlett Packard, seconded that caution. Finding off-the-book transactions by looking at things like the timing of purchase orders and invoices, for example, doesn’t alone prove that there is illegal activity occurring. “You still have to have manual review and really dig into the facts,” Rohr said. “It has its limitations for sure.”

When thinking about how to begin doing an anti-bribery and anti-corruption assessment using data, begin with the company’s own risk profile, Beistle suggested. What areas pose the highest level of risk to the business?

One area in which compliance departments commonly leverage data analytics in an anti-corruption and anti-bribery program is third-party spend and expenses. “Sales reps pose the biggest risk,” said Joseph Suich, chief compliance officer of GE Power. Thus, prudent compliance officers will want to base their due diligence efforts on such factors as whether sales reps are doing business in high-risk countries; how much they are selling; and whether they are selling to government officials, he said.

Suich said he also asks certain high-risk sales reps of GE Power to list the meetings that they’ve had and the technical services they’ve provided, along with the value-add they’ve offered. “Until they’ve given me that, they can’t get paid,” he said. That way, if a high-risk sales rep ever goes rogue, “you can show, ‘Here is what we did. Here is how we did it.’ ”

Another benefit of data analytics is the cost-saving factor. “If you’re using data analysis to look at vendor spend, you can very quickly identify duplicate payments in real-time,” Beistle said. “That’s not an anti-corruption risk, but that’s a huge business enablement benefit.”

Gifts, meals, and entertainment is another high-risk area where data analytics can be leveraged. For example, HP recently upgraded its gifts and entertainment tool, called the Amenities Approval Tool, to pre-screen all HP events that may include public-sector invitees to ensure HP’s country-specific and recipient-specific rules are satisfied. “We require approval of all amenities to any public-sector official anywhere in the world,” Rohr said, “and we also put in an auto approval functionality, so when people have small-dollar amounts, they can be automatically approved.”

HP also recently upgraded its reporting capabilities, so that data can now be analyzed in all sorts of different ways to get a better understanding of the company’s gifts, meals, and entertainment expenditures throughout the world, Rohr said. Such analysis can be broken down by amenities by country, business unit, or by public-sector recipient, for example.

The Department of Justice’s latest “Evaluation of Corporate Compliance Program” guidance specifically focuses on how companies use data to strengthen their compliance program.

There are lots of places from which compliance can leverage data. “A good place for us to start has been internal audit,” Beistle said. “Even if they don’t manage the data themselves, they’re a good point of contact.” Other areas in which to leverage data include finance, human resources, accounts payable, and procurement.

Panel members also spoke about the use of predictive analytics for anti-corruption compliance purposes. Unlike data analytics, which is based on past events, predictive analytics uses data that’s been collected to predict what might happen in the future.

Many companies, however, are only just beginning to understand how to use emerging technologies like predictive analytics in their anti-corruption compliance programs. At HP, for example, with gifts, meals, and entertainment, “once we have enough data, we can see what times of the year or in what parts of the world the numbers spike,” Rohr said. That can then bring about targeted anti-bribery and anti-corruption training. “That’s really the closest we are to using predictive analytics,” she said.

Growing expectations

Another part of the panel discussion turned to a conversation about how having more data has increased the expectations placed on compliance officers. “At this point, because data is out there, and we do have access to it, I do think it’s becoming quickly good governance to use the data,” Beistle said.

“A good example is hotline data,” Rohr said. Most companies now have lots of data generated by employees’ concerns and complaints made to their hotlines. From that, compliance officers now have a responsibility to look at that data in all sorts of different ways: “What regions of the world are making hotline complaints? What is the nature of the complaints? Are there areas where nobody is calling, and why is that?”

Beyond analyzing data to assess a company’s risk profile, it’s also important to investigate any anomalies that are uncovered and remediate those as part of a robust anti-corruption compliance program. Rohr reminded attendees that the Department of Justice’s latest “Evaluation of Corporate Compliance Program” guidance specifically focuses on how companies use data to strengthen their compliance program.

Specifically, regarding a company’s risk management process, the Justice Department guidance asks, “What methodology has the company used to identify, analyze, and address the particular risks it faces? What information or metrics has the company collected and used to help detect the type of misconduct in question? How have the information or metrics informed the company’s compliance program?”

Beistle also cautioned, “If you’re going to monitor in real-time, you better have people actually monitoring, because if you don’t and then you have a problem and it shows up in your dashboard … you’re going to be in a worse position.”