Tasked with beating the pace of change in business today, staying one step ahead of the next awful thing that could happen, compliance functions can scarcely keep up without relying to some extent on technology.
“Technology advances at our disposal are quite astounding,” said Jon Mackenzie, managing director of PwC, at Compliance Week’s recent annual conference, advocating for compliance officers to make greater use of technology to streamline and monitor their efforts. “You can quickly visualize vulnerabilities and control failures requiring remediation. That’s where the compliance function, particularly monitoring, plays such an important role. You must transform at the same pace, if not faster, than the business.”
Compliance has spent plenty of time in the weeds of risk and controls over the past several years as regulatory demands have become more granular. But strategic insight at the higher levels can sometimes get lost in all that activity. “How do we know this is working?” asked Michelle Horton, principal at PwC. “We’re implementing all these controls, but are we getting better? Monitoring is one way to get a lot more visibility into whether the compliance program is operating effectively.”
An onsite poll at the Compliance Week conference revealed roughly half of those participating either were not using data analytics or visualization tools of any kind to monitor their compliance programs, or were just getting started. More than 40 percent said they were using such tools, but were still in the process of building their capabilities. Only a little more than 10 percent said they’d been using the tools for years.
Brendan Kehoe, senior legal counsel for U.K.-based education company Pearson, said he wasn’t surprised by the result. “This is an area where people are just wading in,” he said. Pearson is perhaps further along the curve than many companies, using data analytics to prepare reports, identify red flags in real time, spot trends, and even analyze third-party relationships, he said.
Analytics are making the compliance process more effective, said Kehoe, but they are also giving the business greater insights at the same time. “Cutting costs, for example,” he said. The advanced technology has given greater visibility into return on investment on certain business activities. “So it’s changed the way we do business in those places,” he said.
Jonathan Rusch, senior vice president in charge of anti-bribery and corruption governance for Wells Fargo, said data analytics is critical to the company’s compliance efforts. “We can drill down from a high level and visualize money movements between originations and destinations,” he said. “We can recognize trends and identify abnormal patterns.” Given the company’s size, it was deemed important for compliance to have easy, yet controlled, access across the enterprise.
The company’s use of data analytics is well developed, giving compliance a view into possible risky areas like never before. “With something as basic as a word cloud, it enables anyone to understand not just the largest and most prominent information but also any secondary standouts that are worth looking at,” said Rusch.
Kieran Crean, director of internal audit at Gensler Architects, said he relies on advanced technology simply to get more work done. “I’m a team of one in internal audit,” he said. “I’m the only one, so I couldn’t do it without a lot of data analytics.” The data is not perfect, he says, but he has far more actionable information to work with than before employing any advanced tools.
LEADING COMPLIANCE MONITORING PRACTICES
Below is an excerpt from the presentation, “Enabling Business Performance Innovations.”
A monitoring program that is focused on key risks, leverages technology and strategically deploys resources will enable strategic partnership and result in a more cost-effective model.
Leading Practices & Benefits
Centralized, dynamic, timely
Aggregated global testing results to provide both global and affiliate trending [Direct line to Dashboard Reporting]
Dashboards for efficient analysis of testing results
Consistent and regular communication tailored to key
Strategic deployment of skilled resources, allowing key personnel to focus on value-add activities (e.g. investigations, remediation, etc.) [Direct line to Investigate & Add Value]
Implement methodology and integrate testing across functions to drive consistency and limit duplication
Automate testing, where possible, to improve cost-effectiveness [Direct line to Execute Testing]
Targeted, real-time, risk-based
Greater transactional coverage [Direct line to Leverage Data Analytics]
Efficient sample selection methodology
Broad coverage across affiliates/functions
Continuous, flexible, consistent
Continuous evaluation of results driving future scope and approach [Direct line to Assess Risk & Scope Approach]
Responsiveness to changes in activities, risk, or business model
Source: Compliance Week 2016
As an example, said Crean, the company has a gift and entertainment policy, compliance with which is monitored by analytics. “All I have to do is click refresh and make a phone call,” he said. “It’s a really cheap way to find interesting information.”
Although the tools are powerful, implementing advanced technology is not exactly like waving a magic wand. There’s a great deal of collaboration required, particularly with IT, and it takes time to zero in on the right data and interpret it.
Patience is key, said Kehoe, as is working with the folks in the back office who manage systems. “It’s not in their DNA to think that we want to make a change, so we should check with legal or compliance. I have to make sure I have a regular meeting scheduled with them to find out about changes they’re making.”
It takes some trial and error to get to the right data, said Rusch, so persistence is key to producing data that is useful. “It’s really important to make sure that you have all the categories of data that you need from all the relevant lines of business,” he said. “To the extent you find yourself short, you have to redouble your efforts to make sure you’re reaching every place in the organization for relevant data.”
Data validation also is an important step in assuring the data is useful, especially if the data is key to demonstrating compliance. “It’s not just for your own satisfaction,” he said. “It’s for the auditors and the regulators.”
Cost is often an obstacle when it comes to deploying advanced technology, but Kehoe suggests compliance officers find creative ways through the “corporate dance” around who bears the cost. He suggests compliance officers get involved in discussions with IT and throughout the organization to form partnerships that will help in making the case for more advanced technology. “We’re all on the same time,” he said. “We’re all playing on the same field.”
It also helps to have the topic on the radar so it can perhaps be integrated with other IT initiatives that are in the queue, making it easier to implement in conjunction with something else, Kehoe said. “Now our folks are thinking: We’re making a change. We better check with legal and compliance.”
It also helps to point out that the tools provide an important means of performing ongoing risk assessments. “Some think of data analytics as only finding something wrong,” said Rusch. “Risk assessment to me is a dynamic process, so you always have to be monitoring and adjusting for identifying risks and risk trends.”
And if tools are humming along spotting nothing compelling, that doesn’t mean the analytics are not providing value. “If you’re confident you’re getting all the relevant data in real time and you’re not finding major anomalies, that could be a success story in itself,” said Rusch.