“We need to describe how we’re going to use ‘big data’ in our compliance program.”

This simple statement made by our chief compliance officer took my career in a direction I never previously imagined. It signaled a transition from a traditional compliance officer role into a world of managing risks and a program through algorithms, machine learning, and digital solutions.


Alan Gibson, Microsoft

This transition started in September 2015, when Microsoft’s Office of Legal Compliance (OLC) drafted a memo addressed to the company’s audit committee. We described—at a high level—the innovative steps the OLC could take to make a significant difference in our compliance program. In addition, we demonstrated our alignment with the company’s priorities by highlighting that we were becoming a “data driven” compliance program and adopting a “growth mind set”—we were “placing a big bet on our strength in big data analytics.”

I was asked to lead the design and implementation of what became Microsoft’s Compliance Analytics Program. Our goal was to use digital technologies to create an early warning and monitoring system for compliance risks. Today, our system identifies specific sales transactions and channel partners as “high risk” and routes them for extra compliance oversight.

For context, when we first started, my knowledge of data and statistics was largely limited to what I learned in business school classes and from my passion for advanced baseball statistics. These tools were increasingly an important part of Major League Baseball because they helped identify and highlight elements of the game that traditional approaches could not measure. These tools were used to make better on-field, front office, and player development decisions.

For Microsoft’s Compliance Analytics Program, we wanted to accomplish a similar goal—to take advantage of existing and new data and technology. Instead of winning the World Series, however, we wanted to reduce our compliance risk (starting with corruption). We saw the opportunity to use digital technologies such as advanced statistics, machine learning, and artificial intelligence to enable better compliance and business decisions. As with baseball, we recognized that to be successful we needed to change not just how the game was played, but also the skills and profiles of the players involved—starting with me.

Fortunately, Microsoft invested heavily in my transition and learning. The company understood that our Compliance Analytics Program was a long-term, strategic investment. The company provided opportunities to (1) get involved in other analytics projects at Microsoft; (2) get involved in “stretch” projects involving the company’s broad digital transformation; (3) attend and present at a variety of events that contained analytics and/or risk topics ranging from “traditional” compliance conferences to events hosted by internal audit, enterprise risk management, information security, and machine learning and data science groups; and (4) take online courses from experts (e.g., MIT). The company provided me the time, space, and opportunity to adapt and develop skills. Importantly, it also provided resources based on measurable impact and supported scaling the Compliance Analytics Program from an unfunded executive mandate to a corporate asset—an enterprise-grade risk analytics solution.

The majority of my time is now spent with (1) solution architects (responsible for data mining, data cleansing, and technical implementation); (2) data analysts (responsible for using statistics and tools/technology to decipher the data); and (3) domain experts (responsible for generating the insights and telling the story beyond the data).

I had to adapt to a role in which my strength was no longer being a deep subject matter expert. Instead, my value was being able to navigate among the various functions that had a deep knowledge of data science—to allow us to define how we would translate risks into “themes and schemes” for which we would look for “signals” in the data and allow us to predict risk and identify anomalies to route for additional compliance oversight.

Microsoft’s data science community has equipped me to actively participate in conversations about not only the limitations of the “current” state-of-the-art risk modeling (a binary classification approach and traditional supervised machine learning models) but also the benefits of Microsoft’s “modern” multiple anomaly detection ensemble model (a “pseudo-recall” approach). While I’ve adopted this vocabulary and adapted to include data science and technology in our compliance program, I continue to remind people that these are “tools”—tools that should be used to guide better decision making and compliance review—not a replacement for human judgment.

Alan Gibson is an assistant general counsel in Microsoft’s Office of Legal Compliance.