In public remarks made over the last few years, multiple officials at the Department of Justice (DOJ) have said the agency is now using data analytics to detect criminal conduct—and that they expect compliance functions to be doing the same.

The idea of using data analytics for compliance purposes did not gain much traction until 2020, following publication of the DOJ’s revised “Evaluation of Corporate Compliance Programs” guidance. That guidance, in part, represented the first time the agency explicitly laid out its expectations compliance departments should be using data analytics to proactively monitor compliance risks.

In a recent webinar sponsored by EY, the chief compliance officers of Google and Uber offered insight into how their own data analytics compliance programs have evolved.

“The heightened expectations that we are feeling aren’t just from external entities,” said Google CCO Spyro Karetsos. “Our internal leadership—our board of directors and myself as the chief compliance officer—we’ve also lifted expectations on what we can do from an analytics perspective, if we can shift from detection or lagging indicators to prevention and leading indicators.”

The goal of data analysis for compliance is “to turn hindsight—data points that already exist—into insights for decision-making today and potential foresight,” Karetsos said. “If the data points you are pulling together to create insights for today are not leading to action and decision-making, you’re not really living up to the ‘use test’ expectation of analytics, where management uses the data to inform allocation of resources and decision-making.”

Risk-based analysis

The DOJ has repeatedly stressed a compliance program should be risk-based.

“I would expect they would look at data analytics the same way,” said Scott Schools, chief compliance and ethics officer at Uber. “At least from my perspective, I would want to make sure I can defend the level of resources I am expending on data analytics based on a risk-based analysis.”

Before going out and investing in an expensive data analytics tool—if the company doesn’t already have one in place—a good starting point is to conduct a self-assessment of internal data systems. In taking a risk-based approach, for example, consider the business’s top risks, Karetsos said, and then ask the question, “‘What data points does the business already have that can be analyzed that help tell that story?’”

“There are disparate data sets that just need to be connected, and the connections tell a great story,” Karetsos added. “Try to find the connection points.”

“If your excuse for not diving into [data analytics] is, ‘I don’t have the resources,’ then you are really hurting your own program. The more you dive into this, the more you realize you can do more with less resources.”

Spyro Karetsos, Chief Compliance Officer, Google

Complaints data is a good place to start, Karetsos said. Analyzing for trends in complaints or the root cause of complaints might point to operational areas, subcultures, or certain individuals within the organization that need a closer look, he said.

From a risk assessment standpoint, Google sets its risk-tolerance levels using ranges of blue rather than color-coding its risks in shades of red, amber, or green. One reason for this, Karetsos said, is because, “When you are green, no one asks the question, ‘Are we too green?’ You might be overcontrolling something, or your data might not be telling you there is a problem.”

For each range of blue, “We’ve indicated where we believe our sweet spot should be for that particular data set,” Karetsos said. If a certain area is underexposed, for example, the question is asked, “‘Can we move resources where we might be overcontrolled into an area where we’re under-controlled?’ Then we ask ourselves, to the extent we are coming in under the sweet spot, ‘Is the data even right? Let’s go take a look.’”

Karetsos added quantitative data analysis at Google is complemented by qualitative data analysis through conducting cultural surveys. “We look for disparities between data and survey responses,” he said. Comparing quantitative data with qualitative data helps assess such questions as, “‘Is there a bias in the way people feel … or are we not measuring the right things? Do we need to start adjusting the data we’re looking at?’”

At Uber, Schools said, “One thing we found is that data from culture surveys, combined with training data and other data you can assemble, even from just your compliance function, is an excellent entry point to talk to business leaders.” If you can show them employee culture within their geographic area of responsibility, for example, is “markedly less positive than other parts of the company,” he said, that’s a great way to get managers to start addressing any cultural issues that need attention.

“I think a lot of times, particularly in younger companies, there is a perception everything is going fine, when underneath the surface you may see lingering issues regarding culture,” Schools added.

Making the case

To convince senior management regarding the value of investing in a data analytics tool, first “evaluate what resources you have in-house that may be able to facilitate some level of data analysis,” Schools said. By doing so, “You hopefully can develop some use case that is persuasive to the people who control the purse strings in your company,” he said.

For a young company like Uber, “every spend dollar is analyzed very closely,” Schools added. Conducting an annual enterprise risk assessment helps compliance make the case its spending its limited resources “to address an actual risk and an actual problem,” he said, not just to appease the DOJ or regulators.

Karetsos added, “If your excuse for not diving into [data analytics] is, ‘I don’t have the resources,’ then you are really hurting your own program. The more you dive into this, the more you realize you can do more with less resources.”