A common theme emerged throughout several sessions devoted to risk management at the recent Compliance Week 2018 conference. Yes, the data you collect when prioritizing risk is important. How that data is collected, however, is only half the battle.
If data is locked in silos, or haphazardly analyzed, it may do very little good.
Likewise, emerging technologies offer amazing potential for compliance programs. They too are only as good as the data you feed them and how those technologies dovetail with traditional business flows.
Using risk-based metrics to drive your compliance program is becoming a necessity given changing hiring trends, says Jason Cropper, vice president for business development at Mitratech, a provider of legal and compliance software.
In the aftermath of the financial crisis, there was a boom in the hiring of compliance personnel. Faced with both past sins and a future regulatory tsunami, firms scrambled to add bodies to their compliance function, hiring intended to satisfy increasing regulatory demands and scrutiny.
Cropper cited one famous post-crisis example: Banking giant JPMorgan added 8,000 people to their compliance function.
“Realistically, where we are now is that the compliance boom is over,” he said. “The hiring boom is frozen. Firms are leveling off of new hires. As a compliance function, we have to start to focus on doing more with less. We’ve been growing for some time. What we need to do now is act smarter, not bigger.”
An important step toward “working smarter” may lie in the adoption of new technology, notably data analysis and automation.
Cherie Axelrod, senior vice president and deputy chief compliance officer for Western Union, is living the scenario described by Cropper.
In recent years, Western Union increased its compliance investment more than 300 percent. It is now spending more than $200 million a year on compliance; of the firm’s nearly 12,000 total employees, 2,500 staff compliance functions.
“We understand that you can’t just keep growing every year,” she says. “So, we are using data and technology to really be much smarter in what we look at, and how we look at things.”
Axelrod’s company has two main sources of risk: consumers using wire transfer services, and the agents and frontline associates who serve them. Her challenge is building a data-informed, risk-based approach to compliance.
Real-time monitoring of customer activity at agent locations is one way the firm is quickly and efficiently alerted when there may be a problem.
“We can’t be everywhere all the time, especially when we are in 200 countries around the globe,” she said. “Because of our unique business needs, we had to build our own technology, instead of buying it. We’ve developed patentable technologies.”
What types of data feed that system?
Axelrod says a focus is on transactional data, used to lift the veil on what customers are doing and, more importantly, who they are.
“It is a collection of who are you via your ID,” she says. “Some countries are moving to biometrics and that is an evolving area of collection for us.”
What compliance looks for is whether customers are conducting transactions in a way that makes sense. “Are you transacting with us in a certain way that you have for a very long time, then all of a sudden something changes,” she says. “Then, we need to understand what you are doing. We are using that data to understand who you are, what you are doing, and then apply that to our agents.”
Similar assessments apply to agents themselves. Do they have a particular pattern of transactions? What does it mean if, all of a sudden, that pattern changes? “Do we understand why and are we risk-assessing those changes?” Axelrod asks. Once that behavior is flagged, discussions turn to “how do we change the behavior?”
Jon Stentz is vice president and chief counsel for development and brands at HMSHost.
His company has a similarly diverse nature with compliance challenges to match. HMSHost is part of Autogrill S.p.A., the world’s largest provider of food and beverage services for travelers. It creates dining locations at airports worldwide.
For his company, particularly for developing markets, Stentz oversaw the development of an e-learning tool.
“We couldn’t just fly around and give instructions all over the world, so we created an online method to do it,” he says. “Not only do we have the training translated into foreign languages but we can track employees with data on the training.”
This training assists the compliance team as it collects data on 37 different areas it focuses on, creating a “heat map” to decide where its attention should be, from procurement to food safety.
Cropper cautioned that, although important, there shouldn’t be an overreliance on metrics alone.
“We all fall down in using metrics to monitor how effective we are and what value the compliance function brings to an organization,” he says.
For example, the temptation is to use a 100 percent training participation rate as a point of pride.
“In my opinion, it just shows we are doing our job,” Cropper says. “It doesn’t mean you were effective with what you wanted to achieve.”
A risk-based approach, however, can present a tangible benefit to the organization by creating heat maps and helping assess risk by degrees, high-to-medium-to-low.
“When you find risk, what are the mitigating factors? What are the management action plans?” Axelrod asks.
Benefit without burden
The future is now in terms of emerging technologies like artificial intelligence, blockchain, and machine learning. In the big picture, connected data is transforming enterprise risk management, enabling the compliance function and the business to predict trends, flag anomalies, and warn of an impending crisis.
Using unstructured data with an equally unstructured system, however, can be a recipe for disaster. There needs to be consensus on where your data lies and what you want to do with it well before you start to throw a technology solution at it.
In addition to determining where in the organization data resides, there needs to also be an assessment of its nature, says Gwendolyn Hassan, managing counsel, global compliance and ethics, for CNH Industrial, one of the world’s largest capital goods companies. She asks: “Is it in the same format? Is it even in the same language?”
This imperative has been underscored by the implementation of the European Union’s General Data Protection Regulation. It emphasizes, among other things, the need to identify where data exists throughout the organization and map it.
Jennifer Gilhool, senior director of compliance and ethics for ON Semiconductor, is considering the assistance of social experts and data scientists to “try to understand which behaviors drive the particular outcomes we want, and then which data in the enterprise can be mined to predict when someone might find themselves in trouble.” In one example, data analysis may help prepare, execute, and survey procurement processes.
There are, however, challenges ahead.
“I think there is an overwhelming sense of how much data is out there,” Gilhool says. “People are generally unsure how to harness it, what to do with it, and how to use it. Frankly I think GDPR adds a chilling effect to that. What can I look at? What data can I gather? Thinking about those questions in the context of the new rules.”
Hassan agrees that there are many who are intimidated by big data.
“Compliance is closer to the edge of managing data and thinking about what we can do with data,” she says, adding that it requires a lot of internal communication, change management, and consensus building.
Hassan warned of the risk of “compliance burden.”
By imposing new systems and technology, “you are potentially increasing the burden on the business,” she adds. New software reporting lines can slow down the pace of business and, in turn, harm the company.
“We focus on building in instead of bolting on,” she explains, offering a solution. “As a compliance function you can go in and stick on a bunch of extra things. Or, you can look at what the business is doing and find a way to embed yourself into what they are already doing and, as much as possible, reduce the burden of compliance.”
To integrate new technology and processes into third-party management protocols, she first mapped out who is doing which tasks with which tools.
“Then we mapped out a way to find insertion points, those places where we could least disrupt what was already happening, but still get the data we needed into our process. We then fed the data back into the business to help them make the most informed decisions possible,” Hassan explains.
How new systems work with existing business functions should also be a consideration, says Russell Stohr, global head of product, connected risk solutions at Thomson Reuters.
“I think you are describing a world in which, instead of asking the business to go into another platform, you are actually embedding into that source and workflow,” he said of Hassan’s efforts. “On the same page where they are reviewing the bids, they are reviewing the risk profiles of those vendors simultaneously. They are never stepping outside of their core business system to participate in risk and compliance.”
Hassan agreed. Added data includes details regarding financing (loans vs. demanding cash up front), succession planning, and a risk perception assessment.
“We’ve built in an algorithm that analyzes a corruption perception index and government risks,” she says. “It is built right into the system—same flow, the same screen—so there is no leaving one system to go into another. … The corruption risk calculation comes out at the end.”