Relying on traditional tools like whistleblower hotlines, employee surveys and audits to spot fraud and other problems without a data analytics component is a poor fit under recent Department of Justice program guidance, corporate compliance specialists say.
DOJ has said it wants to see programs that are not only well designed and adequately funded but work well in actual practice, by which it means compliance officers should be able to improve programs as weaknesses are uncovered, something that requires a robust data analytics component.
“We want to know that a company can identify compliance gaps or violations of policy or law,” Assistant Attorney General Kenneth Polite told a conference of compliance officers in March. “Equally importantly, we want to see how the company addresses the root causes of these gaps or violations and finds ways to improve its controls and prevent recurrence of issues.”
That type of aggressive standard can be hard for even well-resourced companies to meet because it requires the compliance function to have a data system that can pinpoint problems and shed light on what needs to change.
“Very few companies can meet that standard today,” Parth Chanda, CEO of Lextegrity, said in a webinar hosted by his company. “That should be your north star in terms of what your data analytics approach should be, whether it’s [trying to protect against] fraud, bribery, corruption…. Do you have a tool that’s looking for these things in a way that’s going to detect them, immediately, and have a process in place to address those issues?”
Traditional control programs, no matter how well implemented, are too spotty and slow to meet the kind of standards DOJ is talking about. Hotlines and surveys, for example, have long lead times and rely on staff self-reporting, the reliability of which can vary greatly.
“The culture of the company really dictates how people behave,” said Amy Schuh, an attorney with Morgan Lewis.
Schuh said she worked with a company that still relies mainly on whistleblowers to catch problems, leaving it blind to the bulk of the risks it faces.
“I was shocked to continue to see compliance just focused on the hotline,” she said. “It's crazy that their case management system is just a hotline.”
The CEO and board of directors look to the chief compliance officer to put controls in place, but no system can be effective unless accountability extends throughout the organization, especially within the business functions, the specialists said. For employees, though, including the people whose job is to make deals happen, compliance is typically seen as a bottleneck.
“We’ve heard it many times, compliance is the department of no,” said Maria Gonzalez Calvet, an attorney with Ropes & Gray.
Too often, employees see compliance requirements as a hurdle that’s added to their work, but the best programs are those in which controls are integrated within the business processes from the start.
Even “regulators appreciate that the purpose of an effective compliance program is to facilitate a business model where ethical practices win,” said Gonzalez Calvet. “The point is, the ethics program and the compliance program that is effective doesn’t impede business; it supports business success while adhering to the law while doing it in a functional way.”
It’s not uncommon for the breakdown in compliance to happen at the manager level. Many managers aren’t adequately trained on how to escalate concerns raised by employees, but despite that, they tend to be the first point of contact for employees rather than the hotline or the compliance officer.
“If managers aren’t escalating their response, that could signal the manager’s response is a ‘Nothing to see here’ response, which is a tone-from-the-top problem,” said Gonzalez Calvet.
HR managers often miss compliance issues too.
“Some of our HR colleagues may not understand that at the bottom of an email, where somebody is whining about their boss, there’s, like, a kickback allegation,” said Schuh. “They might not understand what a kickback allegation is.”
Against the DOJ backdrop, more compliance officers are turning to technology, which, if well-integrated, can help put the focus on the highest risk areas.
“You don’t have to boil the ocean and take on every country in the world, every business unit,” said Chanda. “You know you have risks in certain places. If you have a big ERP you’re using, maybe start there and just get started.”
For the last several years, regulators have been seeking to rely more heavily on certifications and attestations as a way to light a fire under compliance officers by holding them liable for problems. That in turn has pushed liability further out into the organization as compliance officers seek certifications by others before they sign off.
“The CCO isn’t going to be able to certify on their own,” said Chanda. “They’re going to be tied at the hip with the CEO and country managers and all levels of the organization in terms of requiring sub-certifications. So, for me, the fear is this is all going to become circular: the CCO is going to ask for a sub-certification from the country manager on whether the program is effectively implemented in their country, and the country manager is going to turn right around and ask the CCO, ‘Well, you tell me as the compliance officer.’”
An analytics program can help address that because it gives everyone the same data set on which to base the certifications.
“If everyone is speaking off the same data-driven information, you can really make these certifications with more confidence than just relying on your training stats or your hotline data,” Chanda said.
The good news is the compliance technology space is getting crowded, making it easier for compliance officers to find a solution that fits the size and needs of their organization. The solutions are also increasingly coming with forensic capabilities, which will help compliance officers meet regulators’ expectations to detect, remediate and prevent repeats of the same types of noncompliance.
Forensic tools can help by analyzing data from across the organization and finding patterns that can indicate a problem and point to ways to close the gap.
Among other things, the programs can look at spend items across multiple categories, analyze the practices of high-risk spenders, such as whether they use cash often, and check whether an expense is from a suspicious merchant category code.
“That’s going to help you identify non-compliance immediately,” said Chanda. “So, align on your goal internally.”
If compliance doesn’t have the budget to implement an analytics program, there’s no reason the money can’t come from another division that has a stake in compliance.
“Audit can pay for all of this,” said Chanda. “The finance team might pay for all of it and you can be a customer of it, internally, in the organization. So, think creatively if you’re strapped for budget. Maybe someone else will pay for it because they can change how they do things.”