In today’s organisations, analytics are everywhere. Gone are the days of relying on gut feelings and instinct to run and compete in the marketplace. Business, and its respective information flows, simply moves at too fast a pace. Todays’ decision makers combine their talents, instincts and experiences with data-driven facts and models to better synthesise the vast amount of data flowing in and around an organisation. The legal and compliance functions are no exception. Effective compliance programmes require a data-driven approach. Legal and compliance professionals must embrace technology to remain relevant to their stakeholders, as depicted in the following hypothetical story.
Juan is head of investigations at Triverno Global, a medium-sized, global manufacturing company based in Mexico City. (All names and company references in this example are fictional.) The company has recently launched an enterprise-wide digital transformation and technology initiative to reduce costs and seek competitive advantages.
The question on Juan’s mind was to what extent the compliance and investigations function would be part of this corporate initiative. Naturally, Juan was not surprised when Miguel, the company’s General Counsel and Global Chief Compliance Officer, asked him to explore how his team could embrace technology to improve the organisation’s integrity culture. Juan had just read a publication citing former US Deputy Attorney General Matthew Miner as saying: ‘This use of data analytics has allowed for greater efficiency in identifying investigation targets, which expedites case development, saves resources, [and] makes the overall program of enforcement more targeted and effective.’ Miner further noted that he ‘believes the same data can tell companies where to look for potential misconduct’. Ultimately, the federal government wants ‘companies to invest in robust and effective compliance programs in advance of misconduct, as well as in a prompt remedial response to any misconduct that is discovered’.
But Juan needs more guidance. What is the required starting point for a company to apply analytics to compliance? Could a literal ‘paper’ programme of policies and procedures not support an environment in which analytics could prosper? And given all the technology buzz around data-driven risk monitoring and improved compliance technologies, such as artificial intelligence (AI), machine learning, robotics process automation and advanced data analytics, where does Juan start?
Until recently, ethics and compliance programmes in Latin America, as around the world, traditionally have focused on the legal aspects of policy, regulatory requirements, employee training and investigating (even policing) activities. A compliance officer might also collaborate with the control and procurement functions to introduce financial and other diligence controls, but adherence to these types of processes was either left to other functions to enforce, or was subject to periodic audits, which inherently are limited in scope and often expensive, cumbersome and disruptive to administer.
Although undoubtedly important to a business, customary activities of this nature are often indicators of trouble either well after the fact, or worse, when a crisis is already at hand. What is more, they typically lack data-driven insights that enable proactive decision-making, risk mitigation and improved company performance. Chief investigators and legal and compliance professionals we have spoken with often feel overwhelmed by having always to react to situations, and challenged by collaborating with other functions rather than having the tools to respond quickly to ethics and compliance events, and not having to proactively pre-empt situations.
The analysis of business transactions – such as payments to vendors, sales transactions with customers or distributors, reimbursements of employee expenses, or patterns of communication and information – to measure compliance effectiveness proactively was typically delegated to the internal audit or finance department. As a result, traditional compliance deliverables tended to be reactive and disciplinary in nature. They also tended to be interesting only to a limited number of risk-oriented professionals within an organization. ‘Compliance fatigue’ has become a popular buzz phrase in recent years as a surfeit of manuals, rules, policies and procedures have tended to be seen by employees, and sometimes management too, as business inhibitors to driving growth. This no longer needs to be the case.
Integrating data science and analytics resources into traditional compliance functions gives risk professionals a tremendous opportunity to drive better business transparency, which in turn drives better business performance. Taking a metrics-driven, coaching approach (rather than an authoritative, investigative, legal approach) to driving business integrity is helping compliance professionals to:
The last point, above, might seem counter-inituitive as the compliance function has traditionally been viewed as a cost centre, not a profit centre. This does not have to be the case. Take, for example, our hypothetical situation involving Triverno Global. With transparency into vendor risk profiles and payment activities across the various markets in which Triverno Global conducts business, Juan and Miguel can advise the chief financial officer (CFO) and chief executive officer (CEO), from a risk perspective, about the cities in which to invest in a new manufacturing facility.
For example, City A might have lower labour costs and cheaper raw materials (as provided by the finance department). Nevertheless, the corruption risk and previous investigative matters in City A may make it less attractive relative to a slightly more expensive city, with significantly lower risks of bribery and corruption. Juan and Miguel may also quickly identify a pattern of high-risk vendor activity in City A, such as a prevalence of consultants and advisers with thin diligence files who receive significant balloon payments or success fees at year end.
The reverse is also possible. Perhaps the CEO and CFO are considering the new Latin America cities in which to expand their sales force. Based on relevant compliance monitoring information, such as customer profiles and sales transactions, Juan and Miguel might recommend certain contractual limitations, such as spending caps or timeframe restrictions. They also might propose conducting less extensive (and expensive) background checks, such as perhaps skipping a required site visit or moving from 10 reference checks to three, to allow faster customer acceptance and growth in cities in which the risks historically have been low. Juan and Miguel may also gain insights into optimal discounting structures in that region, and even identify patterns suggesting that some sales incentive programmes have been diverted inappropriately and aligned with neutral revenue returns; this might suggest that marketing dollars be spent with more high-return customers or regions. In those cases, the sales team can become a valuable partner with the compliance team in ensuring that company resources are deployed in an efficient, transparent way, thereby reducing compliance risk while increasing returns.
Less manual processes, such as phone call references or physical inspections, and contractual restrictions also could be reduced, with a heavier focus placed on transaction monitoring during the life of a business relationship rather than a one-time heavy due diligence investment at the time of onboarding. This approach allows the sales team to move quickly while simultaneously allowing the compliance team to monitor for any changes to the current risk landscape. The sales team would look to the compliance team as a partner and not an enforcement officer, further helping to ensure the company’s business integrity functions and adherence to the code of conduct.
We often hear the complaint that a company cannot stand up analytics in a compliance department because so much of its compliance programme is paper-based. There is no dictionary definition of ‘paper-based’ but we find that it often refers to organisations with compliance programmes somewhere between an Excel spreadsheet for tracking investigations and initiatives, and a print machine for producing endless copies of policies that invariably just sit on a shelf. We often look at this kind of challenge as a huge opportunity for compliance professionals to add value to their business. Compliance conferences witness a veritable bazaar of solutions aimed at simplifying generally accepted compliance workflows with greater or lesser benefit to companies themselves. Although not intended to be exhaustive, the following are some opportunities that compliance professionals can evaluate for possible use in integrating technology into their compliance programmes.
Compliance inevitably involves a high degree of process. Nevertheless, it is not always easy for an organisation to certify which executives have been trained, which whistle-blower reports have been investigated and which vendors have been vetted without tracking and monitoring. Compliance programmes often employ professionals who spend inordinate amounts of time tracking spreadsheets and following up with emails to ensure completion. Approaching this solution tends to be labour-intensive and does not capitalise on the insights that the data generated from such processes give. In terms of reducing workflow, there is a growing number of platforms that provide basic functionality for following up on tasks to be automated. These platforms not only remove a lot of repetitive email and spreadsheet updating but can generate a lot of insight into risk. Ask yourself whether it is more helpful to send 100 emails asking someone to attend a training event or to identify (and perhaps publicise) which vice presidents lead teams that are consistently ahead of or behind compliance training? Would it not give better insight to establish whether a certain business unit has requested diligence on a meaningfully higher (or lower) number of high-risk vendors? If done well, automation can simultaneously remove mundane workflows and allow the compliance team to focus on analyses of trends and patterns that drive meaningful decision-making.
According to the research site Statista, 3.5 billion people, roughly 45 per cent of the world’s population, will access the internet with a smartphone in 2020. The number is increasing rapidly and is expected to reach 3.8 billion in 2021. This uptick in connectivity offers new ways for compliance officers to interact with their workforce. The key to managing this change is to ensure that the content generated by a compliance team is fit for mobile, in a timely and relevant fashion. We are not saying that compliance will ever truly compete with trending YouTube clips, celebrity exploits or the highlights of a top-level sporting event. However, the competition for attention on a smart screen means that compliance officers need to give more thought to how their information is being consumed. Does it make sense for a company policy to be converted to PDF and placed on a mobile-accessible website for employees to comb through the minuscule type? Or should the delivery of these types of documents be tailored and formatted to mobile, where questions can be asked and relevant answers provided in an easy-to-use, easy-to-read interface? At one telecommunications company, for example, the keyword search for ‘what is a conflict of interest’ was anonymously asked more than 5,000 times in a year by employees using the mobile compliance app. This helped the compliance team improve training and communications around conflicts of interest and most likely helped to prevent hundreds, if not thousands, of compliance violations proactively.
A similar point can be made for training. Organisations tend to expend a tremendous amount of effort in requiring their employees to submit to compliance training but comparatively little thought as to whether the training should be designed to engage people and influence behaviour or exist solely to document that some effort was made to train staff. There are a few providers on the market heading in the right direction, with excellent use of narratives, story-telling, and even chatbots that are making training relevant to the workforce. We predict that as training becomes increasingly mobile, the programmes that can capture people’s attention and communicate in a memorable way that translates to a mobile device will have significantly more lasting power.
It is safe to say that virtually all Fortune 500 companies are investing in various forms of AI. In 2017, a Forbes survey of Fortune 500 CEOs found that 81 per cent stated that AI is ‘extremely important’ or ‘very important’ to their companies’ future. Even if compliance officers are not leading this charge, it means that the transformation being undertaken by organisations is generating data sets that can provide operational insights that are invaluable to compliance. Traditional compliance assessments in the context of the US Foreign Corrupt Practices Act tend to focus on the extent to which a business is regulated, the jurisdictions in which it operates and the financial control environment, to name a few. But few tend to look at the information technology operating environment, the quality of data stewardship, the state of systems integration and other hallmarks that will provide insight into how difficult it would be to harness quality data to gain compliance insights of the operation. Organisations that are investing in AI will be doing so to improve the data hygiene of their systems, particularly with respect to how a company pays third parties, or tracks sales to customers or distributors. Compliance insights do not need to come solely from data borne of the compliance department – in fact, in almost all cases, it is more insightful to business risks to gather these insights more broadly. For example, the data sets that a revenue management function would find desirable to review sales margins are the same data sets that would yield insights into graft, fraud and abuse for compliance. Similarly, data created by a procurement function will house potential insights into third-party risk. Any risk assessment should take into account the data ecosystem in which the compliance officer is operating with a view to harvesting what is ripe and identifying the areas in which activities may be less transparent (and therefore more risky), for example because of an immature data infrastructure. Make sure you are asking the right business and compliance risk questions – those that really matter to the business from an integrity perspective – then align your data resources, wherever they may lie within the organisation, to seek answers to those questions.
A key question for any data strategy is whether the work-product generated by compliance will lend itself to useful data analysis. Implicit in this decision point is whether the company should invest the time and resources necessary to organise data in a structured way.
For those unfamiliar with these terms, unstructured data is data that is not organised in a predefined model. Text in an email, presentation or document is often considered unstructured in nature. In contrast, structured data is data arranged either at creation or shortly thereafter organised into defined buckets and categories. Numbers organised in a spreadsheet or database, with rows and columns, is typically looked at as structured data. Attorneys tend to operate within an unstructured data milieu, and prefer to create precise written narratives as part of their work-product that are inherently unstructured. Imagine a narrative compliance entry in a diligence file: ‘The vendor is being paid $26,501 to advise on customs clearances in Mozambique.’ Structured data inputs tend to require selection of predetermined fields, such as a series of dropdowns or multiple-choice answers. The same information, therefore, could be reduced to four fields to the effect of (1) vendor [being paid] (2) < $30,000> for (3) services with a subcategory of (4) customs. Currently, structured data fields lend themselves to analysis far better – particularly if there is good hygiene around the data – meaning that controls are in place to ensure consistency of input. Unstructured data inputs can express information in a myriad of ways, which can make it difficult to organise them and make meaningful decisions.
With structured data, the fields tend to remain constant, which facilitates analysis and drives consistency and objectivity in the monitoring process. So, in the four-point example above, the compliance team could identify quickly how many vendors in Mozambique were engaged within a certain period for a defined compensation range. With unstructured data, that is less likely to be the case. The nomenclature and organisational philosophy will tend to have a great deal of flux between users. Accordingly, ‘the vendor is being paid $26,501 to advise on customs clearances in Mozambique’ can easily become ‘Moz. Agent paid $26,501.00 for customs advice’, making it difficult for a computer to identify that these two statements mean the same thing. And that is without typographical errors, currency variations or different languages being added to the mix. Thus, with current technology, there are benefits to requiring and ensuring that data generated from any process is standardised.
A structured data strategy is not without challenges in and of itself. It requires planning, training and organisational discipline to identify what is desirable as the information to be entered, and requires operational teams to input that information in a structured way. But it is possible. As technology progresses, one can hope that it will become increasingly possible for natural language processing and more advanced data collection techniques to organise even the notes of your most long-winded colleague into something concise, well-structured and usable. But in the short run, it is better to get everyone to agree what should be input and how.
Despite efforts to structure data, even the most disciplined organisation may find there are differences in terminology, a misunderstanding of fields or other manifestations of human error as part of the analysis of any data set. What is more, data insights tend to be more powerful when coupled across multiple data sets. From our own experience, the performance of a particular set of compliance analytics (in this case, travel and entertainment)was radically improved by combining human resources data inputs with the feed from the system in question. Previously, it had been possible to identify outlier transactions (e.g., which employees spent the most on lunch in a given country) but that was of limited use without the capability to readily classify employees into buckets. To do that seamlessly, it required connecting travel and entertainment data with an organisational schematic. This allows analytics to say which sales manager in a given province is an outlier in terms of a certain type of expense. The combination of data sets significantly improved our models.
However, to yield these insights, it is critically important to reliably combine data sets. Doing so requires a common pivot point between two separate data sets that allows for the combination of the source information. Importantly, failures of data stewardship (like those discussed in the previous subsection) become amplified when merging data sets because it can be difficult to unwind and find the root cause of ‘bad’ or mislabelled data combined into a new set. The key to ensuring that data is appropriately combined is building in a process to reconcile and audit combined data sets against the original sets to ensure the data is transferred and combined in a high-quality manner. This process is critical (and often more complex) when the same types of data are combined from two systems. For example, global brewer Anheuser-Busch InBev has combined more than 30 enterprise resource planning systems into the foundational levels of its data analytics platform: each system has its own customisations and is owned and operated by different subsidiaries and business units. This results in a level of variation across data – even when it is structured. Many data analytics projects become frustrated by poor reconciliation. The more complex the project, the more careful one needs to be to ensure that each step is reconciled against an accurate baseline model. To do otherwise is like trying to add sugar to a cake that has already been baked.
Returning to our hypothetical company, Juan and Miguel elected to compile aggregate data from two accounting systems in high-risk countries for their business. They also have identified an application that is a case management solution, which allows them to run compliance workflows in a single database. Further, they have designated partners in their financial controls and IT groups to assist in reconciling and validating their source accounting data. And they have linked the data from their accounting systems to their compliance systems, so they have the ability to assess those data sets in tandem. They now have the framework for a database that is ready to apply to key business questions in the form of algorithms, but several questions still exist. What are the key business risks that should be addressed? What tests should be applied? Do they have the correct data to execute those tests? How do they align the data to answer the business risk question? What would an ideal report look like? Who has the skills to assist in developing these tests?
A common starting point in the analytics journey is the rule-based test, with which most people are familiar – perhaps without realising. For example, if you have ever organised your email inbox to pinpoint all messages from your boss (perhaps to confirm that you did not miss an assignment) or run a search for a key word in your mail (perhaps to confirm you sent your spouse a birthday note) then you have run a rule-based test. In compliance, rules often start with a greater degree of complexity, particularly if the underlying data set is filled with accounting data. For example, rather than taking a random sample of all transactions as part of a compliance review, it is arguably more sensible to look for transactions that hit certain rules that are indicative of problematic behaviour – round number payments (Rule 1) made offshore (Rule 2) on an expedited basis (Rule 3). The application of these rules can potentially yield insights into data or otherwise expedite other investigations. When investigating based on suspicions about certain patterns of behaviour in the market (e.g., a supplier reported in the news to be funnelling bribes through an offshore subsidiary), rule-based tests can be particularly useful in identifying aberrant behaviour. In other words, by relying on the compliance officer’s professional judgement as to what is important or risky about a data set, rule-based testing is a useful way to parse and sort data to find high-risk transactions, employees, vendors or customers.
In our hypothetical company, Juan and Carlos adopt this approach and develop a series of rules that, for example, look at structured data such as round dollar payments, where the payment date is within five days of the payment request date (i.e., urgent payment) combined with unstructured data rules containing certain high-risk keywords such as ‘expedite’, ‘facilitation pay’ or ‘special payment’. Carlos develops rules to identify trends within the compliance investigation database that contains the case files for all internal investigations opened by compliance (including all whistle-blowing data). Juan applies a series of rules based on prior investigations that occurred at the company to the accounting data that they have aggregated. They compare notes and insights.
Carlos promptly sees that rule-based testing shows that almost all his whistle-blowing activity is coming from four countries. He also sees that Country X has three times the number of reports around faulty accounting controls and Country Y has three times the number of reported thefts as the next highest country on those issues, respectively. Carlos rethinks his training and communications plan to focus on increasing awareness of compliance in countries that under-index for whistle-blowing and collaborates with internal auditing to overhaul the accounting and security controls in response to the data.
Many companies are looking at digital transformation and technology initiatives to reduce costs and seek competitive advantages. The continued buzz around AI, particularly the subset focused on machine learning, is therefore an important element to understand and apply when seeking to enhance your compliance monitoring functions. Specifically, the advent of unsupervised machine learning in compliance is particularly relevant given the conspicuous and hidden nature of fraud and corruptions schemes. But first, it is important to understand the differences between supervised and unsupervised learning.
In supervised learning, an individual trains a machine using data that is tagged. This means that some records (e.g., transactions) are tagged with the correct answer– such as ‘relevant’, ‘potential bribe’ or ‘potential fake invoice’. The data can be compared to learning with the supervision of a person who can fine tune and revise the model to find more statistically similar transactions. Unsupervised learning does not need a human to supervise, or train, the model by feeding it known outcomes. Instead, the machine seeks to teach itself to improve the predictive model and work on its own to discover patterns and information that are statistically relevant. Model outputs include the key variables or transactions driving certain outcomes, such as what are the outlier or unusual transactions, which patterns and trends look suspicious and who are the most anomalous vendors or customers, and why. As a result, unsupervised learning algorithms enable more complex processing tasks, across more disparate data sets, as compared to supervised learning.
In a compliance context, we can apply these concepts to our case example with Triverno. Juan and his compliance team collaborated with their analytics and data science team to use supervised machine learning to help reduce fake customer schemes by simply profiling the key attributes of known fake customers obtained from previous investigations. When certain attributes were present, such as cash-only customers, lack of in-store product displays, discrepancies in the actual versus recommended product purchases and high numbers of customer returns — among several other variables — the model predicted fake customers with a 96 per cent confidence rate. The company, when it applied the model across its portfolio of customer transactions, identified many fake customers, plus the small group of employees who were creating them to meet bonus targets and divert marketing funds, ultimately saving the company more than US$10 million.
In an unsupervised machine learning context, Juan and the compliance team took it one step further and enriched the sales data with external sources, such as regional retail product sales, customer profitability data, pricing information, product discounts and promotional spending. The result provided Juan and his team with statistical outliers and risk scores that brought profitability metrics in line with certain risks that included abusive discounts, antitrust, jurisdictional laws, theft of inventory and overall customer risk. The resulting information can be compiled to assess a cluster of customers from both risk and commercial perspectives. In fact, the data unlocks the ability for the compliance officer (or salesperson) to do both at the same time, and we would argue that such insights can be instructive in how to prioritise workflows, spot outliers that are simultaneously risky and unprofitable and therefore streamline conversations with the business, and prioritise compliance resources along riskier but profitable centres.
Customer profitability high
Customer profitability low
Customer risk low
Customer risk high
While the customer categories can be changed based on each business case, the general idea is that unsupervised learning can be used to assist in objectively risk scoring customers across multiple profitability and risk indicator metrics. Specific compliance and business actions could be customised. For example, high-profit customers that demonstrate high-risk features (e.g., returns, conflicts of interest and fluctuating sales) could be categorised as vulnerable, and certain sales training, customer incentives or risk mitigating factors could be implemented for that customer. Other customers that are both high-risk and low-profit could be considered a lower priority - with marketing dollars held back (or diverted to star or vulnerable customers), for example.
The compliance vision of the future is one in which compliance professionals have ultimate visibility into the core business activities of the organisation with preventive and detection controls designed to keep the business and employees out of trouble, while also improving business performance. Data science and the operationalisation of key business risk metrics through analytics technologies that are now available are changing how compliance departments are run. No longer is compliance just a legal, policy and internal investigations function of the business. Rather, it is part of an integrated team of legal professionals, information technology professionals, data science and accounting professionals working together to drive business integrity, business transparency and profitable growth using leading analytics techniques that drive, or at least influence, better, more responsible employee decision-making and integrity.
Some industries and groups have developed data-sharing consortiums, in which companies contribute certain data to an aggregated database that all member organisations can access. We feel this is a key trend among global companies that will significantly expand in the next decade, particularly as the use of blockchain technologies, data cleansing, and data privacy and anonymisation become more mainstream. Data-sharing consortiums can help member organisations benefit from the collective data of the group to identify recurrent trends and high-risk third parties, and protect themselves from known schemes in their group or industry. In a 2019 Anti-Fraud Technology Benchmarking Report sponsored by the Association of Certified Fraud Examiners and SAS, it is stated that 29 per cent of companies surveyed currently contribute to an anti-fraud or compliance consortium and another 21 per cent currently do not contribute but would be willing to contribute in the future. Clearly, in this digital age, there is a demand for compliance professionals to embrace technology and develop insights that are shared both within their organisations and perhaps among industry peers as well.
 By Matt Galvin is global vice president for ethics and compliance at Anheuser-Busch InBev and Vincent M Walden is a managing director at Alvarez & Marsal LLP.
 Patzakis, John; Carpenter, Craig, ‘USDOJ expects companies to proactively employ data analytics to detect fraud’, X1 < https://www.x1.com/2019/09/25/usdoj-expects-companies-to-proactively-employ-data-analytics-to-detect-fraud/>.
 Per ‘Report to the Nations: 2018, Global Study on Occupational Fraud and Abuse’, Association of Certified Fraud Examiners.
 See https://www.statista.com/statistics/330695/number-of-smartphone-users-worldwide/ (3.5 billion people have access to smartphones in 2020). See also https://www.worldometers.info/world-population/ for the current world population (c. 7.77 million people, 45 per cent of whom have a smartphone). Of note, 4.78 billion people have mobile phones..
 ‘What Fortune 500 Companies Really Need to Know About AI’, Forbes (29 June 2018) < https://www.forbes.com/sites/shamahyder/2018/06/29/fortune-500-ai/#7862c48211f6>.