Why Fresh Perspectives on Tech Solutions are Key to Evolving Data-Driven Compliance Monitoring

This is an Insight article, written by a selected partner as part of Latin Lawyer's co-published content. Read more on Insight

Technology is here to stay. With business and information flowing at a rapid pace, decision-makers must merge their knowledge and experiences with data-driven insights to navigate the vast amount of information within an organisation. Legal and compliance functions are no exception: a data-driven approach is essential to create effective compliance programmes. This is especially relevant as companies face increasing regulatory scrutiny and pressure to comply with a growing list of laws and regulations, making compliance programmes an essential component of modern business operations.

One of the key challenges facing compliance programmes is the sheer volume of data that must be collected, analysed and reported on a regular basis. Traditionally, this has been a time-consuming and labour-intensive process, requiring significant resources and personnel to manage. However, with the rise of new technologies and digital tools, companies are increasingly able to streamline and automate many aspects of their compliance programmes, making them more effective.

Anheuser-Busch InBev (AB InBev) is the world’s largest brewing company and has a history of over 600 years of beer brewing. The company operates in more than 50 countries and is known for its diverse portfolio of brands, including Budweiser, Corona, Modelo and Stella Artois. As the company continues to expand, the need for effective compliance management has become increasingly important. AB InBev has embraced the use of data-driven compliance monitoring to ensure that the company operates within the legal and ethical framework of each country in which it operates.

Technology is undoubtedly important in the task of staying one step ahead in terms of compliance processes and, at the same time, helps to position the company as a benchmark for regulators in the different countries where it operates. The added value is such that some practices are ahead of what governments are trying to do regarding corruption and money laundering issues. AB InBev is an example of what can be done to help the business be more efficient in controlling expenses and reviewing employees’ (and even vendors and suppliers) conduct.

Despite our practices and platforms, such as the many features of BrewRIGHT,[2] the biggest surprise is always how the compliance group makes proper use of something that perhaps should not be part of the day-to-day of lawyers and investigators. In fact, the great step that has been taken with BrewRIGHT’s integration into the compliance programme, is that the compliance group is now not only for lawyers, but also technologists (including data privacy experts), auditors, and business administrators. We are privileged to be able to be part of this paradigm change.

This chapter will explore the role of data-driven compliance monitoring in AB InBev’s business operations and the impact it has on the company’s overall reputation and success.

Data-driven compliance monitoring

A definition for data-driven compliance monitoring is as follows: the use of data and technology to monitor and manage the compliance activities of a company. It involves the collection, analysis, and reporting of data to identify and mitigate compliance risks. Compliance analytics can be used in a variety of areas, including but not limited to, anti-bribery and corruption, anti-money laundering, data privacy, and environmental regulations.

Less than 10 years ago, the compliance programmes, both in Latin America and the rest of the world, were ‘paper based’ programmes focused on ensuring regulatory compliance, training and investigations. This approach, although not mistaken, was limited in scope, since due to its reactive nature, it didn’t provide Compliance professionals with the opportunity to predict and subsequently advise the business on the correct course of action. Furthermore, leveraging data to drive insights made it impossible for the compliance function to be perceived as a strategic ally to the business, to reduce overhead costs, collaborate creatively, avoid unnecessary and additional costs to the company.

In the earlier days of compliance programmes, the last point would have been hard to believe, given the former viewpoint of compliance as a ‘cost centre’ department, which usually needs resources to perform its activities and solve issues that have already happened. These days, with the new data-driven approach that compliance monitoring programmes provide, that scenario is far from reality. Within AB InBev, the ethics and compliance team is launching a Quarterly Ethics & Compliance Assurance report (QECAR) as a product of the BrewRIGHT platform to monitor and assess the effectiveness of compliance programmes across areas of ethics and compliance in countries where it maintains operations. The outcome from the QECAR will be to compare areas of ethics and compliance between geographies to learn and understand areas for improvement and areas of strength. This will also yield cross-learning between geographies and transparency across the board.

This entirely data-driven information can, for instance, make a difference on the final decision between two countries that were being considered as possible choices to conduct a pilot project of a new app that requires users to provide large amounts of personal information. If Country 1 has consistently showed poor results in attendance at training courses regarding the company’s data protection policy on all QECAR of the last year, then it’s clear that the more suitable option to conduct the pilot will be Country 2. In addition, in the future, this will yield cross-pollinated information within ethics and compliance to provide a holistic view. For example, if there was a harassment case on an employee, and when reviewing the case within the BrewRIGHT investigation dashboard, additional information on the employee is shown within the investigation dashboard. The additional information is focused on the types of training taken by the employee, any compliance disclosures present for the employee, total number of travel expenses associated to the employee, etc. Leveraging data by cross-pollinate information on different topics will enable optimise decision-making.

Integrating technology

Compliance conferences witness a veritable bazaar of solutions aimed at simplifying generally accepted compliance workflows with greater or lesser benefit to companies themselves. Although not intended to be exhaustive, the following are some opportunities that compliance professionals can evaluate for possible use in integrating technology into their compliance programmes.

Third-party due diligence

One of the most significant benefits of technology for compliance programmes is the ability to conduct more thorough due diligence on third-party vendors and suppliers. In recent years, many countries in Europe have enacted legislation aimed at improving supply chain transparency and reducing the risk of corruption and other unethical practices by extending companies monitoring obligations to all members of their supply chain. For instance, the 2023 Supply Chain Due Diligence Act in Germany requires that large companies (with over 3,000 employees) perform and conduct detailed due diligences on their third-party vendors and contractors to ensure that they comply with social and environmental standards and are not engaging in unethical or illegal behaviour, such as human rights violations.[3] This increases the responsibility on German companies on not only monitoring their own activities, but also the activities of their direct suppliers worldwide and to report any violation found.

While regulations such as this are well-intentioned, they also pose significant challenges for companies that must comply with them. Conducting due diligence on multiple suppliers across various locations and industries can be a daunting and time-consuming task. Fortunately, technology can provide a solution to these challenges. For example, at AB InBev we have developed a machine learning algorithm leveraging a combination of categorical and continuous variables (e.g., GL Accounts, Cost Center, Vendor services, Invoice descriptions), to prioritise vendors through risk score for potential touch point vendors (TPV). This data-driven monitoring creates a well-rounded risk-based due diligence process for further validation or review, versus others that pose a significant less risk due to the nature of their operations This action facilitates the general volume of work and the subsequent monitoring of vendors over time, focusing on those with a greater risk profile.

Risk management

In addition to enhancing due diligence processes, technology can also help companies to develop more effective compliance programmes. In 2022, there was a significant increase in enforcement actions by regulatory agencies in both the US and Europe, and this trend is expected to continue in 2023. Companies that can demonstrate strong compliance programmes and effective risk management have a significant advantage in faring better in these investigations. Data-driven compliance programmes, powered by advanced analytics, artificial intelligence (AI) engines and natural language processing (NLP) can be used to automate compliance-related tasks, such as reviewing and analysing legal documents, while also providing companies with insights that enable them to identify and address potential compliance issues before they become major problems, along with providing recommendations for improvement.

An example of ways in which technology can assist with testing and proving the effectiveness of a company’s current risk management state is the use of a Quarterly Ethics & Compliance Assurance Reports (QECAR) system.

This soon to be reporting capability, through its standardised format, enables AB InBev companies to measure the progress on the implementation of their ethics and compliance programmes. The QECAR system provides a framework for collecting and reporting data on key compliance metrics, such as training completion rates, compliance disclosures, proactive monitoring, investigation metrics (e.g., substantiation rates) and hotline usage. The data is collected on a frequent basis, aggregated over time and through key performance indicator (KPI) tracks and measures the threshold on acceptance. This enables AB InBev companies to identify trends, areas of strengths, and improvements. Also, by using a standardised reporting system, AB InBev companies can benchmark their performance against other geographies to demonstrate to stakeholders that they are committed to promoting a culture of ethical behaviour and proactively manage its compliance risks.

Automation and process optimisation

Compliance inevitably involves a high degree of process. For example, with a compliance training programme, it’s not always easy for an organisation to certify which executives have been trained, which whistleblower reports have been investigated and which vendors have been vetted without tracking and monitoring. Compliance programmes often employ professionals who spend inordinate amounts of time tracking spreadsheets and following up with emails to ensure completion. Approaching this solution tends to be labor-intensive and does not capitalise on the insights that the data generated from such processes offer. In terms of reducing workflow, there is a growing number of platforms that provide basic functionality for following up on tasks to be automated. These platforms not only remove a lot of repetitive email and spreadsheet updating but can generate a lot of insight into risk. Ask yourself whether it is more helpful to send 100 emails asking someone to attend a training event or to identify (and perhaps publicise) which vice presidents lead teams that are consistently ahead of or behind compliance training? Would it not give better insight to establish whether a certain business unit has requested diligence on a meaningfully higher (or lower) number of high-risk vendors? In AB InBev, this year we are removing the mundane workflow in compliance training programme and allowing the compliance team to focus on analyses of trends and patterns that drive meaningful decision-making through digitisation and reporting.

Another example relates to outgoing payments and sanctions. In recent months, there have been various sanctions policies in place in many different countries where AB InBev operates and have different ERP (SAP/SYSPRO) systems in place. Within the BrewRIGHT platform, a new methodology was created called ‘alert-based monitoring’. Alert-based monitoring triggers an alert when an event has occurred and, in this case, the event is when an invoice was generated to a payable vendor in Russia or Belarus. The process will alert certain audiences in the company through email, to scrutinise and if need be, stop the invoice from being processed. This methodology (framework) can be leveraged to help compliance officers create alerts based on potential risks to manage and be notified when alerts are triggered.

Content delivery

According to the research site Statista, the number of smartphone subscriptions worldwide in 2023 surpasses 6 billion people. That number is forecast to further grow by several hundred million in the next few years.[4] This increase in connectivity offers new ways for compliance officers to interact with their workforce. The key to managing this change is to ensure that the content generated by a compliance team is fit for mobile, in a timely and relevant fashion. We are not saying that compliance will ever truly compete with a trending YouTube or Tik Tok video, celebrity exploits or the highlights of a top-level sporting event. However, the competition for attention on a smart screen means that compliance officers need to give more thought to how their information is being consumed. Does it make sense for a company policy to be converted to PDF and placed on a mobile-accessible website for employees to comb through the minuscule type? Or should the delivery of these types of documents be tailored and formatted to mobile, where questions can be asked, and relevant answers provided in an easy-to-use, easy-to-read interface?

For instance, companies like global brewer Anheuser-Busch InBev (AB InBev) have invested in chatbots, not just as customer service tools, but also as compliance ‘allies’ to identify what topics people are searching the most. These chatbots, that can be accessed through computers or smartphones alike, do not only provide insights on what are the topics most searched, to better tailor future trainings, but are also used to provide accessible, anonymous and fast delivered answers to common questions, such as how to access the compliance hotline, without human interference.

For tools such as chatbots and similar platforms, it can be greatly beneficial to rely on the insights provided by Net Promoter Score (NPS) results from user interaction with such platforms. These metrics will generate an understanding of topics such as user rates and satisfaction levels with the platform, that can be crucial to determine in what direction the platform will need to focus on the future to remain relevant and continue to add value to the organisation.

Managing data

A 2022 survey performed by KPMG showed that despite the challenging years that have taken place after the pandemic, US CEOs consider advancing digitisation and connectivity across their businesses as the top operational priority for achieving growth as immediately as the next three years. Furthermore, 74 per cent of them believe they need to act more quickly when shifting investment to digital opportunities and divesting in areas that face digital obsolescence.[5] Even if compliance officers were not traditionally leading this charge, it does not mean that the transformation being undertaken by organisations is generating data sets that can provide operational insights that are invaluable to compliance.

For instance, one of the functionalities of AB InBev’s Digital Risk Management platform ‘Lighthouse’ is to determine the appropriate data management procedures that need to be followed for data collected by the different assets of several business units across the globe. This platform provides several relevant insights, such as a breakdown of digital or data risks identified on a particular asset, intrusion management and potential biases in artificial intelligence (AI), to name a few. These insights prove valuable when later executed and analysed by the digital ethics teams across AB InBev, to better assist the business on a better course of action.

Structured data versus unstructured data

A key question for any data strategy is whether the work product generated by compliance will lend itself to useful data analysis. Implicit in this decision point is whether the company should invest the time and resources necessary to organise data in a structured way.

For those unfamiliar with these terms, unstructured data is data that is not organised in a predefined model. Text in an email, presentation or document is often considered unstructured in nature. In contrast, structured data is data arranged either at creation or shortly thereafter organised into defined buckets and categories. Numbers organised in a spreadsheet or database, with rows and columns, are typically looked at as structured data. Attorneys tend to operate within an unstructured data milieu and prefer to create precise written narratives as part of their work-product that are inherently unstructured. Imagine a narrative compliance entry in a diligence file: ‘The vendor is being paid $26,501 to advise on customs clearances in Mozambique.’ Structured data inputs tend to require selection of predetermined fields, such as a series of dropdowns or multiple-choice answers. The same information, therefore, could be reduced to four fields to the effect of (1) vendor [being paid] (2) < $30,000> for (3) services with a subcategory of (4) customs. Currently, structured data fields lend themselves to analysis far better – particularly if there is good hygiene around the data – meaning that controls are in place to ensure consistency of input. Unstructured data inputs can express information in a myriad of ways, which can make it difficult to organise them and make meaningful decisions.

Once data is structured, organisations must guarantee that the information also complies with the following requirements:

  • Standardisation: meaning there should be consistency in all fields of data input to facilitate analysis and drive consistency and objectivity in the monitoring process.
  • Harmonisation and reconciliation: to achieve this, from our own experience, the performance of a particular set of compliance analytics can be radically improved by combining human resources data inputs with the feed from the system in question.
  • Accuracy: data accuracy is critical, given that its inaccuracy could lead to flawed conclusions and decisions. Compliance professionals need to take steps to ensure the security and privacy of the data they collect, as well as comply with applicable data protection regulations, such as keeping the data in a secure auditable manner and implement robust data governance policies and procedures in place to prevent tampering or other forms of data manipulation.

Blockchain

Blockchain technology has the potential to revolutionise compliance processes by providing a secure, transparent, and tamper-proof platform for recording and verifying transactions. The decentralised nature of blockchain makes it difficult for people or entities to manipulate or alter the data, providing greater transparency and accountability. This advantage can be used to create an immutable and auditable record of all transactions, making it easier to monitor and enforce regulatory compliance.

It is precisely these transparency and traceability features that lead AB-InBev, in 2020, to launch a project in Europe that used blockchain technology to give consumers clear and direct information regarding each part of the brewing process from barley farmer to brewer. The end-to-end initiative meant that consumers were able to scan a QR code that was displayed on the packages that in turn showed information regarding the farm where such barley was grown. This innovation provided a secure method of ensuring the quality of ingredients and compliance with stipulated processes and standards, and at the same time, enhance consumer’s trust on the products and utilising data to improve the farmer’s use of natural resources.

It is also worth mentioning that one of the key advantages of blockchain is its potential to automate and streamline many compliance processes. For instance, smart contracts, which are self-executing programmes that run on a blockchain, can be programmed to enforce compliance rules automatically. This could be used, for example, to ensure that a supplier complies with a specific set of environmental or labour standards. If the supplier fails to meet the standards, the smart contract could automatically impose penalties or terminate the contract. This automation helps organisations to reduce the risk of human error and increase efficiency while maintaining a high level of transparency and accountability.

The advent of unsupervised learning

Many companies are looking at digital transformation and technology initiatives to reduce costs and seek competitive advantages. The continued buzz around AI, particularly the subset focused on machine learning (ML), is therefore an important element to understand and apply when seeking to enhance your compliance monitoring functions. Specifically, the advent of unsupervised machine learning in compliance is particularly relevant given the conspicuous and hidden nature of fraud and corruption schemes. But first, it is important to understand the differences between supervised and unsupervised learning.

In supervised learning, an individual trains a machine using data that is tagged. This means that some records (e.g., transactions) are tagged with the correct answer, such as ‘relevant’, ‘potential bribe’ or ‘potential fake invoice’. The data can be compared to learning with the supervision of a person who can fine tune and revise the model to find more statistically similar transactions. Unsupervised learning does not need a human to supervise, or train, the model by feeding it known outcomes. Instead, the machine seeks to teach itself to improve the predictive model and work on its own to discover patterns and information that are statistically relevant. Model outputs include the key variables or transactions driving certain outcomes, such as what are the outlier or unusual transactions, which patterns and trends look suspicious and who are the most anomalous vendors or customers, and why. As a result, unsupervised learning algorithms enable more complex processing tasks, across more disparate data sets, as compared to supervised learning.

Both supervised and unsupervised learning are helpful tools for compliance investigations and risk management processes for organisations. In AB InBev’s case, the BrewRIGHT platform we leverage both supervised and unsupervised learning to be able to track unusual patterns or trends on invoices and payments, touchpoint vendors and travel expenses, among others. For instance, in the case of travel and expenses, certain transactions can be tagged to determine if such expenses are outside the policy, if they are in violation of legality or cost sensitive (unnecessary expenses). Through continuous tagging and training, the platform searches for similar scenarios that will be considered as potential irregularities. Unsupervised learning is also used on BrewRIGHT, especially for transactions, such as payments, where there are multiple different data sets in areas like commercial and compliance, that need to be analysed to reach a conclusion. For instance, to measure the risk level of certain payments, unsupervised learning can be helpful to assist in scoring transaction across multiple metrics, such as higher value transaction than usual for that specific vendor or type of service provided, and to compare it with compliance categories, such as if the vendor is a TPV, to get a more accurate risk score.

It is up to each organisation to determine which technique is better suited for different scenarios, however, in our experience, the human factor still brings a real benefit in making sure the models and systems in place to collect data are not flawed and will be conducive to accurate and relevant information being collected. Relying on our own experience with AB InBev’s compliance platform ‘BrewRIGHT’, it is highly recommended that compliance professionals are involved in the implementation of improvements and updates for the AI tools. Despite its elevated potential to learn and analyse different scenarios, often, there are specific country or event period nuances that will require a human to provide feedback for the tool to decrease their error margin, especially at its earlier stages.

Compliance vision of the future

It is undeniable that, despite the challenges that could present turning a former ‘paper based’ compliance programme into a digital one, the benefits significantly pay off. By leveraging advanced technologies and digital tools, companies can streamline their compliance efforts, reduce costs and improve the overall effectiveness of their programmes, a major competitive advantage in an era of ever-increasing regulatory scrutiny.

Companies, like AB InBev believe that the future of compliance resides in leveraging data-driven compliance monitoring to manage its compliance risks and to ensure that it operates within the legal and ethical framework of each country in which it operates. The use of data-driven compliance monitoring has allowed the company to improve its compliance management, enhance data privacy and make more informed decisions about its compliance efforts. As the company continues to be more organic, data-driven compliance monitoring will play an increasingly important role in ensuring the company’s reputation and success.


Footnotes

[1] Gabriela Paredes is the compliance manager responsible for Ecuador, Dheeraj Thimmaiah is the global head of compliance analytics, Jaime Muñoz is the global director of ethics and compliance for Latin America and John Sardar is the global head of compliance at Anheuser-Busch InBev.

[2] ‘BrewRIGHT’ is a compliance analytics platform developed by Anheuser-Busch InBev. BrewRIGHT is designed to enhance compliance management and proactively monitor for potential risks. With its analytics capabilities, BrewRIGHT allows users to visualise data trends, prioritise potential risks, generate reports, and gain a holistic view of compliance programme elements across different locations. By leveraging machine learning algorithms and data driven insights, the platform aims to enhance efficiency, minimise risks, and maintain high-quality standards for the company. Overall, BrewRIGHT serves as a comprehensive compliance management platform that enables global and regional (zones) compliance teams to maintain consistency, proactively identify and prioritise potential risks and manage limited elements of the compliance programe effectively.

[3] Business & Human Rights Resource Centre, ‘German mandatory human rights due diligence law enters into force’, 27 January 2023, https://www.business-humanrights.org/en/latest-news/german-due-diligence-law.

[4] Taylor, Petroc, ‘Number of smartphone mobile network subscriptions worldwide from 2016 to 2022, with forecasts from 2023 to 2028’, 30 March 2023, https://www.statista.com/statistics/330695/number-of-smartphone-users-worldwide.

[5] KPMG International, ‘KPMG 2022 CEO Outlook’, October 2022, https://assets.kpmg.com/content/dam/kpmg/xx/pdf/2022/10/ceo-outlook-report.pdf.

Unlock unlimited access to all Latin Lawyer content