This is an Insight article, written by a selected partner as part of Latin Lawyer's co-published content.
In today’s organisations, analytics are everywhere. Boards are increasingly becoming sceptical of managers that rely exclusively upon gut feelings and instincts to manage the risk of the global marketplace. Business, and its respective information flows, simply moves at too fast a pace. Today’s decision-makers combine their talents, instincts and experiences with data-driven facts and models to better synthesise the vast amount of data flowing in and around an organisation. Relying on one’s mere opinion has become a cardinal sin. The legal and compliance functions are no exception. Effective compliance programmes require a data-driven approach. Legal and compliance professionals must embrace technology to remain relevant to their stakeholders, as depicted in the following hypothetical story.
Juan is head of investigations at Triverno Global, a medium-sized, global manufacturing company based in Mexico City. (All names and company references in this example are fictional.) The company has recently launched an enterprise-wide digital transformation and technology initiative to reduce costs and seek competitive advantages.
The question on Juan’s mind is to what extent the compliance and investigations function will be part of this corporate initiative. Naturally, Juan is not surprised when Miguel, the company’s general counsel and global chief compliance officer, asks him to explore how his team could embrace technology to improve the organisation’s integrity culture. Juan has just read the June 2020 US Department of Justice Compliance Guidance that raised the question of whether compliance personnel have sufficient ‘access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls and transactions?’ He also recalls a speech by the former US Deputy Attorney General Matthew Miner stating that he ‘believes the same data can tell companies where to look for potential misconduct’ as well as more recent remarks by US Deputy Attorney General Lisa Monaco about the potential relationship of ethics and compliance challenges that previously were perceived to be unrelated. Ultimately, the federal government wants ‘companies to invest in robust and effective compliance programs in advance of misconduct, as well as in a prompt remedial response to any misconduct that is discovered’.
But Juan needs more guidance. What is the required starting point for a company to apply analytics to compliance? Could a literal ‘paper’ programme of policies and procedures not support an environment in which analytics could prosper? And given all the technology buzz around data-driven risk monitoring and improved compliance technologies, such as artificial intelligence (AI), machine learning, robotics process automation and advanced data analytics, where does Juan start?
Data science is changing how compliance is run
Until recently, ethics and compliance programmes in Latin America, as around the world, have focused on the legal aspects of policy, regulatory requirements, employee training and investigating (even policing) activities. A compliance officer might also collaborate with the control and procurement functions to introduce financial and other diligence controls, but adherence to these types of processes was either left to other functions to enforce, or was subject to periodic audits, which are inherently limited in scope and often expensive, cumbersome, and disruptive to administer.
Although undoubtedly important to a business, customary activities of this nature are often indicators of trouble either well after the fact, or, worse, when a crisis is currently at hand. Moreover, they typically lack data-driven insights that enable proactive decision-making, risk mitigation and improved company performance. Chief investigators and legal and compliance professionals we have spoken with often feel overwhelmed by always having to react to situations, challenged by collaborating with other functions rather than having the tools to respond quickly to ethics and compliance events, and frustrated with their lack of ability to proactively pre-empt situations.
The analysis of business transactions – such as payments to vendors, sales transactions with customers or distributors, reimbursements of employee expenses, or patterns of communication and information – to measure compliance effectiveness proactively was typically delegated to the internal audit or finance department. As a result, traditional compliance deliverables tended to be reactive and disciplinary in nature. They also tended to be interesting only to a limited number of risk-oriented professionals within an organisation. ‘Compliance fatigue’ has become a popular buzz phrase in recent years as the surfeit of manuals, rules, policies, and procedures can be seen by employees, and sometimes management, as business inhibitors stunting growth. This no longer needs to be the case.
Integrating data science and analytics resources into traditional compliance functions gives risk professionals a tremendous opportunity to drive better business transparency, which in turn drives better business performance. Taking a metrics-driven, coaching approach (rather than an authoritative, investigative, legal approach) to driving business integrity is helping compliance professionals to:
- conduct more fact-based risk assessments, spotting high-risk geographies or business units based on, for example, the transaction-level payments to third parties that are summarised in a geospatial heat map (i.e., a colour-coded map on which red indicates high-risk countries, yellow medium-risk and green low-risk);
- evaluate awareness and effectiveness of a company’s whistle-blowing mechanisms and evaluate correlations between ethical challenges and broader cultural issues;
- spot risks, anomalies and process gaps significantly faster, almost halving the time and cost;
- leverage the insights from the analytics to test the effectiveness of existing policies and revise or update the ones that need to be adapted to a changing environment;
- conduct timely, relevant employee training that is interactive and continuously adapted to changing risk landscapes;
- reduce investigations costs by having data centrally organised and available;
- enable compliance staff to present risks in a timely, consistent, accurate and data-driven manner;
- facilitate easier collaboration across functions to address core risk management challenges; and
- improve business performance and increase profitability.
The last point above might seem counter-intuitive, as the compliance function has traditionally been viewed as a cost centre, not a profit centre. This does not have to be the case. Take, for example, our hypothetical situation involving Triverno Global. With transparency into vendor risk profiles and payment activities across the various markets in which Triverno Global conducts business, Juan and Miguel can advise the chief financial officer (CFO) and chief executive officer (CEO), from a risk perspective, about the cities in which to invest in a new manufacturing facility.
For example, City A might have lower labour costs and cheaper raw materials (data provided by the finance department). Nevertheless, the corruption risk and previous investigative matters in City A may make it less attractive relative to a slightly more expensive city with significantly lower risks of bribery and corruption. Juan and Miguel may also quickly identify a pattern of high-risk vendor activity in City A, such as a prevalence of consultants and advisers with thin diligence files who receive significant balloon payments or success fees at year’s end. The margins that the company previously enjoyed in City A may dissipate over time as the intermediaries that made such margins possible increase their expectations and demands, knowing that the company cannot easily cut ties either with the operation or with its dependency on the environment that made it possible.
The reverse is also possible. Perhaps the CEO and CFO are considering the new Latin American cities in which to expand their sales force. Based on relevant compliance monitoring information, such as customer profiles and sales transactions, Juan and Miguel might recommend certain contractual limitations, such as spending caps or time frame restrictions. They also might propose conducting less extensive (and expensive) background checks, such as skipping a required site visit or moving from 10 reference checks to three, to allow faster customer acceptance and growth in cities with historically low risks. Juan and Miguel may also gain insights into optimal discounting structures in the region, and even identify patterns suggesting that some sales incentive programmes have been diverted inappropriately and aligned with neutral revenue returns; this might suggest that marketing or discount dollars be spent with more high-return customers or regions. Investments tend to have a broader business impact in this environment because they are made to a larger stakeholder base, which simultaneously gives their value more longevity while also being less dependent on any single stakeholder. In those cases, the sales team can become a valuable partner with the compliance team in ensuring that company resources are deployed in an efficient, transparent way, thereby reducing compliance risk while increasing returns.
Manual processes, such as phone call references or physical inspections, and contractual restrictions also could be reduced, with a heavier focus placed on transaction monitoring during the life of the business relationship rather than a one-time, heavy due diligence investment at the time of onboarding. This approach allows the sales team to move quickly while simultaneously allowing the compliance team to monitor for any changes to the current risk landscape. The sales team would look to the compliance team as a partner and not an enforcement officer, further helping to ensure the company’s business integrity functions and adherence to the code of conduct.
Learning to walk before you fly
We often hear the complaint that a company cannot implement analytics in a compliance department because so much of its compliance programme is paper based. There is no dictionary definition of ‘paper based’, but we find that it often refers to organisations with compliance programmes somewhere between an Excel spreadsheet for tracking investigations and initiatives and a print machine for producing endless copies of policies that invariably just sit on shelves. We often look at this kind of challenge as a huge opportunity for compliance professionals to add value to their business. Compliance conferences witness a veritable bazaar of solutions aimed at simplifying generally accepted compliance workflows with greater or lesser benefit to companies themselves. Although not intended to be exhaustive, the following are some opportunities that compliance professionals can evaluate for possible use in integrating technology into their compliance programmes.
Automation and process optimisation
Compliance inevitably involves a high degree of process. Nevertheless, it is not always easy for an organisation to certify which executives have been trained, which whistle-blower reports have been investigated and which vendors have been vetted without tracking and monitoring. Compliance programmes often employ professionals who spend inordinate amounts of time tracking spreadsheets and following up with emails to ensure completion. This approach tends to be labour-intensive and does not capitalise on the insights that the data generated from such processes give. In terms of reducing workflow, there is a growing number of platforms that provide basic functionality for following up on automated tasks. These platforms not only remove a lot of repetitive email and spreadsheet updating but can also generate great insight into risk. Ask yourself whether it is more helpful to send 100 emails asking someone to attend a training event or to identify (and perhaps publicise) which vice presidents lead teams that are consistently ahead or behind in compliance training? Would it not give better insight to establish whether a certain business unit has requested diligence on a meaningfully higher (or lower) number of high-risk vendors? If done well, automation can simultaneously remove mundane workflows and allow the compliance team to focus on analyses of trends and patterns that drive meaningful decision-making.
According to the research site Statista, 3.5 billion people, roughly 45 per cent of the world’s population, accessed the internet with a smartphone in 2020. The number is increasing rapidly and is expected to reach 3.8 billion in 2021. This uptick in connectivity offers new ways for compliance officers to interact with their workforce. The key to managing this change is to ensure that the content generated by a compliance team is fit for mobile use in a timely and relevant fashion. We are not saying that compliance will ever truly compete with trending YouTube clips, celebrity exploits or the highlights of a top-level sporting event. However, the competition for attention on smart screens means that compliance officers need to give more thought to how their information is consumed. Does it make sense for a company policy to be converted to PDF and placed on a mobile-accessible website for employees to comb through the minuscule type? Or should the delivery of these types of documents be tailored and formatted to the mobile platform, where questions can be asked, and relevant answers provided in an easy-to-use, easy-to-read interface? At one telecommunications company, for example, the keyword search for ‘what is a conflict of interest’ was anonymously asked more than 5,000 times in a year by employees using the mobile compliance app. This helped the compliance team improve training and communications around conflicts of interest and most likely helped to prevent hundreds, if not thousands, of compliance violations proactively.
A similar point can be made for training. Organisations tend to expend a tremendous amount of effort in requiring their employees to submit to compliance training but give comparatively little thought as to whether the training should be designed to engage people and influence behaviour or exist solely to document that some effort was made to train staff. There are a few providers on the market heading in the right direction, with excellent use of narratives, storytelling, and even chatbots that are making training relevant to the workforce. Rethinking compliance communication strategies can generate opportunities to attract interest in rather than merely promote access to compliance resources. Strategies that provide executives with the knowledge of where to look for guidance when certain situations arise are also potentially more effective at influencing behaviour than forcing executives to sit through extensive training on a situation that may not seem pressing and relevant. We predict that, as training becomes increasingly mobile, programmes that can capture people’s attention, communicate in a memorable way on mobile devices, and invite them to opt in to more information will have significantly more lasting power than traditional training programmes.
Identifying relevant data sets
It is safe to say that virtually all Fortune 500 companies are investing in various forms of AI. In 2017, a Forbes survey of Fortune 500 CEOs found that 81 per cent stated that AI is ‘extremely important’ or ‘very important’ to their companies’ future. Even if compliance officers are not leading this charge, the transformation being undertaken by organisations is generating data sets that can provide operational insights that are invaluable to compliance. Traditional compliance assessments in the context of the US Foreign Corrupt Practices Act tend to focus on the extent to which a business is regulated, the jurisdictions in which it operates and the financial control environment, to name a few. But few tend to look at the information technology operating environment, the quality of data stewardship, the state of systems integration and other hallmarks that will provide insight into how difficult it would be to harness quality data to gain compliance insights of the operation. Organisations that are investing in AI will be doing so to improve the data hygiene of their systems, particularly with respect to how a company pays third parties or tracks sales to customers or distributors.
These improvements can be made in areas where data is generated and curated by any part of a company – but valuable improvements to data governance can start within the compliance department itself. Take, for example, the humble whistle-blowing hotline. Hotlines tend to be critical sources of information for compliance programmes, particularly in Latin America, where use of such outlets tends to be far greater than in other parts of the world. For years, these platforms have operated with outdated technology and a lacklustre appetite for innovation. New players in the space have incorporated insights from behavioural psychology in ways that improve the whistle-blower experience, improving the quality and therefore the actionability of such reports. Such improvements to controls come with minimal marginal additional cost (or even savings) for compliance departments, allow for better prioritisation and management of cases, and offer tremendous insight into an organisation’s risk profile. For example, presenting putative whistle-blowers with the option to share their complaint anonymously after they have already written and are ready to submit their complaint (as opposed to prompting them to make this decision at the outset of the process) dramatically increases the likelihood that the whistle-blower provides their identity. Our experience indicates that whistle-blower complaints filed by a known reporter can nearly double the likelihood of an allegation being substantiated. In other words, a small change to a system can create a force multiplier for a critical part of a compliance programme and enable compliance officers to respond to issues reported on the hotline before they metastasise into full-blown crises.
To be sure, compliance insights do not need to come solely from data borne of the compliance department – in fact, in almost all cases it gives more insight into business risks to gather these insights more broadly. For example, the data sets that a revenue management function would find desirable to review sales margins are the same data sets that would yield insights into graft, fraud, and abuse for compliance. Similarly, data created by a procurement function will house potential insights into third-party risk. Any risk assessment should consider the data ecosystem in which the compliance officer is operating with a view to harvesting what is ripe and identifying the areas in which activities may be less transparent (and therefore riskier), for example because of an immature data infrastructure. Make sure you are asking the right business and compliance risk questions – those that really matter to the business from an integrity perspective – then align your data resources, wherever they may lie within the organisation, to seek answers to those questions.
Structured data versus unstructured data
A key question for any data strategy is whether the work-product generated by compliance will lend itself to useful data analysis. Implicit in this decision point is whether the company should invest the time and resources necessary to organise data in a structured way.
For those unfamiliar with these terms, unstructured data is data that is not organised in a predefined model. Text in an email, presentation or document is often considered unstructured in nature. In contrast, structured data is data arranged and organised, either at creation or shortly thereafter, into defined buckets and categories. Numbers organised in a spreadsheet or database, with rows and columns, are typically considered structured data. Attorneys tend to operate within an unstructured data milieu and prefer to create precise written narratives as part of their work-product that are inherently unstructured. Imagine a narrative compliance entry in a diligence file: ‘The vendor is being paid $26,501 to advise on customs clearances in Mozambique.’ Structured data inputs tend to require selection of predetermined fields, such as a series of dropdowns or multiple-choice answers. The same information, therefore, could be reduced to four fields to the effect of: (1) vendor (being paid) (2) $30,000 for (3) services with a subcategory of (4) customs. Currently, structured data fields lend themselves to analysis far better than unstructured data – particularly if there is good hygiene around the data – meaning that controls are in place to ensure consistency of input. Unstructured data inputs can express information in myriad ways, which can make it difficult to organise the data and make meaningful decisions.
With structured data, the fields tend to remain constant, which facilitates analysis and drives consistency and objectivity in the monitoring process. So, in the four-point example above, the compliance team could identify quickly how many vendors in Mozambique were engaged within a certain period for a defined compensation range. With unstructured data that is less likely to be the case. The nomenclature and organisational philosophy will tend to have a great deal of flux between users. Accordingly, ‘the vendor is being paid $26,501 to advise on customs clearances in Mozambique’ can easily become ‘Moz. Agent paid $26,501.00 for customs advice’, making it difficult for a computer to identify that these two statements mean the same thing. And that is without typographical errors, currency variations or different languages being added to the mix. Thus, with current technology, there are benefits to requiring and ensuring that data generated from any process is standardised.
Deploying a structured data strategy
A structured data strategy is not without challenges in and of itself. It requires planning, training and organisational discipline to identify what is desirable as the information to be entered and requires operational teams to input that information in a structured way. But it is possible. As technology progresses, one can hope that it will become possible for natural language processing and more advanced data collection techniques to organise the notes of even your most long-winded colleague into something concise, well-structured and usable. But in the short run, it is better to get everyone to agree what should be input and how.
When starting a data project, compliance officers are also often presented with a choice. Should I spend resources cleaning up existing data so I can analyse a historical data set? Or should I prioritise improving processes so that I generate more usable data going forward? Certainly, there will be multiple factors that a compliance officer should weigh in making this determination. However, compliance officers should remember that a large corporation can generate terabytes of data daily and timeliness of insight is always a factor when evaluating correction or consequence. Therefore, we were seldom disappointed when we pursued a strategy of improving data hygiene to yield insights from tomorrow’s business over one that prioritised cleaning up yesterday’s flawed data. This often led to more usable insights on a shorter timetable than if we wrestled with the peculiar data entries of former colleagues.
Harmonisation and reconciliation
Despite efforts to structure data, even the most disciplined organisation may find there are differences in terminology, a misunderstanding of fields or other manifestations of human error in the analysis of any data set. What is more, data insights tend to be more powerful when coupled across multiple data sets. From our own experience, the performance of a particular set of compliance analytics (in this case, travel and entertainment) was radically improved by combining human resources data inputs with the feed from the system in question. Previously, it had been possible to identify outlier transactions (e.g., which employees spent the most on lunch in each country) but that was of limited use without the capability to readily classify employees into buckets. To do that seamlessly required connecting travel and entertainment data with an organisational schematic. Now, the analytics can say which sales manager in each province is an outlier in terms of a certain type of expense. The combination of data sets significantly improved our models.
However, to yield these insights, it is critically important to reliably combine data sets. Doing so requires a common pivot point between two separate data sets that allows for the combination of the source information. Importantly, failures of data stewardship (like those discussed in the previous subsection) become amplified when merging data sets because it can be difficult to unwind and find the root cause of ‘bad’ or mislabelled data combined into a new set. The key to ensuring that data is appropriately combined is building in a process to reconcile and audit combined data sets against the original sets to ensure the data is transferred and combined in a high-quality manner. This process is critical (and often more complex) when the same types of data are combined from two systems.
For example, global brewer Anheuser-Busch InBev has combined more than 24 enterprise resource planning systems into the foundational levels of its data analytics platform: each system has its own customisations and is owned and operated by different subsidiaries and business units. This results in a level of variation across data – even when it is structured. Many data analytics projects become frustrated by poor reconciliation. The more complex the project, the more careful one needs to be to ensure that each step is reconciled against an accurate baseline model. To do otherwise is like trying to add sugar to a cake that has already been baked.
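The reconciliation step described above, sketched for the travel-and-entertainment and HR merge (an added example, not code from the article's authors; the field names, the naive join and the sample rows are constructed). It shows why a row count alone is not a sufficient control: a duplicated key and a missing key can cancel out.

```python
from collections import Counter
from decimal import Decimal

KEY = "employee_id"  # the common pivot point shared by both data sets


def merge_on_key(expenses, roster):
    """Naive inner join of expense rows to HR rows on the pivot key."""
    index = {}
    for hr in roster:
        index.setdefault(hr[KEY], []).append(hr)
    return [{**e, **hr} for e in expenses for hr in index.get(e[KEY], [])]


def reconcile(expenses, roster, merged):
    """Audit the merged set against the original sets it was built from."""
    roster_keys = Counter(hr[KEY] for hr in roster)
    merged_ids = Counter(m["expense_id"] for m in merged)
    source_total = sum((e["amount"] for e in expenses), Decimal("0"))
    merged_total = sum((m["amount"] for m in merged), Decimal("0"))
    report = {
        "rows_match": len(expenses) == len(merged),
        "source_total": source_total,
        "merged_total": merged_total,
        # Expenses dropped because the employee is missing from the roster.
        "unmatched": sorted(e["expense_id"] for e in expenses
                            if e[KEY] not in roster_keys),
        # Roster keys that appear more than once and multiply expense rows.
        "duplicate_keys": sorted(k for k, n in roster_keys.items() if n > 1),
        "fanned_out": sorted(i for i, n in merged_ids.items() if n > 1),
    }
    report["balanced"] = (report["rows_match"]
                          and source_total == merged_total
                          and not report["unmatched"]
                          and not report["fanned_out"])
    return report


# Constructed sample data: E2 appears twice in the roster (for example after a
# transfer between provinces) and E9 is missing from it.
EXPENSES = [
    {"expense_id": "X1", KEY: "E1", "amount": Decimal("100.00")},
    {"expense_id": "X2", KEY: "E2", "amount": Decimal("250.00")},
    {"expense_id": "X3", KEY: "E3", "amount": Decimal("80.00")},
    {"expense_id": "X4", KEY: "E9", "amount": Decimal("40.00")},
]
ROSTER = [
    {KEY: "E1", "role": "sales manager", "province": "North"},
    {KEY: "E2", "role": "sales manager", "province": "South"},
    {KEY: "E2", "role": "sales manager", "province": "East"},
    {KEY: "E3", "role": "engineer", "province": "North"},
]

if __name__ == "__main__":
    merged = merge_on_key(EXPENSES, ROSTER)
    for field, value in reconcile(EXPENSES, ROSTER, merged).items():
        print(f"{field}: {value}")
```

With this sample the merged set has the same four rows as the source, yet the control total is overstated by the duplicated expense and one expense has silently disappeared.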
Rule-based testing aligned to business risk and key integrity questions
Returning to our hypothetical company, Juan and Miguel elected to compile aggregate data from two accounting systems in high-risk countries for their business. They also have identified a case management solution application that allows them to run compliance workflows in a single database. Further, they have designated partners in their financial controls and IT groups to assist in reconciling and validating their source accounting data. They have also linked the data from their accounting systems to their compliance systems so that they could assess those data sets in tandem. They now have the framework for a database that is ready to apply to key business questions in the form of algorithms, but several questions remain. What are the key business risks that should be addressed? What tests should be applied? Do they have the correct data to execute those tests? How do they align the data to answer the business risk questions? What would an ideal report look like? Who has the skills to assist in developing these tests?
A common starting point in the analytics journey is the rule-based test, with which most people are familiar – perhaps without realising. For example, if you have ever organised your email inbox to pinpoint all messages from your boss (perhaps to confirm that you did not miss an assignment) or run a search for a keyword in your email (perhaps to confirm you sent your spouse a birthday note) then you have run a rule-based test. In compliance, rules often start with a greater degree of complexity, particularly if the underlying data set is filled with accounting data. For example, rather than taking a random sample of all transactions as part of a compliance review, it is arguably more sensible to look for transactions that hit certain rules that are indicative of problematic behaviour – round number payments (Rule 1) made offshore (Rule 2) on an expedited basis (Rule 3). The application of these rules can potentially yield insights into data or otherwise expedite other investigations. When investigating based on suspicions about certain patterns of behaviour in the market (e.g., a supplier reported in the news to be funnelling bribes through an offshore subsidiary), rule-based tests can be particularly useful in identifying aberrant behaviour. In other words, by relying on the compliance officer’s professional judgement as to what is important or risky about a data set, rule-based testing is a useful way to parse and sort data to find high-risk transactions, employees, vendors or customers.
In our hypothetical company, Juan and Miguel adopt this approach and develop a series of rules that, for example, look at structured data such as round dollar payments, where the payment date is within five days of the payment request date (i.e., urgent payment) combined with unstructured data rules containing certain high-risk keywords such as ‘expedite’, ‘facilitation pay’ or ‘special payment’. Miguel develops rules to identify trends within the compliance investigation database that contains the case files for all internal investigations opened by compliance (including all whistle-blowing data). Juan applies a series of rules based on prior investigations that occurred at the company to the accounting data that they have aggregated. They compare notes and insights.
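The rules described in the two paragraphs above, applied to a small ledger (an added example, not code from the article's authors). The record layout, the definition of "round" as a whole multiple of 1,000, the three-rule threshold and the ledger rows are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Assumptions for this example (not from the article): a "round" payment is a
# whole multiple of 1,000, and the record layout below is hypothetical.
ROUND_UNIT = Decimal("1000")
URGENT_DAYS = 5  # paid within five days of the payment request, as in the text
KEYWORDS = ("expedite", "facilitation pay", "special payment")


@dataclass(frozen=True)
class Payment:
    payment_id: str
    amount: Decimal
    requested: date
    paid: date
    offshore: bool
    memo: str  # unstructured free text entered by the requester


def _keyword_pattern(keywords):
    # Match at a word start, tolerate any run of whitespace inside a phrase,
    # and allow suffixes ("expedited", "facilitation payments").
    parts = [r"\s+".join(re.escape(w) for w in k.split()) for k in keywords]
    return re.compile(r"\b(?:" + "|".join(parts) + ")", re.IGNORECASE)


KEYWORD_RE = _keyword_pattern(KEYWORDS)


def is_round(p):
    return p.amount > 0 and p.amount % ROUND_UNIT == 0


def is_urgent(p):
    # A payment dated before its request is a data-quality issue, not "urgent".
    return 0 <= (p.paid - p.requested).days <= URGENT_DAYS


def has_keyword(p):
    return KEYWORD_RE.search(p.memo) is not None


RULES = {
    "round_amount": is_round,               # Rule 1 in the text
    "offshore": lambda p: p.offshore,       # Rule 2
    "urgent": is_urgent,                    # Rule 3
    "keyword": has_keyword,                 # unstructured-data rule
}


def rule_hits(p):
    """Names of every rule the payment trips, in rule order."""
    return [name for name, rule in RULES.items() if rule(p)]


def triage(payments, min_hits=3):
    """Payments tripping at least min_hits rules, most hits first."""
    scored = [(p.payment_id, rule_hits(p)) for p in payments]
    flagged = [(pid, hits) for pid, hits in scored if len(hits) >= min_hits]
    return sorted(flagged, key=lambda item: (-len(item[1]), item[0]))


# Constructed sample ledger.
LEDGER = [
    Payment("P-001", Decimal("50000.00"), date(2021, 3, 1), date(2021, 3, 3),
            True, "Special payment to expedite customs clearance"),
    Payment("P-002", Decimal("26501.00"), date(2021, 3, 1), date(2021, 4, 2),
            False, "Customs advisory services, invoice 118"),
    Payment("P-003", Decimal("12000.00"), date(2021, 5, 10), date(2021, 5, 14),
            False, "Facilitation  payments - port agent"),
    Payment("P-004", Decimal("8000.00"), date(2021, 6, 1), date(2021, 7, 15),
            True, "Quarterly retainer"),
    Payment("P-005", Decimal("7433.18"), date(2021, 6, 20), date(2021, 6, 21),
            False, "EXPEDITED freight charges"),
]

if __name__ == "__main__":
    for pid, hits in triage(LEDGER):
        print(pid, ", ".join(hits))
```

Requiring several rules at once keeps the review queue short: P-004 and P-005 each trip two rules but are not escalated, whereas a single-rule test would flag four of the five payments.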
Investigations case management database
Miguel promptly sees that rule-based testing shows that almost all his whistle-blowing activity is coming from four countries. He also sees that Country X has three times the number of reports around faulty accounting controls and Country Y has three times the number of reported thefts as the next highest country on those issues, respectively. Miguel modifies his training and communications plan to focus on increasing awareness of compliance in countries that under-index for whistle-blowing and collaborates with internal auditing to overhaul the accounting and security controls in response to the data.
The advent of unsupervised learning
Many companies are looking at digital transformation and technology initiatives to reduce costs and seek competitive advantages. The continued buzz around AI, particularly the focus on machine learning, is therefore an important element to understand and apply when seeking to enhance your compliance monitoring functions. Specifically, the advent of unsupervised machine learning in compliance is particularly relevant given the inconspicuous and hidden nature of fraud and corruption schemes. But first, it is important to understand the differences between supervised and unsupervised learning.
In supervised learning, an individual trains a machine using data that is tagged. This means that some records (e.g., transactions) are tagged with the correct answer, such as ‘relevant’, ‘potential bribe’ or ‘potential fake invoice’. The data can be compared to learning with the supervision of a person who can fine-tune and revise the model to find more statistically similar transactions. Unsupervised learning does not need a human to supervise or train the model by feeding it known outcomes. Instead, the machine seeks to teach itself to improve the predictive model and work on its own to discover patterns and information that are statistically relevant. Model outputs include the key variables or transactions driving certain outcomes, such as what are the outlier or unusual transactions, which patterns and trends look suspicious and who are the most anomalous vendors or customers, and why. As a result, unsupervised learning algorithms enable more complex processing tasks, across more disparate data sets, compared to supervised learning.
In a compliance context, we can apply these concepts to our case example with Triverno. Juan and his compliance team collaborated with their analytics and data science team to use supervised machine learning to help reduce fake customer schemes by simply profiling the key attributes of known fake customers obtained from previous investigations. When certain attributes were present, such as cash-only customers, lack of in-store product displays, discrepancies in the actual versus recommended product purchases and high numbers of customer returns – among several other variables – the model predicted fake customers with a 96 per cent confidence rate. The company, when it applied the model across its portfolio of customer transactions, identified many fake customers, plus the small group of employees who were creating them to meet bonus targets and divert marketing funds, ultimately saving the company more than US$10 million.
In an unsupervised machine learning context, Juan and the compliance team took it one step further and enriched the sales data with external sources, such as regional retail product sales, customer profitability data, pricing information, product discounts and promotional spending. The result provided Juan and his team with statistical outliers and risk scores that brought profitability metrics in line with certain risks that included abusive discounts, antitrust, jurisdictional laws, theft of inventory and overall customer risk. The resulting information can be compiled to assess a cluster of customers from both risk and commercial perspectives. In fact, the data unlocks the ability for the compliance officer (or salesperson) to do both at the same time, and we would argue that such insights can be instructive in how to prioritise workflows, spot outliers that are simultaneously risky and unprofitable and therefore streamline conversations with the business and prioritise compliance resources along riskier but profitable centres.
| | Customer risk low | Customer risk high |
|---|---|---|
| Customer profitability high | Ideal customers (invest) | Vulnerable customers (invest and train) |
| Customer profitability low | Free riders (possibly divest) | Lost causes (divest or risk manage) |
While the customer categories can be changed based on each business case, the general idea is that unsupervised learning can be used to assist in objectively risk scoring customers across multiple profitability and risk indicator metrics. Specific compliance and business actions could be customised. For example, high-profit customers that demonstrate high-risk features (e.g., returns, conflicts of interest and fluctuating sales) could be categorised as vulnerable, and certain sales training, customer incentives or risk mitigating factors could be implemented for those customers. Other customers that are both high-risk and low-profit could be considered a lower priority – with marketing dollars held back (or diverted to star or vulnerable customers), for example.
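The quadrant assignment described above, as an added example that is not code from the article or from any company's system. The article does not name an algorithm, so this sketch uses median/MAD modified z-scores as a simple label-free outlier score; the customer records, feature names and the 3.5 cutoff are all assumptions constructed for illustration.

```python
from statistics import median

# Constructed sample data (not from the article). "margin" stands in for
# profitability; the other three columns are hypothetical risk indicators.
CUSTOMERS = {
    "C01": {"margin": 0.30, "return_rate": 0.02, "discount": 0.05, "cash_share": 0.10},
    "C02": {"margin": 0.28, "return_rate": 0.03, "discount": 0.06, "cash_share": 0.12},
    "C03": {"margin": 0.10, "return_rate": 0.02, "discount": 0.05, "cash_share": 0.15},
    "C04": {"margin": 0.08, "return_rate": 0.04, "discount": 0.07, "cash_share": 0.95},
    "C05": {"margin": 0.32, "return_rate": 0.25, "discount": 0.06, "cash_share": 0.11},
    "C06": {"margin": 0.12, "return_rate": 0.03, "discount": 0.04, "cash_share": 0.14},
    "C07": {"margin": 0.29, "return_rate": 0.02, "discount": 0.05, "cash_share": 0.10},
    "C08": {"margin": 0.09, "return_rate": 0.03, "discount": 0.06, "cash_share": 0.13},
}
RISK_FEATURES = ("return_rate", "discount", "cash_share")
CUTOFF = 3.5  # common cutoff for the modified z-score; an assumption here

# Keys are (profitability high?, risk high?), values are the article's quadrants.
QUADRANTS = {
    (True, False): "Ideal customers (invest)",
    (True, True): "Vulnerable customers (invest and train)",
    (False, False): "Free riders (possibly divest)",
    (False, True): "Lost causes (divest or risk manage)",
}

def robust_z(values):
    """Modified z-score: distance from the median in units of the MAD.
    Needs no labelled cases, and one extreme customer cannot stretch the scale."""
    med = median(values)
    mad = median([abs(v - med) for v in values])
    if mad == 0:  # over half the values are identical: no usable scale, skip feature
        return [0.0] * len(values)
    return [0.6745 * (v - med) / mad for v in values]

def risk_scores(customers):
    """Risk score per customer = its most extreme HIGH deviation on any indicator."""
    ids = list(customers)
    per_feature = [robust_z([customers[c][f] for c in ids]) for f in RISK_FEATURES]
    return {c: max(col[i] for col in per_feature) for i, c in enumerate(ids)}

def classify(customers):
    """Place each customer in the profitability/risk quadrant."""
    scores = risk_scores(customers)
    margin_cut = median(row["margin"] for row in customers.values())
    return {cid: QUADRANTS[(row["margin"] >= margin_cut, scores[cid] > CUTOFF)]
            for cid, row in customers.items()}

if __name__ == "__main__":
    scores = risk_scores(CUSTOMERS)
    for cid, quadrant in classify(CUSTOMERS).items():
        print(f"{cid}  risk={scores[cid]:6.2f}  {quadrant}")
```

Taking the maximum across indicators means a single extreme feature is enough to flag a customer; averaging instead would let one anomaly be diluted by otherwise normal behaviour.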
Driving forward the effectiveness of a compliance analytics programme through metrics
As BrewRIGHT continues in its machine learning (supervised and unsupervised) journey to improve adoption and proactive risk monitoring, the BrewRIGHT program team introduced the BrewRIGHT Metrics in late 2020 to evaluate the effectiveness of the tool and approximate operating compliance risk across several areas. These metrics cover the predicted compliance risk, algorithm effectiveness, system adoption and return on investment from the system.
Keeping track of these types of metrics is particularly helpful when trying to create partnerships within the organisation with stakeholders that might be less concerned about pure regulatory risk and doing the right thing.
Responding to the pandemic: accelerating the adoption of technology in ethics and compliance
After the initial disruption caused by covid-19 on the compliance workforce, we have seen a radical shift in the operations of compliance departments around the world. Some of the changes are the stuff of science fiction – at least through the lens of the legal practice. One does not need to roam far back through the halls of time to mark the last moment a Dictaphone was used in many a storied law office. Now artificial intelligence is starting to order our groceries and organise our calendars. It has become something we live with in our day-to-day; it is the basis of what future generations must study to adapt to the jobs of tomorrow, including, without a doubt, data analysis (data analytics), artificial intelligence and machine learning.
A by-product of artificial intelligence is the creation of new products to replace old services. A commoditised legal process that had to be replicated by attorneys over time can now be replicated by a system with minimal oversight or variation. This technological blood has entered the ethics and compliance realm, with these concepts changing from being something ethereal (known but little-practised values), to something tangible, measurable and indispensable. Whether it be a document review in an investigation or the workflow to approve a gift, artificial intelligence is opening doors to a radically different practice.
All this change begs the obvious question: what should we do next? The goal should be not merely to task robots to perform historical compliance practices, but to invent radically more effective approaches to old problems that were never really solved. The overall impact and effectiveness of compliance programmes is something that should be questioned, but not the importance of the problems that they are trying to solve. For example, few of us can say that corruption has not impacted on our lives for the worse. At the time of writing, a subway disaster in Mexico has shown that the stakes of corruption can be measured in more than impact on GDP or abstract development goals. But the economic impact should not be underestimated either. As compliance professionals, we would argue that few businesses are more profitable from participating in corrupt environments. And not because of enforcement and deterrence, but because of the externalised value inherent to a corrupt economy. The goal of compliance should be changing along with the technological opportunities of the moment. It should be less about ensuring our clients are operating with the best of intentions in the murkiest of environments and more about driving the transparency of our operating environments into the murk.
The opportunities of artificial intelligence combined with distributed ledger and federated learning technologies offer an entirely new universe of opportunities to make a positive impact. Artificial intelligence and machine learning typically deploy strategies of hypothesising outcomes based on an available universe of information. However, the information relevant to corruption or fraud tends to be dispersed, drawn from events that occur infrequently and are kept secret by those aware of them. This impedes the ability of organisations to build effective models to detect this type of behaviour. Federated learning strategies, an approach to machine learning that allows for multiple parties to share insights from data while removing underlying identifying information or even without sharing the underlying data set at all, will mitigate this problem by allowing models to be built and trained across organisations. It will allow for relevant data points in unusual events (i.e., a corrupt payment) to be pooled and used to train models – without compromising data privacy or confidentiality concerns of the participating members. Similarly, distributed ledger technology will allow for traceability and auditability of complex transactions while maintaining confidentiality around the parties. These technologies combined present the near-term opportunity for organisations to operate compliance analytics functions collectively – thereby making compliance analytics cheaper, more accessible and more effective with the proverbial ‘wisdom of the group’.
It may take time, but this change in technology should influence the regulatory landscape as well. Is it correct to penalise a company for aberrant behaviour that was identified early by an army of robots? Could a consortium of organisations working together to combat corruption be guilty where an agent or a subagent putatively operating on one of their behalves does not share that mission? Will it become required by regulators to engage in collective analytics?
These are important questions and are critical to ask in this time of amazing technological change. And it may seem surprising, but companies that have not yet built or licensed a fancy compliance platform are at a tremendous advantage. 2021 saw a record increase in private equity and venture capital money in the ‘legal tech’ and ‘compliance tech’ space. This has led to a multitude of solutions that tend to generate marginal improvement at high prices. And while the authors agree that the compliance space is ripe for disruption, we hope that the smart money recognises that duplicating expensive systems across each company is an inefficient and ultimately doomed path. Companies facing similar emerging market risks will be better served operating as part of a collective. Why should companies repeat diligence, proactive monitoring and risk assessments? Operating collectively will invariably lead to cheaper, more accurate and more scalable tools. The cost of investing in any tool that is not scalable in an inexpensive way towards collective-oriented technologies should include the financial and human cost of transitioning towards such tools as they become available. And good news: the future is now. As this is being written, collective models that rely upon distributed ledger and encryption technology are coming to market, which should democratise compliance analytics and accelerate the digitisation of the function.
The pandemic has left a legacy of challenge. We have had some comfort in the degree of transparency reaped by our technology, which has helped us manage the risks of operating in this environment a little better. But at the end of the day, the technology only matters as much as the people who use it and are influenced by it. What good does a smart fridge do to you if you do not drink the milk it orders? Like many compliance teams, we have had to navigate the risk from the comfort and isolation of our homes. It has been a challenge to manage our ecosystems in the midst of demanding corporate pressure and ongoing investigations. And we are sure we are not the only ones who have thought several times, ‘this would have been easier if I could have just gone there in person’.
Below are a few ways in which AB InBev has utilised its compliance technologies during the pandemic:
- Monitoring risk without travel: the normal risks did not go away just because there is a global pandemic. The ways in which we interact with people and deal with challenges have changed. The lack of global travel is going to change how the compliance function manages ongoing risks. With the creation of BrewRIGHT four years ago, the ethics and compliance teams at AB InBev use algorithms and machine learning to isolate and prioritise risks for its local compliance officers. These risks are assessed through a workflow process that feeds back and educates the models. In other words, AB InBev compliance systems learn from historical monitoring and investigations to understand how risky anomalies in company compliance systems present.
- Corporate donations and risk management processes: while payments for donations had to be made just in time to have maximum effect, AB InBev’s data analytics-based controls and measures were in place to monitor the donations. These donations were booked through a specific general ledger (i.e., the record-keeping system used to maintain financial accounts), and the machine learning model and the lookback review triggered and isolated the payments within the tool.
- Tracking covid-related cases on an investigation platform: the ABI compliance team created a new case category devoted to covid-19 on our investigation platform. Cases through our hotlines and web-intake services relating to covid-19 cases were prioritised for expedited remediation.
We experienced these and greater challenges in Latin America. As important members of communities across the region, the ethics and compliance team worked with the business to ensure timely and managed deliveries of donations to communities and denounced violations of covid-19 safety protocols. We pivoted quickly to enable effective government partnerships to ensure our resources were deployed where they could have the most impact. In any time of change there is risk of graft and corruption, but by repurposing phone-based compliance applications we were able to pivot quickly and ensure community engagement in a transparent and compliant manner.
Adapting and acting proactively in the face of the pandemic has led us to new uses of technological tools, such as the implementation of artificial intelligence in daily business operations. This has helped professionals in the fields of research, law, practice forensics, auditing and finance to identify patterns of conduct that can prevent inappropriate behaviour, possible fraud and eventual corruption. We have seen tremendous ingenuity and creativity across the compliance bar over the past year and we hope to thrive together in the year to come.
Compliance vision of the future
The compliance vision of the future is one in which compliance professionals have ultimate visibility into the core business activities of the organisation with preventive and detection controls designed to keep the business and employees out of trouble, while also improving business performance. Data science and the operationalisation of key business risk metrics through analytics technologies that are now available are changing how compliance departments are run. No longer is compliance just a legal, policy and internal investigations function of the business. Rather, it involves an integrated team of legal, information technology, data science and accounting professionals working together to drive business integrity, transparency and profitable growth using leading analytics techniques that drive, or at least influence, better, more responsible employee decision-making and integrity.
Some industries and groups have developed data-sharing consortiums in which companies contribute certain data to an aggregated database that all member organisations can access. We feel this is a key trend among global companies that will significantly expand in the next decade, particularly as the use of blockchain technologies, data cleansing, and data privacy and anonymisation becomes more mainstream. Data-sharing consortiums can help member organisations benefit from the collective data of the group to identify recurrent trends and high-risk third parties and protect themselves from known schemes in their group or industry. In a 2019 Anti-Fraud Technology Benchmarking Report sponsored by the Association of Certified Fraud Examiners and SAS, it is stated that 29 per cent of companies surveyed currently contribute to an anti-fraud or compliance consortium and another 21 per cent currently do not contribute but would be willing to contribute in the future. Clearly, in this digital age, there is a demand for compliance professionals to embrace technology and develop insights that are shared both within their organisations and perhaps among industry peers as well.
Matt Galvin was formerly the chief compliance officer of AB InBev, and currently works as an independent consultant and Research Fellow at Harvard Business School, focusing on compliance technology; Jaime Muñoz is the global director of ethics and compliance for AB InBev responsible for Latin America; and Dheeraj Thimmaiah is the global head of compliance analytics for AB InBev.