Why using data to drive your compliance program is more important than ever: Key takeaways from the latest DOJ guidance

All roads lead to data 

The repercussions from the DOJ’s (Department of Justice Criminal Division's) new guidance on evaluation of corporate compliance programs are sure to have a lasting impact. My colleague Adrian Mebane has weighed in on the important ways this guidance sharpens our understanding of the practical, real-world expectations of the DOJ with respect to compliance programs, and what Chief Compliance Officers need to know in order to adapt to it.

My focus is on the Department’s growing emphasis on data — and, in particular, how (and how well) companies are using it to improve and track the effectiveness of their compliance programs. This makes perfect sense when you consider the critical role data plays across every organization — and even more so given the enormous structural disruptions brought on by the pandemic, with work-from-home (WFH) as the new norm, face-to-face meetings largely proscribed, and internal controls and other monitoring programs disrupted.

Nonetheless, both the guidance and the pandemic offer companies opportunities to make a virtue of a necessity — and leverage digital technologies and their data for more efficient, more collaborative performance across the board. 

The key data clauses: What you need to know 

To the existing “fundamental question” of whether a compliance program is “being applied earnestly and in good faith,” the new guidance further instructs staff to evaluate whether it is “adequately resourced and empowered to function effectively.” That additional clause points to a doubling down on the focus we began to see in the 2019 DOJ guidance on leveraging data and analytics. 

Today, it is clearer than ever that the traditional way of asking questions and relying on answers has been supplanted by the need to see actual data and data-driven diagnostics. With that in mind, here are four key data practices which the new guidance suggests companies should adopt:  

1. Gather operational data continuously to update your risk assessments. The guidance stresses the importance of “tracking and incorporating . . . lessons learned” — not just from your own prior issues but even from those of your competitors and counterparts in other industries with similar operating models.
2. Use data to monitor your compliance program persistently, not just as a “snapshot” in time. Compliance and control personnel should have “sufficient direct and indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions.” They must also ensure reporting mechanisms function as intended, "for example by tracking a [hotline] report from start to finish.” 
3. Use data to manage and monitor third parties throughout their lifespan for contact with government entities and officials — not only at onboarding — using a risk-based approach. As with your broader compliance program, this is not a one-and-done process: it’s essential to periodically refresh your third-party due diligence leveraging external information, while continuing to monitor how you are doing business with them internally.
4. Ensure your policies and procedures are published in searchable format and in local language — and track how accessible those governing documents are to employees, including frequency of access.

Increase your risk agility — and make better compliance decisions, faster  

PwC’s Global Economic Crime and Fraud Survey uncovered an alarming fact: Too many companies are not getting the right value out of their data or their fraud-fighting technology. We found that only one in five companies have formal fraud training and communications that are tracked and refreshed regularly. And, for many companies, choosing, implementing — and sometimes even understanding — the technology they do have is challenging. As the regulatory stakes continue to rise, this apprehension around technology potentially exposes them to significant risk.

That’s why proper use of your data and technology is so essential, even more so in this pandemic — when employees are scattered about in remote workplaces, resources are constrained, and companies right and left are missing revenue forecasts. 

The good news is, when it comes to compliance, you actually can do more with less. Start by analyzing your organization’s priorities from a risk-tolerance, industry and regulatory perspective. Then focus on making all aspects of your compliance program — from training, testing and monitoring to identifying, detecting and reporting — fit for purpose in the most effective, resource-efficient manner possible. 

That means not just knowing what to look for, but also knowing how to look. Instead of trying to boil the ocean of every transaction, focus on monitoring the program itself using a risk-based approach. Advanced analytics — which can help link unstructured or disparate information and consolidate decentralized processes — can dramatically improve your detection efforts by minimizing false positives, optimizing machine learning, and enabling advanced data visualization. 

Finally, consider how to leverage your data and technology with functional use cases across all layers responsible for your compliance program. Historically, this process has happened sequentially, on unconnected platforms: First-line analysts monitor the risks using compliance technology, then export their work up to program managers on a spreadsheet or dashboard. Managers provide a second-level review, while assessing the effectiveness of the program itself. They may then in turn issue a separate report (typically in a presentation) to senior executives outlining both outstanding risks and suggestions for how to optimize the compliance program in terms of reach and manpower. 

Today, this process can happen seamlessly, in real time, on a single platform: enabling your teams to make better decisions, faster — and, critically, with less room for error. 

From virtue to necessity: How COVID-19 is changing the rulebook on digital compliance 

The pandemic has already profoundly (and in some ways, permanently) affected how we work. According to our survey of CFOs during this pandemic, more than half (54%) of CFOs plan to make remote work a permanent option for roles that allow it, and 44% plan to accelerate automation and new ways of working. Responding to this fast-evolving situation may not leave enough time to ponder exactly how the “post-transition” reality will affect your compliance program. The good news is that even with employees scattered to remote locations, and face-to-face interactions off the table, those charged with assessing compliance programs or business behavior — be it from a regulatory, compliance, audit or third-party due diligence perspective — can now do so by relying predominantly on data. 

If there is an upside to this sudden “virtualization" of the workplace, it’s that it both enables and requires us to pivot to a new mindset — and there are many benefits to this. For instance, while analysts have traditionally learned through close proximity to senior team members, these practices have also created a bias to tradition, while reinforcing localized learning silos. Today, compliance staff at all levels (and across geographical locations and departments) can look at the data simultaneously together, discuss issues and ask questions in real time. Not only does this establish a new baseline of trust, training and operational efficiency across the whole team, it also enables a more global understanding of compliance. 

Instead of spending money on flights, meetings and walk-throughs, companies can invest in peripherals like dashboards, interfaces and the like — tools which enable real-time collaboration and transparency, while also aligning with key tenets of the new DOJ guidance. If your organization has already started down the path of digitizing your compliance and risk efforts, you can gain further momentum from that “virtual workplace.” 

Start where you are — but start now

Refreshing your compliance program so it is up to date with today’s risks and realities doesn’t have to be a wholesale undertaking, or an expensive one. Here are five takeaways:

1.Don’t give up on technology: It holds the key to being “adequately resourced and empowered” — cost-effectively

Many companies have been uneasy about implementing technology as part of their compliance program. Get past it. COVID-19 and WFH have changed the game… and the DOJ has upped the expectations. That presents a huge opportunity to rethink your approach and let your program work smarter for you. 

2. Find the fault — and reverse-engineer it

Here’s an extremely effective method of stopping risks before they can spread: Examine your population of bad transactions (or whistleblower reports), go back and understand its attributes, then teach your machine to go look for more transactions or interactions with similar attributes: this is the true power of supervised learning. 

3. Go beyond a snapshot in time  

The new DOJ guidance recognizes that corrupt or fraudulent acts emerge from systemic issues — not one-time-only events. They want to see that your compliance program lives and breathes along with the risk. So continually update it based upon persistent access to operational data and information across functions. 

4. Look beyond due diligence

Manage your third party risk and post-acquisition operations in a similar way — on an ongoing basis, not just one time. Use monitoring tools to identify potential high-risk third party relationships and manage issues… before they become issues that can harm your business.

5. Lessons learned: Monitor your monitoring

The new guidance specifically directs prosecutors to consider whether the company has a process to track and incorporate “lessons learned” from their past issues or from industry benchmarking into periodic risk assessments. One of the best ways to gauge the effectiveness of your compliance program is to monitor its monitoring component. Keep it up to date — and keep improving it, using continuous feedback such as supervised learning.

---

How is your company looking to digitize your risk and compliance program, in light of the DOJ’s new guidance? I’d love to hear from you in the comments.

I lead a team focused on how we can use tech-enabled analytics to help our clients solve their most important problems relating to risks, threats, and compliance.  Check out our latest - PwC’s new suite of Risk Command products.