The 2020 Update to the US Department of Justice’s Evaluation of Corporate Compliance Programs outlines best practices for risk and compliance professionals on a wide variety of topics, including program design, measures, and empowerment. One common thread throughout, however, is the need for compliance programs to modernize their data collection and analysis in order to implement a proper risk-based approach informed by performance-based measures. Of course, the level of sophistication outlined by the guidance almost certainly requires even relatively small organizations to adopt technology solutions capable of process automation, continuous monitoring, and data dashboarding.
This isn’t the first time compliance programs have been told they need to automate. In 2019, the Treasury Department’s Office of Foreign Assets Control released its own Framework for Compliance Commitments, which explicitly required sanctions compliance programs to adopt information technology software and systems capable of meeting the agency’s elevated expectations.
But how equipped are compliance programs to meet these quickly evolving information technology needs?
High-performing compliance programs are 2.4 times as likely to rely on R&C technology solutions
NAVEX Global surveyed over 1,400 compliance professionals to find out. The results, contained in our 2020 Risk and Compliance Definitive Benchmark Report, help shed new light on what organizations of all sizes, maturities, and industries are doing to help their programs meet the needs of the quickly evolving compliance landscape. The answers may surprise you – and help you prevent your company from suffering a costly compliance failure.
DOJ Offers New Guidance on Data Collection and Analysis
Before reviewing the recent survey data, it helps to review what the DOJ has actually said about its expectations. It’s important to remember that this is prosecutorial guidance, not regulation – meaning that you are not necessarily required to take the steps outlined. However, if you do experience a compliance failure, the ability to demonstrate these program capabilities can lessen the number and severity of the fines you will face. Bottom line: these features can help prevent a failure from ever occurring.
The first thing the DOJ guidance stresses is the ability to collect and synthesize data from departments throughout your organization. The 2020 updates to the DOJ guidance focused most extensively on the issues of data access and program empowerment – in large part because these issues are closely intertwined. As former Deputy Assistant Attorney General Matthew Miner stated in his NAVEXNext keynote presentation, the 2020 update “really fleshes out that notion of adequacy and empowerment…And of course, you're not empowered to function effectively if you're not allowed access to data.”
This means the ability of your compliance program to gather and analyze large amounts of information from across your business is not only good in and of itself; it’s also a demonstration of how serious your organization is about compliance. The DOJ advises asking the following questions:
- Does our program have continuous access to operational data and information across functions?
- Does that access allow for the timely and effective monitoring and testing of policies, controls, and transactions?
- What have we done to address any impediments limiting access to data?
- How are we using that data to inform our program design?
Policy and Procedure Management
While there are many new elements to the guidance’s section on policy and procedure management, two technology-dependent pieces in particular stand out: the ability of employees to search for particular policies, and the ability of your program to track policy access. Specifically, you should ask:
- Are our policies and procedures published in a searchable format for easy reference?
- Do we track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?
The ability to answer these questions in the affirmative is critical for a compliance program looking to adequately assess its policy and procedure management, as well as the effectiveness of awareness efforts.
Confidential Reporting and Investigation
Arguably no other aspect of an organization’s compliance program is as reliant on data collection, tracking, and analysis as its hotline and investigation management. This is not just important for ensuring that individual claims are adequately addressed; it is also critical in identifying underlying issues and troubling trends. Again, the ability to quickly collect and analyze data is an essential component in this process. As former Deputy Attorney General Mark Filip recently remarked:
“The ability to chase relative risk on a real-time basis is very dynamic and powerful...The notion that you can have real-time evaluation of what's going on and patch holes before you get real cracks in the foundation - that's a very exciting development in compliance over the last 20-30 years.”
Compliance officers reviewing their hotline and incident management technological capabilities should ask:
- How do we collect, track, analyze, and use information from our reporting mechanism?
- Do we periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses?
- Do we periodically test the effectiveness of our hotline by tracking a report from start to finish?
Technology is a Key Driver of Performance
Last year, NAVEX Global surveyed over 1,400 respondents about the design, measures, and effectiveness of their respective programs. The analysis of this data, published in the NAVEX Global 2020 Risk and Compliance Definitive Benchmark Report, found seven key drivers of risk and compliance program performance, such as board engagement, program auditing, and leadership support. One of the most impactful drivers identified was technology adoption. Specifically, programs whose performance was rated by respondents as “good” to “excellent” were 2.4 times as likely to use R&C technology solutions as programs whose performance was rated “average” to “poor.” The report went on to make several other findings, including:
3 out of 4 Risk and Compliance Programs Use R&C Technology Solutions
Technology automation is positively associated with company size; only 66% of small organizations report using R&C solutions, while 88% of large organizations say likewise. Across industries, programs in finance and healthcare are most likely to use R&C technology solutions, while those of educational organizations are 13 percentage points less likely than programs overall to automate.
Technology Adoption is Linked to R&C Program Maturity
Program maturity – a measure of compliance program sophistication – is also positively associated with the use of technology. Virtually all (97%) of advanced R&C programs use technology solutions, while fewer than half (48%) of reactive programs made the same claim. Technology factors prominently in future planning; 40% of advanced programs and 36% of mature programs report that they plan to prioritize adoption of automated solutions for their program needs, as opposed to one-quarter of reactive (22%) and basic (25%) programs.
Most R&C Programs Spend Under 25% of Their R&C Budget on Technology Solutions
Nearly half (45%) of respondents from advanced programs spend more than a quarter of their budget on technology solutions, while over a third (36%) of reactive programs spend nothing at all.
However, there is a constant across all maturities; a majority of organizations reported spending 1%-25% of their budget on technology solutions at every maturity level. Interestingly, the percentage of spend does not vary with company size.
R&C Programs Use Technology to Boost Consistency, Streamline Workflows and Reduce Costs
Percentages differ, but all programs report that technology increases consistency, streamlines workflows, and reduces costs.
Nearly two-thirds (64%) of respondents overall cited “To enable consistent policy, training, regulatory alignment and accountability” as the top reason for technology adoption.
Advanced R&C Programs Use Technology to Integrate Program Components
More mature programs were relatively more interested in using R&C solutions to integrate their program components. Nearly two-thirds (63%) were interested in integration, making it a higher priority than formalizing and/or institutionalizing processes (51%) and reporting to management, executives, or boards (62%).
Automated Programs Perform Better
R&C programs that use one or more technology solutions to manage operations have a sizable performance advantage over non-users. The difference is big: respondents whose programs use technology perform better than their non-automated peers across all program activities surveyed. Programs that utilize technology are also significantly more likely to be viewed by senior management as strategic investments with ROI (40% vs. 29%). This is likely due to directors and senior leaders recognizing the value of their R&C programs and their willingness to invest in technology.
Bringing it All Together
As this data shows, there are clear reasons why regulators are pushing programs to adopt technology solutions. They can handle a large amount of data and quickly align it with risks. For example, policy management software can launch a policy, or an LMS can launch training, to all employees at once for completion and mandatory certification. It could then compile data on completion rates and delinquent individuals in near-real-time, spotting risks before they occur. Technology simplifies third-party due diligence and allows ongoing management in less time than manual methods. Since regulations are a top R&C priority, automation keeps the workforce updated on these rules. Technology also can bring the latest regulations and updates into effect with a keystroke.
When auditing your risk and compliance program, make sure that you are equipped with the technology necessary to collect and analyze data across functions; to make your policies searchable and their access trackable; and to collect reporting data and identify underlying trends. Leverage these solutions not only to streamline your workflows but also to integrate your compliance program components. In the long run, the data shows technology solutions can help you lower costs, reduce the chance of compliance failure, and lessen the impacts of failures when they occur.
Learn more about what the DOJ Guidance says about strong compliance program design. You can also read the 2020 Risk and Compliance Definitive Benchmark Report to learn what other steps your risk and compliance program can take to match your peers and improve performance.