When the U.S. Department of Justice revised its Evaluation of Corporate Compliance Programs at the beginning of June, one theme was abundantly clear: the importance of data to a successful program.
That shouldn’t surprise compliance officers. Justice Department officials have talked up the importance of data analytics in numerous speeches and statements over the past year. Other regulators have used data analytics to drive regulatory enforcement actions for some time.
Now the Justice Department is clearly stating that compliance officers need to use data — and lots of it — to make their compliance programs a success. That sounds sensible enough in theory. So how does a compliance officer put those ideas into practice?
First, consider what the guidance actually says.
The latest guidance addresses the importance of data in two ways. The more important one actually appears later in the text: a specific, dedicated section declaring that compliance personnel should have access to the data they need:
Data Resources and Access – Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?
It’s worth noting that this passage about data appears in a larger section about the compliance officer’s autonomy and empowerment, so he or she can run a compliance program that advances the interests of the company. Part and parcel of that duty is the ability to look at whatever compliance and ethics issues might be threatening your company — and in modern business, you need access to data to do that.
Then comes the next question: What should a compliance officer do with all that data?
The latest update answers that, too. An effective compliance program uses data to perform a more thoughtful risk assessment and update the program as necessary. Again, consider the text:
Updates and Revisions – Is the risk assessment current and subject to periodic review? Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls?
What’s interesting is that the Justice Department guidance never actually says, “Thou shalt use data analytics” — but when you consider these two points together, there’s no way to put them into practice without performing data analytics. Using data to assess and improve performance is what data analytics is.
So what must exist to get the data?
Two things, really. The collective will to give compliance officers access to data, and the technical competency to do it.
One critical ally in this quest will be your company’s chief information officer or head of IT. For example, your company might store all its transaction records in one enterprise software system such as Oracle or SAP. Or it may have data stored with a hodge-podge of cloud-based vendors, each supporting a specific part of the enterprise. Maybe your IT system is some hybrid of both approaches.
Either way, finding and extracting useful data is rarely an easy task. You’ll need competency and technology that’s typically beyond the compliance department’s abilities to get this done.
Compliance officers can also do themselves a favor here by knowing what data they want. For example, when the Justice Department talks about access to data for “timely and effective monitoring or testing of policies, controls, and transactions,” you should have a clear sense of what tests you want to conduct, or what key risk metrics you want to monitor. This might be one project where you could enlist the help of internal audit, if your company has that team too; building tests to assess risk is what they do.
OK, data accessed; now what?
The whole point of access to corporate data is to improve the compliance program. So, once the CIO gives you the technical help you need, or business unit leaders share what they have, you still must put it to fruitful use.
Compliance officers should always keep at least one eye on their risk assessments. What data do you need to perform an accurate risk assessment? What tests would you do, or analytics would you perform, so the data can give you the best sense of what the company’s risks are right now?
Another crucial need will be strong monitoring capability.
As the Justice Department guidance mentions, regulators will want to know whether your program is “limited to a ‘snapshot’ in time or based upon continuous access to operational data.” The stronger your monitoring capabilities, fueled by a steady stream of relevant data, the better able your program will be to achieve the latter rather than being stuck in the former.
How you configure such key risk indicators and dashboards, enabled by data analytics and versatile reporting, is a subject for another post. The bigger strategic point is that a data-driven compliance program helps the company to be more responsive to changing risks.
That’s what the Justice Department wants to see in a corporate compliance program. It’s also what makes a strong compliance program more valuable to the whole enterprise, because agility in responding to changing risks is what boards and the C-suite want, too.