IMPACT OF AUTOMATION ON COMPLIANCE PROGRAMMES AND SYSTEMS
RISK & COMPLIANCE MAGAZINE
JAN-MAR 2018 ISSUE
R&C: In broad terms, what beneﬁts can automation bring to a company’s compliance programmes and systems?
Nash: Simply put, automation increases efﬁciencies and effectiveness. Efﬁciency is the most recognised beneﬁt of automation as once- manual processes are now being streamlined without the time and strain on compliance ofﬁcers. However, the beneﬁt I ﬁnd most impactful is increased effectiveness. Automated technologies allow a ﬁnite team of compliance professionals to not only process but also better understand larger amounts of data and to reveal behavioural patterns that can better focus their efforts. For instance, sexual harassment in the workplace is reaching an inﬂection point in the media. This tells us something is obviously going on – increased incidents of harassment, better understanding of what harassment is and growing conﬁdence to report by victims. Whatever it is, there are patterns here. With automation, compliance programmes are able to identify these same trends in a much more granular and regional way within organisations. That is because technology is much better at comparative analysis than people. So when people integrate technology properly into their compliance programmes, these programmes are then equipped to be proactive in their responses to large patterns, instead of reactive to individual issues.
Kolster: An effective compliance programme should be designed to protect the company’s shareholders by creating key systems and controls to make sure that the company complies with all laws and regulations wherever it operates. This should also be done in a way that helps the company achieve its business goals. Automation can help track and monitor compliance with all legal requirements and contractual obligations, facilitate training and communication of key messages at different levels, document relevant procedures, promote internal reporting of wrongdoing and enhance internal investigative processes. Weak areas of compliance may be identiﬁed through automatic data analytics, which trigger immediate corrective actions before identiﬁed issues become major problems.
Copland-Cale: Automation can reduce the time required for repetitive tasks, such as collecting the necessary data for third-party due diligence. At the same time, the quality of collected data can be increased and maintained through optimisation and standardisation. Furthermore, it can greatly reduce otherwise manual documentation required for an audit trail. These factors reduce human effort and potentially increase the quality of those tasks that can be automated, leaving more time for people to spend on compliance tasks that cannot be automated easily, like the judgement of complex business situations. This streamlining of processes allows compliance professionals to focus on important issues and decision making. Ultimately, digitalisation is faster and provides higher quality results. It has a drastic impact on data collection and documentation tasks.
Klinger: The emergence of Big Data, predictive technologies and digital automation together have the potential to signiﬁcantly increase efﬁciency and enable compliance teams to manage risk more proactively. If leveraged correctly, these tools can reduce, if not eliminate, many manual processes and procedures, and enable compliance ofﬁcers to further focus on strategically adding value to the business units that they support.
Broecker: Automation is beneﬁcial for many compliance systems. A properly implemented system can streamline and standardise responses to many questions that reoccur. It can also provide real-time responses to many issues. Automation can also free up valuable time for the human compliance professional to focus on more important or strategic compliance issues.
R&C: In your experience, what is the general attitude toward automation and compliance at the upper echelons of an organisation? Is there often a need to change corporate culture to accept less reliance on the human element in achieving compliance?
Kolster: The way upper management sees compliance is inﬂuenced by many factors, but it depends greatly on the company’s culture and how its employees are expected to act. If the board of directors, the CEO and the management teams lead by example by acting ethically and being vocal, not only about the business goals, but also about how to achieve them, the job of the compliance function is much easier. This will also have an impact on the compliance function’s ability to innovate through automation. Another relevant element is how compliance processes and systems are integrated to the company’s operation. When the compliance function is able to use automation to embed key controls into existing operational procedures, instead of building them in isolation, it is much easier for everybody to identify how these controls actually add value.
Copland-Cale: In today’s environment, with constant cost pressures, all levels of management will be invested in automation, as long as quality and risk assurance is not compromised. I think this is a general mindset within organisations, one that is not speciﬁc to compliance. However, for complex decisions that require business experience as well as human judgment, for example in third-party due diligence, these decisions still need to be attributable to a person. As such, a person has to decide whether he or she is willing to accept a certain risk or not. Automation of these decisions could lead to unclear responsibility, which is difﬁcult when dealing with speciﬁc legal requirements. Nevertheless, non- complex processes and decisions will be able to be fully automated with or without supplement spot checks.
Broecker: I believe that most senior executives and managers have been trained over the years that compliance is a vital component of the business and it needs to be addressed with a personal, hands on approach. I think that if they understood and could see the true beneﬁts of greater automation, as they have experienced in the production environment, then there would be a change in attitude. The compliance department needs to embrace automation, not as a device to replace what they are doing, but as a tool to help them leverage their skills and backgrounds.
Nash: There is a hunger, not merely for automation per se, but for the insights and outcomes it can bring across many industries and roles – and the domain of ethics and compliance is no different. We like to see companies beneﬁt from the competitive advantage of compliance. Automation supercharges that advantage. This is desirable at every level of the organisation, with managers and practitioners being able to do more with their time, and leaders seeing increased productivity, improved reporting and audit-ready documentation. Effective compliance automation actually enhances the human element by allowing compliance professionals to make better use of their time. It allows programmes to automate manual processes when helpful, as well as take a step back and apply human judgement when that judgement is needed. Ethics and compliance leaders are in the ‘people business’, and have a unique ability to drive strong company cultures. To this end, technology makes room for compliance programmes to do what they do best – apply a human element.
R&C: What are some of the typical challenges and issues associated with automation? Can you outline any practical strategies that ﬁrms can utilise to help ensure they deliver transformational change to address their compliance obligations?
Copland-Cale: One of the typical challenges that probably all organisations face when automating processes is getting people to adopt the changes and see the numerous advantages that are associated with the development. In order to adapt, people have to truly understand the impact that the changes will have on their day-to-day business. For this matter, it is crucial to treat all advancements in the domain of automation and digitalisation as innovations and not just pure tool training that just explain how to use a new system. The conceptualisation and the treatment as innovations presents companies with a number of tools in order to promote innovation adoption. Another challenge when dealing with automation is meeting the often complex legal requirements, for example with regard to data privacy. This can only be handled with an agile and ﬂexible mode of operations that is able to adapt quickly to changes regarding all applicable legislation.
Nash: In my experience, challenges with applying automation are often not associated with the technologies themselves, but with the implementation, including setting clear and reasonable goals, and managing expectations. When compliance programmes deploy technology, they are sometimes distracted by the new functionality at their ﬁngertips. And sometimes, they expect to ‘boil the ocean’ and accomplish everything at once – or worse, increase scope of the project before the initial phase is working well. Complexity reigns and can diminish ROI because programme managers get overwhelmed, or the employee base did not get enough time to become familiar with the new tools or practices. Adopting new technology requires time for behavioural and culture change, and that needs to be accounted for in any rollout. ‘Transformational change’ is a great way to phrase what automation can deliver to ethics and compliance programmes. The key is to focus on one or two transformational changes at a time. Targeting efforts on areas with low risk and high ROI can give programmes a quick win. This creates a chance to celebrate success early on and build conﬁdence among stakeholders. It also builds the necessary momentum needed for the employee base to readily adopt other automated systems as they are implemented throughout the rest of the compliance ecosystem.
Klinger: One of the biggest challenges is the sheer volume of data available. It is easy to think that every piece of available information is valuable and therefore be tempted to cast a wide net when it comes to data collection and analysis. A key challenge is in understanding precisely which data sources, if properly leveraged, will bring real insights to the business. The incompatibility of existing data sets can also be a challenge to digital automation, so it is important to have the right IT infrastructure and support systems in place. Organisations need to ensure they have people who are technologically agile and can effectively partner with the IT department to drive innovative solutions. Having the right people in the right positions at the right time is key to ensuring that current and future business needs are met.
Broecker: Many of the issues and challenges associated with automation in the compliance function do not stem from automation as such, but are more to do with changing behaviours. I believe that the biggest challenge is trying to develop a system that is relevant for the majority of workers. If the workforce is younger, then the use of automation tends not to be as ‘scary’ as it would for an older workforce. Another signiﬁcant attitudinal challenge tends to be getting people used to the idea that their question may not be unique, so it is not necessary to talk to a human.
Kolster: The most typical challenge associated with automation is change management. It includes the whole process of moving from one way of working – generally manual and with many Excel spreadsheets – into another that includes learning a new system and developing a clear transition schedule. Part of the change management process is also how the new system is adopted and how clear the instructions are for the users. If the company operates in multiple international jurisdictions, this challenge is much more obvious and must be considered carefully for a successful implementation of the new way of working. The key to overcoming these challenges is to design a detailed communication and change management plan to explain why the change is important and to highlight the beneﬁts the organisation derives from the automation.
R&C: Could you provide an insight into how automation is impacting thecompliance functions of companies across the globe, given the mass of regulations currently in place? What lessons can we draw from the way digital strategies have been rolled out to meet these regulatory requirements?
Broecker: In many respects, automation can be a blessing and a curse. It can be a blessing because it allows the compliance function to provide real-time feedback to many routine issues. It can be a curse, because it is possible to have targeted answers to questions that may be different, depending on the locale. In this regard, I believe that most successful multinational companies generally rely on a uniform code of conduct and then base their automated system off the code.
Klinger: One example of digital automation is a compliance dashboard that provides business and compliance information in a centralised, online location, enabling users to monitor ongoing activities and manage risks. Dashboards make information easier to access, interpret and use, facilitating cross-divisional comparisons to improve transparency and enabling easy identiﬁcation of trends and anomalies. Data generated by a dashboard can help with meeting the legitimate expectations of both regulators and society at large. In addition, digital technology can also be used to enhance transparency. Bringing greater transparency to relationships with collaborators, regulators and business partners is important. It builds understanding and addresses questions the public has about industry practices, and helps companies demonstrate their commitment to ethical business practices.
Kolster: While automation can be used to track legal requirements and stay updated on new regulations, the most successful compliance functions are also using automation to support each of the elements of an effective compliance programme. Systems and technology are used to communicate key messages about compliance from the top leaders in the organisation and to train employees on the processes that impact their job. Automation is used to monitor how effectively the compliance processes are being implemented by operations, and the results of these monitoring efforts help feed a risk assessment process that identiﬁes areas where new standards and controls may need to be implemented or existing ones must be improved.
Nash: Undoubtedly, some organisations operate in highly regulated environments, such as healthcare, and manage hundreds and even thousands of policies and procedures. These policies are often tightly tied to underlying regulations, and can require review, realignment, updates, approval, distribution and attestation, each time these underlying regulations change. Software can provide compliance managers with a central repository for policy and procedure documentation, with the ability to respond to timely policy changes with cascading document edits and approvals. As we know, corporate policies are often based on underlying regulations. These regulations deﬁne how we do things like handle sensitive personal information or employ safety protocols around the ofﬁce. Many of these regulations can be woven into 10, 20 or 50 different policies at a time and are consistently referenced by employees. So when regulations change, and they always do, there will be a number of policies that will need to be updated in response. The regulatory compliance workﬂows built into compliance automation systems allows managers to track regulatory change, identify which policies are impacted and learn where in those policies they should be reviewing.
Copland-Cale: The impact on companies from different sectors will vary, depending on their regulatory requirements. Regardless, automation is probably the only possibility for companies to be compliant without increasing headcount. Furthermore, companies should implement digitalisation as quickly as possible. It can be a hard sell to delay decision making due to manual compliance processes.
R&C: How important to a successful automation project is the relationship between the IT and compliance departments? What steps can they take to ensure the process runs smoothly?
Klinger: A collaborative relationship between compliance and IT is absolutely critical to this process. Compliance needs to understand what is possible, and what is not, and IT needs to understand which potential solutions will generate the most impactful results. Collaboration needs to be deeply embedded and be championed within organisational culture. For example, it may be prudent for companies to strengthen collaboration across risk and control functions, such as integrity and compliance, ﬁnance, internal audit, legal, quality assurance, and enterprise risk management. Another key area is innovation. As with any change initiative, a smooth transition depends on organisations being open to new ways of working and having the tenacity to see them properly implemented.
Kolster: Whether the automation project involves one small process within one of the many functions of the compliance department, or whether it touches every single matter that the department handles, the relationship between the IT function and the owners of the project can determine whether it is a success or a failure. The most successful automation projects are those where, in addition to having the full support of the company’s leadership team, the IT and compliance functions work together and share accountability for the full implementation of the automation project at all levels. In some cases, especially for the implementation of systems on a large scale, a good practice is to organise dedicated multi-disciplinary teams in charge of managing the change management process.
Nash: IT is a vital partner to the success of any technology implementation. While automation enhances the competitive advantage of compliance, IT is similarly charged with delivering competitive advantage from technology. When compliance programmes bring their IT departments on board early for their technology programme implementations, they are more likely to enjoy the full potential of the software or tech. Internal IT departments must have a seat at the table, not just for deployment and maintenance, but also to make sure a company can marshal the necessary resources and budget to actually acquire their programme-changing technology. Engaging IT earlier in your process for researching, purchasing and deploying new technology is a best practice. This can bring a big picture view of the organisation’s tech stack and will be instrumental in determining how new compliance technology can be integrated across the organisation’s other systems, for example supply chain and human resources systems, when necessary. My advice is to bring in IT early and often throughout the process.
Copland-Cale: As with IT projects, the transfer of the knowledge between the people understanding the business requirements and the translation of this into a speciﬁcation are key. Getting this right is crucial. Compliance functions do not typically have data scientists, analysts or IT experts, so having people with such skills will be very advantageous when it comes to specifying business requirements in a way that is understandable for IT specialists. Furthermore having ‘digital natives’ will ensure a common understanding of what is possible to prevent implementing sub-optimal solutions. Adopting agile development methods will allow instant reviews and the improvement of IT projects even during the development, thus supporting ﬂexibility and adjustment to a fast- changing environment. One critical aspect is getting clariﬁcation on approval to access necessary systems and data. This could be with IT; however, it might have to be obtained from the data owner within the organisation. Clarifying this will ensure no late surprises.
Broecker: A smooth working relationship between IT and compliance is absolutely critical to effective implementation. Coordination and planning are the key elements. IT must know the basics of the compliance message so that it can facilitate and suggest appropriate platforms. Compliance must know the basics of the IT systems and technologies so that it can tailor the message for greatest impact.
R&C: How can companies go about managing potential disruption to their operations during the automation process?
Broecker: Planning, coordination and understanding are key. As with every technological roll out, disruptions will occur. Successful organisations will be prepared, ﬂexible and strategic enough to understand that disruptions can be a teaching opportunity for a broader message.
Copland-Cale: ‘Acceptance’ of automation relies on the general agility of an organisation. If the organisation is very process and hierarchy oriented, it is generally more difﬁcult to implement larger automation efforts. An organisation that is ﬂexible and cooperates in changing teams would, in general, have much less difﬁculty to introduce automation efforts in their next ‘team project’. Speciﬁcally, it is critical to plan sufﬁcient training, including having possibilities for a ‘help desk’ or hotline at the beginning. If possible, ramp up in stages with no ‘big bang’. Of course, depending on criticality, have an ‘emergency plan’ to deal with system downtime when time is critical.
Nash: Start with speciﬁc, reasonable goals in mind, which your compliance programme would like to achieve with the software. Determine what your success metrics will look like. Are you trying to turn a paper programme into a centralised policy database that has a digitised audit trail? Are you looking to increase completion rates of your training courses from X percent to Y percent? Are you trying to remediate a known issue in a speciﬁc organisation or location? After you identify what you want to do, you must be very deliberate about ‘onboarding’. This requires programme owners to determine how to use and manage the new systems and, in turn, onboard other employees on how to engage with it properly and conveniently. Along with metrics, identify who will need be involved, informed and consulted. A comprehensive ‘RACI’ or similar matrix is a helpful tool to give your programme a detailed playbook to launch your new programme or technology. And again, IT should be a key partner in implementation. The rollout of new software may be a ﬁrst for your ethics and compliance programme, but it is most likely not the ﬁrst time for your IT department. Partner with your IT team, leverage their best practices and reuse everything you can that is replicable from their processes.
Kolster: Spending more time in proper planning may help avoid disruptions during the implementation process. Planning includes understanding the needs of the different stakeholders, especially end users, and setting clear expectations on what the system will and will not do. Designing a communication plan for the beneﬁt of all who are going to be impacted directly and indirectly by the implementation of the system, as well as developing a training programme for the users, will help minimise or eliminate disruption. In large companies with global operations, these points are particularly relevant because their change management process generally takes longer and has more potential to create disruption.
R&C: Do you expect more companies to adopt automation for compliance purposes over the coming months and years? What overarching trends are we likely to see in this area?
Nash: Technology and automation are already ubiquitous in the business world, and they are equally pervasive in our daily personal lives. Consider already-pervasive technologies such as smartphones and social media, which better connect us and can bring us information and insights, often just-in-time. Compliance practitioners and business leaders are hungry for these same capabilities to give them the efﬁciency and effectiveness needed to add business value to their programmes and competitive advantage to their organisations. New, quickly-improving technologies, such as artiﬁcial intelligence and machine learning, promise to improve the ways we protect our people, reputation and bottom lines. So the question is not ‘if’ or even ‘when’, but how quickly can we put it to work?
Copland-Cale: Automation will continue to increase as more advanced technologies become available. Today, automation is possible with basic analytics, but as machine learning and artiﬁcial intelligence (AI) methods become available we will see an exponential increase in automation. Nevertheless, AI needs large amounts of data and reward logic to be effective and, therefore, complex decision-making tasks are likely to stay manual for some years to come.
Kolster: The question is not if automation will be adopted for compliance purposes, but how fast it will happen. Automation could be used, for example, to identify instances when third-party intermediaries (TPIs) have not received the proper approval from the relevant compliance team through the company’s due diligence process. A company could set up a process so that payments to these non-approved TPIs are automatically blocked by the accounts payable system, which makes the controls much more effective and reduces the risk of manual error. Automation may also help to document the due diligence process, facilitate the training that TPIs should receive on the company’s policies, automatically monitor any issues in the news involving TPIs and remind the company of the need to re-certify TPIs after a certain period of time. As more and more companies see the advantages of automation-enabled compliance, it will continue to evolve rapidly.
Broecker: The use of automation will continue to expand for compliance purposes. The beneﬁts to the organisation are too great to ignore. I believe that the biggest trend will be a drive toward more adaptive learning. As training programmes have become more sophisticated and interactive, they have become more effective and engaging. Participants retain the information at a greater level than with less adaptive programmes. I think that the concept of adaptive learning can be replicated to other compliance functions, for example answering routine and many follow up policy questions.
Klinger: Big Data, predictive technologies and digital automation are here to stay. In healthcare, they will impact every aspect of business and we embrace the opportunities they will bring. It is clearly recognised that automation will help to convert data into a strategic advantage for companies that are able to leverage it effectively. In the fast-paced world of healthcare, as we strive to improve and extend people’s lives, further investment will be made in digital compliance initiatives to raise standards and improve outcomes for patients.
Senior Vice President, Product Management
T: +1 (503) 906 5252
David Nash is an experienced strategic and operational leader with a demonstrated history of leading innovation throughout the product cycle, building strong teams and developing other leaders. He is a proven business development professional, skilled in product lifecycle management, user experience, enterprise software and agile methodologies.
Shannon Thyme Klinger
Chief Ethics & Compliance Officer and Head Litigation
Novartis International AG
T: +41 (61) 324 2200
Shannon Thyme Klinger has been chief ethics & compliance ofﬁcer and head litigation at Novartis since May 2016. In this role, she is responsible for all aspects of the ethics and compliance programme at Novartis, and works closely with the executive committee of Novartis and its board to drive a culture of integrity through principles-based decision making. Prior to her current appointment, she served as global head legal and general counsel at Sandoz International in Germany.
Edwin J. Broecker
Quarles & Brady LLP
T: +1 (317) 399 2828
Edwin Broecker is a partner in Quarles & Brady’s business law practice group and the leader of the international trade and supply chain team and a member of the corporate venturing team. He balances business results and mitigation of legal risks, concentrating his practice on commercial agreements and trade, corporate and board governance, software licences, ﬁnance and equipment leases and helping clients in transitional situations including asset monetisation, business expansion and capitalisation.
Legal & Compliance and Head of Risk Management & Mitigation
T: +49 89 636 00
Andrew Copland-Cale has worked for Siemens AG since 1997 and performed multiple roles, including accounting, planning & controlling, procurement, product management, project management, consulting, region management and corporate development. Over the past 10 years he has spent three years in a corporate audit function in the area of forensic accounting and four years in compliance investigations. Approximately three years ago he took on his current role within legal & compliance, as head of risk management and mitigation.
Vice President, Chief Ethics & Compliance Officer - Latin America and Africa
T: +1 (479) 268 8634
Luis Kolster is the chief ethics and compliance ofﬁcer for Latin America and Africa for Walmart International. In his role, he leads the implementation and execution of Walmart’s ethics and compliance programme, including anti-corruption, ethics and other compliance subject matter areas, in 22 countries outside the US. Prior to Walmart, Mr Kolster spent over 12 years with Schlumberger, a leading supplier of technology and services for customers in the oil and gas industry.
About NAVEX Global, Inc.
NAVEX Global is the worldwide leader in integrated risk and compliance management software and services. Our solutions help organizations manage risk, address complex regulatory requirements and foster an ethical, productive workplace culture.