The DOJ has repeatedly made it clear that companies must assess the effectiveness of their FCPA compliance programs in practice. The message is obvious: no matter how detailed your risk mitigation and anti-corruption strategies may be, it’s the outcomes of those strategies that you will be judged on.
Companies are well-versed in demonstrating where their program has not been effective – the existence of substantiated investigations is an obvious example.
However, the goal now is to measure effectiveness, not ineffectiveness. With that in mind, how can you begin to validate the overall effectiveness of your program? The answer lies in the application of forensic data analytics.
Traditional measures of compliance effectiveness are flawed – and time-consuming
The tried and trusted approaches to using data to measure effectiveness have focused heavily on process metrics, such as training completion statistics, investigations data, or the number of third parties that completed due diligence.
While this data can help to show that certain program processes are working — that employees are completing training, diligence is being done on key third parties, and employees are raising compliance issues and concerns — such metrics are mere approximations of program effectiveness.
For example, the absence of hotline reports may be attributable to a culture of not reporting or a fear of retaliation rather than an effective program. Similarly, high training completion, code certification or completed third-party due diligence metrics may only represent the subjective, biased, or even wilfully inaccurate self-certifications of employees. As such, they may not match the reality on the ground in your operations.
While such metrics are often of limited value, compliance teams sometimes spend an inordinate amount of effort and time gathering such data from disparate siloed systems, such as hotline, training and due diligence systems.
Paint a more accurate picture with forensic data analytics and risk-scoring
The true incidence of non-compliance, and the correlated assessment of your compliance efforts, can be better gleaned by applying forensic data analytics to 100% of your T&E expenses, invoices, rebates, discounts and other transfers of value.
Each transaction, such as a vendor invoice, can be subjected to dozens of statistical, behavioral and rule-based analyses to assign an automated aggregate transactional risk score. Such an approach can escalate the highest-risk outlier transactions, employees and third parties to internal compliance, audit and investigations personnel for further investigation.
Aggregating the analyses to one composite score per transaction is critical, as escalating transactions that matched on a single analysis (e.g., a round-dollar payment) can often produce an immense number of false positives, overwhelm reviewers with tedious follow-up, and take the legs out from under a nascent analytics and monitoring program. And tailoring a standard library of analyses to your company’s unique risks and historical issues is essential to making such efforts effective.
How does this relate to the DOJ’s expectations on continuous monitoring?
Continuous transaction monitoring of spend data squarely addresses recent DOJ guidance that companies manage risk across the lifespan of their relationships, particularly with third parties.
A third party that was designated as low risk during the diligence process may have been misclassified, or its scope of work may have changed. Monitoring third parties through their real-time spend, as opposed to only through periodic diligence refreshes or audits, is the best way to ensure that they are compliant and that your third-party risk management program is effective.
A data-driven future for compliance
Compliance officers, whether or not they are in front of a regulator, are constantly looking for comfort that their programs are effective. Employing advanced data analytics that test your actual transactional data in real time is the most effective way to gain that comfort.
Over the next few years, compliance programs will increasingly transition to a future where compliance officers and their C-suites and Boards can all sleep better on a bed of advanced data analytics.