In June 2020, the United States Department of Justice (DOJ) updated its guidance surrounding the Evaluation of Corporate Compliance Programs. The guidance signaled a more aggressive enforcement of regulations, putting an ever greater onus on organizations to ensure their compliance programs are effective and fit for purpose.
Better use of data, through the utilization of data analytics, is one way in which your organization can address these more stringent expectations. In this article we take a look at how data fits within the principles set by the DOJ in evaluating corporate compliance programs, and various ways in which data can be used by organizations to bring their compliance programs up to best practice.
DOJ Compliance Principles
There are three fundamental questions asked by the DOJ when approaching the evaluation of corporate compliance programs. Data has a role to play in all three.
1. Is the corporation’s compliance program well designed?
The base point of any successful compliance program is its design. By first understanding how best to structure your program, you can be sure that it is serving your company in the best way possible.
Designing data into your compliance program from the ground up is a good place to start. Continuously monitoring transactional data and key metrics using real-time data is a step change from the traditional approach that may be overly reliant on “tick the box” controls, high-level metrics and subjective decision-making.
Incorporating data shows the organizational commitment to evidence-based risk analysis and a proactive approach to detecting wrongdoing that is expected by the DOJ. That’s because it provides insight into the risks the organization faces in reality, rather than in theory.
Critically, it enables risk professionals to have real, meaningful information at their fingertips to help them learn about their organization, investigate specific issues or generally identify unusual trends and patterns from their data. Those insights are critical to ensuring that the compliance program can be designed in the most targeted way to reflect the true risks your organization faces.
The DOJ expects compliance programs to root out problems and effect changes. A well-designed compliance program will also consider how it presents findings to stakeholders to make decisions about necessary changes. Evidence-based recommendations founded in credible data, and visualized to bring context and clarity to the data, make this job easier.
2. Is the program being applied earnestly and in good faith?
Once your compliance program has been fully designed, the next step is to test its application.
Decisions about where to focus a program’s efforts can be negatively influenced by a range of subjective issues. These might include limited understanding of potential risks due to a lack of experience, poor judgement, errors, inexperience or even wilful intent.
Using data therefore brings a level of objectivity to your compliance efforts. For example, compliance leadership likely will have a much more objective and holistic view of third-party spend risk if data analytics are applied to every third-party payment globally than if data is only provided from a handful of sample-based audits and hotline reports.
Investing in good data practices and automation cuts down on manual and inefficient processes, while allowing you to have broader risk coverage and controls. It frees up risk and compliance professionals to spend more of their time interpreting the data analytics and focus on high-value activity. And, by utilizing data to inform decisions about investment and resource deployment, and then using data to validate those decisions, organizations can demonstrate their compliance program is dynamic and evolving - and more than a box-ticking exercise.
3. Does the corporation’s compliance program work in practice?
Finally, you’ll need to evaluate the performance of your compliance program as it’s put into practice within your organization. The DOJ guidance makes clear that it is the effectiveness of a compliance program that is important, not simply its existence or its complexity.
For example, statistics demonstrating that your workforce has completed their training obligations show that a process is working, but provide little insight into outcomes - whether employees are actually behaving ethically. Reports to your whistleblowing hotlines can tell you where employees have been brave enough to report failures of your process, but may not provide a full picture of all your risks and may not have been provided in a timely manner.
A truly data-driven approach makes it possible to track and measure more meaningful risk information. One example of this might be measuring the risk profile of every transaction based on predefined risk analyses, which have the risk perspective of your organization and its particular issues, circumstances and norms. These types of metrics can be a more effective way to help you measure the true incidence of non-compliance within your organization.