Parth Chanda (firstname.lastname@example.org) is Founder and CEO of Lextegrity, based in New York City.
In the early 2000s, governments of less economically developed countries faced a choice on how they would make telephone communication available to their populations in the new millennium. They could follow the model of more economically developed countries and invest in landline systems, which involved massive upfront infrastructure investments and ongoing maintenance costs. And despite such large investments, they likely could reach only a small percentage of their population with no guarantees of good quality. The other choice—which was ultimately followed—was to make smaller investments in higher-quality modern cellular technology, an area where innovation would continue to move at a breakneck pace and the quality of service would be far better.
The decision to skip landline technology and move directly to cellular communications was an example of a “leapfrog” moment—where countries were able to leapfrog over an inferior legacy approach to a superior modern approach. This moment paid off over the next two decades in the form of better accessibility to telephones for far more people at lower costs. In addition, unforeseen benefits were unlocked over time. For example, the development of phone-based payment systems made commerce and access to capital easier for billions of people—an unexpected benefit of choosing the path of cellular technology.
Today, compliance functions in many organizations face a similar leapfrog moment. Legacy approaches to tackling fraud, corruption, conflicts of interest, and financial crimes are being replaced by more modern approaches deploying data analytics and automation. Organizations building or updating their compliance programs, or reassessing their legacy programs, have the opportunity today to leapfrog old approaches and embed new technology-driven strategies that already promise better outcomes and will undoubtedly lead to unexpected benefits down the road.
The legacy of compliance metrics
Humans being humans, every large organization will face a certain level of fraud or corruption among their employee base. To combat that risk, the board and C-suite expect an effective anti-fraud/anti-corruption compliance program that prevents as close to 100% of wrongdoing as possible and detects it as quickly as possible before it becomes systemic within the organization. The board and C-suite also demand evidence from the compliance function that this expectation is being met (i.e., that the compliance program is indeed effective).
The legacy approach to demonstrating effectiveness involves metrics and key performance indicators. A compliance officer routinely pulls together a standard set of metrics—hotline reports, substantiated investigations, audit findings, completed due diligence and other spend preapproval stats, code of conduct certifications, and training completion rates—to paint a picture of an effective, on-the-ground compliance program. Another approach has been to visualize spend data to find outliers indicative of risk wherein the compliance organization might pull the top high-risk vendors by spend or the top employees by meal spend with government officials. The compliance or audit function might then review some of the outlying payments to confirm their legitimacy, thereby providing an additional sense of security that fraud or corruption are not occurring.
Substantiated investigations and audits may uncover actual fraud or corruption and provide clear evidence that the compliance program is not working on the ground. These legacy types of metrics and key performance indicators can confirm that fraud or corruption is occurring and the compliance program is not particularly effective; they do not, however, provide definitive evidence that fraud and corruption are not occurring and that the program is effective for several reasons.
First, such metrics are often only a sample of information, which can also suffer from selection bias. Hotline statistics, for example, only reflect those matters that are actually disclosed and may be artificially suppressed due to a culture of retaliation or a fear of reporting. Similarly, audit findings are based on a sample of transactions that are selected from a sample of countries. The selection of countries and samples may be affected by selection bias in that the auditor may be informed by where the company believes they have risk rather than where they actually have risk. For example, an auditor might not frequently test transactions involving your office paper suppliers or entities in Finland. But what if your office paper supplier in Finland is, in fact, a sham vendor serving as a conduit for a bribery or embezzlement scheme there.
These “legacy” metrics often only show that processes are working and not necessarily that fraud is not occurring. Training completion, code certifications and approval, and diligence process stats only show that employees or third parties are completing process steps, not that they are being truthful when they complete them.
Data analytics modernized
A modern approach to fighting fraud and corruption is applying a sophisticated data analytics risk algorithm continuously to your entire set of financial transactions, such as invoice payments, travel and expense costs, and distributor transactions. Using advanced forensic analyses that humans cannot easily mimic, this method tests 100% of transactions to actually confirm whether misconduct is occurring. An ideal approach applies multiple analyses at once—tailored to your organization’s risk, industry, and historical issues—to provide each financial transaction with an aggregate risk score and escalate high-risk transactions internally for review. Risk learning would apply machine learning to the algorithm to improve analyses over time by learning from the results of prior follow-up. A compliance officer running such analytics in real time on 100% of their spend and not detecting significant fraud or corruption would be in a much better position to attest to the effectiveness of their compliance program than a compliance officer taking the legacy approach described above.
Beyond being more effective, an approach driven by data analytics is ultimately far less expensive. Technology can review far more transactions at a more advanced level than the traditional teams of auditors traveling around the world. Audit and compliance personnel can instead focus their resources and brainpower on targeting specific transactions and risk patterns, making the overall program even more effective and cost efficient. And having data analytics running on 100% of your data could mean that burdensome approval processes could be fine-tuned to better target risk, saving your business people countless hours of time on approvals for low-risk transactions, and compliance officers could save time and resources otherwise spent manually collecting and reporting on the metrics described above.