Amid stressed supply chains and inflation, can you afford reputational destruction and a damaged relationship with regulators? As organizations globally grapple with an increasingly complex risk and regulatory landscape, the growing integration of compliance, risk management, and data science is transforming the approach organizations take toward governance. This article sheds light on why “data science for compliance” has a better business case than ever, and it explains how prevention frameworks are enabled to reach their true potential. It also elaborates on how to start engaging in data-driven risk and compliance projects.
Data science: The answer to an evolving regulatory landscape
In the U.S., the Securities and Exchange Commission has enforced orders amounting to more than $5 billion in 2023, highlighting the escalating cost of noncompliance.[1] Merely introducing policies and tick-box exercises is no longer recognized as sufficient for improving or even signaling genuine active interest in assuring compliance. For example, the U.S. Department of Justice emphasizes that a company’s monitoring and evaluation of its compliance program should be data-driven and continuous.[2] This shift emphasizes a growing recognition that a proactive and data-driven approach becomes necessary as regulators demand more efficient risk management. Also, the frequency of mandating additional proactive measures by legislation is projected to increase—not only within the U.S. but also globally.
In the U.K., for example, the recently passed Economic Crime and Corporate Transparency Act requires organizations to exhibit evidence of proactive fraud detection.[3] In the EU, most financial entities are expected to be impacted by the Digital Operational Resilience Act that will come into effect in January 2025.[4] Among other factors, information and communication technology risk management—as well as advanced digital operational testing—are central to the Digital Operational Resilience Act.
These realities and more can be summarized in a sentence: A new global incarnation of compliance requires drastically improved risk management, necessitating leveraging data science. That is because data science augments both existing processes and people, and it is therefore poised to not only play a multilayered role within this newly revamped compliance landscape but also emerge as its fundamental cornerstone. Let us see how data science is related to proactive fraud risk management.
The Fraud Triangle is perhaps the most straightforward framework for understanding the relationship between data science and risk management.[5] According to the Fraud Triangle, the factors synergizing behind an individual’s decision to commit fraud are opportunity, pressure, and rationalization. Of these three components, opportunity is the only component an organization can have considerable objective control over. By strengthening and automating internal controls, data science diminishes opportunity through improved detection and deterrence, further discouraging potential perpetrators.
Data science elevates prevention frameworks
Data science supercharges risk management frameworks, enabling sophisticated risk detection and prevention by monitoring what happens, understanding why it happens, predicting what might happen, and even prescribing how to prevent it. It also allows streamlining and automating sophisticated data analysis that improves overall operational efficiencies and enhances your existing prevention framework—no matter your organization’s size.
While still relevant, traditional prevention frameworks were originally designed in simpler times when digital data was not as critical or abundant. Typically, their creation, implementation, and improvement were reactive because their business case only became apparent after confirmed breaches or whistleblowing incidents threatened their reputation. Computational and statistical techniques were siloed and only accessible to rare experts, limiting proactive implementations of prevention frameworks and hindering efficiency.
The rise of data science has fundamentally transformed this landscape not only because it introduces new advanced quantitative techniques but also because the term encapsulates the democratization of these techniques and the required computational power.
This shift levels the playing field, enabling smaller organizations to harness data-driven capabilities that were once the exclusive domain of major enterprises. Consequently, data-driven risk analyses enable fully realized proactive prevention frameworks poised to become some organizations’ highest-return activities.
Data science as a catalyst and magnifier
The game-changing potential of data science lies in its ability to widely enable the following key characteristics.
Speed and scalability
In the past, monitoring against established metrics, risk, and anti-fraud policies was technically challenging and costly. Data science now allows the analysis of large volumes of data at a low cost. This capability quantifies the extent to which internal policies, rules, and regulations are not followed, identifies root causes, and provides recommendations for enhancing internal controls and operational efficiencies.
Improved analysis
Traditional risk detection relied on threshold-defined deviations from a “normal behavior,” often defined by expected risk and fraud typologies. With its pattern recognition, novelty discovery, and anomaly detection algorithms, data science offers a more in-depth understanding of how unforeseen modes of risk may manifest.
Efficiency/automation
Leveraging machine learning and artificial intelligence (AI) addresses the impracticality and significant cost of constant human monitoring. Machine learning and AI algorithms can emulate the skills of fraud examiners, auditors, and forensic accountants, operating 24/7. This type of intelligent continuous monitoring can track parameters such as user behavior, transaction patterns, and system activities in real-time. This ensures prompt detection of unusual or suspicious activities, allowing for immediate intervention.
Fostering strategy and a culture of continuous improvement
In addition to revolutionizing risk management frameworks from a technological standpoint, data science profoundly impacts the people and processes aspects of compliance and risk management. Data-enabled approaches foster a culture of continuous improvement within organizations, necessitating proactivity, cross-functionality, and adaptability that result in dynamic and intelligent internal controls. The iterative nature of data science projects empowers employees to question, experiment, and synergize, fostering a culture of continuous improvement, accountability, and cross-functional collaboration.[6]
Additionally, data projects necessitate fixing broken processes and a deeper understanding of business strategy. For data projects to succeed, they must be closely aligned with the organization’s overarching strategic objectives. Thus, beyond its technical applications, data science catalyzes a cultural shift toward resilience and agility, positioning organizations to not only survive but also thrive in an ever-evolving risk landscape. This holistic approach not only strengthens risk management practices but also nurtures a dynamic organizational culture poised for sustainable growth and success.
Realistically implementing data science for risk management
The most important first step is related to mindset: Avoid the allure of acquiring an off-the-shelf compliance solution or building your own in-house platform without careful prior strategizing that is backed by data. Even if the aforementioned possibilities are the destination, pursuing huge change in the absence of crucial information is most likely to lead you down a lengthy and expensive digital journey, with failure rates ranging from 70% to 95%.[7] If it “succeeds,” the most typical best-case scenario is that you only have the bandwidth to use a small subset of the features you bought. Compliance costs are already high, and you should not rush to increase them.[8] Intelligent strategizing is required.
Avoiding excessive top-to-bottom strategizing is also significant because your expectations will almost certainly be inhibited by a combination of factors, including data availability issues, inadequate skill sets, and other resource limitations. Discarding the notion of magical solutions that seamlessly integrate all legacy data systems and serve your business strategy without multiple iterations and human involvement is equally critical.
The ideal is a framework tailored to your specific organization and a transformation process that generates value in a continuous rather than binary fashion. This initially requires an initial in-depth exploratory data analysis and information from the front lines to break your transformation risk into small, manageable data projects. Such an approach allows you to identify areas of improvement with a high return on investment and efficiently research the value and flexibility of your options. Let us now expand on how you can start with such data projects.
Where to begin
Like every other successful endeavor, implementing your data-driven risk framework involves identifying the low-hanging fruit first. These projects help you assess your situation by detecting both known and novel risk pathways. Additionally, as risk does not exist in isolation from the rest of the business and you need to build alliances within and between different business functions, your initial projects should also establish a direct connection to value, impact multiple stakeholders, and make it easy to envision the transformational potential of advanced data analytics.
Your data must be treated as a valuable asset. Whether it is “dirty” or not is contextual, so you should not rush into discarding it. While dirty data may pose inherent risks, it is essential to recognize that it hides some of the most invaluable and immediately actionable insights. Dirty data, for example, often arises from costly human error, providing fertile ground for the occurrence of additional risks.
To this end, data experts carrying out sophisticated data analyses must also possess a deep domain understanding of forensic accounting concerning the specific area they explore (e.g., procurement) or at least tightly collaborate with subject matter experts. It’s also important to stress that aside from data science techniques and subject matter expertise, the investigative and research capabilities of the involved data experts are paramount.
The most fruitful data-centric risk management projects—regardless of whether your focus is on procurement, anti-money laundering, or any other type of risk—start with a traditional rule-based approach. This allows you to obtain quick insights regarding assurance, compliance, and common fraudulent pathways from large volumes of data. However, rule-based approaches can be highly inefficient in areas where subject matter expertise admits uncertainty and typically yields unsustainable red flags. Statistical models may help to further focus on high-value data, and machine learning can detect new modes of risk and error through sophisticated pattern recognition and anomaly detection.
Final thoughts
Data science’s role as a central pillar for modern compliance cannot be overstated. It’s a beacon of opportunity and more financially viable than ever before. This journey starts by identifying and implementing agile, low-risk, high-value data science projects. The optimal approach necessitates fusing expertise in risk management and data science coupled with bespoke research efforts to maximize efficiency. By prioritizing such initiatives, organizations can swiftly adapt to the challenges of the data science era, fortifying their risk management frameworks while fostering a culture of innovation and resilience. As organizations navigate the complexities of the modern compliance era, those who seize the opportunities presented by data-driven risk management will emerge as leaders, equipped to thrive amid uncertainty and change.
Takeaways
-
The growing integration of compliance and risk management necessitates enhancing traditional prevention frameworks with data science.
-
The democratization of key data science attributes (speed, scalability, improved analysis, efficiency, automation) translates to compelling business advantages.
-
Successfully initiating data-centric risk management efforts requires a combination of data literacy, resources, and a pragmatic mindset.
-
Successful data-enabled risk management frameworks start with low-hanging fruit projects—quick wins that offer value and actionable guidance for further engagement.
-
The continuous improvement aspect of data science catalyzes the emergence of a culture of innovation and resilience within organizations.