Navigating compliance and risk management in the data science era

Kyriakos Christodoulides

Kyriakos Christodoulides

Kyriakos Christodoulides (kyriakos@novelintelligence.ai, linkedin.com/in/dr-kyriakos-christodoulides/) is the Managing Founder of Novel Intelligence Ltd in London, U.K.
Listen to article
8 minute read

By Kyriakos Christodoulides, PhD, CFE

Amid stressed supply chains and inflation, can you afford reputational destruction and a damaged relationship with regulators? As organizations globally grapple with an increasingly complex risk and regulatory landscape, the growing integration of compliance, risk management, and data science is transforming the approach organizations take toward governance. This article sheds light on why “data science for compliance” has a better business case than ever, and it explains how prevention frameworks are enabled to reach their true potential. It also elaborates on how to start engaging in data-driven risk and compliance projects.

Data science: The answer to an evolving regulatory landscape

In the U.S., the Securities and Exchange Commission has enforced orders amounting to more than $5 billion in 2023, highlighting the escalating cost of noncompliance.[1] Merely introducing policies and tick-box exercises is no longer recognized as sufficient for improving or even signaling genuine active interest in assuring compliance. For example, the U.S. Department of Justice emphasizes that a company’s monitoring and evaluation of its compliance program should be data-driven and continuous.[2] This shift emphasizes a growing recognition that a proactive and data-driven approach becomes necessary as regulators demand more efficient risk management. Also, the frequency of mandating additional proactive measures by legislation is projected to increase—not only within the U.S. but also globally.

In the U.K., for example, the recently passed Economic Crime and Corporate Transparency Act requires organizations to exhibit evidence of proactive fraud detection.[3] In the EU, most financial entities are expected to be impacted by the Digital Operational Resilience Act that will come into effect in January 2025.[4] Among other factors, information and communication technology risk management—as well as advanced digital operational testing—are central to the Digital Operational Resilience Act.

These realities and more can be summarized in a sentence: A new global incarnation of compliance requires drastically improved risk management, necessitating leveraging data science. That is because data science augments both existing processes and people, and it is therefore poised to not only play a multilayered role within this newly revamped compliance landscape but also emerge as its fundamental cornerstone. Let us see how data science is related to proactive fraud risk management.

The Fraud Triangle is perhaps the most straightforward framework for understanding the relationship between data science and risk management.[5] According to the Fraud Triangle, the factors synergizing behind an individual’s decision to commit fraud are opportunity, pressure, and rationalization. Of these three components, opportunity is the only component an organization can have considerable objective control over. By strengthening and automating internal controls, data science diminishes opportunity through improved detection and deterrence, further discouraging potential perpetrators.

Data science elevates prevention frameworks

Data science supercharges risk management frameworks, enabling sophisticated risk detection and prevention by monitoring what happens, understanding why it happens, predicting what might happen, and even prescribing how to prevent it. It also allows streamlining and automating sophisticated data analysis that improves overall operational efficiencies and enhances your existing prevention framework—no matter your organization’s size.

While still relevant, traditional prevention frameworks were originally designed in simpler times when digital data was not as critical or abundant. Typically, their creation, implementation, and improvement were reactive because their business case only became apparent after confirmed breaches or whistleblowing incidents threatened their reputation. Computational and statistical techniques were siloed and only accessible to rare experts, limiting proactive implementations of prevention frameworks and hindering efficiency.

The rise of data science has fundamentally transformed this landscape not only because it introduces new advanced quantitative techniques but also because the term encapsulates the democratization of these techniques and the required computational power.

This shift levels the playing field, enabling smaller organizations to harness data-driven capabilities that were once the exclusive domain of major enterprises. Consequently, data-driven risk analyses enable fully realized proactive prevention frameworks poised to become some organizations’ highest-return activities.

Data science as a catalyst and magnifier

The game-changing potential of data science lies in its ability to widely enable the following key characteristics.

Speed and scalability

In the past, monitoring against established metrics, risk, and anti-fraud policies was technically challenging and costly. Data science now allows the analysis of large volumes of data at a low cost. This capability quantifies the extent to which internal policies, rules, and regulations are not followed, identifies root causes, and provides recommendations for enhancing internal controls and operational efficiencies.

Improved analysis

Traditional risk detection relied on threshold-defined deviations from a “normal behavior,” often defined by expected risk and fraud typologies. With its pattern recognition, novelty discovery, and anomaly detection algorithms, data science offers a more in-depth understanding of how unforeseen modes of risk may manifest.

Efficiency/automation

Leveraging machine learning and artificial intelligence (AI) addresses the impracticality and significant cost of constant human monitoring. Machine learning and AI algorithms can emulate the skills of fraud examiners, auditors, and forensic accountants, operating 24/7. This type of intelligent continuous monitoring can track parameters such as user behavior, transaction patterns, and system activities in real-time. This ensures prompt detection of unusual or suspicious activities, allowing for immediate intervention.

Fostering strategy and a culture of continuous improvement

In addition to revolutionizing risk management frameworks from a technological standpoint, data science profoundly impacts the people and processes aspects of compliance and risk management. Data-enabled approaches foster a culture of continuous improvement within organizations, necessitating proactivity, cross-functionality, and adaptability that result in dynamic and intelligent internal controls. The iterative nature of data science projects empowers employees to question, experiment, and synergize, fostering a culture of continuous improvement, accountability, and cross-functional collaboration.[6]

Additionally, data projects necessitate fixing broken processes and a deeper understanding of business strategy. For data projects to succeed, they must be closely aligned with the organization’s overarching strategic objectives. Thus, beyond its technical applications, data science catalyzes a cultural shift toward resilience and agility, positioning organizations to not only survive but also thrive in an ever-evolving risk landscape. This holistic approach not only strengthens risk management practices but also nurtures a dynamic organizational culture poised for sustainable growth and success.

Realistically implementing data science for risk management

The most important first step is related to mindset: Avoid the allure of acquiring an off-the-shelf compliance solution or building your own in-house platform without careful prior strategizing that is backed by data. Even if the aforementioned possibilities are the destination, pursuing huge change in the absence of crucial information is most likely to lead you down a lengthy and expensive digital journey, with failure rates ranging from 70% to 95%.[7] If it “succeeds,” the most typical best-case scenario is that you only have the bandwidth to use a small subset of the features you bought. Compliance costs are already high, and you should not rush to increase them.[8] Intelligent strategizing is required.

Avoiding excessive top-to-bottom strategizing is also significant because your expectations will almost certainly be inhibited by a combination of factors, including data availability issues, inadequate skill sets, and other resource limitations. Discarding the notion of magical solutions that seamlessly integrate all legacy data systems and serve your business strategy without multiple iterations and human involvement is equally critical.

The ideal is a framework tailored to your specific organization and a transformation process that generates value in a continuous rather than binary fashion. This initially requires an initial in-depth exploratory data analysis and information from the front lines to break your transformation risk into small, manageable data projects. Such an approach allows you to identify areas of improvement with a high return on investment and efficiently research the value and flexibility of your options. Let us now expand on how you can start with such data projects.

Where to begin

Like every other successful endeavor, implementing your data-driven risk framework involves identifying the low-hanging fruit first. These projects help you assess your situation by detecting both known and novel risk pathways. Additionally, as risk does not exist in isolation from the rest of the business and you need to build alliances within and between different business functions, your initial projects should also establish a direct connection to value, impact multiple stakeholders, and make it easy to envision the transformational potential of advanced data analytics.

Your data must be treated as a valuable asset. Whether it is “dirty” or not is contextual, so you should not rush into discarding it. While dirty data may pose inherent risks, it is essential to recognize that it hides some of the most invaluable and immediately actionable insights. Dirty data, for example, often arises from costly human error, providing fertile ground for the occurrence of additional risks.

To this end, data experts carrying out sophisticated data analyses must also possess a deep domain understanding of forensic accounting concerning the specific area they explore (e.g., procurement) or at least tightly collaborate with subject matter experts. It’s also important to stress that aside from data science techniques and subject matter expertise, the investigative and research capabilities of the involved data experts are paramount.

The most fruitful data-centric risk management projects—regardless of whether your focus is on procurement, anti-money laundering, or any other type of risk—start with a traditional rule-based approach. This allows you to obtain quick insights regarding assurance, compliance, and common fraudulent pathways from large volumes of data. However, rule-based approaches can be highly inefficient in areas where subject matter expertise admits uncertainty and typically yields unsustainable red flags. Statistical models may help to further focus on high-value data, and machine learning can detect new modes of risk and error through sophisticated pattern recognition and anomaly detection.

Final thoughts

Data science’s role as a central pillar for modern compliance cannot be overstated. It’s a beacon of opportunity and more financially viable than ever before. This journey starts by identifying and implementing agile, low-risk, high-value data science projects. The optimal approach necessitates fusing expertise in risk management and data science coupled with bespoke research efforts to maximize efficiency. By prioritizing such initiatives, organizations can swiftly adapt to the challenges of the data science era, fortifying their risk management frameworks while fostering a culture of innovation and resilience. As organizations navigate the complexities of the modern compliance era, those who seize the opportunities presented by data-driven risk management will emerge as leaders, equipped to thrive amid uncertainty and change.

Takeaways

  • The growing integration of compliance and risk management necessitates enhancing traditional prevention frameworks with data science.

  • The democratization of key data science attributes (speed, scalability, improved analysis, efficiency, automation) translates to compelling business advantages.

  • Successfully initiating data-centric risk management efforts requires a combination of data literacy, resources, and a pragmatic mindset.

  • Successful data-enabled risk management frameworks start with low-hanging fruit projects—quick wins that offer value and actionable guidance for further engagement.

  • The continuous improvement aspect of data science catalyzes the emergence of a culture of innovation and resilience within organizations.

 
1 U.S. Securities and Exchange Commission, “SEC Announces Enforcement Results for Fiscal Year 2023,” news release, November 14, 2023, https://www.sec.gov/news/press-release/2023-234.
2 Andrew M. Good et al., “Key Takeaways From Updated DOJ Corporate Compliance Evaluation Guidance,” Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates, June 15 2020, https://www.skadden.com/insights/publications/2020/06/key-takeaways-from-updated-doj.
3 UK Government, “Economic Crime and Corporate Transparency Act 2023: Factsheets,” policy paper, February 29 2024, https://www.gov.uk/government/publications/economic-crime-and-corporate-transparency-act-2023-factsheets.
4 European Insurance and Occupational Pensions Authority, “Digital Operational Resilience Act (DORA),” January 2023, https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en.
5 Association of Certified Fraud Examiners, “Fraud 101: What Is Fraud? It’s both simpler and more complicated than you think,” accessed April 30, 2024, https://www.acfe.com/fraud-resources/fraud-101-what-is-fraud.
7 Corrie Block, “12 Reasons Your Digital Transformation Will Fail,” Forbes, March 16, 2022, https://www.forbes.com/sites/forbescoachescouncil/2022/03/16/12-reasons-your-digital-transformation-will-fail/.
8 Thomson Reuters, 2023 Cost of Compliance Report: Regulatory burden poses operational challenges for compliance officers, May 2023, https://www.thomsonreuters.com/en-us/posts/investigation-fraud-and-risk/2023-cost-of-compliance-report/.
This publication is only available to members. To view all documents, please log in or become a member.
Become a Member Login

What to read next...

How investigation tools can increase efficiency for compliance and ethics professionals

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings