Kanupriya Jain (kanupriya.Jain@controlrisks.com) is Director of Control Risks in Dubai, UAE.
All compliance executives, investigators, and general counsels are aware of the concept of building strong policies and a tone from the top when discussing compliance frameworks. Although these are some of the key principles defined by the UK Bribery Act, they are increasingly being used by organizations as a simple tick-the-box exercise, giving the appearance of compliance when, in reality, the organization has no robust compliance framework in place to manage effectively the risks it faces.
Policy vs. risk-based compliance programs
In most cases, senior corporate employees request policy-based compliance programs to fulfill a regulatory requirement, or a prebid qualification or a prerequirement to receive investments from more mature or regulated countries. Budgetary constraints often result in these programs being a one-time, high-level exercise where policies define an organization’s vision, but they do not provide enough guidance to employees on what to do if a certain situation arises. For example, if an organization’s policy says, “do not bribe” and “conduct business ethically,” the employee reads and follows it. But when the same employee travels to countries where anti-money laundering, corruption, or sanctions risks are high, and they receive a bribe request during business interactions, they may not know how to respond without jeopardizing their career, causing reputational damage to their employer, or even endangering their own life. Should they say no immediately? Should they consider the demand as a way of doing business and fulfill the request? And if a bribe is paid, how should the employee report it or claim reimbursement?
This uncertainty is where policy-based compliance plans fail. For some companies, this policy-based approach might prove to be successful in the short term, but when put to the test in today’s age of technology, the Internet of Things, artificial intelligence, and the volume of data every organization processes, are these policy-based compliance programs enough to protect against a breach or violation and potential regulatory action?
Data analytics and risk-based compliance programs
Valuable insight into the effectiveness of an organization’s compliance program/framework can be gained by analyzing data with available tools and by using artificial intelligence to analyze transactional data and behavior and to connect information from disparate systems. Data is everywhere and is captured at various levels in an organization, and you can upgrade existing compliance programs by undertaking a robust analytics-led approach. Structured data in the form of accounting data, call logs, vendor and supplier data, human resources data, or data collected from a whistleblower hotline, when combined and compared with unstructured data such as email communications, information stored on shared folders, and information sourced from other dissimilar sources, can provide insights into areas that require focus and attention while developing and updating compliance programs.
Incorporating analytics and technology in compliance
The triple-K approach supports the main areas where an organization usually exposes itself to risks (see figure 1).
Know your third parties
First and foremost, knowing the reputation of your third parties is key to conducting business. Whether the risk is from corrupt practices or criminal actions or violations of human rights, you would want to know who you are paying and how that money is being used. The risk from “unusually close relationships with vendor/customer” is the second highest corruption red flag with 34% of corruption cases being related to third parties, according to the 2018 ACFE Report to the Nations.[1] Today, names, addresses, and telephone numbers are being extracted from master data records, linked with self-disclosed information, and/or mapped against databases, online articles, and social media profiles to provide a predecided risk rating that helps a compliance officer and business leads decide whether they want to continue or discontinue a relationship with a third party.
Know your business processes and regulations
Managing money laundering, sanctions, and terrorist financing risks in transactions is a key requirement for all organizations. With the exception of the financial sector and banks that are leading the effort in minimizing these risks, are other organizations doing enough? Not in our opinion. For example, an organization may be acquiring an entity where high-value payments are coming from a country where there are high money-laundering risks, sanctions, and corruption. This can easily be missed during due diligence, resulting in violations of international regulations. However, using advanced analytics, organizations can monitor and analyze transactions in real time to be alerted when suspicious activity occurs. In the Middle East region, according to the Basel AML Index Report, Lebanon is among the highest risk countries for money laundering and the UAE and Saudi Arabia are medium to low risk countries, which means these risks can’t be ignored.[2]
Know your employees
Mapping an employee’s behavior by analyzing expense data and/or credit card expenses (accounting data), call logs, and keywords in an email (email data) can tell you whether any transaction or a group of transactions is a cause for concern requiring deeper review. An employee may be spending on entertainment expenses prior to a government tender and be claiming the expenditure from the employer. The precoded script will flag this by comparing the employee’s expenses, certain keywords defined to pick up relevant emails, and a simple trend of higher expenses within a certain date range. Performing this exercise manually would require extraction, cleaning, and at least three additional steps, but if this process is automated by coding this logic into the information that is being gathered, this can be done in real time or in a semi-automated analytics dashboard.
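The flagging logic described above, sketched as an added example (not code from the article or from any Control Risks tool): an employee is flagged only when entertainment spend in the window before a tender rises well above their own baseline and a watch-list keyword appears in their email in the same window. All records, the keyword list, the 30-day window, and the 2x ratio are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample records (not from the article).
EXPENSES = [  # (employee, date, category, amount)
    ("emp_a", date(2024, 1, 10), "entertainment", 100.0),
    ("emp_a", date(2024, 2, 10), "entertainment", 100.0),
    ("emp_a", date(2024, 3, 5), "entertainment", 100.0),
    ("emp_a", date(2024, 3, 20), "entertainment", 400.0),
    ("emp_a", date(2024, 4, 2), "entertainment", 500.0),
    ("emp_b", date(2024, 1, 15), "entertainment", 200.0),
    ("emp_b", date(2024, 2, 20), "entertainment", 220.0),
    ("emp_b", date(2024, 3, 25), "entertainment", 210.0),
    ("emp_c", date(2024, 1, 20), "entertainment", 50.0),
    ("emp_c", date(2024, 4, 1), "entertainment", 600.0),
]
EMAILS = [  # (employee, date, subject)
    ("emp_a", date(2024, 3, 25), "Hospitality for ministry delegation"),
    ("emp_b", date(2024, 3, 28), "Gift policy reminder"),
    ("emp_c", date(2024, 4, 3), "Quarterly report"),
]
TENDERS = [("tender-001", date(2024, 4, 15))]       # hypothetical government tender
KEYWORDS = ("gift", "hospitality", "facilitation")  # assumed watch list
WINDOW_DAYS, SPIKE_RATIO = 30, 2.0                  # assumed thresholds

def flag_employees(expenses, emails, tenders):
    """Flag employees with an entertainment-spend spike AND keyword hits pre-tender."""
    alerts = []
    for tender_id, tender_date in tenders:
        start = tender_date - timedelta(days=WINDOW_DAYS)
        for emp in sorted({row[0] for row in expenses}):
            ent = [(d, a) for who, d, cat, a in expenses
                   if who == emp and cat == "entertainment"]
            window_spend = sum(a for d, a in ent if start <= d < tender_date)
            prior = [(d, a) for d, a in ent if d < start]
            # Baseline = daily spend rate over the history before the window.
            days = (start - min(d for d, _ in prior)).days if prior else 0
            base_rate = sum(a for _, a in prior) / days if days else 0.0
            win_rate = window_spend / WINDOW_DAYS
            # No usable history: any in-window spend counts as a spike.
            spike = win_rate > SPIKE_RATIO * base_rate if base_rate else window_spend > 0
            hits = sorted({k for who, d, subj in emails for k in KEYWORDS
                           if who == emp and start <= d < tender_date
                           and k in subj.lower()})
            if spike and hits:  # both signals required, as the text describes
                alerts.append({"tender": tender_id, "employee": emp,
                               "window_spend": window_spend, "keyword_hits": hits})
    return alerts

if __name__ == "__main__":
    for alert in flag_employees(EXPENSES, EMAILS, TENDERS):
        print(alert)
```

Requiring both signals keeps `emp_b` (keyword only) and `emp_c` (spike only) out of the review queue; an alert is a prompt for deeper review, not a finding.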
Continuing from this, if an employee is in a high regulatory-risk zone due to their role and responsibility or has had a previous suspicious incident (e.g., whistleblowing records), then the company can proactively monitor and make sure that the employee knows and understands how to handle compromising situations. Going back to the example of the employee traveling to a country with high money-laundering risk, sanctions, or corruption, the compliance platform combined with a travel risk advisory system can provide the employee with necessary notifications on their phone and on email, emphasizing the gift limits and risk scenarios, whether corruption or security related, and provide emergency numbers to call if the need arises. For example, a colleague detained in a Southeast Asian country for having an incorrect visa stamped on their passport when entering the country still had a reasonably clear idea of how to respond and manage the situation, because they were made aware of the specific country practice prior to travel.
These are only some examples of how both structured and unstructured data stored within an organization’s network can be used to make decisions. Efficiently sifting through relevant information to make informed decisions is what data analytics will help us do in the area of improving compliance and governance.
What can you do?
So here’s what you can do today (see figure 2).
- Comprehend all the risks your organization is facing based on jurisdictions.
- Conduct a thorough risk assessment of all the actual business processes being followed in your organization.
- Appoint a subject matter expert to review the risk assessment and processes from an outside-in perspective.
- Set up automated risk and threat dashboard reporting to target attention, respond, and reduce revenue loss.
- Increase employee awareness of the risks of operating in high-risk jurisdictions.
- Assess whether employees understand and comply with the training they have received, preferably by an external specialist.
- Develop pragmatic incident response plans and help the relevant employees understand these.
Conclusion
Compliance professionals and general counsels are increasingly expected to know all aspects of their business, cross-jurisdictional regulations, dos and don’ts of all types of risks, and how to respond and manage incidents. Using technology that is fit-for-purpose for your organization to understand what information is available and where the risks can be mitigated allows compliance professionals to increase efficiency, reduce recurring costs, and avoid any kind of incident or regulatory action.
Takeaways
- Technology can be used to identify and mitigate compliance risks.
- Customize a fit-for-purpose technology solution depending on your organization’s existing systems. Tools that follow the one-size-fits-all approach may not be appropriate for you.
- Consider combining data with your internal processes and your employees’ knowledge to understand what actually happens on the ground in your business.
- Data never lies—use it to improve efficiency, reduce costs, and support decision making.
- Use technology to create automated compliance reporting dashboards and mitigate risks in real time.