For any business, the ultimate goal of collecting data must be to inform some decision-making process. Anything less would beg the question, “why bother?” But racing headlong towards the goal of “data-informed decisions,” without considering the preceding steps, can lead to a misinformed decision-making process in which there is a great deal of confidence simply because it is “based on data.”
Compliance data is unique in the breadth and depth of its impact relative to other data residing in your organization. Regulatory action and enforcement over non-compliance, negative social media exposure and insider threats are all unfavorable outcomes that can originate from any number of avenues – many of which are compliance-related at their core.
The best defense against unfavorable outcomes is comprehensive knowledge of your risk and compliance environment. But how does one go from data collection to comprehensive knowledge? This article explores how to build a foundation of compliance-related data in order to inform more effective decision making and business resiliency.
Capture data from multiple sources
The solution lies in active observation through multiple means. There are questions that need to be answered to gain comprehensive knowledge, some of which include:
- Where do people in your organization have conflicts of interest, perhaps with third-party vendors or competitors, and what potential risks do these pose to the business?
- Are there known risk factors associated with existing or potential third-party vendors?
- Are there existing policies being attested and adhered to at each level of site and level of the organization?
- Are policies and procedures accurately managed to ensure information is up to date and relevant?
- Are employees completing training on relevant compliance topics? How are employees voicing concerns?
- How are concerns investigated and followed up on?
Having systems in place to not only reliably capture data capable of answering these questions, but also provide a means of mitigation, are the foundations upon which comprehensive compliance knowledge is built.
First data, then action
Foundation and collecting data alone are not sufficient. There must be a common framework to tie together data from different systems. Locations, conceptual terminology, common elements which relate one data point to another. Put another way, context matters, and effectively using data means telling a story.
Consider the prior questions about which policies are being properly socialized and what sites have an outsized number of concerns being voiced. Now, imagine trying to relate the answers of these two questions absent a linkage. A wealth of siloed information can only provide siloed answers.
Data from each system should have at least one element in common with data from another, so that events can be linked and categorized. Categorization allows for meaningful aggregation of data points. In general, categories should be distinct enough to separate concepts but not so numerous as to make reporting uninformative. For example, being able to consider a policy, training, and set of whistleblower reports as related through a category allows for a whole host of action related to that category.
Imagine the category is discrimination; an outsized number of reports are coming in, policies are not being attested to and training scores are low. Having a way to tie together these data points means corrective actions can be targeted. The question of “what is wrong?” can be answered, rather than merely asked.
Data science doesn’t have to be just for data scientists
Now, you may be thinking, “I’m a risk and compliance leader, not a data scientist!” Well, fair enough – but luckily there are sound core principles that can be easily leveraged by anyone – data scientist credentials or not. With a connective framework between data points, the scope of what is achievable with compliance data is widened immensely.
For example, spikes in certain keywords or phrases in hotline reports and inquiries can be identified and tied to a specific locations and then used to paint a picture for concerns that need addressing. Training results for employees at that location on topics most related to those keywords can be analyzed. A subsequent awareness campaign about workplace civility may be warranted.
Alternatively, consider the following situation: a new third-party vendor has been contracted in spite of the fact that it has a history of poor business conduct. Soon after, reports about product quality related to the parts provided by the third-party vendor start to surface. By cross-referencing conflict of interest disclosures, it becomes known that the employee in charge of procurement is related to the owner of the third-party vendor. Management now has a full picture of potential malfeasance.
Completing any of this analysis on its own is feasible, but a concerted effort aimed at uncovering root cause and remediation requires connected data.
Comprehensive data means comprehensive knowledge
Preventing embezzlement and fraud, avoiding financial penalties and regulatory enforcement by staying in compliance, preventing lapses in vital training are all tangible benefits of a well-functioning compliance program. While some benefits of such a unified approach may not always be easily quantified, less tangible does not equate to less impactful.
An employee who can trust their employer to do their level best to build a culture of compliance, rather than one that simply seeks to preserve a status quo, has far more reason to stay, grow, and speak up if they encounter a situation which presents a threat to the organization. Conversely, an organization may find itself accused of not doing enough, either by a regulatory body or in the court of public opinion. Data proving an organization’s proactivity can help refute these accusations. Preventing or mitigating reputational risk is part of a risk and compliance program, but reputations do not grow or wither in a vacuum.
The art of storytelling
We covered how and why to collect the wealth of data, now let’s talk about how to leverage it to make better decisions and improve company culture. First, without setting the context, data is effectively useless. When communicating findings, bear in mind the importance of the art of storytelling and don’t forget to use tools at your disposal to paint a picture. Regurgitating data points is not an effective way to describe the nuance of a corporate culture, and a presentation full of bar charts is likely to make eyes glaze over.
One such way to effectively communicate data is by relating it to trends in your industry and in your own data, and how your company performs against that benchmark. This sets the context and helps evaluate your performance and identifies areas of opportunity. Use the data to illuminate your audience, consider using business intelligence tools to create graphics that tell the story in an engaging way.
Other methods to use in helping tell that story include artificial intelligence capabilities such as Natural Language Processing techniques that can identify reports that look similar – or vastly different – to the norm. Think of the examples listed earlier and how just a few data points can provide valuable insight into the cultural health of your company. Data correlation will help analyze areas of risk and opportunity that may be hidden if data is only evaluated on the surface.
2024 prediction
Just as reputations do not exist in a vacuum, nor does the regulatory environment. Regulations such as the FCPA, German Supply Chain Due Diligence Act, EU CSDDD, Sarbanes-Oxley, GDPR, Sapin II, and others, will continue to drive the need for a robust compliance program. The scope and number of regulations has been growing for decades and is showing no signs of slowing. If we look at the recent DOJ guidance on compliance programs, much of it boils down to “you are expected to do everything that makes sense given your industry.” That burden of proof will require data.
With the growing rate of organizations and executives being held accountable by both the public and by regulators across the globe, the need for data to effect change will continue to grow. With the rise in AI being used across businesses large and small, we expect to see a wealth of information being more effectively acted on – or at least, expected to be used to enact change.
Top 10 Trends in Risk & Compliance
For many more insights and guidance, download the full eBook and access to the accompanying webinar featuring analysis and expert insights from Carrie Penman and Kristy Grant-Hart.