In FTI Technology’s recent report on Digital Insights & Risk Management, 76% of business leaders who are involved in information governance decision-making said that they had experienced a significant or moderate increase in regulatory activity over the past 12 months. In the same report, more than one-third of chief legal, compliance and risk respondents said they expect new regulations, new enforcement priorities and employment issues to be the leading drivers of increased disputes and investigations in the coming year. These issues, alongside other global digital risk factors, are prompting risk and compliance officers to take a closer look at their approaches to compliance monitoring, enforcement and response. Often, though, there isn’t a straightforward way to evaluate the effectiveness of compliance programs.
In this Q&A, Lane Spears, a Managing Director within FTI Technology’s Risk & Compliance practice, discusses the concept of measuring the effectiveness of compliance programs through data maturity modeling, including the various elements compliance teams can assess to better understand their programs, as well as how to get started with such an assessment. Lane has a broad consulting background spanning domestic and international leadership and achievement in compliance and risk governance, financial investigations, electronic discovery matters, digital forensics and advanced data analytics, including automated fraud detection. He often works alongside chief compliance officers and general counsel to design and implement efficient technology solutions to support data-driven metrics, measurement, and monitoring.
Lane, can you provide some context about the current compliance landscape, and current enforcement trends?
With the recent Monaco Memo from the U.S. Department of Justice, there has been a signal that proactive compliance measures focused on data and analytics will be central to the agency’s future treatment of organizations that run afoul of the law.
Two of my colleagues explained this issue in a recent article, noting an important distinction in the latest guidance. They wrote, “Under the new guidance, it will no longer be enough for compliance programs to address traditional information sources and communications channels. The new guidance is clear that data preservation and monitoring must also address the use of personal devices and third-party messaging platforms, including policies and training on appropriate use of personal devices and collaboration apps for business.”
We are working actively with clients in regard to preservation and monitoring issues with these types of emerging data sources and other requirements for compliance officers to navigate the challenges associated with expanded regulatory issuances, inspections and enforcements.
Against that backdrop, what are you seeing with your clients in terms of the use of technology for metrics and monitoring development?
We still see organizations at widely varying levels of progress in their compliance journey. There are also many different approaches to the organization and purview of the global compliance function, rather than any standardized method.
For example, some corporate compliance groups function as detached monitors that will sweep in to focus as project managers when significant risk indicators bubble up (acting as a kind of compliance fire fighter), while others seek to maintain a more even hand across all areas of enterprise risk, with direct involvement in individual program areas. Still others, especially in more regulated industries such as financial services and life sciences, are more focused on considering how to monitor transactions and communication appropriately and proactively. The one common thread is the aim of achieving more robustness in the use of data for monitoring and tracking compliance issues and risk.
Additionally, for enterprises developing new products or with recent mergers and acquisitions activity, measuring risk and setting up key metrics for these new risk realms is imperative.
How are clients able to assess the effectiveness of their programs?
Just like compliance programs are unique from company to company, the design of an assessment will vary dependent upon a number of factors.
From a data coverage and metrics perspective, all programs will have areas of strength and weakness. Helping clients align their overall compliance program mandate and risk matrix to their data testing program improves effectiveness. Note also that there is a difference between demonstrating that processes and controls are working versus showing if the compliance program is “succeeding.” I think that is an important distinction.
What does FTI Technology’s Risk & Compliance practice bring to the table to help companies develop audit and compliance metrics?
Most of the organizations we encounter have well-thought-out justifications for and understanding of their risk positioning, their industry drivers, and their regulatory footprint. We build on this by advising on and reviewing an organization’s current state and using that as a foundation for assessing and growing their ability to use data effectively and harness advanced tools.
Our risk and compliance experts assess, recommend and consult on metrics that are critical to compliance maturity. These include occurrences, incidents, findings and trends over an extended duration of time. Metrics are tailored to client industry, regulatory environment, legal jurisdictions, and other unique factors.
We also help clients with data engineering, by integrating data from across their enterprise for compliance and audit use and establishing the critical layer of data quality checks. Once validated, quality data is in place, we can apply risk-scoring rubrics that yield practical and prioritized results, and conduct recurring analyses to assess the performance of the model.
Does this work include the use of compliance dashboards, or do you find that too many organizations are suffering from “dashboard overload?”
The key is to concentrate on metrics that matter, especially for organizations that are just starting out with measuring compliance and using advanced data analytics to support it. Depending on the program, metrics may be quantitative, qualitative, or predictive, and we aim to develop a reporting structure that is uncluttered and easy to digest.
Dashboard visualizations often lack consequential and actionable information. Analytics and visualizations should be developed to show a meaningful summary, allow for drill-down into key metrics and provide a synthesized vantage point.
So, we do provide our clients with dashboards in compliance data maturity modeling assessments, but only when the management dashboards are able to serve as an effective risk-sensing tool for clients, such as to provide chief compliance officers with an ability to identify root causes of certain issues. It’s also worth noting that the conversations and actions that take place once dashboards are in use are integral to enabling continuous improvement and testing for the program.
How does compliance software fit into the equation?
There are many marketplace tools that offer helpful compliance templates for questionnaires and assessments. Many also provide automated workflow around compliance, analytics and much more. At FTI Technology, we often assist in vendor selection and market mapping, helping clients in determining the right third-party software and tools to be part of the implementation solution for transactional testing, communication monitoring and/or risk management.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.