Corporations today are facing far greater regulatory scrutiny than ever before. Companies are grappling with stricter enforcement around corruption, cybersecurity, fraud, money laundering and data protection, to name but a few. Those operating in sectors such as banking, financial services, insurance, energy, pharmaceuticals and information technology are finding themselves increasingly under the spotlight, where penalties for non-compliance can be substantial.
Under the European Union’s new General Data Protection Regulation, for example – which is due to come into force in May 2018 – fines of up to 4% of annual turnover can be imposed in some cases of non-compliance.
A particular pain point for companies who find themselves under the gaze of a regulatory review is management of data. When the regulators or investigators come knocking, the timeframes in which they expect information can be challenging at best and unrealistic at worst. But that sentiment often holds true for those simply trying to keep on top of compliance for their own organisation.
Enterprise risk management (ERM) remains the traditional framework through which organisations manage both risk and opportunity, with the compliance arm operating through internal controls for specific objectives. These controls can screen ‘structured’ data – data that is typically organised into databases such as transactional systems. A critical vulnerability in ERM stems from unstructured data, encompassing huge volumes of communications such as email, audio and chat records.
But, says Nyembo Mwarabu, EMEA vice-president at Conduent Legal and Compliance Solutions, this is the very data that regulators are often most interested in. ‘For whatever reason, and this is true across all industries, people very often tend to say on the phone or on a chat something that they would never put in writing or in an email, so the regulators are very interested in these new siloes of communication,’ he explains.
Traditional methods for mining such data often rely on tools like keyword searches, which could generate hundreds of millions of records, many of which will be false positives – or irrelevant results – and which require a huge manual effort to organise. Moreover, these techniques often fail to identify nuances in communication or jargon that employees may use to hide rogue behaviour.
Conduent’s top tips for updating and safeguarding enterprise risk management
- Embrace analytics to meet regulatory burdens and protect against rogue employee behaviours in unmonitored sources of data.
- Use tools that help get inside unstructured data (such as sentiment analysis, natural language processing, anomaly detection, machine learning and statistical models), and use big data analytics to consolidate all these results, to better assess existing trends and risk levels, and identify gaps in compliance.
- Think beyond compliance, and use insights generated to form strategic partnerships within the business to enable better evaluation of risks and planning of the appropriate actions.
With in-house lawyers increasingly present in the compliance space, unstructured data is a significant risk for general counsel. Many are mindful of the need for cross-functional business partnerships to combat enterprise risk – even in organisations that structure legal and compliance separately – and of shrinking legal budgets that can be hard hit when legal liability strikes.
Robust compliance software is one solution, with the ability to uncover potential infractions and allow remediation before they become legal or regulatory issues. Such software can mine and monitor data on a look-back basis and provide actionable insights to enable proactive compliance, as well as allowing for ongoing monitoring. But rather than reaching for off-the-shelf packages – which require internal expertise such as IT infrastructure, data, and subject matter and business process specialists to effectively operate – or building your own system – which can entail long-term, complex enterprise effort and resourcing – Mwarabu suggests taking a look at the business process services market.
‘Compliance software today is really designed to transform traditional compliance systems with intelligent technology, automation and big data analytics that can easily couple with human expertise to give companies a better way of actually managing those risks,’ says Mwarabu.
‘For example, think about a pharmaceuticals company that is putting a new diet drug on the market. They want to make sure their sales force does not sell this new drug off-label. What today’s analytical tools can do is monitor and analyse all these conversations and spot trends and certain patterns that could indicate potential misbehaviours, or terms that point to an off-label conversation.’
In terms of cost, such mechanisms can be highly scalable when applied to global organisations, operating with a huge and often remote workforce, located across multiple jurisdictions.
‘Every time a company faces a new investigation or is involved in a new litigation, they go about it from inception, which is: we understand the custodians involved in this matter, we collect the data associated with these custodians, we go through the whole process of reviewing and analysing that data, and then when the case is closed, this data is cast aside. When the next case comes along, maybe some of the custodians are the same, the case is of a similar nature, but it is almost never the case that everything that has happened on previous cases is re-used,’ says Mwarabu. ‘Each new matter costs the company a lot of unnecessary time and expense.’
What companies like Conduent do, he explains, is leverage the knowhow, insight, and coding decisions from previous cases, to avoid reinventing the wheel. ‘We worked with one of our clients who wanted to understand how to leverage previous decisions on documents to save future costs and proactively identify risky data. We found, to cite one example, that one document had been reviewed 63,000 times on previous cases. If you consider that a lawyer might cost you three or four hundred pounds an hour averaging 50 documents an hour, reviewing the same document 63,000 times is a significant amount of unnecessary spend on legal fees,’ he says.
In a compliance context, says Mwarabu, companies can use this same analytics approach – applying learnings from past matters and detecting patterns in data – to predict which data may pose future risk. ‘There is nothing worse for an organisation than to be caught unprepared by a surprise regulatory investigation or litigation. Using analytics can make sure the company has at its fingertips the subset of data that has either legal or compliance value, so it can quickly determine what happened, respond to regulators in a timely manner, and take the appropriate actions.’
Aside from minimising enterprise risk, he adds, an intelligent compliance approach can have less obvious benefits for GCs looking to add value to their business. Data analysed for legal or compliance purposes can contain critical insight that assists other business functions to do their jobs better – such as detection and securing of personally identifiable information in light of data privacy or cybersecurity regulations, for example. ‘And, being able to work cross-departmentally, to leverage insight consolidated from other departments,’ says Mwarabu, ‘could be a big plus for corporate legal and compliance departments.’