The recent popular interest in data is warranted, because advancements in computing power and the significant expansion of information available to businesses today offer the opportunity to scrutinize corporate behaviors and actions in far greater detail than ever before.
Leading practices are currently characterized by a shift away from checklist-oriented compliance programs toward a deeper understanding of corporate risk and how it evolves over time. This can only be achieved where there is strong visibility over transactional and operational activities.
According to Emmanuel Vignal, Asia-Pacific Leader, Ernst & Young (China), Forensic & Integrity Services, “Some of the stronger examples that we see include analysis around interactions and transactions with Government officials, relationships with commercial partners, anomalies in behaviors amongst the workforce or commercial advantages provided to third-party intermediaries or other organizations where the business rationale is not immediately clear.”
However, only a minority of businesses are taking full advantage of these opportunities. In one article for Harvard Business Review, for instance, the authors highlight that tracking and measurement often lag policies and protocols, undermining the latter’s effectiveness.² They emphasize that, despite companies spending millions of dollars a year on compliance, and even more in highly regulated sectors, the “ubiquity of corporate misconduct” continues to surface in the media almost continuously. They argue that this growing expense, and the frustration it can create for many executives, is not only tragic but also avoidable, and that the answer lies in better measurement.
Significant investment is made in the development and execution of training programs, and high completion rates are used to evidence success, but very few organizations look at whether the training is tangibly influencing corporate behaviors, reducing policy breaches or strengthening integrity within the organization.
Measuring and analyzing available information can offer robust evidence as to whether a compliance program is protecting the organization and therefore whether it is providing a suitable return on investment.
Many of our clients wish to understand how they can build out a successful analytics program. Todd Marlin, EY Global Forensic Technology & Innovation Leader, advises: “In our experience, the strongest analytics programs are built on a thorough understanding of three critical elements: the business context, the risks that arise out of the business activities and how these appear in the data. The importance of spending time digesting business processes before developing and then testing hypotheses should not be underestimated.”
It is equally important to ensure that hypotheses have been rigorously validated against real data, especially if they are based on anecdotal evidence. Maryam Hussain recalls one company that sought to explore the relationship between length of staff tenure and fraud. Its hypothesis was that staff who had worked at the firm for longer were lower risk because they were embedded in, committed to and identified with the organization. Conversely, new hires were theorized to be higher risk, warranting more intense scrutiny.
After testing this hypothesis, the data showed the length of tenure increased risk in a subset of people who had not progressed in their positions, says Hussain. That information is invaluable in building risk profiles and creating a defensible approach towards this type of analysis.
In terms of the techniques that can be adopted to explore the data and test hypotheses, there is a significant variety, ranging from simple and rapidly deployable algorithms to highly complex and rigorously refined models.
The more basic techniques include straightforward business analysis that cuts the data in different ways, or ordering data into sequential timelines that highlight where, for example, a payment has been made to a third party before mandatory due diligence checks have been completed.
More advanced practices might involve graph analysis to understand the connections between different individuals or undertaking pattern analysis to profile behaviors, enabling outlier identification.
Key organizational questions
- Does the program work to our satisfaction? What are the key performance indicators (KPIs) and key risk indicators (KRIs) we should use to define and measure effectiveness?
- What Integrity Agenda outcomes should we measure? Should it be the number of violations, discipline actions, audit deficiencies, business ventures enabled or ethics attitudes?
- How do we measure return on investment and make wise resource allocations?
- KPIs — risk-specific controls (for example, third-party diligence and audit — implementation, timeliness, quality of decision support) and compliance office processes (policy deployment, training, code certification, incident response and management reporting)
- KRIs — predictive analytics from risk-specific controls (for example, third-party diligence and audit findings) and changes in business operations and enforcement trends
- Governance operations — number and quality of business unit compliance and ethics committee meetings and compliance-staffing levels