Operationalizing Data in a Compliance Program

by Thomas Fox

The use of data in compliance programs continues to be held up as either a siren’s song or a goal which simply cannot be achieved. Most of the time when compliance practitioners consider how to use big data in a compliance program, it is to obtain more visibility into siloed corporate data to allow more robust compliance oversight and monitoring. However, the basic requirement of the Department of Justice’s (DOJ’s) Evaluation of Corporate Compliance Programs, that a compliance program should be operationalized, gives a compliance professional the opportunity to consider another way to view big data and, more importantly, obtain resources to break down those silos.

One manner to operationalize compliance is to use big data to improve the internal corporate processes. Compliance is a business process and doing compliance or, in the DOJ’s phrasing, operationalizing compliance means you are moving compliance into your existing or to-be-created business processes. As I noted in a prior post, perhaps it is time to ‘reframe the issue’. So why not think about the compliance function’s use of big data as a business process improvement opportunity?

In a recent MIT Sloan Management Review article, entitled “How to Monetize Your Data,” Barbara H. Wixom and Jeanne W. Ross considered approaches businesses can take to monetize their internal data. They stated, “Using data to improve operational processes and boost decision-making quality may not be the most glamorous path to monetizing data, but it is the most immediate.” I would also add that it is another way of articulating how to operationalize your data.

The authors note, “Executives often underestimate the financial returns that can be generated by using data to create operational efficiencies. Companies see positive results when they put data and analytics in the hands of employees who are positioned to make decisions, such as those who interact with customers, oversee product development, or run production processes. With data-based insights and clear decision rules, people can deliver more meaningful services, better assess and address customer demands, and optimize production.”

The first step for the Chief Compliance Officer (CCO) is to locate data sources which are needed to or even could operationalize your compliance program. From this point, you should locate data sources which could provide a more robust compliance solution for the company. From there consider how the data could be used in a more robust 360-degree view. Now consider this basic model in the context of gifts, travel and entertainment (GTE) data. Obviously from the compliance perspective, such information is critical to determine corporate compliance with the Foreign Corrupt Practices Act (FCPA) in connection with spending on foreign government officials or employees of state-owned enterprises. A CCO might inquire into who is being entertained and the amount of the spend by company employee or by the recipient. Additionally, if there was a pattern of high spending by one employee or high spending on one foreign official, this might raise a red flag which needs follow up investigation.

Yet the same GTE data could be analyzed for the overall spend to see if there were any suspicious patterns which might indicate expense card abuse. Such indicia might be duplicate payments, spends at just below the threshold for pre-approval or out-of-policy expense reports and out-of-compliance expenses. You could check to determine if an expense is recorded once on a T&E report and then a second time on another expense report or a P-card charge or other type of expense, i.e. double-dipping. From there you can move to determine if it might be an intentional, as opposed to an unintentional, mistake. This could present a significant cost savings or even cost recovery to the company so the data analytics tool could essentially pay for itself. Accounts payable (AP) is always seeking ways for greater efficiency and running such a data analysis is a clear example.

Now consider analysis of your GTE spend in the sales cycle as that same data might also provide insight into your sales cycle forecasting. If your company has a product or service which is complex and requires your customer’s involvement, with activities such as deploying enterprise software, the data could create a better view of “relationships with corporate customers, including what those customers bought, what issues they encountered, and how the company engaged with them.” By looking at your GTE spend on customers over a long period of time, you can help determine if these efforts have resulted in a sale (is the spend worth it?), where the critical junctures in the sales cycle are and, finally, how likely a sale closing would be based upon historical data.

The authors suggest such a system of data analysis can help “sales executives more accurately manage their pipelines” when coupled with “predictive analytics and machine learning to compute the likelihood of a successful sales engagement based on data that the salesperson provided about an opportunity.” Your own data can provide you with “Information about an opportunity’s likelihood of success, along with suggestions on how to advance engagements along the sales pipeline.” This in turn can aid salespeople to prioritize leads and act in ways most likely to achieve their goals. For instance, at “Microsoft salespeople learned how to forecast more accurately (for example, the accuracy of forecasts regarding global accounts has risen from 55% to 70%), which has led to better sales-pipeline data and, in turn, improved pipeline management.”

This example allows you to consider three different uses for your own company data which can improve process in three separate ways. Yet it is all the same data. This means that a CCO can work with other functional disciplines to fund such a project but, equally importantly, you will have more stakeholders that can create a sense of urgency and accountability for the project to acquire the data. It would also provide to the compliance practitioner other process champions within the organization who could provide strong leadership for the lifecycle of the project.

Adding a data analytics feature to your own data can help you to monetize the data in a variety of ways. For the compliance practitioner, it also allows you to operationalize your compliance program by pushing out the data analytics that you would be using into the functional business units. The authors end their piece with the following, “Impressive results from data monetization do not transpire from single “aha” moments. Instead, they stem from a clear data-monetization strategy, combined with investment and commitment.”

Compliance is a process. The DOJ has done the profession a very large favor by requiring us to focus on the operationalization of compliance. Thinking about ways to use and analyze the same data in other corporate functions, such as AP and Sales, is one way to operationalize compliance.


© Thomas Fox, Compliance Evangelist | Attorney Advertising
