This week on the Compliance Podcast Network, I am running a multi-part podcast series, Smart Automation for Risk Management, sponsored by Lextegrity Inc. As a part of this series, I had the opportunity to visit with Andy Miller, Chief Analytics at Lextegrity. We took a deep dive into risk monitoring through data analytics.
We began with a discussion about what a continuous monitoring solution is. Miller said that it “provides compliance and audit teams with a comprehensive way to keep a pulse on transactional spend and revenue risk in their enterprise.” He added, “The key to the analytics is they are so configurable and contextual to your specific risks or your lines of business or the historical issues that your organization may have had so that the risk algorithm is actually tailored to your business and your exposure and not, um, some static configuration.” It should connect to a wide variety of ERP systems such as SAP, Oracle, Concur, Workday and others.
The Department of Justice’s (DOJ) 2020 Update to the Evaluation of Corporate Compliance Programs (2020 Update) mandated for the first time that compliance practitioners and the corporate compliance function have access to a company’s data lakes. Miller believes the 2020 Update has really been an eye opener for a lot of risk professionals and companies out there, showing that they need to do better. Compliance professionals should have access to their own data as risk professionals, and they need to have a plan and an actual program to monitor their company’s data. This works directly on the first two prongs of any compliance program: to prevent and detect actions that could be fraudulent or corrupt, such as bribery, or other actions that could put your company in danger. This is even more true in 2021 as the DOJ is ramping up its enforcement efforts. A continuous monitoring solution provides compliance and audit teams with a comprehensive way to keep a pulse on transactional spend and revenue risk.
The key is that your continuous monitoring solution should be flexible and configurable to your specific company. You should have analyses that are broken out in a variety of areas to look for specific types of risk in that general risk-based area. This allows you to identify transactions that could be associated with some wrongdoing like bribery, corruption or fraud. However, what many compliance professionals struggle with is separating the wheat from the chaff. In other words, they are bogged down in the details of a transaction, such as gifts, travel and entertainment (GTE) spend, lack of approvals on discounts or third-party issues, and do not have the ability to step back and look at a bigger picture.
We next turned to the differences between key performance indicators (KPIs) and metrics. Metrics are more generally seen as specific data points, whereas KPIs are really metrics that are closely tied to and tracked against specific goals. Miller explained, “We might have a metric that is number of trainings completed last month. The KPI might be that we have at least 90% of trainings completed at any point in time. With that we can take our measurement manipulated into more of a KPI based on what our goal might be.” He continued, “When we talk about analytics, these are focused on positioning data, to be more valuable to the end user analytics, making it easier to identify something specific or generating actionable ideas and insights from the data.”
Your approach should focus on prioritizing your efforts within this monitoring of spend and revenue data, seeing the full context of the transaction and its risk results altogether, so that you can focus on the risk of the transaction as a whole. It is also more risk focused and less control focused. One thing to have is a scoring algorithm that is calculated at an aggregated level across multiple analytics, to help you cut down on the false positives and the noise and to better prioritize your transactions in line with risk parameters that you set. The solution should connect with your approval workflows, enabling specific analytics, such as validating your approved amounts against your actual amounts and confirming that the people you said you were going to pay are the people you actually paid.
As third parties are still one of the highest compliance risks, a more robust approach to third-party risk management is required. Here Miller noted that “high-risk third parties, as well as any low-risk third parties which are showing up in high-risk expense categories, beyond transactional risk scoring and highlighting the higher risk transactions for further review.” All of this allows the compliance professional to go “in and actually explore your data with that augmented risk detail and drill into different dimensions of your data, maybe geographic, maybe a subject, or a specific subject type or that spend nature.” This goes all the way down to the actual transactional level of data.
Further, it allows a deep dive into each step in business cycles, such as QuoteToCash and ProcureToPay, so that each part of the transaction can be seen. How can you both see the dots and connect the dots in a more macro view of risk? What you need to do is “to bring in that transactional data in as robust of a fashion as possible.” For instance, when looking at vendor spend data, move beyond the single payment to review across multiple invoices. From there, you can dig into the invoice line-item detail, the purchase order information, as well as the purchase requisition details at every one of those steps of the business process.
While each view could provide a small amount of detail that could be relevant from a risk perspective, it may not identify the risk in that transaction as a whole. However, when you add “information coming from the financial side of the house,” this provides accounts which can impact an organization from an expense perspective, as there are a “lot of good clues there.” You can then supplement that data with other information, such as information from the Human Resources (HR) master file. This allows you to look at who approved the Purchase Order (PO), who requested the purchase requisition and who approved the ultimate payment or invoice, and at how your network looks in regard to the overall transaction. This allows a much more holistic approach to the overall data.
We concluded by considering what connecting all these dots might look like. Miller said that by “connecting the dots of risk you start to see other things happen, you catch an exception in this area and now you say, well, so-and-so was a major part of that. Let’s see what else they’ve touched in this area or looking at the cross impact between employee spend and vendor spend, and then beyond that in the compliance space.” You can also cross-reference hotline reports, due diligence metrics, audit reports, training completion data and indeed “all this other program information that compliance has a hand into that can feed into this transactional data.” It can truly provide you with the broadest look at your compliance risk.