This week on the Compliance Podcast Network, I am running a multi-part podcast series, Smart Automation for Risk Management, sponsored by Lextegrity Inc. As a part of this series, I had the opportunity to visit with Kara Bonitatibus, Head of Product. We took a deep dive into a variety of uses for data analytics in a compliance regime.
We began with a discussion of the pre-approval process and third-party due diligence monitoring tools. Bonitatibus initially noted that oftentimes the business folks see the compliance function as the department of holding things up. She believes you should start with such questions as “how do you build a system that is easy to use, intuitive, gets users in and out of the system and gets them the answers they need as quickly as possible?” By starting with such questions, you can begin to think through bringing all of your business pre-approvals together in one platform. This means business users only go to one place to interact with the compliance function, and any employee only needs to learn one compliance system. This can replace the myriad of separate company purchases: a third-party solution, a gifts, travel and entertainment (GTE) solution, a disclosure system and perhaps even a separate conflict-of-interests solution. Even a GRC vendor that offers different modules covering all of those processes does not necessarily have those modules talk to one another.
We then turned to the question of how companies in many cases are not using pre-approval workflows efficiently. You should embed analytics and thresholds directly into the pre-approval process, which provides approvers with data to inform their decisions. This means not simply looking at the information provided by the submitter or requester. It expands out to things like aggregate spend and aggregate frequency. For example, how many gifts has this government official already received? How much has this particular healthcare professional received in the context of a meal or a consulting fee?
The important component of any such analysis is to not look at this data “in a vacuum, but rather in context of other similarly situated requests.” Bonitatibus further explained, “from a recipient perspective, compare one physician to others who are also receiving meals or consulting fees. Is this an outlier in comparison to those types of data points? Then the same analysis from a submitter perspective.” Here you might look at whether a particular submitter has input requests that are outside the norm for people in similar positions. As Bonitatibus mused, “in my former life, as an in-house compliance professional, this would have been a game changer from my perspective and have given myself and my colleagues a lot more comfort in decision-making.”
We then turned to third-party due diligence. Bonitatibus admitted this was her biggest frustration as an in-house compliance professional, as she was responsible for her company’s third-party due diligence program. There was no “holistic third-party risk management tool around third parties.” She channeled that frustration to help create a solution to better manage this most significant of compliance risks. The information needed for robust, holistic management of third parties includes where your third-party population resides, both by market and region. It also spans third parties from vendors to sales agents, so you need to be able to look at “a universe of third parties.”
She further described the ability to “pull from a vendor master or customer master lists” so that company business administrators can master the system data and ensure it is as clean as possible. This can be expanded to track activity at the engagement level; existing platforms tend to focus strictly on the initial engagement, or on a higher level of engagement such as a Master Services Agreement with a third party. If scope creep starts, with more business users or functions engaging that same third party for some other type of business purpose, you can be aware of it.
Data integration is one of the biggest challenges facing every Chief Compliance Officer (CCO), compliance professional and indeed the corporate compliance function. Bonitatibus said the starting point is to create software solutions that are intuitive, data-driven and integrated. You should build integrations into the pre-approval application; core integrations include HR systems, which are used to support approval logic, including routing requests to an immediate manager through workflow. Next there is a prebuilt integration with a database check of sanctions, state-owned entity and adverse media information. Screening can also be embedded and automated directly into any of the workflows. This can provide throughput across the third-party due diligence application process and the compliance approver procedure.
This allows you to move to a true enterprise-wide risk management system and create a truly end-to-end solution. Through such a pre-approval system, a compliance practitioner can approve payments or third parties. Bonitatibus provided the “example for a payment request; let’s say a sponsorship, our monitoring solution can then validate whether the payment amount matches what was in the preapproval request and the approved amount.” It can also validate that the payee has not changed in the third-party space.
Another approach allows you to review third parties which have been determined to be high risk in the due diligence phase and place additional weight on their transactions in monitoring solutions. Under such an approach a compliance function can also validate if a “low-risk supplier, for example, has payment patterns or activity that suggest either it’s not truly a low-risk supplier, or it was misclassified, or something abnormal is happening.” This makes the entire process truly end-to-end and breaks down silos.
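As an added example (not code from Lextegrity or the podcast), here is a Python sketch of the monitoring checks described in the last two paragraphs and the peer comparison from earlier: validating a payment against its pre-approval (approved amount and unchanged payee), placing extra weight on payees rated high risk in due diligence, and comparing each recipient's aggregate spend only with similarly situated peers. All names, amounts and risk tiers below are constructed.

```python
from statistics import median

# Constructed sample data, not from the page: approved requests, payee risk tiers, payments,
# and aggregate amounts received per recipient over the review period.
PREAPPROVALS = {"PA-1": ("Clinic A", 5000.0), "PA-2": ("Agent B", 1200.0), "PA-3": ("Vendor C", 800.0)}
RISK_TIER = {"Clinic A": "low", "Agent B": "high", "Vendor C": "low"}
TIER_WEIGHT = {"low": 1.0, "medium": 1.5, "high": 2.0}   # extra weight on high-risk third parties
PAYMENTS = [
    {"id": "P-1", "preapproval": "PA-1", "payee": "Clinic A", "amount": 5000.0},  # matches approval
    {"id": "P-2", "preapproval": "PA-2", "payee": "Agent B", "amount": 1500.0},   # exceeds approval
    {"id": "P-3", "preapproval": "PA-3", "payee": "Vendor D", "amount": 800.0},   # payee changed
    {"id": "P-4", "preapproval": None, "payee": "Vendor C", "amount": 300.0},     # never pre-approved
]
RECIPIENT_TOTALS = [("Dr A", "physician", 500), ("Dr B", "physician", 550), ("Dr C", "physician", 480),
                    ("Dr D", "physician", 520), ("Dr E", "physician", 3000),
                    ("Agent B", "sales agent", 1500), ("Agent F", "sales agent", 1400)]

def check_payment(payment, preapprovals=PREAPPROVALS):
    # Validate the payment against its pre-approval: amount within the approved figure, same payee.
    findings = []
    approval = preapprovals.get(payment["preapproval"]) if payment["preapproval"] else None
    if approval is None:
        findings.append("no matching pre-approval")
    else:
        payee, approved_amount = approval
        if payment["amount"] > approved_amount:
            findings.append(f"amount {payment['amount']:.2f} exceeds approved {approved_amount:.2f}")
        if payment["payee"] != payee:
            findings.append(f"payee changed from {payee} to {payment['payee']}")
    # Unknown payees default to medium; high-risk third parties get double weight.
    weight = TIER_WEIGHT[RISK_TIER.get(payment["payee"], "medium")]
    return {"id": payment["id"], "findings": findings, "score": weight * len(findings)}

def review_payments(payments=PAYMENTS):
    # Highest-scoring exceptions first, so the approver sees weighted high-risk items at the top.
    return sorted((check_payment(p) for p in payments), key=lambda r: -r["score"])

def peer_outliers(records=RECIPIENT_TOTALS, threshold=3.5):
    # Compare each recipient only with similarly situated peers (same role) using a
    # median/MAD robust z-score, which a single large outlier cannot inflate.
    flagged = []
    for role in sorted({r for _, r, _ in records}):
        peers = [(n, t) for n, r, t in records if r == role]
        med = median(t for _, t in peers)
        mad = median(abs(t - med) for _, t in peers)
        for name, total in peers:
            robust_z = 0.6745 * abs(total - med) / mad if mad else (float("inf") if total != med else 0.0)
            if robust_z > threshold:
                flagged.append(name)
    return flagged
```

Calling `review_payments()` returns the three exceptions ahead of the clean payment, with the high-risk agent's over-approval ranked first; `peer_outliers()` flags only Dr E, whose total dwarfs the other physicians while the two sales agents look alike.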
For more information, check out the podcast series running this week on the Compliance Podcast Network.