aug / sept 2017 today’s gener al counsel
Compliance
Harnessing Technology for Legal Compliance By Suzanne Rich Folsom and Kristyn J. Hyland
T
40
he global emergence of Big Data is undeniable, and the value that it brings is enormous. Today more information is being collected and made available, and advanced algorithms enable companies to see the full contours of this library of information, allowing them to better interpret it in order to pinpoint trends – and, importantly, to recognize deviations from the norm. Simply put, data analytics is a powerful tool that corporate legal departments can harness to help achieve their regulatory and compliance objectives. This capability arrives at precisely the right time. Put to work effectively, it will make a material difference for corporate legal departments struggling to fight corruption against the current backdrop of evolving compliance standards, a borderless global economy and supply chain, an ever-growing base of partners and
company’s senior management team and board of directors, a potentially significant diminution of brand equity, financial repercussions, and some obvious openings for the competition. It’s no surprise, therefore, that in the Association of Corporate Counsel’s 2017 Chief Legal Officers (CLOs) survey, 74 percent of the respondents said that ethics and compliance issues are at the top of their worry list and “what keeps them awake at night.” Their concerns are well placed. Over the past 10 to 15 years, U.S. regulators have simultaneously escalated their enforcement efforts and added the power of negative publicity (the “name and shame” strategy) to their arsenal. As the ACC survey notes:
The continued emphasis on compliance is not surprising given that law departments report having to handle an average of just under three (internal and external) While no form of automation can compliance-related investigations in the replace the collective knowledge past year. In the most extreme cases, departof the embedded compliance ments are handling as many as 10 or more team, the power of data and investigations. And with 28 percent of analytics can provide previously respondents saying they were targeted by unavailable depth of insight. a regulatory agency in the past two years, there is a distinct suppliers, and a workforce that’s spread possibility that one in four CLOs around the world. are addressing regulatory issues It’s now well understood that the costs in addition to other complianceof corporate noncompliance are extenrelated investigations. sive and complex. There are the obvious tangible costs – the fines, sanctions, and These startling statistics underscore lawsuits that can take years to resolve. the value that a robust compliance and More pernicious are the long-term damethics program can offer to companies, ages. They include the distraction of the and they make the case that regulatory
compliance is no longer an expense to be minimized. Rather it’s an investment, to be maximized. The development, implementation and maintenance of a best-in-class compliance program is daunting, but doable. While no form of automation can replace the collective knowledge of the embedded compliance team, the power of data and analytics can provide previously unavailable depth of insight. Together this “smart pair” of team knowledge and data technology can help to assess compliance risk, provide third-party due diligence analysis, assist with employee training, and drive ongoing compliance program monitoring and management. COMPLIANCE RISK ASSESSMENTS
To establish a strong ethics and compliance program, essential steps include conducting a thorough risk assessment to identify vulnerabilities, and then mapping those vulnerabilities to inform the imposition of strong internal controls. Potentially negative events that would impede the achievement of regulatory, compliance and ethics objectives are identified by type. At that point a risk-rating formula can be constructed. The equation focuses on two key factors: occurrence likelihood (probability), and the significance of its impact (consequence), such that: Risk = Likelihood x Consequence. To begin this rating process, a quantitative value must be assigned to the likelihood that an event will occur, as well as to its impact if it should occur. There are many methods for making this measurement. One effective approach is the 5 x 5 Risk Matrix. An assessment score of one to five can be provided, using the following criteria as a guide: