Post By: Amy Matsuo, Principal and National Leader, Regulatory Insights and Compliance Transformation, KPMG LLP
Chief Compliance Officers (CCOs) must invest in enhancing data analytics and automation in order to better prevent, detect, and respond to both current and evolving risks. While most organizations have funded automation and technology projects within their business profit centers (enhancing their ability to monitor the effectiveness of internal processes and procedures, predict future outcomes, and enable better connectivity with third parties and customers), they generally have been slower to provide similar resources to support second-line risk and compliance functions.
Shifting toward a proactive, predictive examination of compliance risk, enabled by advanced techniques in data analysis, will increase the likelihood that compliance issues are detected before they occur, potentially saving significant costs and reputational harm that can result from incidents of non-compliance. The use of proactive monitoring approaches using automation and analytics, however, is not widespread. Less than a third of the respondents to the KPMG 2021 CCO Survey identified metrics based on investigative findings, culture assessment results, and/or root cause trends among the top three metrics they used to assess the effectiveness of the compliance program. Instead, the respondents indicated they primarily relied upon more reactive, or “hindsight”, metrics, naming internal/external audit and regulatory actions/inquiries as the top two metrics used (72 percent and 45 percent of respondents, respectively).
Interestingly, two other findings from the survey suggest that movement toward enhanced data abilities, including automation, machine learning, artificial intelligence, and predictive metrics, is beginning and will be championed by CCOs:
- Predictive analytics was identified by the respondents as their top area of focus when asked to rank the ethics and compliance areas that present the greatest opportunity for automation and the greatest priority to automate.
- Nearly half of the respondents (49 percent) expected their overall ethics and compliance department budgets to increase over the next three years, while the vast majority of respondents (more than 75 percent) expected their technology budgets specifically to increase. Of those who expected their overall budgets to increase (i.e., the “49 percent”), more than three-quarters identified the use of automation and technology as a top priority.
Technology can be used to generate reporting dashboards that synthesize established compliance metrics and can demonstrate a more holistic and consistent, enterprise-wide view of compliance risks. In aggregating organizational data, dashboards can help CCOs avoid siloed views, which can undervalue risk indicators in isolation, and obtain a more comprehensive, targeted view of their compliance risks. This allows CCOs to strategically focus on improving compliance activities where they most need it and to remain vigilant in addressing their trending compliance risks. It also allows human and monetary resources to be allocated using a risk-based approach.
CCOs should be evaluating, integrating, and automating metrics to identify and highlight key insights into their compliance efforts. These data analytics can also serve as a critical input to decision makers and can greatly enhance the messaging and readability of internal and external reporting. CCOs should:
- Identify what questions need to be addressed, who the stakeholders are that are asking the questions, and whether these questions may be reflected in quantifiable data
- Evaluate existing metrics to determine whether they properly address the overall goals
- Identify additional sources of data, where necessary, to enhance or refine existing metrics or provide new insights into compliance program objectives
- Develop supplemental metrics that can tell a broader, more insightful story.
The U.S. Department of Justice (DOJ) Criminal Division suggests that well-designed compliance programs “may be unsuccessful in practice if implementation is lax, under-resourced, or otherwise ineffective.” In this context, the DOJ guidelines suggest criteria for an effective compliance program include:
- Commitment to compliance by senior and middle management, with no tolerance for greater compliance risks when pursuing new business or larger revenues
- Access to board and autonomy from senior management
- Stature within the organization that is comparable to other strategic functions
- Sufficient staffing and funding resources
- Unimpeded, full access (direct or indirect) to data sources that allow for timely and effective monitoring and testing of policies, controls, and transactions and thorough investigations, including measures to identify future risk
- Continuous access to operational data and information across functions, employed to periodically update and revise risk assessments based on changing compliance risk.
A recently proposed CCO liability framework suggests the absence of such criteria (e.g., stature and authority of CCO position, access to senior management, access to resources/funding, input into strategy and operating decisions) may constrain a CCO’s performance. It argues that the CCO might avoid personal liability if regulators conclude the CCO carried out even a flawed program to the best of their abilities and attempted to correct these flaws—even if they were not successful in convincing their firms to dedicate needed resources to compliance. (See KPMG Regulatory Alerts here and here.)
Failure to invest in new technology or to facilitate access to operational data and information across functions (and/or from disparate sources) may be considered performance constraints and may result in regulatory actions against a firm and its leadership in the event of compliance failures.
Over the next few years, we expect to see CCOs increase their access and ability to leverage appropriate structured and unstructured data across the organization, linking operational and behavioral metrics to compliance root cause analytics and actions.
CCOs should prioritize implementation of the predictive metrics that are most impactful for their organization and will provide the most value in identifying and classifying its highest risk areas.
*Source: U.S. Department of Justice, Criminal Division, Evaluation of Corporate Compliance Program, Updated June 2020, available at justice.gov
About the Author: Amy Matsuo is the National Leader of KPMG’s US Regulatory Insights Practice with over 20 years’ experience providing advisory services to large domestic and global organizations. The Regulatory Insights team drives value to KPMG clients and professionals on key regulatory and public policy developments and disruptors across all major industries.