Everyone loves to talk about the value of compliance automation. First, however, we should talk about how complicated compliance automation projects can be — and how reliable data is the foundation for anything that automation does later.
Without good data, your automation project risks pulling the business to someplace it doesn’t want to be. Incomplete or inaccurate data will lead your compliance technology to reach the wrong conclusions. Potential red flags won’t get raised; high-risk third parties won’t get noticed.
Then comes the worst question of all, from your board or C-suite: “Why did we spend so much money on a compliance program that doesn’t work?”
So getting the data right — generating it, validating it, grooming it for analysis — is critical. That poses three issues for compliance officers trying to implement compliance automation technology.
Understanding Workflows
First, understand the workflows that employees and third parties will need to use. Do the business processes you currently use generate the data your compliance program will need? If not, that data needs to be created somehow.
Well, either a person can calculate and record that data manually (usually in a spreadsheet), which is a terrible idea; or you can modify your business process so it does generate data your compliance program can scoop up and analyze. Which means you need to look at workflows.
Conversations about workflows can be difficult. Employees can be possessive of “their way” of doing things. Worse, if you don’t solicit their input and support for new workflows, they might find workarounds to the new process, leaving you back at Square 1.
Still, conversations to develop thoughtful, useful workflows are crucial. Begin there, so you can start generating data to feed into your compliance program later.
Balancing Structured vs Unstructured Data
Second, weigh the balance of structured versus unstructured data, and how that unstructured data would then be harmonized.
At large organizations, it’s probably impossible to impose perfect workflows across all operating units: too much disruption, for too little benefit. Plus, it’s inevitable that some useful data will come into being that you didn’t expect, and you want to collect anyway.
So the next step is figuring out how the compliance department consolidates all those streams of data into something that can help you and other senior executives make better decisions about risk.
The question here is how much the compliance function wants to impose workflows that create structured data, which you can easily incorporate into an automated compliance program; versus your tolerance for unstructured data, which you’ll then need to harmonize before bringing the data into your program.
Today, that balancing act can be a judgment call. As machine learning and artificial intelligence improve, technology’s ability to handle unstructured data will improve (rapidly). For now, however, most compliance officers will still need to decide where that balance point is for their own organization.
Ensuring Data Accuracy
Third, think about the completeness and accuracy of data. As automation systems consume more data and process the data more quickly, completeness and accuracy of that information will become much more important. So compliance officers will need to contemplate the policies, procedures, and controls that will ensure you do get complete and accurate data.
That’s not easy. Essentially, you are trying to prove a negative (“Show us that you aren’t missing any other important data”), so your controls and documentation will need to demonstrate that you’ve given this challenge appropriate thought. Even training plays a role here, to drill employees that they shouldn’t, for example, create and store data on desktop spreadsheets.
Audit departments can help since designing and testing controls is what they do, and completeness and accuracy have been issues in financial reporting for years.
The good news: it gets better. Analytics, AI, and machine learning are improving all the time, so compliance officers will soon be able to design sophisticated automation programs that provide rich new insights into risk.
Still, like anything one builds — if the bricks are crumbly, the structure won’t stand no matter how sturdy it looks in the blueprint. Start with the data. Build up from there.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week. from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.