Expert View: The Future of Predictive Compliance [Brought To You By The Red Flag Group]

Too much of compliance is backwards-looking or, at best, current day looking. We are taught to write policies and then train people on them and then check to see if they complied. If they did not comply, then there is a gap identified and must be remediated. Too many failures and there might be consequences. Someone may lose his or her job, or the company may suffer losses

The backwards-looking element of compliance is at the heart of every program. It was at the heart of a program because compliance was built as a defensive initiative. It was put together by lawyers to prove that steps were taken so that when anything went wrong, a reduced sentence could be established. The U.S. even went further to develop Federal Sentencing Guidelines that somehow became the de facto standard for building a compliance program. The backwards-looking element of compliance is engrained in compliance programs globally. Thankfully, common sense has led to more standards and more forward-looking initiatives to make compliance more useful to business.

In the last ten years, compliance has moved slightly forward to be a little less backwards-looking and more towards the current day. The development and operation of compliance programs have become more useful to the business by providing more business value not just a defensive value in the old traditional compliance model. The current day compliance program looks to make compliance closer to the business and the compliance team more of a business advisor than an auditor. This development has been one of the biggest developments in the profession. Some in the industry have made this transition although many have not. The value of such a program is that the issues it tries to address are more relevant because they are more tied more closely to the business.

The compliance that we know now needs to change again. Like every part of the business world, we, in compliance, need to get forward-looking. We need to move the industry further into predicting and avoiding issues rather than focusing on identifying and managing failures. In short, we need to be able to predict when issues will happen before they happen.

Moving compliance to be more predictive will require a change of approach, a change of strategy and a new set of tactics. It will require compliance officers to look at compliance totally differently. It will require business leaders to trust that compliance can add more value by being more predictive. It will require trust and that trust needs to be earned. Every part of the world has moved in this direction and compliance should be no different.

For example, why should the following areas not be totally possible in the near future with a refined compliance program mandate to move compliance into predictive mode from reactive?

Why can’t a company predict when a transaction is likely to be tainted with bribery and catch that transaction before it gets booked? Why can’t a series of transactions be assessed in real-time searching for known patterns that suggest non-compliance?
Why do we have to conduct due diligence on the same customer that someone else just conducted due diligence on? Why can’t we rely on a published score about their integrity? Why can’t there be a standard by which we all conduct the same KYC screening and rely on it?
Why do we need people to sign off on having read and understood the code of conduct? Surely, we can identify whether their actions are consistent with the expectations of the code through observation and not by having them sign a document.
Same with policies and procedures, surely there is a way to qualify a person as having actions that are consistent with the policy without having them tick a box to say that they have read it.
When there is a suspected breach and investigation, the first thing people do is secure all the documents and emails and get ready to index them and search them for keywords. Surely, we already know these keywords. Why can’t we be scanning in real-time and identify emails before they are sent out? This can be moved to constant daily monitoring, not reactive investigation based.
Why do we need to train people on things that they already know about? Why do employees need training in areas that are irrelevant to them? Can’t we work out the areas where employees will need skills or knowledge to them ahead of time? Can’t we identify their skills and then specifically attack the areas where they need help? One size does not fit all. The training program should automatically know the skills the person or are likely to need and serve up relevant training to them automatically.
Can’t we predict the suppliers that are going to go bad before they do something wrong? We know what they are doing for us, we know the macro and micro-economic factors involved, we know the challenges in some countries and we know when companies are being prosecuted, so why can’t we work out the ones that are at highest risk for a compliance or legal breach and focus on them before it happens?
Compliance auditing should be very different going forward. It will not be focused on looking at historical data but looking at predictive models to see where things will go wrong. The auditing element is focused on the models and whether they work.

All these examples are available and possible now. These issues rely on the analysis of data and the modelling of issues using predictive analysis.

To contact the editorial team, please email ALBEditor@thomsonreuters.com.

Subscribe to our newsletter