In 2023, Data Will Make the Difference
Futureproofing Your Ethics and Compliance Program, Part 2
Interview by Bill Coffin
In this interview with Brian Beeghly, Executive Vice President of Insights & Solutions of Ethisphere, we learn about how data and analytics continue to shape the future of ethics and compliance, and how in the year to come, programs that aren’t using data to make their case might make significant difficulties for themselves.
This time last year, a lot of people in ethics and compliance were looking to the subject of data and analytics as being one of the big issues for 2022, if not the big issue. How accurate has that prediction turned out to be, and why?
It’s turned out to be very accurate. There is still a focus on data and analytics for compliance programs because the maturity level in this area is still low and the expectations of Boards, Regulators, and other key stakeholders continue to increase in this area. In addition, there are still a lot of manual processes out there which don’t lend themselves to great data nor great analytics. A lot of new tools are available and we have certainly made progress, but there is more to be done., And I think that when compliance professionals look 16
across their own organizations, they see advances not only in data analytics, but other areas such as finance, accounting, internal audit, diversity and inclusion, ESG, and environmental health and safety. Within organizations as a whole, there continues to be a very big and strong push towards better data and more data driven analytics, more automation, and more use of software. Quite frankly, I think it will continue to be a major theme in 2023 and beyond.
With informed360 becoming a part of Ethisphere this year, what are some of the most important developments you have seen in the area of program automation and workflow management? And what should we expect to see here in 2023?
We saw a lot of growth in our risk assessment tool and we see more and more companies doing risk assessments and looking for tools that not only help automate that process, but also bring an underlying framework methodology like the COSO ERM framework into the tool so that the compliance team doesn’t have to figure out what the methodology is. You might do a little bit of configuration, but they don’t have to kind of reinvent the wheel.
Surprisingly, we still see a lot of companies that are doing their risk assessments using Excel spreadsheets. I can’t think of anything more horrific, especially if you’re sending that out to a leadership group. But we still see that pretty frequently.
There has been an explosion in the area of disclosures as well. We have several customers using our disclosure tool which offers tons of workflow capabilities with lots of configurability. We’ve got a great tool that provides seventy to 80 percent of what a customer needs out of the box, and then gives them the capabilities to configure the other twenty percent, whether it’s specific workflows, specific questions, or specific resolutions. That has been a huge advantage for our customers.
We have also seen an explosion in the types of disclosures being tracked by our customers. The two biggest that we’ve noticed since the beginning of the year involve employees engaging in outside activities and outside businesses. It’s not uncommon for employees to get involved in a startup or to be part of a private equity investment group. We also see, as it relates to technology companies in particular, but also other companies that do any kind of software programming, software development engineers participating in open source projects or teaching classes in software development. That’s why companies are really focusing in on what kind of outside activities their employees are involved in, as opposed to simply sitting on the board of a nonprofit or something like that.
The other big disclosure area we see gaining a lot of traction is what is known as the politically exposed person disclosure, or the PEP disclosure. There have been some changes. recently, in mostly in Latin America (Colombia in particular), where employees are now required to disclose if they’ve got political relationships that could potentially be problematic. So we are seeing an uptick in that.
Then from a process standpoint, the other big area we’re seeing in disclosures is with pre-employment. Companies like doing background investigations; they don’t want to wait until they hire you to find out if you’ve got a conflict with a customer, supplier, or another employee. More and more companies are doing pre-employment conflict-of-interest disclosures from candidate employees. That’s a big area.
These areas just continue to evolve. Part of it is just maturing from manual or non-existent processes to more automated processes and then expanding the use of the tools from there.
When you mentioned how interest in risk assessment is exploding, what would you say is driving demand there? Is it companies looking to shed antiquated practices?
When you’ve got a manual process, you’re really limited in terms of the number of people that can be involved in that process, versus an automated process that allows you to involve many more people. There’s huge leverage in that. You’re also seeing ethics and compliance teams realizing that if the company is doing like an enterprise risk assessment, it’s kind of like an employee engagement survey as it relates to ethical culture. It’s not really giving you the granularity that you need.
What’s driving this is they’re not getting enough out of the enterprise risk assessment, and there is a growing need to do individualized compliance risk assessments, or what we call targeted risk assessments, that go deep into a particular subject area such as anti-competitive behavior. This kind of assessment asks, What is it about our anti-competitive behavior that’s really driving our risk? Is it price fixing? Horizontal or vertical restraints? Collusion? Industry trade associations? Or, they customers may be targeting a risk assessment to a new acquisition or new joint venture, the baseline of which may be different from the parent organization’s ethics and compliance risks, especially if you’re trying to expand your product line or expand into new territories.
I just think there’s a growing awareness of the need to do something, that it’s not just an annual, once and done risk assessment, where you kind of prioritize everything and then move on. More and more companies are seeing that it’s not the only risk assessment tool you have, but it’s a pretty critical piece that allows you continue to do ongoing risk assessments, monitoring, and auditing.
And finally, it’s just a great way to get people engaged in the compliance program that wouldn’t otherwise be involved. So, it’s partly an engagement tool as well.
It is no secret that regulators expect organizations to effectively manage programs and use analytics to ensure effectiveness. What changes or developments do you expect to see on this front in the coming year?
I think there will be a continued evolution of analytics to ensure effectiveness. It’s easy to say, “We ought to be doing more data and more data analytics.” But there is a journey to getting there, especially if you’re moving from a non-existent or very manual process to a more automated process. You’ve got to lay some groundwork to get the basics and fundamentals in place.
Another challenging area that we’ve seen in this applies not just to manual processes—although it’s particularly crucial there—but we also see some of the legacy systems that have been out there for a while. To be honest, performing data analytics within those systems can be difficult or challenging because the data structure is not great. For example, you might see five different ways to spell U.S.A. or United States of America. It takes time and resources to clean up your data and get it structured so you can get meaningful results from it.
I always talk about it in terms of a maturity model. If you would have asked 10 years ago if companies had a tool for conducting risk assessments, most companies would say no, they did not. If you would have asked if they had an automated solution for employees to make disclosures, the majority of companies would say no, they do not. Those things have actually become fairly standard today. So if you don’t have one, or you’re still using a PDF form on some Sharepoint site, you’re falling behind, from a maturity standpoint.
Also, if you think about how a regulator is evaluating your program, it’s not only against their standards, but it’s against what they are seeing in the industry as well. So, the less that you put into data analytics, the less you put into automation, the further you’re going to fall behind in terms of what is considered an effective program. Then you are going to have a hard time proving to a regulatory body that your program is, in fact, effective.
Tools like informed360 have done a lot to help advance the data literacy of this space. But right now, how would you rank the overall data literacy of ethics?
Well, it’s certainly a lot better than it was. One key indicator for me is the number of resources in the compliance team itself that are dedicated to data analytics. Again, I’ll use the maturity model: If you would have asked this question five years ago, the answer would have been “virtually none” for almost every company. If you had asked if your company has a data analytics person or somebody dedicated to data analytics and data visualization—not within your company and not within the IT department, but literally sitting within the ethics and compliance team—the answer would have been no. I just got off of a phone call earlier today with a customer, and they’ve got two people on their compliance team whose role is data visualization, analytics and metrics. That is their sole role, and we are seeing that more and more of that today.
Of course, it’s going to differ by size of company and what industry you’re in, but generally speaking, for larger companies, I think it is going to get back to that expectation piece and what constitutes an effective program. If you are serious about data analytics and automation, then you really need to be hiring for those skill sets in your ethics and compliance team and not just relying upon the skill set that traditionally has been out there. To me, that has been one kind of key indicator.
It will be interesting to see how that plays out in the 2023 World’s Most Ethical Companies application process, because I think we have some questions around that in terms of skill sets on the compliance team. And, I think we will continue to see that area of interest grow. Again, if you’re not devoting resources and time to this you are just falling further behind.
There are signs of economic and certainty on the horizon. And whenever that comes around, there is always the risk of the kind of belt-tightening that can slow a program’s momentum. From your perspective, what are some of the most important things an ethics and compliance program can do to build value, prove its worth to the organization, and futureproof itself against budget cuts?
As a former chief compliance officer, I have been subject to many budget cuts in my professional career, so they are no stranger to me. At the end of the day, it is not just trying to avoid budget cuts, because in some can instances you just can’t. But really, it’s about optimizing the budget and the resources that you have, and software is a great way to do that because it provides a lot of productivity enhancements and a lot of cost efficiencies in terms of collecting and analyzing data.
When it comes to showing the value of the program, there are some things you can do. Compliance teams, like many risk-focused areas of the company, always talk about cost avoidance. Or they say, “We avoided fines and penalties,” and that will get you to a certain point. Folks kind of intuitively understand that and get it.
But I think it gets back to that maturity model: showing progression in the program and backing that up with showing engagement levels around the program. If you’re not staying on top of these trends, if you’re not providing better solutions to your customers in terms of tools for automating disclosures and participating in risk assessments, then I think you’re going to run into a perception issue that you are not staying ahead of the curve, and that you are not using your resources, assets, and time wisely.
That’s probably the worst position to be in because that starts to impact the reputation of the compliance team itself. Now, I’m not suggesting that you need to be on the bleeding edge of trends. But you do need to recognize that the earth is moving, that the maturity levels are moving, and what constituted a good program five years ago does not necessarily constitute a good program today.
So how do you make investments for the long term so that there are long-term enhancements in productivity, data quality, and process? That is another critical area for compliance teams where they can show value: show that you have built sustainable processes that leverage your resources and what the company already does to drive efficiencies across the enterprise.
I don’t think any large company is ever immune to budget cuts. But I think to the extent you can show that you know you are wisely allocating resources in the program, using the budget dollars that you do have efficiently, that you’re getting a economies of scale, that you’re keeping employees engaged, and yes, you’re reducing risk and preventing misconduct from happening in the first place, I think all go towards telling that story and showing value to the company.
Looking ahead for 2023, broadly speaking, do ethics and compliance professionals have more challenges to look forward to in the coming year, or more opportunities?
I have a pretty deep background in lean manufacturing and lean principles, and one of the central tenets of lean is that problems are good. Challenges are good. It’s through that identification and resolution of problems that we not only become stronger as an organization, we become stronger as a team. Our processes get better and we become more efficient, more productive.
There’s always the macro environment that we operate in that will continue to be challenging. Sanctions has never not been a challenge, for example. But at the end of the day we’re dealing with human behavior in the workplace, whether that’s bribery and corruption or health and safety. That’s never going away. It’s something that requires constant care and attention.
I am a “risk” guy at heart. Its where I have spent my entire career. To me, challenges are the opportunities. And the key piece, as I think about it from a former compliance standpoint, is making sure that you are advancing your program, doing the risk assessments, and paying particular attention to emerging risks. You know, data privacy would not have been on anybody’s top 10 list 10 years ago, and now it’s on everybody’s top 3 list. Same thing around diversity, equity, and inclusion.
Make sure that your program is not only keeping step with industry trends and best practices but keeping step with your own organization, as well. Has your business changed? It might be a situation where you actually have scaled back what you do because your organization has gotten smaller, or you’ve gotten out of certain countries or products. You need to think about those things.
But make sure that your program is structured in order to gain maximum efficiencies from a process standpoint and also structured in a way to give you flexibility to adjust as needed and address challenges and opportunities wherever they arise. Because we all know they most certainly will.
ABOUT THE EXPERT
Brian Beeghly is Executive Vice President, Insights & Solutions, for Ethisphere. Brian is the Co-Founder of informed360, an innovative software and technology services company that became a part of Ethisphere in early 2022, Brian is the chief architect of a cloud-based platform that supports effective ethics, compliance, and risk management programs. In addition, Brian advises Fortune 500 companies on overall program design and supporting data integrations. Prior to informed360, Brian served as the Vice President of Compliance and Risk Management at Johnson Controls, a Fortune 75 company with over $44 billion in revenue and more than 170,000 employees worldwide.
This article is from the Fall 2022 issue of Ethisphere Magazine. To read the full issue, click here.