Common-Sense Approach
The goal of compliance efforts is to mitigate threats to the health of an enterprise and to stay within the legal requirements imposed by regulation and law. The primary focus in the compliance arena in most industries and sectors is on fraud and corruption. Nefarious actors are finding new ways to pillage and cheat, and there is an almost infinite number of ways in which to carry out their schemes. But how does one herd these cats?
The most commonly used approach is to find anomalies – outliers that suggest activity is outside the “norm.” The idea is to establish a baseline of “normal activity” and then identify any activity that falls sufficiently outside that baseline. If a salesperson’s average monthly sales at a company is $1 million a month, why is salesperson ‘A’ doing three times that amount? Does she simply have exceptional skills, or is she taking bribes or kickbacks? Salesperson ‘A’ has sales that fall well outside the norm – this is an outlier, or anomaly, and a place to focus efforts. Using this approach, virtually any enterprise with changing needs can attempt to address risk. Merely redefine what is “normal” and the process starts anew.
How does one establish the norm? Of course, this is highly dependent on context but company records are a great place to start. Here are some ideas, to name only a few:
- What constitutes a typical transaction? Certain data analytics tools can take years of records and identify what constitutes a “typical” transaction. Are there transactions that deviate from this baseline? Do they suggest checks-and-balances are being bypassed? Are there unknown actors in the sequence of a transactional process?
- What are common communications patterns? An area of study called “graph theory” is helpful in this area; one implementation is what many know as “social network analysis.” Graph theory helps establish communication patterns that can then be used to find outliers. Among the many email domains, why do we find one small set of emails using a particular domain? Is someone communicating with a competitor? Are trade secrets being sent outside of the company?
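The baseline-and-outlier idea above, applied to the two cases the text mentions (salesperson ‘A’ and the rarely used email domain), as an added example that is not part of the original post. All data is constructed, and the function names and thresholds (3.0, 3.5, a 5% message share) are assumptions chosen for illustration; the example also goes one step beyond the text by comparing a mean-based rule with a median-based one.

```python
from collections import Counter
from statistics import mean, median, stdev

# Constructed sample data: one month of sales per salesperson (USD).
MONTHLY_SALES = {
    "A": 3_050_000, "B": 980_000, "C": 1_020_000, "D": 1_100_000,
    "E": 940_000, "F": 1_010_000, "G": 890_000, "H": 1_060_000,
}
# Constructed (sender, recipient) pairs using reserved .example domains.
MESSAGES = (
    [("bob@corp.example", "ann@corp.example")] * 40
    + [("bob@corp.example", "ops@partner.example")] * 18
    + [("eve@corp.example", "desk@rival.example")] * 2
)

def classic_outliers(values, threshold=3.0):
    """Mean/standard-deviation rule: the outlier itself inflates the spread."""
    mu, sigma = mean(values.values()), stdev(values.values())
    if sigma == 0:
        return []
    return sorted(k for k, v in values.items() if abs(v - mu) / sigma > threshold)

def robust_outliers(values, threshold=3.5):
    """Modified z-score on the median and MAD, which one extreme value cannot shift."""
    med = median(values.values())
    mad = median(abs(v - med) for v in values.values())
    if mad == 0:  # no spread in the baseline, nothing to score against
        return []
    return sorted(k for k, v in values.items()
                  if 0.6745 * abs(v - med) / mad > threshold)

def rare_domains(messages, max_share=0.05):
    """Recipient domains that account for at most max_share of all messages."""
    counts = Counter(rcpt.rsplit("@", 1)[-1].lower() for _, rcpt in messages)
    total = sum(counts.values())
    return sorted(d for d, n in counts.items() if n / total <= max_share)

if __name__ == "__main__":
    print("mean/stdev rule flags:", classic_outliers(MONTHLY_SALES))
    print("median/MAD rule flags:", robust_outliers(MONTHLY_SALES))
    print("rare recipient domains:", rare_domains(MESSAGES))
```

On this sample the mean-based rule flags nobody, because salesperson ‘A’ drags the mean and standard deviation toward herself, while the median-based rule isolates her. A flag is only a place to start looking, not a finding.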
A Centralized Approach to Investigation
A myopic approach to compliance only leaves cracks where risk can slip through. At times, compliance professionals focus on particular verticals within an organization without consideration of their entire ecosystem. An area of study called “Business Process Management” is used to identify all business units, their workflows and accompanying technical infrastructure. Compliance professionals are increasingly focusing on this area to wrap their solutions around the high-level needs and to take a centralized approach. Some of the topics in the technical arena include:
- Review of Corporate Email – use of e-discovery tools to analyze employee communications.
- Log Analysis – collection of logs from all enterprise software applications to follow activity in a centralized way. Web servers, email applications, ERP systems, network appliances and firewall software, among others, send their logs to one analytics implementation.
- Call Center and Surveillance Monitoring Analytics – new solutions analyze call-center discussions in near real-time. Surveillance systems use facial recognition to help identify activity.
- Social Media and Online Sources – social media and other online sources can be monitored in real-time to track other enterprise-relevant activity.
Using common-sense approaches considered in a centralized way, compliance professionals will be able to find balanced and efficient ways to mitigate risk and to remain compliant with relevant regulation.