Risk monitoring with data analysis | Thomas Fox
This week on the Compliance Podcast Network, I am running a multi-part podcast series, Smart Automation for Risk Management, sponsored by Lextegrity Inc. As part of this series, I had the opportunity to visit with Andy Miller, Chief Analytics at Lextegrity. We dove deep into risk monitoring through data analysis.
We started with a discussion of what a continuous monitoring solution is. Miller said it “provides compliance and audit teams with a comprehensive means of keeping track of transactional expenses and revenue risks in their business.” The key to the analytics is that they are configurable and contextual with respect to your specific risks, your lines of business or the historical issues your organization may have encountered, so that the risk algorithm is actually tailored to your business and is not a static setup. The solution has to connect to a wide variety of ERP systems such as SAP, Oracle, Concur, Workday and others.
The Department of Justice (DOJ) 2020 update on the assessment of corporate compliance programs (2020 Update) for the first time required that compliance practitioners and a company’s compliance function have access to the company’s data lakes. Miller thinks the 2020 Update has truly been an eye opener for many risk professionals and businesses that need to do better. Compliance professionals must have access to their own data as risk professionals, and they must have an actual plan and program to monitor their business data. This bears directly on the first two components of any compliance program: preventing and detecting actions that could be fraudulent or corrupt, such as bribery, or other actions that could put your business at risk. This is even truer in 2021 as the DOJ ramps up its enforcement efforts. A continuous monitoring solution provides compliance and audit teams with a comprehensive means of keeping a pulse on transactional expenses and revenue risks.
The key is that your continuous monitoring solution should be flexible and adaptable to your specific business. You should have analyses spread across a variety of areas, each looking for specific types of risk within that general risk area. This allows you to identify transactions that could be associated with wrongdoing such as bribery or fraud. What many compliance professionals struggle with, however, is separating the wheat from the chaff. In other words, they are bogged down in the details of a transaction, such as spending on gifts, travel and entertainment (GTE), lack of approval on discounts, or third-party issues, and do not have the ability to take a step back and see the bigger picture.
We then looked at the differences between metrics and key performance indicators (KPIs). Metrics are more generally thought of as specific data points, while KPIs are metrics that are closely related to and tracked against specific goals. Miller explained, “We could have a metric that is the number of trainings completed in the last month. The KPI could be that we have at least 90% of trainings completed at all times. With this, we can turn our measurement into a KPI based on what our goal might be.” Miller added, “When we talk about analytics, it focuses on positioning the data, so that it is more valuable for end-user analysis, which makes it easier to identify something specific or generates insights and actionable insights from the data.”
Your approach should focus on prioritizing your efforts within this monitoring of expense and income data, seeing the full context of the transaction and its risk outcomes, so that you can focus on the risk as a whole. It is also more risk-oriented and less control-oriented. One thing to have is a scoring algorithm that is calculated at an aggregated level over multiple scans, to help you reduce false positives and noise and to better prioritize your transactions based on the risk parameters that you define. The solution should connect to your approval workflows, allowing specific analytics such as checking your approved amounts against your actual amounts and confirming that the people you said you were going to pay are the people you actually paid.
Since third parties are still one of the highest compliance risks, a more robust approach to third-party risk management is needed. Here, Miller noted that “high risk third parties, as well as any low risk third parties that appear in high risk expense categories, beyond rating transactional risk and highlighting higher risk transactions for a closer look.” All of this allows the compliance professional to go “and really explore your data with that detail of increased risk and explore different dimensions of your data, maybe geographic, maybe a subject, or some type of specific subject or which spends nature.” All of this goes down to the actual transactional level of data.
Additionally, it allows for a deep dive into every stage of business cycles such as Quote-to-Cash and Procure-to-Pay, so that every part of the transaction can be seen. How can you both see the dots and connect the dots in a more macro view of risk? What you need to do is “integrate this transactional data in the most robust way possible.” For example, when looking at vendor spend data, look beyond the single payment to the multiple invoices behind it. From there, you can view the invoice line detail, purchase order information, and purchase requisition details at each of these steps in the business process.
While each view may provide a small number of details that might be relevant from a risk perspective, a single view may not be enough to identify the risk in the entire transaction. However, when you add “information from the financial side of the house, it provides accounts that can impact an organization from an expense perspective because there are a lot of good clues.” You can then supplement this data with other information, such as the information in the main human resources (HR) file. This allows you to see who approved the Purchase Order (PO), who requested the purchase requisition, who approved the final payment or invoice, and what your network looks like in relation to the overall transaction. This allows for a much more holistic approach to big data.
We concluded by considering what the connection of all these dots might look like. Miller said that by “connecting the points of risk you start to see other things happening, you catch an exception in that area and now you say, well, so and so was a big part of it. Let’s see what else they’ve touched on in this area or analyze the cross-impact between employee spending and supplier spending, and then talk about that in the compliance space.” You can also come across hotline reports, due diligence, audit reports, training completion data and, in fact, “all that other program information where compliance has a hand and that can feed this transactional data. It can really give you the big picture of your compliance risk.”