Podcast: R&G Insights Lab – Culture & Compliance Chronicles: Compliance Analytics Simplified (A Chat with Integrity Tech Leaders from Lextegrity, Part I)
The latest installment of R&G Insights Lab’s podcast series, Culture & Compliance Chronicles, explores the benefits of using analytics and technology in the compliance and risk management space. Zach Coseglia, managing principal and head of innovation of R&G Insights Lab, talks with two guests from compliance software company Lextegrity, founder and CEO Parth Chanda, and head of product Kara Bonitatibus. In the first of a two-part conversation, Parth and Kara talk about the benefits of a more analytically-powered approach to compliance and risk management; and specifically, how they have drawn upon their past experiences as in-house compliance lawyers to develop solutions that help companies get a better handle on their risk in near or real time. The three also discuss how technology, analytics and a user interface that prioritizes the employee’s experience can promote better business decision-making, improved compliance, and drive a more sophisticated analysis of programmatic effectiveness.
Zach Coseglia: Welcome, and thank you for joining us for our latest installment of Culture & Compliance Chronicles, a Ropes & Gray podcast series focused on data analytics and the behavioral science approach to risk management, brought to you as always by R&G Insights Lab. I'm Zach Coseglia. I'm a lawyer here at Ropes & Gray, as well as the managing principal, head of innovation and co-leader of R&G Insights Lab. On this episode, I am thrilled to be joined by Parth Chanda, founder and CEO at Lextegrity, and Kara Bonitatibus, head of product at Lextegrity, to discuss analytics and digital transformation in the compliance and risk management space. Before we get started, just a quick reminder about R&G Insights Lab. R&G Insights Lab is this new, innovative legal consulting group that lives within the walls of Ropes & Gray. R&G Insights Lab is a global function, and we're not specific to any particular industry or sector, nor are we specific to any particular practice group. Instead, R&G Insights Lab is defined by our unique point of view, which is all about the power of analytics and behavioral science as additional tools in the toolkit for solving complex legal and businesses challenges. We're also a team of just deeply creative thinkers, who pride ourselves on showing up with ideas.
So let's dig into today's topic. Strategically, for R&G Insights Lab, one of the first areas of focus for us is bringing this unique point of view to the compliance and risk management space. We're joined today by two incredible talents and terrific guests who really are thought leaders and entrepreneurs in this space. They also happen to be good friends of mine and of the firm, and are, as you will all see soon, just delightful people. So Kara, why don't we start with you – please introduce yourself to our listeners.
Kara Bonitatibus: Thank you so much for that great introduction, Zach. I am the head of product at Lextegrity. I actually have an engineering background, but I'm a lawyer by training. I started my career in private practice, first as a patent attorney and then focused on internal investigations involving pharmaceutical compliance and FCPA issues. I then spent more than ten years at Pfizer in various compliance roles, starting with roles in investigations overseeing one of Pfizer's corporate integrity agreements. I managed the U.S. monitoring function for a period of time. And before I left, just actually a little over a year ago, I had been responsible for the company's compliance policies, including its code of conduct, its anti-corruption program office, and the conflicts of interest policy. Perhaps most pertinent to my role today, I was also responsible for developing the compliance division's digital strategy. Currently as head of product, I'm responsible for product strategy and vision at Lextegrity, and I work with Parth to develop the solutions that we wish we all had when we were in-house.
Zach Coseglia: Terrific. Thanks, Kara. And Parth, introduce yourself please.
Parth Chanda: Thanks, Zach. I'm the founder and CEO of Lextegrity, as you mentioned. I'm a lawyer by training as well. I began my career as an FCPA lawyer in the early 2000s, working on a number of large investigations, two FCPA monitorships, and also some other matters at a large law firm in New York. Then I went on to spend about a decade in-house largely at Pfizer as well, with Kara, where I served as the lead anti-corruption lawyer for the company, globally, for five years. During which time I oversaw Pfizer's entry into their FCPA deferred prosecution agreement and their two year self-reporting period. In that role, I fortunately was able to oversee really a dramatic revamp of Pfizer's controls in the anti-bribery, anti-fraud space generally, globally, cutting across pre-approvals, third party due diligence, fraud analytics, and all sorts of other systems integrations. And from that, in 2017 I really decided to leave Pfizer to launch Lextegrity to try to really bring the types of cutting edge technology that I had implemented and that was only available at that point to a very small number of companies globally, to bring that technology to every company in the world, which I think, from my perspective, is an initiative that I think perfectly aligns with what you're all doing at the R&G Insights Lab. So really excited to be here with you today and to tell you more about that.
Zach Coseglia: Thanks guys – we're really excited to have you as well. I would also like to point out that I am not offended that you referenced working with Kara at Pfizer, but not working with me at Pfizer – but that was also the case. Just kidding, Parth. Before we dig into the amazing stuff that your software does, let's talk about our partnership. When we launched R&G Insights Lab, it was really important for us to be guided by and to be connected to thought leaders and experts from industry and from academia. So one of the things we did to live up to that was we created an advisory board, which is a small group of external advisors who are offering guidance to me and to the rest of the Lab's leadership team on the development and operationalization of our business strategies, who are providing us with input and insight about our new product offerings for the Lab, and who are sort of serving as thought leaders as we look to the market trends. And Parth, we're just very lucky to have you serve on that advisory board. More importantly, though, and certainly more relevant to our clients, is the relationship that we have on potential client work, and that's part of the theme for today's discussion, in fact. We're going to hear more about your technology today, of course – that really is the centerpiece of our discussion. But there's power in a strategic partnership between Lextegrity and R&G Insights Lab – there's power in an integrated offering that we're able to provide together. I think you both know, and now all of our listeners will know, that I am a loyal consumer of home improvement and other real estate reality TV shows – they're always talking about a turnkey property, and I think that's what we're able to offer together, a turnkey analytics solution for our clients. In fact, that's the theme for our discussion today: How Lextegrity and R&G Insights Lab can provide a turnkey solution to our clients to help them fulfill their compliance and risk management-related analytics and digital ambitions. So with that said, tell us more about your software. Kara, I'll throw the question to you: What does Lextegrity's software do?
Kara Bonitatibus: We have a suite of products that are focused on the entire life cycle of risk for spend. We have pre-approval and due diligence applications and we have a continuous monitoring application, which we're going to be diving into in a few minutes. But, Zach, as you, I and all of us know, risks don't end once due diligence has been conducted or an approval has been obtained. So take, for example, the paper supplier that doesn't actually supply paper or a vendor that's gone through due diligence but then submits its first invoice under a different name or using different bank account information. Our products use automation and analytics to make the risk process more efficient and more effective. Specifically, our monitoring application uses data to find hidden risks that no human may be able to detect, or in areas where a data pattern points to an increased risk, even if the individual data points don't look problematic.
Zach Coseglia: This is amazing and super exciting, and I definitely want to talk more about your continuous monitoring application. But before we get there, your pre-approval product also looks really cool and seems really impressive, so why don't you take just a couple of minutes telling us more about that?
Kara Bonitatibus: Absolutely. How much time do we have? Just kidding. Our pre-approval application includes dynamic workflows for various activities that we have – workflows for travel and hospitality, gifts and entertainment, conflicts, and engagements. This is particularly relevant in the health care industry, so HCP engagement workflow. We have pre-built template content and questionnaires that are available for our customers, or we can build a custom workflow using a company's existing content. The questionnaires are really sophisticated – they employ conditional logic and can trigger different approvals. As you may recall, when we were together, user experience was something that was extremely important to me. Our applications are responsively designed, which means they can be used on a mobile device, which is particularly important in industries where companies may have a lot of employees out in the field, like in the health care or life sciences sector – people who are not in a typical office environment. But since we're talking about data analytics today, I did want to highlight a few features about our pre-approval application which I think are really powerful. We have things like aggregate spend analysis, which are policy thresholds that are implemented in the approval workflow. We also have context analytics where we can show an approver the current request in context of other similarly situated requests or requests submitted by employees in similar roles, or similar functions. I should mention that while all of our products are available individually, they become extremely powerful when they're implemented together. So, for example, if a customer has both our pre-approval and monitoring applications, the monitoring results can help inform pre-approval decisions. We have tests in our monitoring library that look at certain pre-approval attributes – it's really, really powerful.
Zach Coseglia: It sounds that way. I'm really glad that in addition to referencing all of the analytic capabilities that you mentioned the user experience aspect of what you guys have built. One of the things that I want to underscore in all of that (that can be lost in a podcast), and also use this to encourage folks to get a proper demonstration, a demo from you all, is the user experience point. I think folks often hear us at R&G Insights Lab talk about human-centered compliance, and obviously a big part of our strategy is a focus on behavioral science. I'm such a believer that we can actually promote more effective compliance when we create user experiences that are going to resonate with people, when we don't just create process or policies that live and collect dust on a shelf, but when we're able to use digital innovation to translate those things into something that will resonate and actually bring them to life. Your platform is, in addition to being innovative and data-driven, it's also a beautiful platform, which for now, everyone will just have to take my word for that since we're on a podcast, but it's evident once someone begins to experience it and sees a demo of your product.
Let's now talk about the continuous monitoring platform because we've been teasing people by referencing it a couple of times. So, dive into the continuous monitoring and data analytics angle further, and some of the key use cases that you've developed there.
Kara Bonitatibus: Our monitoring application is focused cross-risk, so we have analyses for ABAC, fraud, sanctions and conflicts. We use a library of sophisticated algorithms which we are actually constantly adding to, which is a benefit to our customers because they get these analyses continuously to their product. The tests range from simple policy threshold tests to more sophisticated, statistical analyses to context analytics, and it uses these algorithms to risk score spend items such as invoices and expense reports. Unlike more traditional sample-based audits or monitoring activities, our application runs these algorithms on 100% of a company's spend, and risk scores 100% of the transactions. But what is really unique is that we have a user interface that enables the company representative to configure all of those pre-built algorithms that I just mentioned. You can even turn them off – so, if an algorithm isn't relevant or perhaps you're not ready to implement that particular analysis, you can turn it off or you can customize or adjust the settings to the test. So, you don't need to build an internal data science team and you don't need any specialized knowledge to have a world-class program out-of-the-box. In addition to all of this sophisticated algorithmic functionality, we also have extensive dashboards that help our users visually understand their risks. All in all, it's a powerful tool for audit and for compliance. But beyond that, we also see it as a really powerful tool for the business and leadership – so they can easily identify patterns and trends that inform their business decisions with much better risk information than what they may currently have.
Zach Coseglia: So this is incredible because I think that one of the things that puts all three of us well-positioned to talk about this topic is the fact that before I started the Lab, and before you guys launched Lextegrity, or went to Lextegrity, Kara, I think we all did it the hard way. We were building these things the hard way – we were building them from the ground up. I think that you got to this a bit, Parth, in just introducing yourself to the listeners, but I want to actually take a step back and reflect on that and ask you a more basic question that I think speaks to the broader opportunity that exists for analytics and digital transformation in risk management, and that is: Why did you start Lextegrity? What was the driver? What was the inciting incident that led you to leave an incredible career at Pfizer and in-house to launch this software company?
Parth Chanda: That's a great question, Zach, and frankly I think the same question applies to Kara and some of our other leadership team members at Lextegrity. We all left our, as you described it, really stable, in-house compliance and audit function jobs at these large companies to join a tech startup. So why did we do it? It really was pretty simple for me. We were convinced, and I was increasingly convinced over the last several years that there really was a better way to manage risk than how 99% of companies are managing risk today – an approach that's really rooted in data, but also focused on user experience and intuitiveness for those business users who need to buy into your compliance processes. And then integration – integrating disparate systems and data sources so that they work well together. So what do I mean by that in a little more concrete terms? Companies have tried to manage risk by putting into place a lot of process, but the reality is a lot of that process, in my opinion at least, is not as effective as most compliance practitioners think. First, they're often siloed, they're disconnected from each other and from key enterprise systems. Taking just third party due diligence as an example, third party due diligence process in most companies is not connected with the conflicts disclosure process, so if a conflict is disclosed related to a supplier, that's not tied to the supplier's diligence or ongoing risk management. And for me, the bigger disconnect is many companies, what I have seen, the third party diligence process is not even connected in any sort of hard way to the vendor master creation process, so an employee can really bypass the third party diligence controls and onboard a third party with really no hard controls to prevent that. So, frankly, a lot of the systems that are in place, they have these blind spots, these data blind spots as well as process blind spots, that really don't equate to powerful controls. And then ultimately, who are you relying on to detect any wrongdoing? Internal audit in most organizations – and that comes with its own serious limitations. So audit tests a sample of transactions periodically, using sometimes fairly basic analytics, and now that's all exacerbated with COVID, obviously, with audit teams grounded for the foreseeable future. So I really started, and we all joined Lextegrity to really shake up that old formula, to really use technology as a way to unify the life cycle of risk around spend. So bring all of these pre-approval processes and disparate systems into one unified platform with much better user experience for the business, so they actually buy into your processes. Integrating those systems with downstream spend and HR systems, and then ultimately using data analytics to move to continuous monitoring, continuous auditing, continuous testing of 100% of transactions globally – and really ultimately, create this closed risk loop. We're big believers, like you are, Zach, from the many conversations we've had over the years, from our time together at Pfizer to now, that the future of compliance really is about closing that risk loop. It's not about putting a process and then hoping for the best and trying to detect it 14 months, 16 months later – it's using automation and technology analytics to really have a good handle on your risk throughout your risk life cycle. And so that's the long version of our origin story in a nutshell.
Zach Coseglia: Now this is such an important point, and I want to talk more about it because I really can't underscore enough the importance of what you just said. So much of the conversation about data analytics for compliance is about how to use these tools to develop better after-the-fact insights, insights that ultimately lead to better after-the-fact auditing and monitoring, but what I see here with your tools, and where I think that there's real opportunity in this space is in using analytics to help shape decisions by the business on the front-end. I've heard you talk in the past about democratizing data for the business, and so Parth, I'll throw this question back to you. Tell us more about how your solution helps with this important piece of the risk management puzzle.
Parth Chanda: That's a core element of what we've built. We have all sorts of functionality that allows compliance organizations to segregate data and to give specific slices of data to different user groups, which could include the business, finance, sourcing, all sorts of other functions. But for me, the broader question for the business, from a business perspective is ultimately the name of the game for the business, the board, the management, the core stakeholders, your country managers, is really: How effective is the overall program? Ultimately, the DOJ compliance program guidance is all about evaluating the effectiveness of the program, but your business leaders have not read that guidance, and that doesn't really resonate for them. But they know that they're spending a lot of money on compliance every year, and they ultimately want to know, are they getting a good return on that investment? Is their program ultimately effective? And that's where I think, again, going back to the legacy, first generation approaches to many of these things, in terms of measuring effectiveness, compliance teams are often, from my perspective, looking at metrics that are too shallow and subjective to really get to whether the program is really effective. So we've already touched on, I think I mentioned audits and my criticisms of the audit-based approach in detail a little bit earlier, but again, you're looking at a sample of the overall transactions. Now, if you have a string, if I'm a businessperson and I'm sitting there and I have a string of good audit results, am I really confident that I don't have a problem – that I don't have a problem in a market where audit hasn't visited this year, or maybe even hasn't visited in a number of years, because it's not a particularly material market, but it's a high-risk market nonetheless? I may then have whistleblower stats that my compliance organization is giving to me. Again, that's looking at a sample of disclosed issues, and frankly, I think they're even harrier to use as a way to assess the program's effectiveness. So if I'm management, I'm the C-suite and I have low recording stats, is that because the program's actually effective in the region or in the country or in the company as a whole, or is it because people just aren't reporting culturally? The list really goes on and on. You have these traditional metric training stats, code certification stats – they all suffer from these same sorts of data limitation, and so from my perspective, the effectiveness of your program as a senior manager, board member, C-suite executive, really can only be assessed when you're testing. There's a lot of parallels with COVID right now – the more people you test, that's the only way you're going to really understand if your risk mitigation steps are actually working. Take the anti-corruption space – a tool like a continuous monitoring software tool can really give the business a sense of whether or not the program that they're funding is actually effective, because it's going to give you a level of comfort when you're actually testing the external flow of money and you're potentially, with our tool, testing 100% of your transactions continuously.
I can talk in length maybe later on about some of the ROI, the other types of ROI for the business and how data can be used by the business to do their jobs better and make better ethical decisions, but some of these core pieces: Is the program really effective at all? Are these investments that I'm making from a company perspective, from a business perspective, actually driving effectiveness? I think the answer is clear that the data analytics really can inform that in a way that none of these compliance metrics today really can. But I think with that, and I'd love to hear from you, Zach, we've been talking for a bit – what are you hearing from your clients about what they want to be doing more of following the DOJ guidance, and that the DOJ's clear focus on data?
Zach Coseglia: Thanks Parth. This is a great question, and to hear my response and the rest of our conversation, I encourage our listeners to tune into part two of this terrific discussion with two of my favorite people from the world of compliance and risk management. Yes, this is a bit of a cliffhanger, but on the next installment, I'll answer this question, and we'll dig deeper into the business case for a solution like this. We'll also talk about the process of implementation, and hopefully knock down some preconceptions about the time it takes and the cost involved in launching a solution like the one offered by Lextegrity. We'll also look to the future and opine about the future of compliance and specifically the role that analytics and technology will play in that future. Until then, thanks to all of our listeners. For more information, please visit R&G Insights Lab's website at www.ropesgray.com/rginsightslab. Or for more information about Lextegrity, please go directly to their website at www.lextegrity.com. In the meantime, if we can help you navigate any of the topics we discussed, please don't hesitate to contact us. You can also subscribe to this series wherever you regularly listen to podcasts, including on Apple, Google and Spotify. Thanks again for listening.