Podcast: R&G Insights Lab – Culture & Compliance Chronicles: Compliance Analytics Simplified (A Chat with Integrity Tech Leaders from Lextegrity, Part II)
The latest installment of R&G Insights Lab’s podcast series, Culture & Compliance Chronicles, continues to explore the benefits of using analytics and technology in the compliance and risk management space. Zach Coseglia, managing principal and head of innovation of R&G Insights Lab, concludes his conversation with two guests from compliance software company Lextegrity, founder and CEO Parth Chanda, and head of product Kara Bonitatibus. Picking up where they left off, the group first tackles a common question from companies, “Of all of the places where there is an opportunity to bring value with data and analytics, which is the area that we should focus on?” From there, they discuss why data analytics is more of a journey than a silver bullet. Finally, they dive into examples of how continuous monitoring with a pre-built analytics engine like Lextegrity’s can help not only individual teams in a company, such as internal audit, but also the business as a whole.
Zach Coseglia: Welcome back, and thank you for joining us for the continuation of my discussion about compliance, analytics and digital innovation with Kara Bonitatibus and Parth Chanda from Lextegrity. I'm Zach Coseglia, a lawyer here at Ropes & Gray, as well as the managing principal, head of innovation and co-leader of R&G Insights Lab. You're listening to our latest installment of Culture & Compliance Chronicles, a Ropes & Gray podcast series focused on data analytics and the behavioral science approach to risk management, which, as always, is brought to you by R&G Insights Lab. Now before we dive back into the discussion, I just want to remind our listeners where we left off. Parth, we ended our last discussion on a bit of a cliffhanger. You and Kara shared details about your technology and your journey from compliance professionals and lawyers to tech entrepreneurs. And your question to me was this: "What are you hearing from clients about what they want to be doing more of following the DOJ guidance and the DOJ's clear focus on data?" So let's dive back into that discussion.
One of the questions that I often get asked is: “Of all of the places where there is an opportunity to bring value with data and analytics, which is the area that we should focus on? So is it investigations, is it risk assessment, is it in effectiveness or is it continuous monitoring?” The way that I generally answer that question is (it's a bit like choosing my favorite child, candidly), but the one that I often wind up picking is continuous monitoring. The reason why is because I feel like continuous monitoring is the thing that gives us more detailed, more data-driven insights about actual performance. It helps us understand how we're doing, and it helps us understand how we're doing in nearer time than those older legacy ways of doing things. And if done right, for that reason, it can help us stop the next investigation. It can help drive the risk assessment and our understanding of risk. It can help answer that effectiveness question, which as you point out, lots of folks are talking about it and our clients are very much focused on. And so I see it as the place where there's the greatest opportunity because of the role it plays in helping drive a more analytically-powered approach to all of these things.
But that said, there are a couple of observations that I have from my time at Pfizer and from my work with other clients. The first is that, and I say this a lot, so you and others may have already heard me say this and will hear me say it again at some point in the future, but much of the discussion that's out there about compliance analytics, it tends to be conceptual and it tends to focus in on some buzzy words, like “artificial intelligence,” “machine learning,” “augmented analytics,” and “natural language processing” – take your pick. I think that these concepts, they can be intimidating to those that are starting their analytics journey. I even see clients either getting turned off very early in the discussion because of the perceived complexity, or spending time and money trying to operationalize some sort of non-existent silver bullet, when in fact there may be really important but less exciting preliminary work to be done to curate data, to connect systems, to invest in infrastructure that's ultimately going to support those longer-term analytics ambitions and that vision. That brings me to the second observation, which is to forget about all these buzzy words and these big, intimidating concepts for a moment. Most compliance teams, in my experience, are struggling to do much, much simpler things with their data. It may be because they're not capturing the data that they need. It may be because the data that they have lacks quality or is managed in ways that makes it challenging to use. And sometimes, even if they have good data, they just may not have the resources to ultimately dive in and to use it in a more sophisticated way, or to deploy analytics in ways that are going to do the things that you're talking about and that we often talk about together. So, what actually excites me about what you offer, and then what we can do together, is the concept of this turnkey solution that ultimately accelerates progress.
Kara Bonitatibus: That's 100% right – I think you summarized it quite accurately. Data analytics is definitely a journey for most companies, and I think you've highlighted some of the fears and hesitations that a lot of companies have, which is they're either afraid of not having sufficient resources or not having data in the right places. But you need to start somewhere and our technology can dramatically accelerate that journey, starting the journey as well as progressing down the journey out-of-the-box. Certainly there is a large opportunity to have your team support that and support your clients in designing their program so that they have the optimal structures and use cases, and have a little bit more structure around where they should start, even if it is, as you mentioned, some of the more simpler analyses. Our tool gives companies control to dynamically adjust all of those algorithms I referenced earlier so that they can take into account historical issues from things like investigations. Our solution enables people to identify subjects or key words or specific general ledger accounts, for example, that might be at issue. And certainly your team could help companies identify those things that perhaps companies should focus on because you also have a 360° view of historical issues from investigations and risk assessments and where the government is focused. So I think there's a lot of opportunity for companies, again, to get started on that journey with our solution and with the support from Ropes & Gray.
Zach Coseglia: Parth, I'm going to come back to you. We've talked about how compliance can leverage your products, but it seems like other functions could really benefit from your solution as well. So, for example, how could an internal audit team benefit from a continuous monitoring solution like yours and in ways that maybe enable them to actually improve or evolve what they currently and historically have done?
Parth Chanda: That's a great question and also I think highlights a tremendous opportunity, in my opinion. Internal audit I think is really ripe for capitalizing on software like continuous monitoring technology. The traditional internal audit model for detecting compliance risks is really much more expensive and, frankly, far less effective than the technology-driven continuous monitoring program. So pre-COVID, that model involved picking a sample of markets each year, and then a sample of transactions in each market, sometimes using fairly basic analytics or random sampling or judgmental sampling, like, looking at the top invoices from the top high-risk vendors or third parties identified in the due diligence process, and then really starting each audit with a lengthy prep process, sitting at headquarters and flying an audit team down to the market, staying in a four-star hotel for two weeks, picking a sample of transactions and then closing that audit out and going home – and then repeating that a number of times throughout the year. But that model really only scratches the surface of what's going on, in terms of the overall number of transactions and activities in the company. And really, due to the effort involved, there's significant lag time between a transaction and it being selected by audit, if it's selected at all. So really by using continuous monitoring software instead, or even to supplement that process, an internal audit team can apply advanced, multidimensional analytics, importantly, to 100% of spend across 100% of their markets entirely remotely, and then really focus those human resources, that audit brainpower on those highest-risk transactions flagged by the software. Particularly in this post-COVID world, I think that's a true game changer, as it's clearly more effective, more efficient and probably most importantly far more real-time, ultimately enabling audit to detect problems easier and quicker and more cost effectively, but also to find them before they become systemic problems.
Zach Coseglia: So Parth, when I think about software like yours and when I think about continuous monitoring innovations, I often find myself thinking about how the power is that it enables us to not just find isolated procedural, process-based or rules-based deviations – it really opens the door for us to create something that's more judgmental and more risk-based. But at the end of the day, what audit teams are often doing is looking for process-based, rules-based deviation, so are there specific use cases or analyses within your solution that you think would be particularly useful or beneficial to audit and its mandate?
Parth Chanda: I think we could probably devote an entire hour to covering all the analyses that come pre-built into our solution, but I think the best way to think about this and really frame it would be this: We've created a pre-built analytics engine in our application that provides audit as well as compliance teams with a tremendous amount of configurability without needing any specialized coding or scripting language knowledge or any data scientists on staff. So using maybe the T&E-side as an example to deep dive into this – we have analyses that operate in multiple dimensions. The first one is at an individual expense level, then at an aggregate expense level, and then even at a subject employee profile level. To make that a little bit clearer, let's take meal expenses – something that the audit team's looking at from both, as you mentioned, a policy process perspective as well as from a risk perspective. The audit team can use our tool to run analytics at that first level, which is at the individual meal level. So, for example, applying risk thresholds to the total monetary amount, or even per attendee amount for every single meal expense in Brazil involving government officials to identify any specific meals over the risk thresholds that they've set. Then they could go a level up and apply a different set of analyses and risk thresholds for the aggregate frequency or monetary amount of the same category of meals over a period of time, let's say six months. So Brazil meals involving government officials over six months to identify any meals or employees over that aggregate risk threshold. And then, finally, at the next level up is really applying analyses at an employee, supplier, vendor, third-party level that's going to look at outliers at the subject level. So in this example, looking for outlier employees in Brazil involving their meals with government officials over a period of time compared to their peers across multiple dimensions, whether it's the total amount of spend over that period of time, their frequency of spend, their per attendee costs, or maybe even their average attendee costs per meal. So you can see, if you extrapolate that out, all the different dimensions you can bring into the calculus. Again, that's only a small handful of the examples in our overall library that covers employee and third-party risks, not just in the corruption space, but across fraud, embezzlement, conflict, sanctions and other risk areas. But the most important point here, I guess ultimately, is that the application allows every company, every audit team, every compliance team to configure those analyses dynamically and in real-time without any coding or back-end data science because we've created a user interface to do all of that. Finally, our analytics library – to be clear, as a software company, we have a commitment to our customers to build that analytics library. Today, it's already growing month over month – we just released seven new analyses to all of our customers, again, out-of-the-box, but highly configurable, so that analytics engine is going to get stronger over time. We recently launched the Integrity Analytics Collective, which is an initiative with us, you guys at Ropes & Gray, Ethisphere, and other leading ethics and compliance organizations, and that's going to continue to solidify our commitment to collaborate together across the ethics and compliance community to improve that analytics library over time.
Zach Coseglia: So I think that the takeaway is we probably should schedule another hour to actually dive deeper into all of this. But for now, we've been circling around an issue that I want to dig on a little bit more, and that is on return on investment. Let's not necessarily just limit ourselves to the benefit that it can bring to the audit team or the compliance team. How would you describe more holistically the return on investment of something like this?
Parth Chanda: It's a great question – it's one we're asked all the time, and I think as we get more and more data and more and more companies go online with tools like this, the story will become even clearer, I think. But fundamentally, and I touched on this a few minutes ago, the main ROI here is really around managing your risk far more effectively and comprehensively, and at the same time, doing that at a lower cost than how you're doing it today, which is highly manual and less far-reaching. First, I should be clear and transparent that there is an investment involved in setting up software like this and systems like this, but it's actually a much smaller investment than I think most companies realize because, again, a lot of this is out-of-the-box and pre-built and is not bespoke. You're not bringing in an army of forensic accountants to build a whole SQL database and set of analytics and visualizations – it all exists today out-of-the-box. But once you're past that hurdle, and you have this continuous monitoring process and tool established, the benefits, really, from my perspective, begin to flow across functions, and we've seen this now at clients of ours. First, one group that we often don't think about when we think about continuous monitoring is investigators. For investigations, your investigators now can access the underlying financial data in the application globally immediately after a whistleblower report, so they don't have to chase audit, finance, IT to get that data. And they're not accessing simply raw data – they're getting every transaction that's risk scored and heat-mapped, so that they can scope, begin and end their investigation far more quickly and less expensively than they do today. Our analytics engine also allows an investigator even to go further and apply a higher risk weighting to a third party or employee during and after their investigation to minimize continued leakage or fraud or other ongoing challenges stemming from that investigation. So that's just one example for investigators.
On the compliance-side, the whole risk-assessment process becomes far more data-driven than it is today where compliance teams really rely on surveys and other subjective data to identify markets and activities on which they should focus. All of that risk assessment work today takes a lot of time – it takes a lot of chasing down information from market finance and legal questionnaires and things of that sort. Continuous monitoring software can really automate a lot of that, and then can point compliance teams to far more granular and data-driven risk information by geography or by employee or by third party. So a compliance team may discover that they have a pattern of expedited payments to duplicate vendors in a very traditionally low-risk country, and then they can focus their efforts on addressing that risk in near real-time. And so, over time, that can also mean that compliance teams can shift their time and resources from certain preapproval and preclearance activities to really focused efforts around data. Data analytics could give a compliance team more comfort to remove themselves from preapproval requests and shift some of that accountability to the business because now they have more comprehensive data on the actual risks. And then, some of the time-intensive work of compliance teams of creating dashboards for the business and other stakeholders, that can also become completely automated, so that's another real ROI winner for us as well. Not to mention factoring in cost savings from reducing fraud, duplicating expenses, capturing duplicate vendors, etc. – the ROI savings can really be tremendous. Ultimately, my final point on this is there're a lot of companies that are already in the press and in conferences that are ecstatic about the ROI on these types of initiatives they've implemented, but even beyond those testimonials, you can start somewhere. You can start regional, you can start with pilots at a BU level and really prove out that ROI very quickly, and then you gain that internal momentum to turn this into a global platform over time.
Zach Coseglia: Let's dig in just a little bit more on this. So you mention investigators, you mention monitoring teams. We talked at length just a moment ago about the audit teams. You mentioned risk assessment. These are all the enabling functions. Now you did mention the benefits of the business in the form of better dashboards, but what about benefits to the business on the frontline, about putting better information into the hands of the people who are actually making decisions that are creating risk day in and day out – what does this give them?
Parth Chanda: Integrating these types of insights gained from a compliance continuous monitoring tool into the business really is the next frontier of where we think companies are going with this data. There are just so many downstream benefits to the business from this risk data that a tool like ours collects that ultimately can help them make better decisions and potentially save the company, enterprise-wide, a significant amount of money. One clear area is on vendor management – rationalizing vendors, minimizing high-risk vendors, which we talked about a little bit, but really just to put a finer point on that, compliance is always looking at their high-risk supplier, vendor, distributor base. Now if you can provide your business teams and your finance teams and your sourcing teams the risk data about where those suppliers and vendors are, where we potentially have an anomalous number of such high-risk third parties or anomalous payment amounts or frequencies, and maybe there's a larger number of high-risk third parties in the category than we need, the business, finance, sourcing teams can then for commercial reasons move to cut or rationalize that number down, centralize that spend in a fewer number or smaller number of vendors, which is, again, a huge win for compliance, but it's done all in the lens of commercial leads. So it's really a win-win, and so the business can then renegotiate contracts and they can save money both at the same time they're reducing risk exposure across the enterprise.
On top of that, when you look at some of the analytics in our library, the analytics themselves have a compelling business dimension, from my perspective, beyond the compliance dimension. Just one example that I like to talk about is the expedited payments analysis that we have, so that's a compliance risk. The company’s paying a vendor or reimbursing an employee – really on the vendor-side, paying a vendor a day after their invoice comes in. That's anomalous, it's suspicious – it fits a typical fraud corruption fact pattern, but there may just be a lack of training that's driving that, really no compliance issue. Maybe your finance team wants to know – I imagine they want to know that, so they can train their internal teams to actually pay your vendors on the negotiated payment terms, which are far longer than one day. Not too quickly because there's a time value to that money. When you really think about all of these little ways where you're unlocking data that can really help the business, there's all of these ways that the data can inform commercial decisions that at the same time can change behaviors that have an impact on compliance and risk, so while there can be significant cost benefits and ROI for the business, there's also that benefit for compliance.
Ultimately, the final point I'd reiterate is, the end result of these tools and having tools like this and data is really to give your compliance team much more comfort around the effectiveness of the program and where the risks truly are. What that equates to, in my opinion, is giving the compliance and control functions much greater ability to trust the business because the risk is much more objective, and those functions have a much better handle on where the risks are. And so, ultimately, what that can also mean is that compliance can loosen the reins on the business around a lot of the bureaucracy that the business is subjected to, a lot of the approval requirements, preapproval processes, which are sometimes a key pain point for the business. So if I now in compliance have real-time visibility into the risks for, let's say, charitable contributions globally, I may be able to focus my preapproval requirements to allow the business to go through fewer hoops in most cases, which really ultimately is a win for everyone. It's fewer hours spent by the business as well as compliance on the manual work of reviewing and approving those requests, but at the same time, the risk exposure level hasn't really changed and, if anything, it's improved for the company. So that's another, I think, key area where the business benefits from having more data.
Zach Coseglia: Yes, and it's about having more data. You've talked about the risk analytics, you've talked about the ability to do a more robust effectiveness analysis, but to me, there's almost something more basic, which is just more data. It's just knowing how much, knowing when, knowing who, in a way that, as much as we'd like to believe that that's readily available to all business people, it's often not. So I feel like there's this very baseline thing that you guys have created that shouldn't be understated, which is just communicating, as you guys say this from time to time, democratizing data for the business in ways that gives them all of these really sophisticated, wonderful analytics about risk, but is also just telling them how their business is operating. I don't want to undersell that – I think that that's huge.
Parth Chanda: I appreciate that, and I fully agree. Again, I think sometimes we get caught up on more data is always better. I also want to be clear – more data's not always better. I think a lot of approaches typically in this space have involved giving the business these massive dashboards, where it's just a scatter plot of all sorts of spend. These are your highest spenders – they're out here. These are your median spend vendors. Sometimes that's counterproductive because it's really closer to raw data that doesn't really give you a lot of insight, so tools like this apply that risk dimension. When you get that transactional scoring at a one-foot level, you can then extrapolate that data up and give your business really targeted, again, objective, risk-weighted data, which is beyond just giving them a dashboard to look at, where they're not going to know, “Am I supposed to look at this dot out here, or this dot our here?” If you get that risk layer on top where you've really identified and pinpointed the risks for them, that's really enabling the business to have data that's useful that they can really action.
Zach Coseglia: Let's go back to the investment-side of the ROI analysis. You and Kara have built something, and the rest of the team at Lextegrity, have built something that's really great, really special, and as you've said a couple of times, in ways that obviate the need for an analytics staff within compliance, but does the technology do everything? When you're assessing the cost-side of the ROI analysis, is it just the cost of the tech or are there other considerations as well?
Parth Chanda: Yes, you're completely right. An out-of-the-box configurable technology by its definition is not going to answer everything for you. We've built our technology so that it is highly configurable. I mean, there are some smart presets that we have in our application, but it is ultimately configurable, because monitoring programs should also be run on a risk basis and really targeted to your risks and configured to your risk. So you still need a team of internal stakeholders as well as advisers like the team at Ropes & Gray, who know our products well from prior joint client engagements who are going to really bring their advisory services coupled with our technology to really help you unlock the ROI and efficiency gains a lot quicker. Coupling our technology with your knowledge and expertise from a risk perspective is really what's going to enable you to accelerate both the adoption of the technology like this, as well as really targeting it and focusing it on the company's highest risk activities. So it's almost like going back to your point about our technology being out-of-the-box yet configurable – I think of Ropes & Gray as the same type of out-of-the-box yet highly configurable advisers. You bring a tremendous amount of compliance, analytics and risk assessment expertise from having advised hundreds of companies over the years on these exact risk areas, across industries and within industries, deep within industries. So then you can tailor that advice, that baseline advice to the specific company you're representing to really help them understand what are the high-risk GL categories that we see in this industry? What are some of the patterns that we've seen in your investigations, as well as other peer or company investigations? We're going to then take the power in our tool of configuring those analytics and really bring that knowledge expertise of both your client, as well as the industry as a whole, and really bring those to bear to really target those analytics to be the most effective. From my perspective, it's really a compelling combination, the one-two punch that really enables companies to make the best use of these types of tools.
Zach Coseglia: Terrific, Parth. I literally could not agree with you more – this is the future of compliance. It's not, as you say, in building bigger armies of compliance and risk professionals or auditors or monitoring teams. It's about shifting the analysis from the after-the-fact risk spotting to before-the-fact risk prevention. When done right, when a commitment is made to developing tools like yours that actually advance the ball in this space, it will lead to leaner compliance teams, to more efficient programs, and ultimately and maybe most importantly, to more thoughtful risk-based decision-making, more risk-aware internal constituencies, and therefore, better compliance. We hear folks talk about shifting accountability to the business, which is a good idea, but it's also a bit of a hollow aspiration when it's not accompanied by tools like this that actually empower accountability and that empower ownership. With that said, I think this is actually a really perfect place for us to wrap things up, and for me to thank both of you for joining us for this discussion – it's been really great. And thanks to all of our listeners. For more information about this or anything else that's going on with R&G Insights Lab, please visit the R&G Insights Lab website at www.ropesgray.com/rginsightslab. For more information about Lextegrity, go directly to their website at www.lextegrity.com. If we can help you navigate any of the topics we discussed, please don't hesitate to contact us – we're here and looking forward to hearing from you. You can also subscribe to this series wherever you regularly listen to podcasts, including on Apple, Google and Spotify. Thanks again for listening.