We are back to consider the next five stories from The Casebook of Sherlock Holmes, mining each story for themes and lessons related to the compliance professional, leadership and business ethics. For the fourth offering, I consider The Lion’s Mane. This is one of two stories narrated by Holmes himself and not reported by Dr. Watson. The final problem solved informs today’s discussion that it is risk-based monitoring which allows a person (or company) to operate safely so that no injury occurs.

Holmes is enjoying his retirement in Sussex when one day at the beach, he meets his friend Stackhurst, the headmaster of a nearby preparatory school called The Gables. Almost immediately the science teacher, Fitzroy McPherson, staggers up to them, clearly in agony and wearing only overcoat and trousers. He collapses, manages to say something about a “lion’s mane” and then drops dead. He is observed to have red welts all over his back, possibly administered by a flexible weapon of some kind, for the marks curve over his shoulder and round his ribs.

Moments later, Ian Murdoch, The Gables science teacher, appears. Murdoch is an enigmatic fellow with an occasional bad temper who once threw McPherson’s dog through a plate-glass window. Although Murdoch is suspected, he has an alibi. Subsequently, Murdoch is also seen with the same welts on his back and in dire health. It turns out he had been swimming in the same pond where both McPherson and his dog had been seen. Holmes returns to the pond and finds the deadly Cyanea Capillata or Lion’s Mane jellyfish whose tentacles wrap around their victim and administer toxic poisons.

Yesterday, I considered The Creeping Man as an introduction to risk management and compliance at the very top of an organization. Today I want to discuss risk-based monitoring. Ben Locwin has stated, “Risk-based monitoring is really about continuous, ongoing monitoring for those things which provide the most potential future risk to you. In other words, instead of a static risk registry that may come in part with forecasting, where you would say, “We’re trying to anticipate these risks.” By using risk-based monitoring to review issues on an ongoing basis, and the models that are behind the risk-based modeling, risk-based monitoring models, they’re continuously refined based on incoming data.”

The problem for many companies is they are siloed in not only their data but also in the systems. Locwin explains that because of the disparity of data systems, “They may not be tracking rigorous, quantified information all the time.” He cited to an example from the pharmaceutical world where a company could well have 50 worldwide sites where a drug product is being tested. Some patients receive a placebo and some patients receive the medication being tested. “As data comes in you begin to note patterns in certain patients and groups, which might actually point towards a variety of testing errors by physicians administering the test.”

By using risk-based monitoring, you can begin to see things in “almost real-time, time-based trends of real data that you can then jump on and try to make adjustments before things get really wacky.” The implications to the compliance practitioner? Having access to information around sales, the sales process and corporate largess in areas from corporate social responsibility work, to gifts, travel and entertainment, to conferences for customers and end users. With such risked-based monitoring a compliance professional has the opportunity see trends developing which could allow an intervention for a prescriptive solution which could prevent an issue from becoming a Foreign Corrupt Practices Act (FCPA) violation.

Yet, Locwin cautioned that compliance professionals should guard against bias. In an article, entitled “Be Careful When Appraising Industry Trends”, he stated, “Social media has rapidly accelerated the agility with which the public can change allegiance and direction. It used to be that when information dissemination was slower and more compartmentalized within regions and market segments, that the market resistance to fluctuation was more robust. Now well-placed advertising, social commentary, or public response to corporate missteps can swirl into a maelstrom of market changes within hours that is agnostic to region or market segment.”

In today’s world, the speed at which reputational damage reigns out can overwhelm a corporation’s ability to respond. Here one might consider Wells Fargo and how fast the situation spun out of control for them after its $185 million fine was announced. It is using risk-based monitoring, which allows for this almost real-time input, that a response to a forecasted, assessed or even unassessed risk can be developed. In the compliance world, such tools could be brought to bear when considering not only the expense side of such areas as gifts, travel and entertainment but also sales side data. This could be internal company data on its own salesforce and also information developed from or concerning your third-party sales team.

In Locwin’s primary world of pharmaceutical testing and product development, the need for such real-time information can be more critical. Yet, through the development of these techniques as compliance tools, the compliance profession can add value to an organization by using risk-based monitoring. With the plethora of data on where and how corruption is likely to occur, coupled with meaningful sales and expense data, the compliance professional should be able to move from detect to prevent to prescriptive compliance solutions to prevent legal violations.

Finally, the beauty of all these techniques is that they are tools that can make companies more efficient and, at the end of the day, more profitable. They also move compliance into the fabric and DNA of an organization or to use another well-worn phrase, operationalize compliance. The Department of Justice (DOJ) has made clear what it expects around the risk management process. You need to develop your response now.

Join us tomorrow as we mine the story of The Veiled Lodger for its compliance lessons.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2019