I conclude my week-long exploration of the intersection of Sherlock Holmes, innovation and compliance by asking: is your compliance function ready for a digital future? For if it is not, not only will you fail as a Chief Compliance Officer (CCO) in your role as a leader, you will fail in your role as a compliance practitioner in helping your company do business ethically and in compliance; you will also not be able to demonstrate the effectiveness of your compliance program as now required by the Department of Justice (DOJ).

Today’s blog post is informed by The Adventure of the Copper Beeches, which contains the line: “‘Data! Data! Data!’ he cried impatiently. ‘I can’t make bricks without clay.’” In this story, Violet Hunter, a governess, is paid an outrageously high salary to cut her waist-length hair short, wear a blue dress and sit with her back to the gardens of the estate. She is forbidden from one wing of the manor and of course, the owner and staff are all eccentric. Holmes and Watson arrive to discover not a mad woman in the attic but the owner’s step-daughter being starved and tortured so she would sign over the inheritance her deceased mother had left her, which her step-father wants to purloin. Holmes and Watson free the daughter and the owner’s starved Mastiff attacks and mauls him. Holmes’ point in this quote was that one cannot draw solid conclusions without data, much the same as you cannot build solid bricks without clay. The materials you use to build your business are just as essential as, or even more essential than, your expected outcome. You need the right data, from the right people, on the right platform before you can expect any type of return.

Yet it is this need for data that drives Holmes. One thing that has been made clear about the current compliance profession is that it has evolved considerably and the need for data and its accurate interpretation is even more paramount. Hui Chen and Eugene Soltes, writing in a Harvard Business Review (HBR) article entitled “Why Compliance Programs Fail—and How to Fix Them”, discuss the use of metrics to help design and evaluate compliance programs. They stated, “simple univariate metrics will not adequately capture a program’s effectiveness. Successful compliance engineering requires some creativity, some testing, and careful model design to appropriately measure outcomes.” This means data, data, and data.

Are you, as a CCO, ready for this innovation and, more importantly, is your compliance program ready for such rigor? In an MIT Sloan Management Review article entitled “Is Your Company Ready for a Digital Future?”, authors Peter Weill and Stephanie L. Woerner explored pathways that businesses can use to become more efficient in the digital future. They apply equally to a corporate compliance function.

The authors note, “Future-ready enterprises are able to innovate to engage and satisfy customers while at the same time reducing costs. Their goal is to meet customers’ needs rather than push products, and customers can expect to have a good experience no matter which service delivery channel they choose. On the operations side, the company’s capabilities are modular and agile; data is a strategic asset that is shared and accessible to all those in the company who need it.” If you substitute “employees” for “customers” in that quote, you have a very good description of a future focused compliance program.

The problem generally is that compliance services are supported by a complex set of business processes, systems, and data. The result is a fragmented, labor-intensive, and frustrating employee experience, often made worse by product silos within the company. The authors identify four ways to achieve a better digital future. The first is to standardize your platforms so that compliance solutions can be delivered. This manner allows a more integrated service experience for the employee. It requires a strong design for your compliance solution with input from your users for their experiences. This is a feedback loop system, feeding information back into your compliance system, in a continuous loop allowing for continuous improvement.

The second approach is improving your employees’ experience first through a more integrated approach to operationalizing compliance. It can include such non-compliance concepts as more mobile apps and access to more useful websites, improving compliance communications through a greater speak up culture and empowering relationship managers, all with the goal of improving your employees’ compliance experience. This ties into Chen and Soltes’ discussion of whether compliance training works to prevent misconduct and reinforce a company’s ethical values.

The next approach is to tie the operationalization of compliance to the business objectives. Obviously doing business ethically and in compliance should be a standard business objective but if your compliance program can help the business run more efficiently and then more profitably, it will certainly take your compliance program to the next level. The authors note, “With this approach, the difference between success and failure is having a road map that informs everyone’s efforts versus taking a haphazard approach. The best way to tell the difference is to ask a manager how a specific project fits into the overall plan. The advantage is that the steps, which consist of tightly coordinated sets of projects, are smaller, reducing risk.”

Whichever route your organization might take to more robustly embrace a digital future, the real work will begin after you decide how to proceed. You will need to have stick-to-it-ness which will require real commitment not just from yourself as the CCO but also the Chief Executive Officer (CEO), senior management and the Board. Then all company stakeholders will need to understand where compliance is going and how it plans to get to that digital future. Finally, the authors state “the digital era is a great opportunity for leaders to reinvent the enterprise. The most successful enterprises will need to become future-ready and ambidextrous — constantly innovating to improve customer experience while also working to reduce costs.”

I would add that if you do not embrace the digital future for compliance, not only will your company not have a documented, effective compliance program; you, as a CCO or compliance professional, will likely be consigned to the dustbin of those left behind. Innovation in compliance is here to stay; embrace it or you will be overtaken.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2018

The top compliance roundtable podcast is back with a wrap-up and review of the first year of the Trump Administration and its impact on the compliance profession. Stay tuned to the end for riffs and rants in this edition.

  1. Is Jay Clayton who we thought he was? Matt Kelly takes a look at SEC Chairman Jay Clayton and explores some of the SEC’s changes, initiatives and what did not change. Matt riffs on the new compliance officer comedy, which will be piloting on FX television. 

For Matt Kelly’s musings on Jay Clayton, the PCAOB, government rule-making and the SOX compliance debate, see the following: 

8 Compliance Events to Watch in 2018

Clayton, Congress Talk Cybersecurity

The Private Market Stresses Driving SOX Compliance Debate

Framing the Arguments Over SOX Compliance

Treasury Report Eyes SOX Compliance

Regulatory Czar Eyes Agency Guidance

COSO Names New Chairman 

  2. Mike Volkov summarizes the Mueller investigation, using a timeline to highlight where it has been, key pleas from key players and where it may be going. Belying his normal contrarian state, Mike relates how doing yoga has put him in a blissful state.

For Mike Volkov’s excellent 3-part podcast series on the Mueller investigation and related blog posts, see the following: 

Obstruction of Justice-A Primer

Understanding Special Counsel Mueller’s Authorization

Perspective on the Russian Investigation — Analysis and Review of Manafort/Gates Indictment and Papadopolous Plea (Part I of III)

Perspective on the Russian Investigation — The Michael Flynn Plea Agreement (Part II of III)

Perspective on the Russian Investigation — Next Steps for Special Counsel Mueller’s Investigation (Parts III of III) 

  3. Did anything really change over the past year for the compliance practitioner? Jonathan Armstrong considers what really changed in the world of anti-corruption compliance under the Trump Administration and answers with a resounding Not Much. Jonathan Armstrong rants on Hudson’s News stores at airports which inevitably do not have anything Traveler Armstrong needs.

For the Cordery Compliance client alerts see the following: 

EU Conflict Minerals and Metals Regime

Bribery Due Diligence

Disruptive Technology Start-Ups & The Need For Legal Compliance

New Schrems Case Poses a Threat to International Data Flows? 

  4. In a year where it appeared not much happened in the FCPA, Jay Rosen says the new FCPA Corporate Enforcement Policy is a significant step forward for compliance. Jay Rosen rants on his New England Patriots Super Bowl loss.

For Jay Rosen’s post on the new FCPA Corporate Enforcement Policy see the following:

Jay Rosen’s Most Significant FCPA Event from 2017 – FCPA Corporate Enforcement Policy (or a 5 Min History of How We Got From There to Here) 

The members of the Everything Compliance panel include:

  • Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com

I continue to explore the intersection of Sherlock Holmes, innovation and compliance by starting today with the story The Adventure of Silver Blaze. In this story a valuable race horse is stolen just before the big race in which the owner has literally bet the estate to try and get himself out of debt. If Holmes and Watson cannot find the stolen horse, the owner, Colonel Ross, will lose everything he owns and be forced to declare bankruptcy. The story informs today’s post on interpreting data.

Interestingly, this matter turns on a clue which was not present, the “curious incident of the dog in the night-time”. Because the barn’s guard dog did not bark, Holmes is able to deduce that it was the Stable Foreman who stole the horse, hoping to hobble it with a slight hamstringing. Holmes notes that because the dog did not bark, no stranger was present. As Holmes explains: “I had grasped the significance of the silence of the dog, for one true inference invariably suggests others…. Obviously, the midnight visitor was someone whom the dog knew well.”

I thought about the insight that the clue which was not there was the clue itself when considering another innovation in compliance, which has largely bedeviled compliance practitioners. Today’s blog post is informed by two articles from the MIT Sloan Management Review, “Is Your Company Ready for HR Analytics?” by Bart Baesens, Sophie De Winne and Luc Sels and “Why Big Data Isn’t Enough” by Sen Chai and Willy Shih (‘Big Data’ article).

Obviously, data analytics can be a valuable tool for the Chief Compliance Officer (CCO) or compliance professional. Yet many wonder not only what the data might mean but what it might not mean. Another issue is how to leverage it for your key compliance customer base: your employees or, as the Department of Justice (DOJ) would say, to operationalize your compliance program. One key insight is that you must match up your data to areas not often considered by the compliance professional, the employee network dynamics. This can be as straight-forward as an international subsidiary’s employees’ loyalty which is to their local organization and not to the US corporation. This can not only help shape behaviors but can place a cohesive band around the compliance insights you might receive and try to implement.

The next area is around the concepts of big data and data analytics. These are not simply panaceas. They are certainly valuable tools, but they do not make the decisions for you. It is not simply that the greater the amount of data, the more robust the insights and findings. Compliance professionals need to have some caution about the limitations and proper use of data analytics. Moreover, just as your business and operational conditions evolve and change, you must realize the data you are considering is a static shot-in-time, so the compliance professional must interpret the data based upon such factors as compliance expertise, knowledge of the problem and your organization. This interpretive role is akin to Holmes understanding the lack of an event, a dog barking, as a significant factor. This means you must apply some insight to the lack of hotline calls beyond simply believing there is nothing untoward out there to report.

Always remember that statistical performance itself is not the goal but the insights you can draw from the data. Interpretability for the compliance professional means that any compliance decision to operationalize based upon data analytics should be properly motivated and can be explained simply to all stakeholders involved; literally from the Board Room, to senior and middle management all the way down to the front-line troops who are fully operationalizing the insight. This move towards simplicity discourages the use of overly complex analytical models that focus more on statistical performance than on proper business insight. For compliance to succeed beyond the simple legal response to laws, such as the Foreign Corrupt Practices Act (FCPA), and move into a true business enabler, this type of simplicity is required.

Finally, you must be aware of internal biases in your data and work towards testing your data insight with those who will implement the solutions. You must be aware of deviations and that they might mean nothing going forward. The Big Data article stated, “A pitfall in studying large datasets with billions of observational data points is that large deviations are often more attributable to the noise than to the signal itself; searches of large datasets inevitably turn up coincidental patterns that have no predictive power.” Ben Locwin refers to this as “white noise”. In his paper entitled “Better risk-based thinking will help produce better risk-based monitoring”, he notes that for the compliance officer the issue is that “you need to know what to fix first; and this usually goes wrong in the form of companies being unable to differentiate the signal from the noise. To not do it properly leads to a lot of organizations that I’ve seen expending a tremendous amount of resource and capital on trying to fix what actually isn’t the problem.”

This leads to the next interpretive problem, that of false correlations. The Big Data article noted, “It’s important to recognize that the number of data points required for statistically significant results needs to increase as the number of variables grows. Otherwise, there will be a greater risk of false correlations.” The authors concluded, “researchers must be mindful of both sample size and sample variation.” I certainly recognize this is not an area many lawyers received training in but it points to the need for every compliance practitioner to work with their internal data resources.

Finally, compliance professionals need to be aware of the systematic biases in simple data collection. This can most easily show up when your data comes from disparate sources, if it has been collected from different technologies, at different times or simply aggregated from multiple sources. You must find a way to standardize this data so you can remove any distortions. Moreover, the average lifespan of your data model may be only two to three years. However, given the impact of compliance decisions on both the company and its employees, you will need to take feedback and loop it into your model going forward. From the theoretical approach, it is important that analytical models are constantly backtested by contrasting the predictions against reality, so that any degradation in performance can be immediately noticed and acted upon. The DOJ would call this feedback, where you take information from your designed program and loop it back into your compliance program on a regular basis.

Whether your interpretive basis is an algorithm or the well-practiced eye of a seasoned compliance professional, the mining of large corporate databases for insights to improve a compliance program will continue. Sometimes the answer will present itself to you but sometimes you will need to ascertain why the dog didn’t bark by delving more deeply to come up with an appropriate solution.



In this episode Matt Kelly and I go meta as we podcast about another podcast that Matt posted this week on his site, Radical Compliance, where he interviewed Paul Sobel, the incoming Chairman of COSO. We discuss how Sobel sees his new role at COSO, some of the initiatives that he has in mind for the organization and how companies can use the various COSO frameworks, including the Internal Controls and ERM frameworks, to better manage risk from the strategic perspective.

We use the Sobel interview as a starting point to consider how Boards of Directors can think about risk management for a wide variety of issues, from climate change to cybersecurity to sustainability. We also discuss how the COSO frameworks can be used in conjunction with more tactical forms to create a more robust overall risk management program. Join Matt and myself as we go meta this week and take going into the weeds to a new level.

For Matt Kelly’s interview with Paul Sobel click here.

For Matt Kelly’s blog post on the COSO ERM Framework see, “COSO Debuts Final ERM Framework”

For Tom Fox’s blog post on the COSO ERM Framework see, The COSO ERM Framework

I continue my innovation-themed blog week, overlaid with a Sherlock Holmes premise. Today I use The Adventure of the Speckled Band to introduce the topic of the Chief Compliance Officer (CCO) as a data translator. This Holmes tale is a particularly grim tale of patricide by a step-father against his two step-daughters who will inherit their deceased mother’s fortune when they marry. The story takes place some two years after the older sister died on her wedding night, her last gasping words being the speckled band. Now her younger sister is betrothed and will marry soon. Her step-father moves her into the room in which her older sister died, which is one of the clues Holmes finds “suggestive”.

When it comes to the physical clues present in the room, Holmes initially deduces that there is a dummy bell cord hanging just above her bed and a ventilator which opens into the adjacent room, of which he says, “They seem to have been of a most interesting character — dummy bell-ropes, and ventilators which do not ventilate.” At the end of the story, Holmes explains, “My attention was speedily drawn, as I have already remarked to you, to this ventilator, and to the bell-rope which hung down to the bed. The discovery that this was a dummy, and that the bed was clamped to the floor, instantly gave rise to the suspicion that the rope was there as a bridge for something passing through the hole and coming to the bed. The idea of a snake instantly occurred to me, and when I coupled it with my knowledge that the doctor was furnished with a supply of creatures from India, I felt that I was probably on the right track.”

All of this demonstrates Holmes’ ability as a data translator. In an MIT Sloan Management Review article entitled “Why Your Company Needs Data Translators”, authors Chris Brady, Mike Forde and Simon Chadwick explore this issue. The authors find a “persistent cultural divide between the decision makers on the field and the data analysts who crunch numbers off of it.” They suggest various strategies to overcome this divide, which they call “the interpretation gap”. However, I found their analysis prescient for the CCO or compliance practitioner as their remedies speak directly to many of the strategies a CCO or compliance practitioner could employ.

The first is data hubris and while this is not something that most CCOs or compliance practitioners necessarily engage in, the underlying causes do often afflict compliance professionals. The authors refer to a 2014 Science article by David Lazer and co-authors, who described it as the “implicit assumption that big data are a substitute for, rather than a supplement to, traditional data collection and analysis.” To overcome it, compliance professionals need to understand what R. C. Buford, the General Manager (GM) of the San Antonio Spurs, calls the “alignment of multivariable—the eyes, the ears and the numbers.” In other words, it is not just about the data but the human interpretation and then use of the data.

Next is decision-making biases. The authors identify two: the overconfidence bias and the emotional bias. The first occurs when you believe your process will help you to make the decision. This is most clearly seen in talent evaluation for pro-sports teams. As recently as this year, the Number One pick in the National Basketball Association (NBA) cannot shoot the basketball outside the lane. It may be he was injured when drafted, had a mental block or simply lost his ability to shoot the ball. It really does not matter but all the prognosticators on the Philadelphia 76ers who pushed to trade up to draft him in the first slot were wrong. Emotional bias occurs “when the decision maker lets the outside noise influence his decisions.” Whatever that noise is, the decision maker needs to silence it.

The next obstacle a compliance professional must overcome is to speak the language of data or at least data analysts. This language must then be translated for senior management so they understand the compliance risks involved. Here the authors suggest “replace[ing] standard reporting techniques with approaches that bring otherwise dry information to life. These approaches include data visualization, process simulation, text and voice analytics, and social media analysis.” The authors noted, “There’s more to effective translation than simply rendering scientific language in plain terms. The best translators also frame the information in a way those receiving the translation will find useful. In the plainest language, a translator must ask one blunt question: How does this data help the person I’m speaking to?”

The authors then posed a list of skills they believe a data translator needs in today’s business environment. I have adapted the list for the CCO or compliance practitioner.

  1. Sufficient knowledge of the business side to pass the “street cred” test with executive decision makers. This means more than simply being able to read a spreadsheet but understanding your organization’s business processes;
  2. Sufficient analytics knowledge – or a willingness and ability to acquire it – to communicate effectively with the organization’s data scientists. As data analytics are not taught or even valued in law school education, if you are a lawyer, you will have to work on this going forward;
  3. The confidence to speak the truth to executives, peers, and subordinates. Hopefully your organization values and respects your voice as a CCO. If not, you certainly have larger problems than poor data translations;
  4. A willingness to search for deeper knowledge about everything. Look at any great CCO and you will find someone who is infinitely curious;
  5. The drive to create both questions and answers in a form which others in your organization find accessible and, most importantly, useful;
  6. An extremely high sense of quality standards and attention to detail. This is probably a defining quality of most lawyers; and
  7. The ability to engage at team or organizational meetings without being asked for input. As a CCO or compliance professional, you have to be willing to speak up if something has gone off track.

The authors end with two techniques which lend themselves to greater CCO communication skills. The first is to connect with decision makers through questions and not assertions. It is a developed skill to use data to set up questions which allow senior management to “come up with the answer, ostensibly by themselves.” The final insight is to use the data to create stories. Storytelling in compliance is a favored technique which I hope will improve your overall corporate compliance program.

By using some or all of these techniques, a CCO or compliance practitioner should be able to bridge the gap often seen between data and the final decision. One of the clear themes of this week-long exploration of the intersection of innovation and compliance (overlain by Sherlock Holmes) is the need for the human experience with technological innovations. The same is true with data, its analysis and translation.
