Minimizing Time Spent Identifying FCPA Compliance Risks And Maximizing Time Spent Mitigating Them
A recent study found that 45% of respondents who handle risk compliance believe they spend too much time trying to locate issues. It certainly makes you wonder: If you spend all your time looking for risk, how much time to you have to mitigate it? Finding business risk is only part of the problem. The whole purpose of finding these risks is that you reach them in time to stop them. Financial compliance can make this difficult, due to a complex and seemingly ever-changing set of laws. That’s why some choose to leave the finding of that risk to technology and devote their human resources to stopping it.
Automated checks and balances can be your first line of defense in defending your company from compliance issues. Whether there are concerns regarding FCPA violations or FINRA compliance, technology that’s capable of thinking logically can be leveraged. The key is to remember that this technology is a tool and not an outright solution.
The Challenges in Managing Compliance Risk
It used to be the only way to mitigate compliance risk in the financial world was to hire more staff. That opened up a risk in and of itself. Employees cost money, limiting the money that can be used to grow company wealth. At the same time, employees represent their own risks, as much of the issue with compliance comes from human error, whether intentional or not. Compliance risk management is generally made up of three key areas:
- Incident Management – This is the process through which systems can be used to analyze high-risk activities, like an employee attempting to make an unauthorized withdrawal or signing on to a system that isn’t approved. This can get extremely complex at a large globalized company, and many of these incidents are false flags. Someone not trying to exceed their authority could have simply misplaced a decimal point. Someone signing on to an unauthorized system may not have been aware they were unauthorized. IT professionals don’t have time to individually check every one of these issues.
- Internal Auditing – Internal auditing is supposed to be a safeguard in compliance risk, but in some cases it can create more problems than it prevents. These auditors are there to monitor for and eliminate business risk. However, when done incorrectly, these audits can have a domino effect, causing issues to go unresolved and even result in fines and penalties due to poor record keeping. Again, for a large, multi-national company, this is a very real possibility.
- Operational Risk – The risks your employees and third-party vendors expose you to all fall under this category, as does pretty much everything else. Operational risk is simply the risk that you get due to standard, everyday business. Because it’s such a broad category, it’s also one of the most difficult to monitor for.
All of these risks are risks that need to be constantly monitored for. This task often proves cumbersome and difficult to manage when you consider that millions of transactions at one large company a day are possible. That means leveraging technology to locate risk so you can spend less time monitoring for it and more time mitigating it.
Using Cognitive Tech to Find and Minimize Compliance Risk
Consider this scenario. An employee in accounts payable has authority up to $500 to make payments to foreign authorities under the financial code “facilitation payments.” Then, that employee is in a hurry, not paying attention and accidentally enters a payment for $5000. The payment doesn’t go out. Instead, this triggers a compliance alert. The employee’s supervisor is notified and the compliance officer opens an investigation. After several hours, it’s determined that this was a simple error. However, because the system isn’t intelligent enough to understand this, it creates alerts that must be cleared.
Now, consider an opposite scenario. An employee has authority to make payments up to $500 with no daily limit. They decide to cover up a bribe they’re planning on making using the facilitation code and they cut ten checks, over ten days, never exceeding their authority. The system is never triggered at all because it’s not intelligent enough to see a problem.
The issue in the past was that technology, while smart, wasn’t intelligent. It might have been able to read data but it couldn’t put that data into context. Context is the key to mitigating risk. That’s why to improve your risk detection, you need to:
- Prioritize – Prioritizing risk is the first step to mitigating it. For example, a good compliance system would have looked at the first two scenarios mentioned. They would have put the issue with the $5000 check as a low priority, knowing from experience that this was likely a technical error. On the other hand, that second scenario would have received a high-risk mark, as the pattern clearly shows an attempt to game the system.
- Review – Actionable follow up means there’s a specific process in place for every possible scenario. A low-risk instance would have only notified a direct supervisor to double check the issue. The higher risk second scenario would have received a compliance alert.
- Act – A good program will ensure that the issue like the first one stops at the supervisor. The second one however, is reason for additional concern. Someone attempting to get around the system to send out payments is likely already involved in something shady. At that point, you’d want to create a more in-depth investigation.
The trick is to use your technology to lessen your work, not create more. The above two scenarios are very common. More often than not, a compliance issue is a mistake. However, sometimes it’s a real issue. Intelligent tech can tell you the difference.
Remote Risk Assessment (RRA) is an example of the intelligent tech you can use to improve your investigation efficiency. Our system is dependent on biometric data, combined with an automated telephone interview process, to find areas of high risk in an organization. For more information on how RRA could work with your business, contact Clearspeed.