Executive Briefings

Spotting Unknowns in a Sea of Data & Separating Critical Compliance Risks from the Noise

Former U.S. Secretary of Defense Donald Rumsfeld famously addressed the absence of evidence of weapons of mass destruction in Iraq with a statement that was oddly prophetic for today's global business:

"There are known knowns; there are things we know we know.  We also know there are unknowns; that is to say we know there are some things we do not know.  But there are also unknown unknowns - the ones we don't know we don't know."

Fast-forward nine years and the vast majority of multinational corporations are now fighting their own battle with unknown unknowns lurking in their global supply chains.  The phenomenon is the result of dueling trends: as more firms expand into high-risk emerging markets, governments have ratcheted up their enforcement of anti-bribery laws.

According to data tracked by the law firm Gibson Dunn & Crutcher, the number of Foreign Corrupt Practices Act (FCPA) enforcement actions increased 85 percent from 2009 to 2010, with 48 new DOJ cases and 26 new SEC actions filed.   In total, companies paid a record $1.8bn in financial penalties to the DOJ and SEC in 2010, according to data from both agencies.

Multinationals have responded with an aggressive ramp-up of compliance efforts complete with data and analytics on everything from vendor background checks to regional country risk monitoring.  The result?  As The Wall Street Journal reported in September, "Companies are being inundated with data... But many managers struggle to make sense of the numbers."

In our work developing anti-corruption screening programs for hundreds of large and mid-market multinationals over the last several years, we have found that the data overload problem is most frequently the result of decentralized data management processes that have not been standardized across an organization. Too often, the process of screening and monitoring international fraud risk is done manually with e-mails back and forth to third-party vendors, documents stored in a variety of locations and individuals in different business units following different processes.  Thus, despite a surfeit of available data, companies are missing key red flags through simple mismanagement of resources.

A four-step data management process can help multinationals standardize screening and spot unknowns more effectively:

1. Define a Third-Party Screening Policy: Amazingly, many multinationals are collecting terabytes of data from their global operations with no unified corporate policy on how to use that data across the organization.  The first step in any risk management project of this scale is to clearly define the key criteria a company is screening for, the notification rules that apply when red flags are found and the specific report types that will be produced worldwide.  Without this core set of guiding principles, companies are bound to quickly become slaves to their data.

2. Build a Centralized Online Database: A typical multinational operating in high-risk emerging markets will have thousands of vendors and agents working on its behalf.  Basic background checks on each of these entities would create an overwhelming data deluge without standardized processes.  By hosting all third-party screening data in a secure, encrypted, centralized database, it is possible to set up rules for easy review.

3. Standardized Reporting: The only way to accurately analyze the myriad of different red flags that crop up around the world is to use a consistent reporting structure.  To be useful, third-party screening reports must report the same data in the same order globally.  This includes global compliance database checks, adverse media in the local language on the company and its management, address history, corporate registry information, civil court checks, criminal court checks, bankruptcies and several others in a uniform format.  A company must agree on what it is screening across the organization and stay consistent in its approach.

4. Annual Review: Risk profiles change over time, making it important to regularly screen third parties for any changes in their structure, management team, lines of business or regions of operation.  Ideally, the review process should be initiated annually.

When it comes to systematically identifying potential fraud risks before they result in enforcement actions, there is no shortage of data.  The key to a successful compliance program is accessing the correct data to analyze threats and draw clear conclusions.

Source: Kroll Associates
