
The Muppet C-Suite: A Compliance Professional’s Guide to Culture, Controls, and Chaos Part 3: Gonzo as Chief Innovation Officer: Innovation Without Governance Is Just Operational Risk

This week we are honoring the return of The Muppets for a 2026 Special Edition. I thought it would be fun to look at business leadership teams through the lens of The Muppets. Every compliance professional has worked with a Kermit, managed a Piggy, worried about a Gonzo, or tried to contain an Animal. This series uses the Muppet executive team as a framework to explore leadership, governance, innovation, operational risk, and corporate compliance through the lens of the DOJ’s Evaluation of Corporate Compliance Programs and modern governance expectations.

Every company eventually hires a Gonzo. Not literally, of course. But every organization eventually encounters someone who believes the limits of the possible are merely suggestions waiting to be ignored. That is Gonzo. He is creative, fearless, experimental, unconventional, and absolutely convinced that launching himself out of a cannon remains a reasonable business strategy despite overwhelming evidence to the contrary. Naturally, he becomes the Chief Innovation Officer.

At first glance, Gonzo appears to represent innovation at its most dangerous. He ignores procedure, embraces uncertainty, and treats risk as entertainment. But beneath the chaos sits a lesson that modern compliance professionals urgently need to understand: innovation itself is not the problem. The problem is innovation without governance.

That distinction matters enormously in today’s corporate environment, where organizations face relentless pressure to adopt the following:

  • artificial intelligence,
  • automation,
  • advanced analytics,
  • digital transformation,
  • agentic AI, and
  • emerging technologies that often evolve faster than governance structures can respond.

In other words, many organizations are currently operating inside a large-scale Gonzo experiment.

Gonzo Represents Innovation Pressure

One overriding instinct drives Gonzo: pushing boundaries. That instinct exists in virtually every modern enterprise. Boards demand innovation. Investors reward disruption. Executives fear being left behind by competitors. Product teams move quickly. Technology leaders promise transformation. Vendors insist their tools are revolutionary. The result is predictable: governance often lags behind implementation.

This is exactly the environment the DOJ’s ECCP increasingly expects organizations to manage. Prosecutors now ask whether compliance programs can identify and respond to evolving risks. They also ask whether organizations adequately understand the technologies they deploy and the risks those technologies create. In practical terms, the government is asking:

“Do you know where your Gonzos are?” Many organizations do not.

The Problem Is Not Innovation. It Is Uncontrolled Innovation.

Too many compliance discussions frame governance and innovation as opposing forces. That is incorrect. Good governance should enable innovation by allowing organizations to experiment responsibly. The objective is not to stop Gonzo from inventing new things. The objective is preventing Gonzo from accidentally detonating the theater during testing. This distinction becomes critical in AI governance.

Consider what often happens inside organizations:

  • business units adopt generative AI tools without approval,
  • employees upload sensitive data into external systems,
  • procurement bypasses security reviews,
  • automated decision systems are deployed without testing,
  • vendors market “AI-powered” solutions nobody fully understands,
  • and leadership assumes innovation itself justifies the risk.

That is not a transformation. That is unmanaged operational exposure. Gonzo would absolutely deploy experimental AI tools without reading the documentation. He would also enthusiastically demonstrate them during a live performance before anyone completed legal review. Many companies are doing exactly that right now.

Shadow AI Is the Modern Gonzo Problem

One of the most significant emerging governance risks is shadow AI: technology adoption occurring outside formal oversight structures. This happens because innovation pressure rarely waits for policy development. Employees want efficiency. Business units want speed. Executives want results. Vendors promise a competitive advantage. Eventually, someone says:

“We cannot afford to fall behind.”

At that point, governance often becomes reactive rather than proactive. The compliance challenge is not preventing experimentation. It is creating governance structures that enable safe experimentation. This is why mature AI governance programs increasingly rely on:

  • approved use-case inventories,
  • risk-tiering frameworks,
  • data-governance protocols,
  • human oversight requirements,
  • testing standards,
  • escalation procedures,
  • and continuous monitoring.

Or, stated differently:

Someone needs to verify whether Gonzo’s cannon is aimed at the audience.

Innovation Requires Documentation

One of Gonzo’s defining traits is enthusiasm without paperwork. That creates a governance problem. The ECCP repeatedly emphasizes documentation, testing, continuous improvement, and evidence-based compliance. Organizations must demonstrate not merely that policies exist, but that controls operate effectively in practice.

Innovation functions often struggle here because innovation culture tends to prioritize speed over documentation. This creates dangerous blind spots:

  • unclear accountability,
  • undocumented approvals,
  • undefined ownership,
  • missing testing records,
  • inconsistent monitoring,
  • and inadequate escalation procedures.

If the organization cannot explain:

  • why a technology was adopted,
  • who approved it,
  • how risks were assessed,
  • what controls exist,
  • and how effectiveness is monitored,

then the organization does not truly govern the technology. It merely hopes for the best. Hope is not a control.

Gonzo and the Myth of the Brilliant Exception

Another important compliance lesson emerges from Gonzo’s personality itself. Organizations often tolerate elevated risk from highly creative or high-performing individuals because leadership perceives them as uniquely valuable. This is a dangerous governance instinct.

Every major corporate failure eventually contains some version of:

  • “We assumed he knew what he was doing.”
  • “Nobody wanted to challenge the innovation team.”
  • “They moved too fast for the controls.”
  • “The business results were too good to slow down.”

In many organizations, innovation teams become culturally insulated from oversight because questioning them appears anti-progress or anti-growth. That is precisely when governance becomes most necessary. The role of compliance is not to suppress innovation. It is to ensure innovation remains accountable to the enterprise.

Gonzo should absolutely continue inventing things. But somebody must still ask:

  • Was the system tested?
  • Is the data reliable?
  • Who owns the risk?
  • What happens if the model fails?
  • Is there human oversight?
  • Can we explain the outcome?

Those questions are not barriers to innovation. They are what keep innovation from becoming litigation.

Continuous Monitoring: The “Day Two” Problem

One of the most overlooked governance failures occurs after deployment. Organizations frequently focus intensely on implementation but pay far less attention to ongoing monitoring. Yet most technology risks emerge over time through:

  • model drift,
  • scope expansion,
  • vendor changes,
  • data degradation,
  • user workarounds,
  • and control fatigue.

Gonzo perfectly represents this problem because he rarely revisits prior experiments. Once the cannon fires, he is already planning the next stunt. Modern compliance programs cannot operate that way. AI governance, digital governance, and innovation oversight require “Day Two” discipline:

  • continuous testing,
  • ongoing review,
  • updated risk assessments,
  • incident reporting,
  • and remediation protocols.

The question is not merely: “Did the innovation work?” The real question is:

“Does the control environment still work six months later?” That is where mature governance separates itself from performative governance.

The Board’s Role in Innovation Governance

Boards increasingly face direct oversight expectations regarding technology and innovation risk. That means directors should ask:

  • Do we have formal AI governance?
  • Who owns innovation risk?
  • How are emerging technologies reviewed?
  • What testing standards exist?
  • How do we monitor ongoing performance?
  • What happens when innovation conflicts with compliance requirements?
  • How quickly can issues be escalated?

These questions are no longer theoretical. Regulators increasingly expect boards and senior leadership to demonstrate understanding of operational technology risk, especially where AI, automation, or sensitive data are involved. In governance terms, the age of “let the technology team handle it” is over.

5 Key Takeaways for the Compliance Professional

1. Innovation is not the enemy of compliance.

The real risk is innovation that operates outside governance structures, documentation, and accountability.

2. Shadow AI creates significant operational exposure.

Organizations must identify and govern unauthorized or poorly supervised technology adoption.

3. Documentation is a governance control.

If an organization cannot explain how a technology was approved, tested, monitored, and governed, it does not truly control the risk.

4. High-performing innovators still require oversight.

Organizations should not exempt innovation teams from compliance expectations because they generate results or move quickly.

5. Governance continues after deployment.

Continuous monitoring, testing, escalation, and remediation are essential to managing evolving technology and innovation risk.

From Gonzo to Animal

Gonzo teaches compliance professionals that innovation creates risk when governance cannot keep pace with experimentation. But there is another danger waiting behind the pressure to innovate: the normalization of unmanaged operational chaos. That is where Animal enters the story.

Because eventually every organization encounters a moment when high-energy operational risk stops being an exception and starts becoming part of the culture itself. In Part 4, we will examine Animal as Chief Operating Risk Officer and what he teaches compliance professionals about operational volatility, escalation failures, crisis management, and the dangers of unmanaged high performers.


Failure to Prevent Fraud Mastery: Enhancing Due Diligence, Training, and Improvement

We conclude our deep dive into the Economic Crime and Corporate Transparency Act 2023, which has elevated the expectations for senior leadership and boards across large organizations. Our guide in this journey has been the UK government, which has put out a document entitled “Economic Crime and Corporate Transparency Act 2023: Guidance to organisations on the offence of failure to prevent fraud” (the Guidance). Today, we conclude with the final three sections on Due Diligence, Training, Ongoing Monitoring, and Continuous Improvement.

As compliance professionals prepare diligently for the upcoming implementation of the Failure to Prevent Fraud (FTPF) offense, it becomes imperative to understand and apply comprehensive fraud prevention measures effectively. Central to a robust anti-fraud framework are due diligence, training, monitoring, and review processes. Each of these areas must be executed diligently, proportionately, and tailored specifically to address the unique risks faced by an organization.

Due Diligence: Building Trust Through Vigilance

Due diligence is a cornerstone of an effective fraud prevention strategy. Organizations must apply meticulous and proportionate due diligence procedures to mitigate fraud risks associated with individuals or entities performing services on their behalf.

For organizations facing heightened fraud risks, standard due diligence might not suffice. Comprehensive screening, including the use of technology-driven third-party risk management tools and vetting checks, becomes vital. Contracts should explicitly state compliance obligations and consequences of non-compliance, while mergers and acquisitions must include rigorous assessments of criminal, regulatory, and tax backgrounds.

Moreover, ongoing due diligence is essential; periodic reviews and updates ensure that an organization remains alert to emerging risks or changes in the status of associated persons. Continuous monitoring can detect potential red flags that may arise post-engagement, such as sudden changes in financial stability, reputation issues, or new regulatory concerns. Additionally, organizations should ensure transparency in their due diligence processes, clearly documenting their methods and findings. This not only enhances accountability but also ensures readiness in demonstrating compliance to regulatory bodies or stakeholders during audits or investigations.

Organizations might also consider collaboration with external experts or industry peers to refine their due diligence methodologies, leveraging collective insights to strengthen their anti-fraud defenses. Regular training and awareness sessions about due diligence expectations can further embed vigilance into organizational culture, ensuring that all stakeholders understand and uphold their roles in fraud prevention.

Five Key Takeaways on Due Diligence:

  1. Leverage Technology: Use advanced screening tools and third-party risk management platforms to enhance due diligence effectiveness.
  2. Contract Clarity: Clearly articulate compliance obligations and termination clauses for fraud breaches within contracts.
  3. Monitor Employee Well-being: Monitor regularly to identify stressors or workload issues that might increase susceptibility to fraud.
  4. Mergers and Acquisitions Scrutiny: Conduct thorough fraud prevention assessments during acquisitions, integrating robust prevention measures post-acquisition.
  5. Dynamic Review: Keep due diligence processes proportionate, up-to-date, and responsive to evolving risks.

Training: Empowering Prevention Through Knowledge

Training is critical to embedding an anti-fraud culture within an organization. A clear and regular communication strategy ensures all associated persons fully understand and internalize the organization’s fraud prevention policies and procedures.

Proportionate training tailored to the specific risks of roles within the organization, especially high-risk positions, is essential. Training must detail the nature of the FTPF offense, the particular procedures required, and the clear protocols for whistleblowing. Continuous evaluation and updates ensure training remains practical and relevant, particularly as personnel change. Effective training should also encompass interactive and engaging methods such as workshops, simulations, and scenario-based exercises, which help employees understand the real-world implications of fraud and the critical importance of adhering to procedures.

Incorporating case studies of relevant fraud incidents can significantly enhance learning by illustrating practical examples and reinforcing key lessons. Organizations should also regularly evaluate the impact of training through assessments, quizzes, and feedback surveys, ensuring that employees retain the information and can effectively apply it in their roles. Integrating fraud prevention messages into routine communications, such as team meetings and newsletters, can further reinforce an anti-fraud mindset. Ultimately, a robust training program not only builds awareness but also empowers employees to identify and address potential fraud risks proactively.

Five Key Takeaways on Training:

  1. Risk-Based Training: Deliver bespoke training programs specifically targeted at roles identified as high risk.
  2. Integration with Existing Programs: Leverage and integrate fraud prevention messages into broader financial crime training initiatives.
  3. Effective Communication: Communicate internal policies, the importance of whistleblowing, and the procedures to follow.
  4. Regular Updates: Keep training modules current with evolving fraud risks, regulatory updates, and personnel changes.
  5. Monitoring Effectiveness: Regularly assess and monitor training efficacy through feedback and performance evaluations.

Monitoring and Review: Continuous Improvement and Adaptation

Monitoring and review constitute the continuous feedback loop critical to fraud prevention. Organizations must regularly assess and refine fraud detection systems and response protocols based on real-world performance and evolving risks.

Monitoring involves detecting fraud, conducting robust investigations, and assessing the effectiveness of preventative measures. Organizations should ensure that sophisticated data analytics and AI-driven detection tools are employed effectively. Investigations must be independent, well-resourced, fair, and transparent, with results communicated to stakeholders.

Review processes ensure organizations adapt and improve continuously. Regularly scheduled reviews, supplemented by event-driven assessments in response to incidents or significant changes in risk, underpin an agile and resilient fraud prevention strategy. Utilizing external feedback and industry-wide insights, organizations can benchmark their strategies and implement best practices.

Five Key Takeaways on Monitoring and Review:

  1. Regular and Responsive Reviews: Schedule regular evaluations, complemented by prompt reviews triggered by specific fraud incidents or risk changes.
  2. Data-Driven Detection: Invest in advanced data analytics and AI tools to proactively detect fraud and fraud attempts.
  3. Independent Investigations: Ensure fraud investigations are conducted independently and transparently, with clearly documented processes and outcomes.
  4. Continuous Adaptation: Maintain flexibility in fraud prevention measures, promptly adapting strategies based on review outcomes and industry developments.
  5. Sectoral Benchmarking: Collaborate and engage with external entities and industry peers to adopt best practices and maintain practical fraud prevention standards.

Concluding Thoughts

As the countdown to the FTPF offense go-live continues, compliance professionals are tasked with a critical responsibility: to ensure their organization’s preparedness through meticulous due diligence, targeted training, and robust monitoring and review practices. Each component is integral to creating an effective, proportionate, and responsive fraud prevention strategy. By embedding these practices into the organizational fabric, compliance professionals not only safeguard their organizations but also reinforce ethical standards, protecting both reputation and long-term sustainability.


Lessons on Ongoing Monitoring and Continuous Improvement from Star Trek: Spectre of the Gun

Last month, I wrote a blog post on tone at the top, as exemplified in the Star Trek: The Original Series episode Devil in the Dark. Based on the response, there are some passionate Star Trek fans out there. I decided to write a series of blog posts exploring Star Trek: The Original Series episodes as guides to the Hallmarks of an Effective Compliance Program laid out by the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) in the FCPA Resources Guide, 2nd edition. Today, I continue that two-week series with lessons on ongoing monitoring and continuous improvement from the episode Spectre of the Gun, which provides a compelling narrative for exploring those two concepts within a best practices compliance program.

In “Spectre of the Gun,” Captain Kirk and his crew are sent to make contact with the Melkotians, a reclusive alien species. Despite a warning buoy advising them to leave, the crew presses forward, and as a result, the Melkotians transport them into a surreal, incomplete version of the American Wild West. The crew finds themselves in a reenactment of the infamous Gunfight at the O.K. Corral, with Kirk, Spock, McCoy, Scotty, and Chekov cast as the doomed Clanton gang. The situation forces the crew to adapt rapidly, relying on their ingenuity and continuous assessment of their circumstances to survive. This scenario provides valuable lessons for compliance professionals on monitoring and constant improvement.

Lesson 1. Ongoing Monitoring and Continuous Assessment

In the Melkotian scenario, the Enterprise crew must continuously assess their environment to understand its limitations and potential dangers. The partial nature of the setting indicates that their perceptions can influence outcomes, requiring constant vigilance and situational awareness.

Continuous assessment is crucial for effective compliance programs. Organizations must be keenly aware of their regulatory environment and internal operations to identify potential risks and changes affecting compliance. This involves regular audits, risk assessments, and monitoring of key performance indicators to detect issues early. By maintaining situational awareness, compliance teams can proactively address emerging risks and ensure adherence to policies and regulations.

Lesson 2. Adapting Strategies Based on Feedback

Throughout the episode, the crew receives feedback from their interactions within the environment, leading them to adjust their strategies. Spock’s logical deductions and Kirk’s leadership guide the crew in adapting their actions to overcome the perceived threat.

Adaptability and flexibility are essential components of continuous improvement in compliance programs. Organizations should encourage a culture where feedback is sought and used to refine compliance strategies and controls. Implementing regular reviews and updates to compliance policies based on feedback and lessons learned ensures that the program remains effective and responsive to changes. Continuous improvement processes, such as after-action reviews and root cause analyses, enable organizations to refine their approaches and enhance compliance outcomes.

Lesson 3. Leveraging Expertise and Collaboration

The crew relies on Spock’s logical analysis and each member’s unique skills to navigate the challenges of the scenario. Their ability to collaborate and leverage individual strengths is key to their survival.

Effective compliance programs rely on the expertise and collaboration of diverse teams. Organizations should foster cross-functional collaboration, bringing together individuals from different departments to address compliance challenges comprehensively. Leveraging expertise from legal, risk management, operations, and other areas enhances the organization’s ability to monitor compliance effectively and implement improvements. Encouraging open communication and teamwork ensures that diverse perspectives contribute to developing robust compliance solutions.

Lesson 4. Proactive Problem-Solving and Innovation

The crew’s success in the scenario depends on their ability to innovate and develop creative solutions to their challenges. Spock realizes that the bullets are not real, and the crew’s collective belief in this fact allows them to avoid harm.

Proactive problem-solving and innovation are critical for continuous improvement in compliance programs. Organizations should encourage employees to think creatively and explore innovative solutions to compliance challenges. This involves fostering a culture that supports experimentation and learning from successes and failures. By empowering employees to propose and test new approaches, organizations can continuously enhance their compliance programs and remain agile in the face of change.

Lesson 5. Staying Vigilant

In the episode, the Enterprise crew is transported to an alternate reality where they must participate in a deadly reenactment of the O.K. Corral shootout. The crew must constantly adapt their strategies and tactics as the scenario changes. Similarly, compliance professionals need to remain vigilant and be prepared to adjust their compliance programs to address evolving risks, regulations, and business environments. Compliance professionals should take a comprehensive approach, conducting holistic risk assessments that consider obvious and obscure compliance risks across the organization.

As the crew faces new challenges in the alternate reality, they must quickly learn from their experiences and refine their strategies. Compliance professionals should similarly adopt an iterative approach to improving their programs, constantly evaluating their effectiveness and making adjustments as needed. By drawing these parallels between the lessons from “The Spectre of the Gun” and the practices of effective compliance management, compliance professionals can strengthen their programs and foster a culture of continuous improvement within their organizations.

Spectre of the Gun provides valuable insights into ongoing monitoring and continuous improvement compliance concepts. The episode highlights the importance of constant assessment, adaptability, collaboration, and proactive problem-solving in navigating complex and dynamic challenges. For compliance professionals, the key takeaway is the need to establish robust monitoring systems, encourage adaptability and innovation, and foster a culture of collaboration and continuous improvement. By applying these principles, organizations can enhance compliance programs, effectively manage risks, and achieve sustainable success in an ever-evolving regulatory landscape. Just as the Enterprise crew adapted to and overcame the challenges presented by the Melkotians, compliance professionals must remain vigilant and proactive in navigating the complexities of modern compliance environments.

Join us tomorrow as we consider the lessons on mergers and acquisitions from the Star Trek episode The Ultimate Computer.


Transforming Culture: Part 5 – Ongoing Monitoring and Continuous Improvement of Culture

Boeing is not the first company to find itself amid a massive scandal. Think of Siemens’ bribery and corruption scandal, the VW emissions-testing scandal, the Wells Fargo fraudulent accounts scandal, or any of the myriad other corporate scandals where culture failed and became toxic. The question for any organization in such a situation is how to transform its culture. Currently running on the Culture Crafters podcast on the Compliance Podcast Network is a 5-part podcast series with me and Sam Silverstein, the most trusted voice in America on accountability. (The Culture Audit™ is the sponsor of this blog post series.)

In this companion 5-part blog post series, we have looked at how a company in the depths of such a toxic culture can begin to make a comeback by planning and taking concrete steps to turn around and rebuild its culture. In this concluding Part 5, we show why you must not simply stop after implementation but must continuously monitor your culture and work to improve it. It is an ongoing work in progress, and you can always keep working on your corporate culture.

Ongoing monitoring is a concept every compliance professional already knows. It must be applied to your culture management strategy as well: you must continuously assess how that strategy is performing. This is one of the powerful outcomes of The Culture Audit™ (the sponsor of this blog post series). Not only have you created a baseline of where your culture stands at a point in time, but through ongoing use of the Culture Audit you can measure your specific indices of culture on a go-forward basis. You can then continually update your approach as appropriate. If your organization needs greater trust, you can put further work into this through your speak-up culture.

Creating an organization’s speak-up culture is essential for fostering open communication, transparency, and employee trust. Such a culture encourages individuals to raise concerns, flag potential issues, and contribute to a safer and more accountable work environment. By prioritizing a speak-up culture, companies can proactively address challenges, prevent safety risks, and promote a culture of continuous improvement.

A speak-up culture is a critical factor in ensuring organizational success and psychological safety. Silverstein emphasized the need for employees to feel safe, valued, and empowered to voice their opinions without fear of reprisal. He highlighted the role of trust and psychological safety in enabling individuals to speak up, noting that a culture that supports open communication leads to better decision-making processes and overall performance. The insights shared underscored the pivotal role of a speak-up culture in shaping a positive and proactive organizational environment.

Accountability in leadership is fundamental in setting the tone for organizational culture and fostering a sense of responsibility and integrity among team members. Leaders who demonstrate accountability model desired behaviors and create a culture where individuals take ownership of their actions and outcomes. By holding themselves and others accountable for their commitments and decisions, leaders cultivate a culture of trust, respect, and ethical conduct.

Leadership will always have a transformative impact on organizational dynamics. Emphasizing that accountability is a way of life rather than a mere task demonstrates leaders’ profound influence in shaping the values and norms within their teams. There must be consistency and fairness in holding individuals accountable. Leaders play a pivotal role in setting expectations and driving cultural change. The discussion underscores the critical role of leadership accountability in fostering a culture of integrity and excellence within organizations.

Changing organizational culture is a complex and multifaceted endeavor that requires a deliberate and strategic approach. Organizations seeking to shift their culture must assess the existing norms, values, and behaviors that shape their environment. By identifying areas for improvement and aligning cultural practices with desired outcomes, companies can embark on a journey of cultural transformation that enhances employee engagement, performance, and overall organizational success.

Companies can initiate meaningful change by defining and measuring the current culture, investing in training and education, and holding individuals accountable for upholding cultural values. You must align cultural initiatives with business objectives and ensure that cultural transformation efforts are embedded in every aspect of the organization. Organizations face challenges and opportunities when navigating cultural change, highlighting the critical role of leadership in driving lasting transformation.

The discussion of leadership’s crucial role in shaping organizational culture provided valuable insights into the steps leaders can take to create a positive and thriving workplace environment. By prioritizing values, fostering open discussions about culture, and making data-driven decisions, organizations can pave the way for long-term success and employee well-being.


One Month to a More Effective Compliance Program for 3rd Parties – Ongoing Monitoring of 3rd Parties

One of the key themes in the Evaluation of Corporate Compliance Programs is the use of data and data analytics in a best practices compliance program. This has specific application to third parties. In the section entitled Risk-Tailored Resource Allocation, the following question was posed: “Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors?” Under the section entitled Control Testing, the following question was posed: “Has the company reviewed and audited its compliance program in the area relating to the misconduct? More generally, what testing of controls, collection and analysis of compliance data, and interviews of employees and third parties does the company undertake?” Finally, under the section entitled Payment Systems was the following query: “How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved?”

All of these questions make clear that the DOJ expects data analytics to be used to help detect or prevent bribery and corruption where the primary sales force used by a company is third parties. A clear majority of FCPA violations and related enforcement actions have come from the use of third parties. While sham contracting (i.e., using a third party to channel the payment of a bribe) has lessened in recent years, related data analyses can be performed to ascertain whether a third party is likely performing legitimate services for your company and is not a sham. Several more complex analytics can be run in combination to identify suspicious third parties, and some of the simplest are to look for duplicate or erroneous payments. This final concept, finding patterns that can be discerned through the aggregation of huge numbers of transactions, is the next step for compliance functions. Yet data analysis does far more than simply allow you to follow the money. It can also be part of your ongoing monitoring of third parties by surfacing third parties that entered the company without proper compliance vetting. Such capabilities are clearly where you need to be heading.

Three key takeaways:

  1. Always remember to follow the money to see where a pot of money could be created to fund a bribe.
  2. Transaction monitoring techniques around fraud monitoring translate to data analysis for compliance.
  3. Do not forget to check names against known PEP and SDN lists.
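The payment analytics the section and takeaways describe, as an added example that is not from the original post: a constructed third-party payment ledger is checked for duplicate and erroneous payments, and vendor names are screened against a constructed watch list standing in for PEP/SDN data. All vendor names, amounts, dates and list entries are made up for illustration.

```python
"""Third-party payment checks: duplicates, erroneous payments, name screening.
Example code added for illustration; the ledger and watch list are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
import re
import unicodedata


@dataclass(frozen=True)
class Payment:
    pay_id: str
    vendor: str
    invoice: str
    amount: float
    paid_on: date
    vetted: bool  # True when the vendor has a completed due-diligence record


# Constructed ledger (sample data, not real transactions).
LEDGER = [
    Payment("P1", "Acme Consulting Ltd", "INV-100", 12500.00, date(2024, 3, 1), True),
    Payment("P2", "ACME Consulting, Ltd.", "INV-100", 12500.00, date(2024, 3, 4), True),
    Payment("P3", "Global Advisors", "INV-7", 50000.00, date(2024, 3, 5), False),
    Payment("P4", "Global Advisors", "INV-8", 1234.56, date(2024, 3, 20), False),
    Payment("P5", "Northwind Traders", "INV-42", 980.00, date(2024, 4, 2), True),
    Payment("P6", "Sunrise Logistics", "INV-9", 0.0, date(2024, 4, 3), True),
]

# Constructed watch list standing in for PEP/SDN entries (made-up names).
WATCH_LIST = ["Global Advisors S.A.", "Acme Holdings"]

SUFFIXES = {"ltd", "limited", "inc", "llc", "co", "corp", "corporation", "gmbh", "sa", "plc"}


def normalize_name(name):
    """Fold case, strip accents, punctuation and corporate suffixes so that
    'ACME Consulting, Ltd.' and 'Acme Consulting Ltd' compare equal."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode().lower()
    s = re.sub(r"[^a-z0-9 ]", " ", s.replace(".", ""))
    return " ".join(t for t in s.split() if t not in SUFFIXES)


def find_duplicate_payments(ledger, window_days=30):
    """Flag a payment that repeats an earlier (vendor, invoice, amount) triple
    within window_days: the classic duplicate/erroneous payment check."""
    seen = defaultdict(list)
    flagged = []
    for p in sorted(ledger, key=lambda x: x.paid_on):
        key = (normalize_name(p.vendor), p.invoice.upper(), round(p.amount, 2))
        for earlier in seen[key]:
            if (p.paid_on - earlier.paid_on).days <= window_days:
                flagged.append((earlier.pay_id, p.pay_id))
                break
        seen[key].append(p)
    return flagged


def find_erroneous_payments(ledger, round_threshold=10000.0):
    """Follow-the-money rules: non-positive amounts, payments to vendors with
    no due-diligence record, and large round-number payments."""
    findings = []
    for p in ledger:
        if p.amount <= 0:
            findings.append((p.pay_id, "non-positive amount"))
        if not p.vetted:
            findings.append((p.pay_id, "vendor has no due-diligence record"))
        if p.amount >= round_threshold and p.amount % 1000 == 0:
            findings.append((p.pay_id, "large round-number payment"))
    return findings


def name_similarity(a, b):
    """Jaccard overlap of normalized name tokens; 1.0 means identical names."""
    ta, tb = set(normalize_name(a).split()), set(normalize_name(b).split())
    if not ta or not tb:
        return 0.0
    return len(ta & tb) / len(ta | tb)


def screen_vendors(ledger, watch_list, threshold=0.6):
    """Return {vendor: (score, list_entry)} for vendors whose best watch-list
    match reaches the threshold. Hits are leads for review, not conclusions."""
    hits = {}
    for vendor in sorted({p.vendor for p in ledger}):
        score, entry = max((name_similarity(vendor, w), w) for w in watch_list)
        if score >= threshold:
            hits[vendor] = (score, entry)
    return hits


if __name__ == "__main__":
    print("duplicates:", find_duplicate_payments(LEDGER))
    print("erroneous:", find_erroneous_payments(LEDGER))
    print("watch-list hits:", screen_vendors(LEDGER, WATCH_LIST))
```

On the constructed ledger this flags P2 as a duplicate of P1, the unvetted and round-number payments to Global Advisors, the zero-amount payment P6, and Global Advisors as a watch-list hit, while Acme Consulting does not match Acme Holdings.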