Technology and Compliance - Benefits, Pitfalls and the Human Factor
By Anna Romberg, VP & Chief Ethics and Compliance Officer, Code of Conduct Company and Niina Ratsula, Ethics & Compliance Adviser, CEO, Code of Conduct Company
What is known is that a company, that has implemented effective compliance procedures, will benefit from this when it comes to defending the company and hopefully negotiating rebates to the penalties. And solutions are presented to automate the problem solving, risk identification, risk mitigation, compliance monitoring, policy management, training efforts and the like. Which in a perfect world sounds great, who would not want to be able to implement a system that would ensure that business is conducted ethically and in compliance with all applicable rules and regulations and have automated mechanisms for detecting possible lapses and misconduct?
And without a doubt technology can be a compliance enabler. With modern technology, compliance leaders can have wide visibility and access to relevant data and statistics. This ultimately helps developing the program and ensuring that it is relevant and not a static check-the-box exercise. Technology allows compliance professionals to keep up with multifaceted internal and external expectations, the evolving legal landscape, enforcement trends, and increased demands over transparency, better oversight, and board and c-suite visibility.
After spending over a decade managing and overseeing various types of audits, internal control and compliance programs as well as audit activities, the advantages of technology and automation seem evident. The potential benefits from technology cannot be questioned; however, the pitfalls from automated solutions should not be ignored. No matter how much the technology evolves, it can never fully tackle the challenges of ethical decision making and the human factor. Technology can prevent and detect human errors and fraud and facilitate the compliance programs in multiple different ways. However, a significant portion of the fraud and unethical behavior that we have witnessed, has not been detected or prevented by technology. Let’s explore why.
• Fraudsters usually know the technology. A fraudster from inside the company will definitely make sure that s/he’s complying with the rules—technically. This means that when looking at the controls from the technical point of view, it’s not always possible to identify the fraud. The list of potential red flags include much more than just budget discrepancies, toxic job combinations, or unauthorized transactions. In fact, by looking at the controls from the technical “tick the box” point of view, we might miss the red flags that are embedded in the corporate culture and unwritten rules of conduct.
• Secondly, if the questionable practices have become part of the organizational culture, the ones who authorize the transactions may have become blind. This means that the technology may also become blind. Many times the fraud investigations get stuck if you simply cannot find valid evidence of a policy violation. From the systems’ point of view, the transactions may appear justified, even if the substance would seem shady. To evaluate the ethical side of the business transactions, we will always need the human consideration.
Technology can pick up breaches and violations of rules; however, one should not forget that a human commonly is behind the breach and misconduct.
Technology is a good slave but a poor master— remember that the information that you get have to be analyzed and acted upon. Do not set a trap for yourself with a risk of being drowned in information that will not be used. A compliance program should always be designed so that it is tailored to the particular business and specific risks, not to fit the systems and tools that have been developed. A compliance program that does not work without a system will probably not work and be effective with a technological system in place. So our message is simple—automate what you can, avoid doing routine tasks that a system can do, integrate the technological aspect of the compliance work to as large extent possible into the existing technology and systems and never forget the human factor. At the end of the day we still live in a world where humans make the decisions, to abide to or circumvent the rules and no technology in the world can compensate for a colleague standing up to what is right when a colleague is being discriminated or saying no when the entertainment practices are well beyond decent and respectful. Technology can pick up breaches and violations of rules; however, one should not forget that a human commonly is behind the breach and misconduct.