Compliance Programs Need Data Analytics
By Ryan Berry and Guy Filippelli
The financial services industry has long embraced data analytics as a powerful crime prevention and policy enforcement tool. Many defense contractors, by contrast, have resisted incorporating advanced technology products into their compliance programs.
Without these tools, companies remain dependent on human identification of risks and violations, whether flagged by employees, hotline tips, whistleblowers or government auditors. Their compliance efforts often consist only of training employees to spot misconduct and setting aside financial reserves to fund expensive, after-the-fact investigations by outside counsel.
This approach to compliance harms contractors’ ability to proactively identify risk, and may even expose them to potential litigation. Those contractors that fail to use state-of-the-art technical tools in compliance will inevitably expose their company to avoidable claims and even criminal prosecution and will decrease the odds of securing cooperation credit.
In deciding whether to charge a corporation following suspected criminal misconduct by employees, Department of Justice prosecutors rely on the Principles of Federal Prosecution of Business Organizations, also known as the Filip factors. One Filip factor directs the department to consider the existence and effectiveness of the corporation’s pre-existing compliance program.
What determines the effectiveness of a compliance program? According to the U.S. Attorney Handbook, critical factors in evaluating any program include whether the program is designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether the contractor periodically revises the program in light of lessons learned. It directs prosecutors to consider the timeliness of any disclosure of wrongdoing to the government and whether the corporation’s compliance staff is sufficient to audit, document, analyze and utilize the results of the corporation’s compliance efforts.
In public remarks this October, Marshall Miller, principal deputy assistant attorney general for the criminal division, declared that “in many ways the heart of effective corporate cooperation [is] whether that cooperation exposed and provided evidence against the culpable individuals who engaged in criminal activity. Even the identification of culpable individuals is not true cooperation, if the company fails to locate and provide facts and evidence at their disposal that implicate those individuals.”
He further stated that Justice “will use our own parallel investigation to pressure test a company’s internal investigation: to determine whether the company actually sought to root out the wrongdoing and identify those responsible, as far up the corporate ladder as the misconduct goes, or instead merely checked a box on a cooperation punch list. Companies that have not conducted comprehensive investigations will not secure significant cooperation benefits.”
Miller’s comments echo those of Leslie Caldwell, assistant attorney general of the criminal division: “We want companies to know that they will not get credit for cooperation when they fail to provide full, factual information that’s at their disposal about culpable individuals.”
With the Filip factors and Justice comments as background, conscientious contractors need to ask themselves some uncomfortable questions. For example, is a compliance program effective if it omits widely available technologies to detect misconduct unlikely to be detected by the human eye? Are such compliance programs designed for maximum effectiveness in preventing and detecting wrongdoing by employees?
In light of data analytics products on the market, can defense contractors, however geographically dispersed, seriously contend that data within their organization is not readily at their disposal?
How prompt is a disclosure of wrongdoing to the government if detection of the wrongdoing through human means significantly trails the offense, while data analytics could alert compliance personnel to the misconduct in near real time?
How prompt is a disclosure when it takes months for an army of outside counsel to collect and assemble a puzzle of facts? Doesn’t the availability of technology that collects, filters, sorts and displays enterprise-wide data on demand raise the bar in assessing the promptness of a disclosure?
Data analytics products do not play politics or curry favor. Wouldn’t their adoption instill greater government confidence that a contractor is timely rooting out wrongdoing and identifying those responsible, however far up the corporate ladder the misconduct goes?
Isn’t it sensible from a business perspective to deploy available technologies to a modest number of compliance personnel trained in how to leverage those systems effectively? Wouldn’t that approach promise better return on capital and better ensure a “compliance staff sufficient to audit, document, analyze and utilize the results of the corporation’s compliance efforts” than relying on a large litigation reserve and gaggle of outside attorneys after the fact?
If answers to the questions above confirm that an existing compliance program is not currently designed for maximum effectiveness in preventing and detecting wrongdoing by employees, then now is the time to modify it, while 2015 budgets are fresh. A company can make a worthwhile short-term compliance investment before a major infraction goes undetected, and thereby avoid a much larger long-term expense. Recall that periodic program modifications based on lessons learned are an important factor that Justice considers.
And in order to preserve attorney-client privilege in counsel’s legal assessment of the current compliance program’s shortcomings and recommendations for enhancing the program’s effectiveness going forward, retain outside compliance counsel who know the industry, supported by technology consultants who understand the technology that will streamline compliance processes and make existing resources more efficient.
Ryan Berry, a shareholder at Greenberg Traurig LLP, represents defense contractors and technology companies in compliance, investigations and litigation. Guy Filippelli, president of RedOwl Analytics, is the founder of several defense contractors. The views expressed are solely those of the authors.