In the first article of this three-part series, we outlined why legal departments are becoming more proactively involved in enterprise risk management (ERM). Now, we will explore why traditional risk management approaches remain necessary but are no longer sufficient to proactively detect real-time risk. Rather, evolving approaches that rely on data analytics to detect hidden and emerging compliance and legal risks are the future of ERM.
Mischief is outrunning traditional approaches to ERM
Legal departments have long deployed proven methods to identify and thwart organizational risk. Policies, procedures, risk committees, task forces and audits are all tried-and-true approaches to ERM. In recent years, legal departments have expanded their ERM role to encompass the increasing risks associated with their organization’s information and information systems. For example, inside counsel have become increasingly involved with the implementation of corporate policies and employee training on procedures for managing electronic communications, BYOD, social media and the acceptable use of technology. They are becoming anchors on intradepartmental committees and working groups addressing emerging challenges such as data privacy, regulatory compliance and information and network security. They are much more closely monitoring the risks inherent in new forms of IT infrastructure and projects such as cloud computing, distributed data storage and migration, and third-party software and services.
Though these approaches remain critical to ensuring organizational compliance, they are no longer sufficient to detect the accelerating variety of risks that are percolating within a global organization that is subject to widely disparate regulatory schemes, and has empowered local work groups to leverage new relationships, services and technologies in real time.
Using data analytics to identify emerging risks
Enter Big Data. Many have abused this buzzword, but it is still the best moniker for key technologies and methods used to collect, process and programmatically analyze terabytes, petabytes, exabytes, even zettabytes of data, in real time. We have seen them used by governments to predict terrorist behavior; by R&D groups to gauge “customer sentiment” about their products; by retailers to predict Black Friday traffic or customer pregnancies (really?); and by HR departments to predict employee departures.
Within the legal, risk and compliance space, we have seen “continuous monitoring” and “continuous auditing” technologies used to detect fraud and other risks within structured financial data. To some degree, in such industries as financial services, companies have been employing technology to monitor “unstructured” data in transit for keywords that trigger human surveillance. And recently within electronic discovery, we have seen analytics technologies applied to unstructured data such as emails and social media to visualize communications patterns and identify responsive or hot documents.
In the following examples, we highlight emerging applications of these technologies “behind the enterprise firewall” to detect potential regulatory infractions and legal landmines, including fraud, lapses in drug handling and compliance.
Real-life examples of using analytics to detect emerging risk
In many instances, there is existing technology or software within the enterprise that may be used by the legal department for risk management purposes. These innovative uses of available technology can increase the return on investment in the technology and provide an added incentive to move forward with new approaches to risk management.
Big pharma: Off-label marketing
Recently, a major pharmaceutical company used data analytics available through e-discovery technology used in litigation and investigations to detect and avert potential liability relating to off-label marketing, unapproved patient populations, Sunshine Law compliance and unsupported product claims. The legal department interviewed subject-matter experts to gather the keywords, concepts and metadata necessary to construct a profile of documents requiring closer scrutiny. After sampling email and other unstructured data, the company used predictive, concept and relationship analytics, as well as email communication visualization to automatically segment the 1 percent of documents that indicated a potential compliance violation.
Financial institution: Post-merger integration risks
Following a series of mergers, the IT team sought to decommission the legacy email systems of several acquired companies. This posed significant regulatory and legal hold risks. So the legal and IT teams used a number of analytics technologies commonly used in e-discovery to process, automatically de-duplicate and isolate high-risk data subject to retention and legal hold requirements. The net result was a substantial risk reduction and a 40 percent reduction in data to be migrated.
Transportation company: Potential loss of confidential information
The legal department had growing concerns about employees emailing sensitive data outside of the company, to personal email accounts and other destinations, in violation of company policy. Working with information security, the legal department implemented technology already obtained by information security for other purposes to evaluate outgoing email and automatically detect violations for escalation and review. This implementation succeeded in identifying employees who were in fact sending large volumes of confidential client information to their home email accounts.
Where are legal and ERM headed?
As the volume, velocity and variety of enterprise legal and compliance risks continue to accelerate, legal departments must increasingly adopt the same data tools and techniques in play by other corporate functions. The world of email, social media and other unstructured data is not only relevant to investigations and lawsuits, it is a critical resource in proactively identifying the risks emerging within a global organization.
In our next article, we will discuss the challenges of real-time data monitoring in an era of data and how organizations are managing those challenges — including protecting employee and customer privacy.