Compliance seems to divide enterprises into three categories: Those that primarily publicize it as proof of “good governance,” those that actually push the boundaries far enough to bring consequences, and everyone else with their heads down, trying to address whatever regulatory standards govern their industry and the seemingly ever-changing nature of those standards.
Now a fourth group is emerging, charting their own course. These enterprises are turning compliance to their advantage by mining compliance data for digital gold: insights that increase efficiency and competitive advantage. Like the governance crowd, they have automated many compliance functions with emerging software solutions. They are looking at the resulting data with fresh eyes and using it to improve their businesses.
Most people think of compliance in terms of rules and regulations imposed by lawmakers and other governing bodies, for good reason: There is a proliferation not just of new regulations but of whole new regulatory frameworks such as Dodd-Frank and GDPR. Even long-time frameworks such as SOX, HIPAA, and FCPA continue to evolve. Yet at the same time, many enterprises are setting rules of their own to address an increasingly complex environment that includes global supply chains, cybercrime, trade wars, Brexit, and other evolving risks.
In the end, it doesn’t matter where the rules come from: Compliance, and the documentation that comes along with it, is essential for managing risks and maintaining brand reputation. The roster of damaged brands from just the past few years illustrates what can happen when risk and compliance management break down.
Until recently, enterprises managed compliance risks with home-grown, often siloed and disparate initiatives that focused on people and processes. The components included manual record-keeping, time-consuming audits, constant training, ever-lengthier supplier questionnaires, C-level compliance positions, and board-level reporting. The reams of information gathered and presented were considered useful mainly for answering a simple question: Are we compliant or not?
Then a new question arose: Can we at least automate and digitize risk and compliance data, like we have done with so many other processes? The answer to that question is clear: We can, thanks to a growing community of companies providing governance, risk, and compliance (GRC) technology solutions that automate the process of collecting, aggregating, analyzing, and presenting relevant data while reducing their costs to the organization.
…Meets Smarter Compliance
We believe that just as homegrown compliance structures created the opportunity for digitization, a critical mass of companies are now positioned for a new opportunity that may eclipse the earlier one. Data that was once viewed merely as fuel for the compliance machine can now be considered a strategic output in its own right, with value to the business beyond compliance.
Whether it’s a bank mining Know Your Customer data to pitch targeted travel insurance to its customers or a CPG manufacturer analyzing complaint data from the Consumer Financial Protection Bureau to improve its manufacturing methods, we see an opportunity for companies to extract incremental, “offensive” business insight from large risk, compliance, and regulatory data sets.
This opportunity represents a convergence of what may seem unrelated factors. But let’s remember that in a globalized, highly competitive economy there are few trends that arise in isolation.
The first trend we note is a dramatic change in the people sitting in the chief compliance officer (CCO) chair. Russell Reynolds Associates analyzed the career backgrounds of 72 CCOs in banking, insurance and asset management and reported that “gone are the days of principally legal and compliance executives nabbing the top job in the compliance function.” So who’s getting the job instead? According to the report, it’s “broader-focused appointees from consulting, risk and audit. This new breed of appointees would be well-positioned to contextualize compliance (and the associated cultural change) in the wider picture of the organization.” In other words, compliance executive leadership is not just for lawyers and specialists – it’s for multidisciplinary executives who are as fluent with brand value and enterprise risk as they are with the P&L and operations.
The second trend we note is increased use of AI/ML. The transportation sector is a leading example, in part because it is heavily regulated. Shipping companies, notably UPS, now place dozens of monitors on their vehicles for compliance with internal and regulatory rules – and then apply AI to monitor data to optimize delivery routes and driver behaviors in ways that squeeze out fuel costs and improve customer satisfaction. Fleet operators are further served by solutions from the likes of Keep Truckin, Samsara, and Geotab, which help improve driver safety and increase the precision of preventive maintenance.
The third trend is the evolving consumer privacy landscape. Ironically, more robust data protection and security regulations such as GDPR can actually serve to enhance business value by increasing the trust between companies and their customers. In its January 2018 report, “How GDPR is an Opportunity to Create Business Value”, Gartner notes that “handled effectively, there is great potential to obtain consent to increase data access, use, and sharing rights — aligned with goals of a wider organizational data and analytics strategy. This can help drive competitive advantage, while also helping to achieve compliance in other countries and regions.”
Examples of Leveraging Risk & Compliance Data to Drive Business Value
These are examples of companies that are helping advance the use of risk and compliance data for improving everything from customer experiences to supply chain performance to more effective emergency response:
- Avetta’s customers use Avetta to certify compliance quality of its suppliers (green flag, yellow flag, red flag) and then mine the data to identify which suppliers are best trained and best equipped for certain on-site jobs.
- Higher education institutions have long collected data to achieve and maintain external accreditation. Watermark Insights helps universities and colleges not only collect, digitize, and report on that data to demonstrate effectiveness, but also to use it to inform curricular changes and improve student outcomes.
- AxiomSL’s financial services clients utilize its data integrity and control platform and its risk calculation and reporting solutions to satisfy regulatory requirements across the globe systematically. With trusted data, banks are now also able to identify opportunities to fine-tune capital/credit risk and deliver compelling business insights across the enterprise.
- Global Trade Management solutions from the likes of Descartes and Amber Road (now a part of E2OPEN) have long been used to satisfy mandatory export compliance obligations (e.g. restricted party screenings) and to remain abreast of regional duty programs and tariffs. But by marrying these regulatory datasets with companies’ more “traditional” supply chain data (such as bill of materials and transportation fees), clients are now able to more accurately forecast true landed costs (the total price of the shipment including customs, duties, taxes, tariffs, etc.), all the while minimizing risks and delays.
- Rave Mobile Safety enables schools to automate collection of and access to critical facility information (e.g., floor plans, alarm information), which they need to remain compliant with fire department ordinances – and it also provide 911 dispatchers and first responders better real-time capabilities when emergencies arise.
- Information governance and eDiscovery vendor Nuix is well known for its deep technical capabilities in high speed processing and analytics around vast data sets, typically in the context of litigation and investigations. But enterprise clients are also able to leverage the platform to create “data lakes”, making data more accessible for re-use in future investigations, litigations and data management programs, helping reduce costs.
- Biopharma companies rely on software from ETQ for much more than compliance with FDA requirements; they also leverage the data to mitigate and prevent high-risk events, scale operations more effectively, and streamline their go-to-market activities.
There are many other examples of organizations across industries utilizing technology from GRC vendors to not only achieve their risk and compliance objectives, but also advance their strategic objectives. The trend is still very much in its early days, but it provides an exciting avenue for continued growth in the sector. As an experienced technology focused growth equity firm, TCV is committed to investing in the category innovators in the GRC space and has invested in such companies as Avalara, AxiomSL, Avetta, LegalZoom, Rave Mobile Safety, RiskMetrics Group, and Watermark Insights.