Two of the most common catchphrases in corporate compliance these days are “data governance” and “anti-bribery.” So today, let’s talk about how those concepts connect — how large organizations need strong data governance if they want to have an effective anti-bribery program.
First, we need to be clear about what data governance does. It manages how information flows through your organization: how data is created, described, stored, retrieved, and ultimately destroyed.
So yes, data governance is partly a process of moving bits and bytes around your company’s IT systems. But successful data governance is much more about policies that dictate how your other business processes create information about what those processes do.
Why is that important at all, and why is it important specifically for anti-bribery programs? For a few reasons.
At their simplest, anti-bribery programs exist to help your company avoid an enforcement action. To avoid an enforcement action, you need to present evidence. To present evidence, you need to have evidence. Therefore your processes need to generate evidence you can manage.
That’s what effective data governance does for anti-bribery programs. It generates the evidence you need to prove that yes, you trained the employees dutifully; or that you performed sufficient due diligence on the third party; or that you assessed the effectiveness of your program and made improvements; or whatever.
Can you do all those tasks without strong data governance? Sure, although the chores of collecting evidence will be time-consuming and costly. And that brings us to another point that’s important but not readily apparent: strong data governance is necessary to automate your anti-bribery compliance program.
Automating compliance processes (say, third-party due diligence checks) is a worthy goal, but “automation” really means IT systems acting on data without close human oversight. Those systems can’t process data unless it exists in certain states: labels to describe data have been properly defined; values for data have been properly entered; and so forth.
For example, say you want to warn all high-risk sales agents that they need more anti-bribery training. That compliance process can be automated, but only when all sales agents are identified the same way, with risk ratings assigned in a uniform manner. Then your training program can read “John Doe risk = high” and automatically send Mr. Doe a link for more training.
That seamless process only works with strong data governance.
Can you have strong data governance policies without strong anti-bribery policies, or vice versa? Theoretically yes, but over the long run you create more work for your compliance program, because one policy will be out of step with the other.
That is, if you have clear policies for how to process data about third parties, but the compliance program never actually collects that data in the first place, who cares about proper data formatting? Or if you collect data about third parties but store it in various formats across numerous spreadsheets, you’ll have more work to do when regulators ask to see it.
The most astute path for a compliance officer is to think about anti-bribery policies and procedures in terms of data governance. “How can I build anti-bribery processes and policies that prevent corruption in an individual transaction; and that give me the right information to study our anti-bribery efforts in aggregate?”
That’s the question you want to answer. Answering it is not necessarily easy — but hey, ethics and compliance is supposed to be challenging.