Microsoft’s Alan Gibson on the Power of Compliance Data

Valerie Charles

Data is the most sought-after and powerful commodity of recent times. It has become more valuable than oil, big data has become its own industry, and we are now living in a data economy. Compliance data is no different: when leveraged correctly, it has the potential to identify and prioritize risks, help allocate resources to prioritize risks, and allow companies to make better (more accurately informed) decisions.

A few months ago, I had the pleasure of hosting a group of compliance professionals in San Francisco at one of our Compliance Heroes events.

Our Compliance Heroes series, which is composed of virtual and in-person events, is really meant to spotlight cutting-edge compliance programs and inspiring leaders in the industry. It’s a great way to create community and focus on the most important factor of any compliance program—the people.

As most of you know, I’m Valerie Charles. I am the Chief Strategy Officer of GAN Integrity, I am a reformed compliance lawyer, I served as outside counsel, and then I was in-house for a while before pivoting to technology.

At this event, we were excited to have Alan Gibson in the hot seat, or, as we like to call it, the “innovation spotlight”. As an Assistant General Counsel on Microsoft’s Compliance & Ethics team, Alan manages part of Microsoft’s global compliance program, which is known to be one of the best operationalized modern programs in the world. During his 16 years at Microsoft, he has served in a variety of legal, compliance, and business roles, including providing legal advice to sales, marketing, and product teams, while also working in business development, product development, and commercial operations teams. Alan is especially well known for being a thought leader and change agent in applying digital solutions to modernize how companies manage compliance risks and measure program effectiveness (e.g., data analytics, machine learning, artificial intelligence, robotic process automation, and blockchain).


At GAN, we think technology is becoming more critical than ever before to the compliance function and believe that in short order (three to five years) the landscape’s going to look very different. Knowing this shift is on the horizon, we were thrilled to sit down with Alan and learn more about the importance of compliance data in Microsoft’s compliance program.

Alan Gibson on Microsoft’s Compliance Program

Valerie Charles (VC): Can you tell us a little more about the program at Microsoft, your general vision and goals, and how you think it differs from the mainstream way of doing things?

Alan Gibson (AG): Our compliance analytics program started about four years ago and it was interesting that the genesis of it was really the fact that we had a new CEO that said, “We are a data-driven culture.” In parallel, our compliance team was asked to write a strategy memo to our Audit Committee about what Compliance 3.0 was going to look like. And as the compliance team, we’re like, “Oh shoot, we didn’t even know we were on Compliance 2.0, let alone 3.0.” And we wrote what we thought Compliance 3.0 was going to look like, and it worked its way up, and we got feedback that we needed to talk about how we leverage our strength in big data. We wrote that we wanted to “use big data to identify and predict compliance trends, and enhance monitoring and oversight—to identify a big data platform and define predictive models to identify compliance red flags and emerging areas of compliance risk”.

It went into the memo that went to Satya Nadella, our CEO, and our audit committee and received positive feedback. Apparently, based on my experience in writing an intentionally ambiguous paragraph about using big data, I became the compliance analytics person because obviously I knew more than anybody else, and from there my legal and compliance career headed in a new direction.

So when we started on this journey, one of the first steps we took was to bring together a bunch of like-minded people from across the company to align our efforts to create an early warning monitoring system using data to identify compliance risks.

VC: How do you operationalize your compliance program? How do you actually make it ingrained in a business process instead of imposed upon the business?

AG: For us, we faced the same challenge that a lot of compliance programs do of operationalizing it and building it in business processes—we didn’t want to just be appended to the business. Look, like a lot of multi-nationals, we’ve faced the challenges of ensuring that we manage an effective compliance program and the risks associated with relying on a channel partner business model. Our recent need to respond to the DOJ and SEC was definitely enough to open the conversation with the business group and accelerate or enhance work that was already underway or being discussed.

So we partnered with business people to do an assessment about who should actually own the risk of what we call “sales deal execution.” At the end of the day, a specific business unit knew that they were going to own it. However, they wanted us to collectively go through the assessment process and then work with different stakeholders to evaluate different options. This was an opportunity for all of us to identify the dependencies and hold each other accountable. When we reviewed the assessment with the stakeholders, the specific business unit said, “We own the controls. We own ensuring that we only process good deals or do business with good, trustworthy partners. But compliance needs to define or identify who those parties or those transactions are.” “We, the business units, own the risk, but compliance, you tell us who those risky deals or partners are.” Of course, the only way we could do it at scale was by using analytics.

Then we created the ability to risk score our sales contracts and our channel partners on a scale of zero to 100, and above a certain risk threshold or score we kick it out to a compliance function embedded in the business, and they execute the controls and that’s how they end up owning the risk.

Alan Gibson on the Power of Compliance Data

VC: I think there’s a big distinction between the programs that are operationalized and the programs that are not, how did you take this into consideration when building your process?

AG: So what we’ve done with analytics is build them into our business process to allow us to proactively risk score contracts as they work their way through our sales pipeline. So, a deal goes into our CRM and we start to risk score right away to identify which ones require compliance oversight. At that point, if a contract is identified as “high risk,” in real-time it gets routed to a compliance professional embedded in the business. A key factor for operational success is that the process is built into the tools that they’re used to using.

You can also supplement this sales contract risk score with a whole bunch of other internal data, based on our historical relationship with a partner and what we know about their geography and business environment, and combine it together to come up with a channel partner risk score. So then, when people are approving the contract, we can tell them that a channel partner is risky, why we think they’re risky, and provide all of the data that supports it. Then the sales team must demonstrate how they will mitigate the risk to the satisfaction of the compliance team.

VC: As you went through this journey, how did you get to the point where you were getting actionable insights that could make a difference in the business versus just having a bunch of data?

AG: The simplest way to describe our “play” is that we identify the specific risk scenario we want to go after. I’ll stick with our sales contract example. We wanted to identify which contracts created the most corruption risk for the company. So we went through our investigations, internal audit findings, partner audit findings, and talked to subject matter experts to identify what we call the “themes and schemes” that indicate the presence of the risk. And if those are the themes and schemes, what signals would identify their presence…then what data would create that signal?

We identified all of the data that could be valuable for us to form that signal. Once we had that, we created V1 of an algorithm and we applied it to a historical data set to test it so that we didn’t impact the business before knowing whether it identified risk. So even if you created a false positive, the only expense of that was our time going, huh, did the algorithm work or not? So, we used historical data as our training dataset. Once we were comfortable that it was providing accurate results, we would let it loose on ones that were near real-time and then real-time as we got more and more comfortable with the contracts it was flagging.

The advice I would give my peers is just to train your algorithm on historical data. Because the pushback that you get from the business, if we’re doing sales contracts, for example, is that you’re going to hurt business. It won’t be uncommon to hear, “We’re all about compliance but just don’t kill our deal velocity.”

VC: How did you handle false positives and ensure the algorithm was accurate?

AG: We were very methodical in our approach. We were super careful not to create a long list of contracts for review that would overwhelm the business. We had to build a case to request additional resources. We didn’t want false positives to create a need for additional resources. People ask about false positives all of the time and they need to understand that we’re measuring risk–the point of our algorithms isn’t to go, “That deal is corrupt” or, “They’re paying a bribe in it”. It’s, “Deal A creates more risk than Deal B, so we should look at Deal A.” So, it’s all relative. We’re trying to take a prioritized, risk-based approach to manage and reduce our compliance risk.

When people talk to me about the accuracy of the algorithm, we risk score these contracts and channel partners on a scale of zero to 100 and we don’t really care whether it scores 90 or 88. They’re both risky. What I want to make sure is that when we score a deal 90, that it’s riskier than the deal we score 60, and vice versa.

VC: I think risk rating third parties is the most common example. What other use cases exist? Where else are you using these sorts of algorithms and data analytics?

AG: I’ll start with where we’re focused now and where I think it’s going to go. For us, the way that we looked at our corruption risk is that our risk becomes an issue when we enter into a bad deal. Which is why we decided to focus on deals, initially. Almost every bad deal involves a partner so let’s go after partners.

As we build it out and we see what’s available from the data, we think about all the different touchpoints that they have with our company and employees. I see us bringing in, let’s say, travel, gift, and hospitality data. Anything having to do with travel, any benefit that we’re providing to a third party, because my guess is an employee that is non-compliant is more likely to be doing something improper with a partner. If it’s a high-risk partner, there’s probably an employee that’s creating risk for the company also—so if we could start to tie all of that relationship data together, it’d be incredibly powerful.

Alan Gibson on Technical Skills

VC: We think part of the problem is that the compliance industry developed technology in such a process-focused way which created silos. The GAN mission is to get the data out of those silos because we can’t do any of the powerful analytics until we get all the data together.

AG: I agree. I see a world, five years from now, where we’re getting our data from a third party hotline provider, and I can see a spike in a geography at the same time, I can measure an increasing amount of Azure consumption in the public sector that would go, huh, there’s lots of smoke here and there’s lots of smoke here, but right now we don’t make that correlation. This way we can go, “Something’s going on in that region”. We are not there yet, but that’s the future.

VC: What is your advice for compliance officers who, today, have less technical skills than the future of the industry will require them to have to be successful?

AG: It’s funny when people ask me about it, I usually say: if you’re not the person that’s super passionate about data analytics, someone on your team most likely is. And if they’re not, it’s a stretch project for somebody in your organization. Especially the people who are graduating now. I mean the number of people that are interested in data analytics is awesome.

My team is lucky in the sense that we can plug into Microsoft’s large machine learning and data science community. We’re also lucky that we can have our algorithms get peer-reviewed. When the legal and compliance departments’ data scientists go out and present internally on what they’re doing for compliance and to fight corruption, it generates a lot of interest.

Data scientists with a range of experience levels come up to us afterward and say, “Oh my gosh, you’re solving real-world problems instead of these academic exercises that we’re often tasked with. Can I do this as a part-time job, or can I help your team out as a side project? How can I help? Are there jobs?” And so, we have access to resources and there is real passion about it, especially with the generation that’s just coming out of college. They want to solve real-world problems. I encourage my peers to look in their teams but also more broadly across their company—you may be surprised by what you find.

Learn More About Other Compliance Programs

First and foremost, I want to give Alan a huge thanks for letting me pick his brain on all things compliance data. Microsoft’s program is one of the most cutting-edge in terms of how they leverage data analytics to drive compliance insights, and it was a pleasure learning more about their process.

To read more interviews in our CCO Conversations series, please check out Uber’s Yaara Alon-Redl On Diversity by Design or Edward Hanover on Building FIFA’s First Compliance Program.

Due to COVID-19, our Compliance Heroes events have gone virtual! Stay up to date on the latest in compliance and connect with like-minded peers from the comfort of your home. We have a handful of exciting speakers coming up. I interviewed Peter Loftspring, Senior Vice President, Compliance Manager at Black & Veatch, on why compliance officers should embrace third-party complexities, so be sure to watch the on-demand recording!

 
