‘Profit & Loss-of-One’

Fraud examination thought leaders are working to innovate anti-fraud processes. In this column, editor Vincent M. Walden, CFE, CPA, in conjunction with other professionals, will report original concepts that help you do your job better. EY Fraud Investigation & Dispute Services (FIDS) and GE executives contributed to this column.* — ed

Fraud examiners and compliance professionals have a great responsibility to develop effective training and communication programs that engage the hearts and minds of business leaders and employees and prevent and deter fraud. However, they face many challenges including a constantly shrinking share of employees’ time plus technology that makes it difficult to: 1) isolate target audiences, 2) deliver messages that are tailored for individual roles and risk profiles and 3) assess the effectiveness of training or delivery of communication. Recently, GE and EY Fraud Investigation & Dispute Services (FIDS) professionals collaborated to address these perennial challenges with a new strategy they’re calling the “P&L-of-One” (Profit & Loss-of-One).

Compliance professionals’ ultimate objective is a world in which employees receive only trainings and communications that are relevant to their roles, at exactly the right time (before they encounter compliance issues that require their attention) and in the right amount.

These compliance professionals work with fraud examiners to keep employees from crossing the line and committing fraud. All work together at that nexus of fraud prevention and compliance. However, their aspirations are constrained by the reality of addressing the compliance needs of thousands of employees — each with a different role and risk profile. Compliance teams usually resort to massive online curriculums, which they hope will lead to trained workforces.

GE’s internal research into adult learning revealed that the traditional approach to training doesn’t usually lead to knowledge retention — in fact, just the opposite. It’s a reality that frustrates employees and compliance gatekeepers and results in training fatigue. It can come with a hefty price tag and has the potential to tarnish the reputation of the compliance function internally.

But what if there are better ways? Recently, EY’s Global FIDS professionals helped GE improve compliance by using forensic data analytics to provide behavioral insights to their compliance program.

‘Digital twins’ in the compliance office

Digital twins are digital replicas of physical assets that organizations can use for multiple purposes such as the maintenance of power generation equipment, jet engines and heavy machinery. In the context of a growing interconnected world, Gartner Research describes “digital twins” as dynamic software models of physical things or systems.¹ Gartner predicts that in the next three to five years, digital twins will represent billions of things. Such twins are created by using physical data of how the components of the object operate as well as data provided by sensors in the physical world. Organizations can use digital twins to analyze and simulate real-world conditions, respond to changes, improve operations and predict failures before they happen.

Gartner suggests that virtually every connected device eventually could have a digital twin running in simulation so that breakdowns or malfunctions could be predicted in advance — before they occur in the physical world.

While Gartner describes the digital twin concept with interconnected “things,” EY is helping GE’s compliance team by applying the concept of compliance training and communication. “Effective compliance programs are based on employee trust and respect,” says Al Rosa, chief compliance director, senior executive counsel at GE. “The spirit here is to provide continuous, timely and highly relevant communications to GE employees when they need them and in a format that’s suitable for them based on their individual digital footprints. The goal is to have employees view compliance management as a proactive coach, business enabler and risk manager.”

While it’s important to have clear, easy-to-understand policies and formalized trainings for compliance topics, GE found that trainings designed for the mass audience and delivered in high volume can be limited in their effectiveness. “To keep compliance top of mind, it is better to give employees access to information in the field — not just in the classroom,” says David Handler, GE Aviation’s chief compliance officer. “One of the best ways to promote these objectives is to ensure that employees see that the compliance function is working hard to deliver trainings and communications that are engaging. There is no better way to lose an employee’s commitment to the culture of integrity you are trying to promote than to assign training that amounts to a check-the-box exercise.”

How it works

Based on a historical review of compliance issues at GE, the working group developed analytics models to better understand key risk areas. The working group further refined the analytics model by combining the risk analysis with known future events based on data in various systems, such as the corporate travel website. Using this approach, GE and EY developed a pilot — the P&L-of-One — that seeks to predict the business compliance risks GE employees will encounter and when the risks will occur. (See the “Overview of digital-twin compliance model and pilot strategy” figure below.)

Overview of digital-twin compliance model and pilot strategy

The pilot treats each GE employee as a unique entity with distinctive traits, discernible from their job profile and the data about them contained in GE’s systems. The analytics results will ultimately be used to send relevant, just-in-time communications to that GE employee before they encounter a specific compliance risk. The pilot’s objective is to enable better decision-making and reduce compliance risk across the organization.

The pilot focused on business courtesies such as gifts, acknowledgements or other respects shown to valued business contacts. These courtesies, when excessive or anomalous, can be indicators of improper payment risks. For example, GE used historic travel and entertainment expenses (T&E), training history, information on business sales opportunities and other factors to develop risk models for each employee in the pilot. These risk models form a risk profile in an employee’s digital twin.

Information from customer relationship management (CRM) and sales tools — combined with data showing future activities for the employee, such as travel reservations — enable the P&L-of-One to predict a potential risk. The system also draws from historic transaction data and applies a series of decision trees to interpret an employee’s risk level and their specific information or training needs in any given situation. GE compliance professionals can make better, more timely or automated decisions that push tailor-made communications to employees.

Timely and relevant communications

GE’s research emphasized the importance of message delivery in training effectiveness. GE gained insight into employee preferences when it surveyed hundreds of its salespersons operating in a high-risk region to understand how they want messages delivered to them. Employees also will be able to rate the effectiveness of the communications.

GE will use employee feedback to continuously improve message delivery and content. For example, if a GE Aviation salesperson with a moderate historic business courtesy risk profile is traveling to a high-corruption-risk country for the first time to meet with a new customer that’s 75 percent government-owned, the computerized system will send a message specific to that employee, customer and country that summarizes and links to the relevant GE bribery and corruption policies. The message will be brief and to the point and might include a link to the company’s business courtesy approval process workflow. The system sends the message in a timely manner — that is, before the date of the employee’s departure to the high-risk country — in the employee’s preferred communication method (either email, text message or via the GE compliance phone app, among other options).

Giving employees customized, timely and easily consumable information increases possibilities for reduced risk and greater compliance awareness as compared with overly broad compliance training programs traditionally delivered via web or in-person.

Just-in-time training designed with behavioral insights

The P&L-of-One is designed to assist employees in their decision-making and ultimately support them in a more timely and relevant fashion. The P&L-of-One messaging is designed around EY’s three-pronged approach, nicknamed AIR — automated, intriguing and relevant. The three elements are key components in driving ethical behavior and in making it easier for employees to adhere to compliance standards.

Automated seeks to drive efficiency, provide transparency and facilitate compliance for repeatable processes.

When the P&L-of-One system identifies a situation that has higher-than-normal risk to the organization, the system sends timely communications to the employee to raise immediate awareness to support ethical decision-making. To inspire employee action, the organization develops messaging in a way that’s the most appropriate for the employee, including format, delivery method and mechanisms.

Intriguing communications incorporate “gamification” concepts to increase employee engagement. Gamification is the application of typical elements of game playing such as point scoring, competition with others and rules of play. For example, in the P&L-of-One system, the integrity score builds credibility based on behavior patterns, risk triggers and actions an employee takes. Organizations can track these employee scores to encourage competition or peer benchmarking. Brief and highly visual communications — through emails, text messages, video clips and other mediums — containing links to helpful information and policy reminders, help promote employee action. Managers can use this information to recognize employees with higher scores.

Relevant employee messages — customized with a person’s risk profile, job function and activities — is the final component. The P&L-of-One considers these elements when it chooses the correct level of escalation.

Let’s again assume an employee is traveling to a high-risk country. If the employee is actively responding to notifications and taking appropriate actions (such as watching a recommended video link or clicking on a compliance certification), the system could modify communications to be more constructive and helpful in nature, such as sending a proactive email with helpful links that address local business customs and company policy.

However, if the employee chooses to ignore communications and not take appropriate actions the communications will be more directive in nature, such as requiring training courses, with possible notifications to management if the employee continues to not comply. The approach is also designed to allow the employees to select the mode of communication they prefer (e.g., text, email), which further strengthens the tailored compliance experience.

“The most striking argument for the P&L-of-One approach is the integration of data analytics and digital twin concepts combined with the human element of compliance monitoring and communications,” says Chris Costa, the EY Global FIDS chief operating officer who coordinated his firm’s involvement in the pilot. “By building feedback loops into the system, companies will be able to track what type of communication and delivery seems to be the most effective over time and what content needs to be revised to improve its relevancy. In the long run, this enables companies to continuously improve their compliance program based on machine learning principles.”

What this could mean for the future of compliance management

The P&L-of-One pilot could be a significant step in demonstrating how a company’s digital transformation initiative can benefit the compliance function. There are many more ways to operationalize this concept of using data analytics to enhance compliance training and communication. For example, next to just-in-time training and communication, real-time data and behavioral analytics can be powerful tools in other risk control areas such as anti-fraud and anti-corruption.

Forensic data analytics and continuous compliance monitoring technologies are leading the digital transformation of compliance and ethics and are making their way into the compliance and ethics, internal audit and general counsel’s offices of global Fortune 500 companies.

The compliance vision of the future seeks to further move compliance towards a more proactive, advocacy role, which helps organizations by providing needed communications, trainings and responses in an automated, intriguing and relevant fashion. This is the compliance vision of the future and what the authors call the P&L-of-One.

¹ Top 10 Strategic Technology Trends for 2017: A Gartner Trend Insight Report, Gartner, March 21, 2011, ID: G00319572, ©2017 Gartner, Inc.

Vincent M. Walden, CFE, CPA, is a partner with EY. His email address is: Vincent.Walden@ey.com.

*EY team contributors: Chris Costa, Chris.Costa@ey.com; Tony Jordan, Tony.Jordan@ey.com; Stefan Heissner, Stefan.Heissner@de.ey.com; Katharina Weghmann, Katharina.Weghmann@de.ey.com; Jared D Crafton, Jared.Crafton@ey.com; Andreas Pyrcek, Andreas.Pyrcek@de.ey.com; Vincent Walden, Vincent.Walden@ey.com. GE team contributors: Alfred “Al” Rosa (GE, Corporate), Alfred.Rosa@ge.com; David Handler (GE Aviation), David_Handler@ge.com; Laura Beglane (GE Corporate), Laura.Beglane@ge.com.