The Art Of Repurposing Technology To Satisfy Risk Management And Compliance Objectives

Monday, June 1, 2009 - 01:00

Under the theme of doing more with less, we are hearing stories about how in today's economic climate consumers are looking to save money and time by repurposing household items. Consumers are finding new and alternative lives for products that seemingly no longer have any utility rather than discarding them. For example, we hear stories of converting old blue jeans into purses and children's clothes. Even First Lady Michelle Obama has gotten into the act by starting a garden in the White House lawn and using food scraps as compost.

All of this repurposing and reutilization news got me thinking about how corporate risk and compliance departments could leverage impending or ongoing enterprise technology initiatives for their own department's objectives. As such, this article will explore how certain enterprise technology projects can be expanded and given alternative lives beyond the initially intended purpose. In particular, two general areas of technology that were once thought of as "nice-to-haves" can now be thought of as "must-haves" when using them for risk, compliance and legal purposes.

Enterprise Search

The first general area of technology is enterprise search, where many enterprise's knowledge or records management teams have implemented or are in the process of evaluating enterprise search applications to help their employees find the right information quickly. In fact, some enterprise search applications have utility far beyond this. There is no doubt that effective search tools have a larger context, such as in the areas of eDiscovery and regulatory compliance.

Since compliance and risk management present some of the same challenges as knowledge management - namely the automated organization, categorization, security and precise accessibility of information - the same technology utilized for better enterprise search can be leveraged to help enterprises conduct risk assessments and comply with document retention policies and compliance. Such "search-powered compliance" is powered by sophisticated but easy-to-use conceptual search technology that can automate the categorization, identification, retrieval and disposition of electronically stored information (ESI). Furthermore, such technology can also be used to identify, preserve and collect relevant ESI pursuant to a regulatory investigation, internal investigation or lawsuit, while also automatically providing deep analysis into such information - another use of features originally developed for knowledge management purposes.

Enterprises are faced not only with collecting potentially relevant ESI but also with identifying potential risks contained in that ESI at a very early stage in the process. Conceptual search technology is the means by which risk and compliance professionals can gain a better understanding of the "legal context" of the ESI. For example, conceptual search tools can be employed to better organize sets of ESI in a fashion that will facilitate more efficient review for early risk assessments. Often risk and compliance professionals charge into the data set on a custodian-by-custodian basis. However, the reality is that the review may be better served by being issue focused. In this regard, enterprises can benefit from search tools that have the ability to understand and categorize concepts and phrases in addition to standard keyword, Boolean and fuzzy search features. Simply, the right search tools enable risk and compliance professionals to find a particular needle in a haystack even when they do not know what the needle looks like.

For example, advanced conceptual search tools perform statistical analyses of word co-occurrences in documents and identify repeatable contexts, topics or concepts in which a certain group of words occurs. It does not require any manual input in the form of lexicons, thesauri, or topic annotations, but is completely automatic in performing "unsupervised learning" (to use the technical term). The identification of concepts or topics serves two major purposes: on the one hand, it reveals the potential ambiguity of words by detecting multiple contexts in which they are used. For example, "jaguar" may refer to the animal, the automobile brand, and any number of clubs, products, and businesses. "Java" might refer to the Indonesian island, the programming language or coffee. Such ambiguities, also called polysemies, are automatically identified by these conceptual search tools whenever they are present in the source documents. On the other hand, these search tools also learn about synonyms and semantically related words, i.e., words that are likely to occur in a common context. For example, a document containing the term "car" is likely to contain synonyms such as "automobile," "auto," "vehicle," as well as semantically related words such as "sedan," "driving," "highway" and "motor."

As one can imagine, using conceptual search tools that have the capabilities mentioned in the preceding paragraph to underpin an enterprise's eDiscovery and compliance programs is extremely powerful. Namely, risk and compliance professionals will be able to quickly identify areas of risk and non-compliance through an analysis of concepts, phrases and false positives and negatives. A risk or compliance professional limited to keyword searching will likely miss relevant data and/or be mired in a sea of clearly non-responsive documents that contain a search term. As an example, a compliance officer conducting a review of trading activity will typically have the word "trade" as a keyword. However, the result is that every email discussing fantasy football involving a trade is returned as a positive hit. Clearly, the fantasy football emails are irrelevant to the trading review, but nonetheless become part of the data to be reviewed when only keywords are used.

Risk and compliance professionals do not have the luxury of time to manually sift through false positives that are irrelevant or to conduct a review of every document to find false negatives. Instead, the review conducted by risk and compliance professionals is akin to a hummingbird jumping from one issue to another. Thus, quick and accurate recognition of concepts, phrases and conversations patterns is a must.

At the end of the day, enterprises investing in enterprise search will find an increase in the likelihood of business case approval and investment return if the search tools not only meet information access objectives, but also risk, legal and compliance objectives. Caution is given, however, in that all search tools are not the same. Enterprises are encouraged to test how certain search technology handles their enterprise's data in a pilot project environment to fully examine the technology's capabilities.

Email Management

The second enterprise technology that has the potential to be repurposed for risk and compliance purposes is email management. Some enterprises have or are in the process of integrating email management tools to improve collaboration and efficiency. However, if the business case can also be made that email management tools address risk mitigation and compliance challenges, then approval is more likely.

As many of us know by now, email is typically where potential risks lie and where investigators head first. This, combined with the exponential growth in volume of enterprise email, presents quite a challenge. Effective email management tools that are used for collaboration can also be used to monitor email for risk assessment and compliance purposes.

For example, a company may have an independent compliance monitor appointed for an extended period of time as part of entering into a deferred prosecution agreement related to Foreign Corrupt Practices Act (FCPA) matters. One of the compliance monitor's primary duties will be to review and assess the company's internal controls and compliance program. Among those internal controls will be the effectiveness of the company's email monitoring program to detect corrupt payments to obtain or retain business. An email management system that not only automatically captures and categorizes email, but also permits conceptual searching across the email repository is a powerful tool to monitor and detect illegal activity. A company can enhance its monitoring program beyond typical keyword searches because, as we know, participants involved in illegal activities do not typically use terms like "bribe," "facilitating payment" and the like. Instead, risk and compliance professionals could use the conceptual search functionality in an email management system to detect what may have been once undetectable. In particular, using an advanced search tool that can learn about synonyms and semantically related words, i.e., "drop," "bag," "cash" and other words that are likely to occur in a common context, will increase the likelihood of early illegal activity detection.

Another advantage to using an email management system for risk assessment and compliance is the fact that the system not only provides a record of all the emails that have been filed, but it also provides a complete view of all correspondence for a business unit, office, and team.In addition, the email can not only be accessed through the email management system, but also through an enterprise document management system or collaboration portal such as Microsoft SharePoint. The result is a holistic solution to some of the compliance challenges presented by email.

True Test

In the end, the true test of any technology is its ability to endure within an enterprise by being flexible and scalable. Enterprises are encouraged to work with their technology providers to explore whether the enterprise search and email management offerings not only meet the initiative's prime objectives but also whether the same technology has applications into other areas. In addition to asking themselves whether a certain software will solve the problems of today, in this economic climate enterprises must ask themselves whether that software is sustainable and scalable enough to solve the problems of tomorrow.

Jason Robman is Director of Legal Solutions and Corporate Counsel at Recommind Inc., the leader in search-powered information risk management (IRM) software, which is headquartered in San Francisco, CA. Jason helps Recommind's enterprise customers effectively manage their regulatory and eDiscovery risk, while also handling corporate counsel duties for the company. A member of the California Bar, Jason is active in the Sedona Conference and is also a co-chair of the EDRM Project's Search Working Group.

Please email the author at jason.robman@recommind.com with questions about this article.