Today's corporate environment is lucrative and fast-paced but swamped with ever-evolving regulations and compliance guidelines. Every industry has a spider web of regulatory standards that must be followed – no matter the size of the corporation or its location. Refusal to follow directions routinely results in fines, litigation and negative headlines.
Regulatory compliance refers to all of the efforts a company takes to adhere to the relevant laws, regulations, guidelines and specifications that govern their specific industry. Corporations are responsible for their actions, and neither negligence nor ignorance can be an excuse for regulatory mishaps. That's why many corporations today seek to proactively monitor for problem areas so they can better manage their overall risk.
There seems to be no end to the bewildering assortment of regulations and guidelines that a corporation is subjected to. There may be a multitude of state and local regulations facing a company in addition to the never-ending list of federal regulations, including the Sabarnes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLBA), the Foreign Corrupt Practices Act (FCPA), the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Information Security Management Act (FISMA).
In addition, there are many governmental bodies that a company may need to address, including the Securities and Exchange Commission (SEC), the Consumer Product Safety Commission (CPSC), the Federal Trade Commission (FTC), the Environmental Protection Agency (EPA), and the Department of Health and Human Services (DHHS).
Lastly, a company also has to juggle the internal concerns that often overlap into regulatory duties. For example, internal investigations that focus on discriminatory issues or corporate officers could quickly spiral into public catastrophes. The key is to utilize a trustworthy method of alerts so that any questionable activity at a corporation is addressed before it becomes too late.
If you're proactively looking for signs of fraud, negligence, or questionable activity then you must be prepared to swim in an ocean of digital data. Most corporations today hoard vast troves of e-mail and digital documents along with colossal database structures. All of that information must be sifted through when searching for the risky needle in a corporation's digital haystack.
We live in an age of big data, which is a fancy way of stating that it's hopeless and impossible for anyone to search through so much information in a manual fashion. Big data requires some kind of sophisticated tool to accurately and effectively uncover the potential risks that lurk in the corporation's bits and bytes.
As reflected in today's high-profile litigation matters, e-mail continues to be the primary source of digital "evidence" that is collected, reviewed and produced. It's no different when we look at today's regulatory compliance landscape.
For whatever reason, individuals regard e-mails as a less formal means of communication and therefore discuss matters in e-mail messages that they would never consider saying in person or over the phone. E-mail, therefore, is one of the first places a corporation should look for indications of internal misconduct and external threats to corporate strength.
The good news is that it's easy to search e-mail. We search e-mail every day by using simple keywords and phrases to find information we need to accomplish our job. This approach is manageable when there are only a few hundred messages, but keyword searching quickly becomes cumbersome and inefficient when we need to search the entire inboxes of several hundred employees.
Even more critical, using keywords to search e-mail messages may miss some of the most critical and revealing information needed for risk management. Individuals will attempt to conceal suspicious conversations by using code words and obscure references. If you don't know the right code words, then you won't find the important information.
If a manual approach to regulatory compliance is inadequate then it makes sense that an automated, proactive solution is the answer.
Technology can be used proactively to search e-mail and alert the corporation to any "triggers" it finds that may indicate risky, questionable or suspicious messages. The goal of a proactive compliance tool is to identify questionable digital communications before they become a serious and potentially expensive problem for the company.
Such tools can do well to borrow from technology-assisted review approaches that are already being utilized in electronic discovery to search through big data collections.
In litigation, manual document reviews are performed by individuals who must look through each e-mail message to determine whether it is relevant and responsive to the litigation matter. These individuals may also need to decide whether the message is privileged or confidential, among other concerns.
By using technology-assisted review tools (such as clustering or predictive coding), the vast majority of this manual work can be avoided. In typical predictive coding exercises, a "subject matter expert" identifies a set of highly relevant e-mail messages and documents (i.e., the "hot" documents), which are fed into a technology-assisted review tool. The tool analyzes the files and then seeks out similar documents from the much larger corpus of digital data. The subject matter expert can then review the presumably relevant documents found by the tool and make adjustments so that subsequent results are even more accurate.
Lastly, the documents found by the tool can be "predictively" coded as being responsive to a litigation matter before being produced to the opposing party. Technology-assisted review tools have become a boon for large document review projects because they are more efficient and much more accurate than manually reviewing each document.
The same approach used for predictively coding documents in litigation matters can be applied to proactive regulatory compliance in corporations.
Subject matter experts (such as general counsel) can identify highly relevant e-mail messages that they have encountered containing risky language or discussion of suspicious topics. These e-mail messages can be fed into a tool that can seek out similar messages from across the corporate infrastructure. These tools look for keywords, but they also analyze conversation patterns and discussion topics.
These tools even employ "behavior informatics," which is a fusion of information sciences (such as statistics, mathematics, data mining and pattern recognition) and behavioral sciences (such as psychology, criminology and sociology). This unique fusion provides insight into current human thought processes and can even predict future behavior based on past patterns of human interactions.
These same tools can deconstruct a sentence into the relevant grammatical pieces and visually represent how individuals are discussing certain words and concepts in context. The visual diagrams can be shown on a timeline so that the subject matter experts can easily identify the most relevant messages and identify patterns in how individuals are communicating with each other.
Once a suspicious message is found, it can be proactively flagged for content and delivered to the appropriate corporate executive for further review. If the message turns out to be irrelevant or immaterial, the tool can be tweaked accordingly for more accurate searches. Most importantly, if the message does contain suspicious content, the situation can be addressed immediately before the risk looms any larger.
This approach to compliance monitoring works well for managing risks on the regulatory front, but can also be used for a variety of other scenarios in the corporate environment. For example, corporate mergers and acquisitions (M&A) require companies to sift through a tremendous amount of digital information when performing their due diligence. "Behavior informatics" can reveal patterns in such areas as research and development, or intellectual property, that are typically hidden inside big data.
A few vendors can offer the level of technical sophistication required to successfully analyze big data for proactive compliance aspects. UBIC has developed a suite of solutions to address the compliance needs of corporations that wish to proactively monitor their digital data for effective risk management.
Big data will continue to grow bigger and regulations will continue to grow more perplexing – so now is the time for corporations to proactively manage their risk profile in order to avoid the negative implications of regulatory violations.
Sasha L. Hefler is senior director of strategic communications for UBIC Inc. She is responsible for brand awareness and executing a strategic vision in the United States by guiding UBIC North America in e-discovery and the artificial intelligence business. Hefler has been working in the e-discovery industry for more than eight years and enjoys various segments of building companies globally within the legal vertical. Brett Burney is principal of Burney Consultants LLC and focuses the bulk of his time on bridging the chasm between the legal and technology frontiers of electronic discovery. Prior to establishing Burney Consultants LLC, he spent more than five years at the law firm of Thompson Hine LLP where he worked with litigation teams in building document databases, counseling on electronic discovery issues, and supporting them at trial.