But the best these tools can do is help compliance lawyers make more informed decisions. For instance, a tool to track gifts may tell you that an operating unit took an official from a state-owned company to dinner and spent an amount exceeding the limit set by the company policy. The tool will never tell you, however, whether the dinner was improper entertainment because it cannot reveal the intent of the employee in organizing the dinner or what was discussed there.
Another problem with technology, as Silver points out, is that computers are so literal-minded that they are unable to recognize patterns when subjected to even the slightest degree of manipulationeven changing a few letters can throw them off. Not so with humans, who can "rapidly parse through any distortions in the data in order to identify abstract qualities." Silver concludes in his chapter on baseball statistical analysis that even sporting organizations that are leaders in statistical analysis, such as the Oakland Athletics, rely heavily on scouts to analyze the human factor.
A technology tool cannot promote a culture of integrity, or show employees how good ethics makes the business stronger. That comes from people who believe in the organization and understand how to use risk data to promote the compliance program and its messaging.
The new FCPA guidance notes that taking a risk-based approach is particularly critical with respect to due diligence procedures for assessing third-party relationships. Using empirical data to evaluate third-party risk may be even more challenging depending upon the reliability of the data obtained from the third party to assess risk and, for initial due diligence purposes, the lack of historical data about the third party. Risk-based systems address this lack of historical data with more stringent due diligence based on the risk of the third party. A sales agent who works on commission in a country with historically high levels of corruption should receive more scrutiny than a visa agent who will be paid according to a publicly available fee schedule in a country with historically lower levels of corruption.
The longer a company operates in a particular environment with different third parties, the better it should get at evaluating the risks of entering into those relationships. The sample set will get larger and the risk analysis better.
The Justice Department and SEC guidance makes clear that companies have to assess risk and adopt a "risk-based" approach. Eventually, this may mean that companies spend less on compliance as their programs get more efficient at addressing risk. Risk models will change as compliance programs become more efficient and gather more empirical data. The success of a risk-based model, however, will ultimately depend not on technology tools, but on the compliance lawyer's ability to successfully analyze risk data and sort the signals from the noise. That lawyer must be adaptive, creative, and look beyond the data to see organizational and industry trends and risks. By helping us understand the limits of technology and how to use data, Nate Silver can make us all better compliance lawyers.
Ryan McConnell is a partner at Baker & McKenzie in Houston and a former federal prosecutor. He teaches international corporate compliance and criminal procedure at the University of Houston Law Center. Dianne Ralston is deputy general counsel at Schlumberger Ltd., where she focuses on mergers and acquisitions. Charlotte Simon is an associate at Baker & McKenzie in Houston and former law clerk to U.S. District Judge Keith Ellison in Houston. She also teaches international compliance at the University of Houston Law Center.