By Nari Ansari and Gal Peleg
Compliance seems to divide enterprises into three categories: those that primarily publicize it as proof of “good governance,” those that actually push the boundaries far enough to bring consequences, and everyone else with their heads down, trying to address whatever regulatory standards govern their industry and the seemingly ever-changing nature of those standards.
A fourth group is emerging, charting their own course. These enterprises are
turning compliance to their advantage by mining compliance data for digital
gold: insights that increase efficiency and competitive advantage. Like the
governance crowd, they have automated many compliance functions with emerging software
solutions. They are looking at the resulting data with fresh eyes and using it
to improve their businesses.
People think of compliance in terms of rules and regulations imposed by lawmakers
and other governing bodies, for good reason: there is a proliferation not just
of new regulations but of whole new regulatory frameworks such as Dodd-Frank
and GDPR. Even long-time frameworks such as SOX, HIPAA, and FCPA continue to
evolve. Yet at the same time, many enterprises are setting rules of their own
to address an increasingly complex environment that includes global supply
chains, cybercrime, trade wars, Brexit, and other evolving risks.
In the end, it doesn’t matter where the rules come from: compliance, and the
documentation that comes along with it, is essential for managing risks and
maintaining brand reputation. The roster of damaged brands from just the past
few years illustrates what can happen when risk and compliance management break down.
Until recently, enterprises managed compliance risks with home-grown, often siloed and
disparate initiatives that focused on people and processes. The components
included manual record-keeping, time-consuming audits, constant training,
ever-lengthier supplier questionnaires, C-level compliance positions, and
board-level reporting. The reams of information gathered and presented were
considered useful mainly for answering a simple question: Are we compliant or not?
Then a new
question arose: Can we at least automate and digitize risk and compliance data,
like we have done with so many other processes? The answer to that question is
clear: We can, thanks to a growing community of companies providing governance,
risk, and compliance (GRC) technology solutions that automate the process of
collecting, aggregating, analyzing, and presenting relevant data while reducing
their costs to the organization.
Just as homegrown compliance structures created the opportunity for
digitization, a critical mass of companies are now positioned for a new
opportunity that may eclipse the earlier one. Data that was once viewed merely as fuel for the compliance machine
can now be considered a strategic output in its own right, with value to the
business beyond compliance.
Whether it’s a bank mining Know Your Customer data to pitch targeted travel insurance
to its customers or a CPG manufacturer analyzing complaint data from the Consumer
Financial Protection Bureau to improve its manufacturing methods, we see an
opportunity for companies to extract incremental, “offensive” business insight
from large risk, compliance, and regulatory data sets.
This opportunity represents a convergence of what may seem to be unrelated factors. But
let’s remember that in a globalized, highly competitive economy there are few
trends that arise in isolation.
The first trend we note is a dramatic change in the people sitting in the chief
compliance officer (CCO) chair. Russell Reynolds examined
the career backgrounds of 72 CCOs in banking, insurance and asset
management and reported that “gone are the days of principally legal and
compliance executives nabbing the top job in the compliance function.” So who’s
getting the job instead? According to the report, it’s “broader-focused appointees
from consulting, risk and audit. This new breed of appointees would be
well-positioned to contextualize compliance (and the associated cultural
change) in the wider picture of the organization.” In other words, compliance executive leadership is not just for
lawyers and specialists – it’s for multidisciplinary executives who are as
fluent with brand value and enterprise risk as they are with the P&L and
The second trend we note is increased use of AI/ML.
The transportation sector is a leading example, in part because it is heavily
regulated. Shipping companies, notably UPS, now place dozens of monitors on
their vehicles for compliance with internal and regulatory rules – and then
apply AI to the monitor data to optimize delivery routes and driver behaviors
in ways that squeeze out fuel costs and improve customer satisfaction. Fleet
operators are further served by solutions from the likes of KeepTruckin,
Samsara, and Geotab, which help improve driver safety and increase the
precision of preventive maintenance.
The third trend is the evolving
consumer privacy landscape. Ironically, more robust data protection and
security regulations such as GDPR can actually serve to enhance business value
by increasing the trust between companies and their customers. In its January
2018 report, “How
GDPR is an Opportunity to Create Business Value”,
Gartner notes that “handled effectively, there is great potential to obtain
consent to increase data access, use, and sharing rights — aligned with goals
of a wider organizational data and analytics strategy. This can help drive
competitive advantage, while also helping to achieve compliance in other
countries and regions.”
Examples of Leveraging Risk & Compliance Data to Drive Business Value
Here are examples of companies that are helping advance the use of risk and compliance
data for improving everything from customer experiences to supply chain
performance to more effective emergency response:
- Customers use Avetta to certify the compliance quality of their suppliers (green
flag, yellow flag, red flag) and then mine the data to identify which suppliers
are best trained and best equipped for certain on-site jobs.
- Higher education institutions have long collected
data to achieve and maintain external accreditation. Watermark Insights helps universities and colleges not only
collect, digitize, and report on that data to demonstrate effectiveness, but
also use it to inform curricular changes and improve student outcomes.
- AxiomSL’s financial services clients utilize its data integrity and control platform and
its risk calculation and reporting solutions to satisfy regulatory requirements
across the globe systematically. With
trusted data, banks are now also able
to identify opportunities to fine-tune capital/credit risk and deliver
compelling business insights across the enterprise.
- Trade Management solutions from the likes of Descartes and Amber Road (now a part of E2OPEN) have long been used to satisfy mandatory export
compliance obligations (e.g. restricted party screenings) and to remain abreast
of regional duty programs and tariffs. But by marrying these regulatory
datasets with companies’ more “traditional” supply chain data (such as bill of
materials and transportation fees), clients are now able to more accurately forecast
true landed costs (the total price of
the shipment including customs, duties, taxes, tariffs, etc.), all the while
minimizing risks and delays.
- Rave Mobile Safety enables schools to automate collection of and access to critical facility
information (e.g., floor plans, alarm information), which they need to remain
compliant with fire department ordinances – and it also provides 911 dispatchers
and first responders with better real-time capabilities when emergencies arise.
- Governance and eDiscovery vendor Nuix is well known for its deep
technical capabilities in high speed processing and analytics around vast data
sets, typically in the context of litigation and investigations. But enterprise clients are also able to
leverage the platform to create “data lakes”, making data more accessible for
re-use in future investigations, litigations and data management programs,
helping reduce costs.
- Biopharma companies rely on software
from ETQ for much more than compliance with FDA requirements; they also
leverage the data to mitigate and prevent high-risk events, scale operations
more effectively, and streamline their go-to-market activities.
There are many other examples of organizations across
industries utilizing technology from GRC vendors to not only achieve their risk
and compliance objectives, but also advance their strategic objectives. The trend is still very much in its early
days, but it provides an exciting avenue for continued growth in the
sector. As an experienced technology-focused
growth equity firm, TCV is committed to investing in the category
innovators in the GRC space and has invested in such companies as Avalara,
AxiomSL, Avetta, LegalZoom, Rave Mobile Safety, RiskMetrics Group, and
The statements, views, and
opinions expressed are those of the speakers and do not necessarily reflect
those of TCMI, Inc. or its affiliates (“TCV”). TCV has not verified the accuracy
of any statements by the speakers and disclaims any responsibility therefor.
This interview is not an offer to sell or the solicitation of an offer to
purchase an interest in any private fund managed or sponsored by TCV or any of
the securities of any company discussed. The TCV portfolio companies
identified, if any, are not necessarily representative of all TCV investments
and no assumption should be made that the investments identified were or will
be profitable. For a complete list of TCV investments, please visit www.tcv.com/all-companies. For additional important disclaimers, please see “Informational