Big data, smaller riskBy Dmitri Hubbard
Anti-bribery crackdowns, the rise of patent litigation, greater transparency into Asian banking practices, more stringent privacy regulations, and the proliferation of new data sources – organisations doing business in Hong Kong are increasingly taking steps to proactively detecting and managing their risk using data analytics approaches.
Background: Shortcomings of traditional risk management approaches and emerging focus on unstructured electronically stored information
While in the past, traditional approaches to enterprise risk management (ERM) were effective in improving aspects of compliance, most have concluded that software tools are no longer sufficient in uncovering all of the latent threats in an organisation's data.
This is because these internal tools were developed to examine structured transactional data, not unstructured data found within increasingly common forms of communication, such as e-mail, "bring your own device" (BYOD) mobile tools, chat, and social media. These communication platforms permit employees to share information whether advertently or inadvertently, including falsehoods, disparagements, and trade secrets that are undetected by traditional ERM approaches.
There have been recent calls for corporations and their law firms to incorporate unstructured data sources generated by new technologies into their litigation and compliance strategies. For example, Practice Direction for the Commercial List, which became effective 1 September 2014, requires the mandatory application of eDiscovery to cases involving at least 10,000 documents.
The Practice Direction specifically notes that the expectation is that documents will be in the form of electronically stored information, including e-mails, instant messaging, and voice logs. This was preceded by the first, and virtually only, discovery case in Hong Kong, re ChinaCast Education Corp., which acknowledged the practice direction which came into effect just two weeks later.
Why legal departments are increasingly involved in managing risk
Legal departments generally define their fundamental purpose shielding the organisation from risk. Typically, legal departments got involved only after problems arose. As corporate risks evolve from new technology, increased regulatory activity, and globalisation, counsel are working cross-functionally to ensure that the organisation takes a holistic approach to risk.
Instead of relying on stopgaps, such as training and policies for using new technology, they are mining their data assets to identify emerging risks, such as threats to data privacy and network security. Legal departments are also taking additional steps to educate employees on the rising complexity of regulations, particularly as businesses expand internationally.
Legal departments are in the best position to identify compliance risks – whether they stem from legislation such as Asian patent and licensing laws, the Foreign Corrupt Practices Act, or Asian data protection laws – and are evaluating the intersection of these laws and resolve any conflicts to ensure that business operations do not exacerbate legal exposure.
The role of big data analytics in detecting risk
Analytical tools, used under the guidance of legal counsel, are used to detect and pinpoint emerging risks to data privacy, network security, and other company assets resident in unstructured data. These tools can draw deep linkage between unconnected events, trends within email or chat conversations, and co-incidences of time and subject across a wide variety of data sources. They can also be customised to mine data as regulations change or new ones take effect.
Below are some examples of advanced analytical tools legal teams are starting to adopt to mine their data for issues, whether on a reactive or proactive basis. Legal teams often use one or many of these approaches with eDiscovery technology, which processes, de-duplicates, and isolates high-risk data that will not be allowed to be transferred once Section 33 of Hong Kong's Personal Data Ordinance governing cross-border data transfers becomes effective.
• Technology-assisted review – Incorporating automated review into document review workflow allows for the rapid identification and promotion of documents likely to be responsive so they can be flagged earlier.
• Relationship analysis – This technology allows users to create visual patterns among e-mail and social media correspondence to quickly identify the who, what, and when of complex communications.
• Concept analysis – This tool allows users to search and visually cluster documents by concepts for one or more sources based on multiple criteria, and prioritise data for review early on.
Continuous monitoring technology also is used by legal departments to mine data for indicia of fraud, for example, in monitoring by telecommunications equipment (including mobile devices), company e-mail services, Internet browsing, video recording, and the like. (The PCPD's "Privacy Guidelines: Monitoring and Personal Data Privacy at Work," aids employers in understanding steps they can take to assess the appropriateness of employee monitoring.)
As counsel increasingly realise its potential for mining the organisation's data resources using advanced analytics, they are, in turn, transforming their roles and spearheading an innovative, proactive approach to unearthing a corporation's risks.