arthead -

Bayer's compliance automation pays off

Bayer global head of compliance and data privacy Thomas Pfennig discusses LPC Express, an automation project for law, patents and compliance across the massive enterprise.

Considering how laws vary among nations, it would seem impossible for a company with nearly 100,000 employees in 83 countries to automate compliance tasks. Common ones in the case of Bayer AG, a multinational life sciences company based in Leverkusen, Germany, include vetting partners for conflicts of interest, data privacy services, fair market value approvals required for interactions with healthcare professionals, gift approvals and charitable donations.

Bayer took on that task using the low-code ServiceNow App Engine as its governance automation platform. We discussed this ongoing project that started in 2019 -- and continues, as Bayer discovers more processes to automate -- with Thomas Pfennig, Bayer global head of compliance and data privacy. He oversees LPC Express, what Bayer calls its program to digitize its manual law, patents and compliance workflows.

Describe the biggest compliance use cases you're solving with this project.

Pfennig: Overall, we currently have 24 use cases on the platform, which we call 'standardizeable, transactional recurring services.'

For example, in pharma, if you engage with healthcare professionals such as key opinion leaders, you are subject to certain laws that dictate you pay a certain amount of money for the services that you receive -- but within clearly defined parameters. In the past, this was a manual activity at Bayer. People looked at lists, people defined categories, people assessed what actual services were rendered, and then applied a number. Now we have fair market value assessments on the platform, and it's 86% automated. So essentially, there are not many human interactions in this space anymore.

We also have automated conflict-of-interest checks. If we engage with external partners, are they passing muster in accordance with our compliance criteria?

There's a lot of stuff that we did in the past with dedicated personnel and, oftentimes, highly qualified lawyers who felt that the activities didn't always match their qualifications. So we have been moving these transactional activities onto the platform en masse.

So these are all internal processes.

Pfennig: Exactly. This is all built into the approval workflows on the platform. People type in their respective scenario, fill in their expected answers to our questions and receive an answer. It has helped us gain speed, predictability, data and make sure that we apply qualifications of our people according to the needs and demands that the services require.

How complicated is it to navigate the variance of law between 80-plus countries?

Pfennig: Compliance -- let's just take that as an example -- can sometimes be a bit exception-driven. It's not always black and white. I did the fair market value approvals when I was in the United States for half a year, and it drove me nuts. These repetitive activities did not add to my job satisfaction.

You have some flexibilities here and there when you digitize. Our use cases [so far], it's zero or one, go or no go. So you're really helping your clients to have a much more predictable outcome. You have a much more consistent service rendering, because you're essentially getting rid of these exceptions, and you're gaining speed.

Where are you in the rollout of the App Engine?

We started in 2019. Some people may severely underestimate the challenges and complexity of shifting a traditional function like compliance into a digital environment like our LPC Express. We are still in the final stages. It is a project where we are continuously learning.

We also achieved a different mindset in terms of user satisfaction. You run user acceptance tests before you release a new use case on your portal. The minimum viable app process requires us to do it, and this is an iterative process. It also is a continuous improvement mindset. We measured the service satisfaction levels of our clients, we measure the speed, how quickly we are offering services, and we know how many manual activities are still in the processes. So it gives us a whole range of new data, but also a mindset that is novel to our function -- and it was novel to me, I have to confess -- but it's fun, because you're really not operating in the dark. You're shedding a lot of light onto your activities.

When you talk about streamlining and harmonizing processes, it requires a lot of effort.
Thomas PfennigGlobal head of compliance and data privacy, Bayer

Compliance officers are understandably wary of technology to automate compliance, because it introduces potential for errors. How did you get them on board?

Pfennig: I talk to a lot of [industry peers], and I think generally, the sentiment is, 'Let's try it, maybe not at the scope of [Bayer], but there is potential.' When you talk about streamlining and harmonizing processes, it requires a lot of effort.

For example, we collect the thresholds for gift-giving. We have to blend all the different codes into fair market value approval. So you have country deviations built into the system, where the algorithm sees there's a request coming from a place and it applies the respective standard.

There is a lot of collaboration with our local country's colleagues to feed the system with the data to build your use case and your approval processes around it. But once you're done, you're done. And of course, when the code changes, you adjust accordingly. But the upfront investment, while certainly quite significant, is a one-time effort.

How much training do frontline workers need to use this?

Pfennig: The aspiration is for end users to log in to this Boolean search environment and hammer in a question. The algorithm finds out what category you are inquiring about. Maybe you're lucky and your question has already been answered.

This is the beauty of having released the system. Your keywords will be matched with what's already on the platform and you will be offered answers that were given in similar circumstances, which may be sufficient.

If there is more complexity, you have access to an agent, a trained data privacy expert for example, where you can communicate and be a bit more refined in your respective question. It's quick, it's fast. We do not need to offer training to use the platform.

Thomas Pfennig, Bayer
Thomas Pfennig, shown here with an augmented reality headset, has led Bayer's compliance automation efforts.

How do you maintain data access controls and privacy as employees dive into the data lake and all this content?

Pfennig: This platform is embedded into the Bayer enterprise IT infrastructure, so it is governed by those systems. We have single sign-on user technology, so we see who is on the platform. We see what requests are placed, how often, how repetitive, how detailed, et cetera, they may be. We also maintain our compliance investigation data on the platform, which is obviously proprietary, sensitive data. We have guardrails around the security of the data on the platform as well, so it stays within the company's control.

You looked at two other cloud vendors for this project. Talk about that buying decision process.

Pfennig: I can't reveal those names; we have NDAs. But I would say one is a well-known company. The other was more in its infancy -- very enthusiastic and passionate, but too immature at that point. So we wanted to have somebody with a proven track record when it comes to ticketing systems, and [we liked ServiceNow's] editability, configuration options and also the collaboration options. We have a fantastic opportunity in the back office; most agents who are running the system can learn from each other to work together, not repeat the same thing over and over, and to morph and mature jointly.

What advice would you have for your peers now who are also evaluating large compliance automation projects?

Pfennig: The first question you ask yourself is, 'Is it worth it?'

Then, 'Do I have the critical mass [to complete the project]?' because I want to be fair.

We have a well-structured, cross-functional project team. We have a dedicated budget. We have an infrastructure with 35 regions and hundreds of legal and compliance professionals, rendering thousands of services every day, where automation really makes sense. Since the inception of the LPC Express platform, we are approaching about 100,000 requests solved on the platform. These would be 100,000 person-to-person interactions in the past. So you have to have this critical mass, you have to have a budget.

You have to have an organization -- and this is a big hurdle -- where this type of entrepreneurship and change is actually supported. I would most likely run against a wall digitalizing compliance data privacy in a more traditional environment, because it is a huge change. You're not having this 'white glove, kind of travel agency' type of service. You're dealing with machine logic, you're dealing with technology, to a large degree. You cannot exercise the 25-year personal relationship with your compliance colleague to get the expected outcome. It is most likely, on the surface, uncomfortable.

If you overcome these hurdles and say, 'I still want to make my system more efficient, more effective, and save money,' I recommend you start small. I might take fair market value, I might pick one data privacy use case, I might take one gift approval or donation use case ... and then go slowly to the next one and see how the organization is adapting and adjusting to this.

We have gone at a high speed and a large scope. That is something that worked at Bayer, but it was an enterprise-wide structural change where everybody kind of contributed to this new chapter -- I didn't have to convince people. This is most likely a big uphill battle at other companies that are not as aspirational and dedicated as we were.

This Q&A was edited for clarity and brevity.

Don Fluckinger covers enterprise content management, CRM, marketing automation, e-commerce, customer service and enabling technologies for TechTarget Editorial.

Dig Deeper on Digital transformation

Cloud Computing
Mobile Computing
Data Center
and ESG