A Memo to CEOs: Is Your Compliance Function As Effective As It Should Be?
Compliance as an organized profession is relatively young, but it is maturing rapidly due to rising stakeholder expectations and unfolding market needs. Clearly, the fallout of the financial downturn, and the resulting enforcement actions, has accelerated efforts by organizations everywhere to strengthen the compliance function. As shareholders, customers, and other stakeholders respond with a flight to integrity, the potential for reputation loss resulting from compliance lapses has not been lost on boards of directors, CEOs and other top executives.
The results of In Focus: 2015 Compliance Trends Survey, now in its fifth year, clearly demonstrate that progress has been made as global organizations strengthen their compliance functions and improve their compliance risk management practices. The survey, a joint effort between Deloitte and Compliance Week, solicited responses from 364 compliance executives across more than a dozen industries. Findings for 2015 show definite improvements over previous years on a variety of measures, but also indicate that the compliance discipline has a way to go before it reaches its full potential.
Getting the Reporting Structure Right
Over the course of the last five years, there has been a significant increase in support for the corporate compliance function. Fifty-nine percent of survey respondents said they now have standalone Chief Compliance Officers (CCOs)—up from 50 percent in 2014 and 37 percent in 2013. A similar number (57 percent) say the CCO reports to either the CEO or the board, rising from 43 percent last year. Perhaps the most striking change is the number of organizations that are allowing the CCO a say in strategic decision-making. One half of top compliance executives sit on their company’s executive management committee, up from 37 percent last year. This is not surprising as more and more companies recognize the heightened risks of focusing on emerging markets, as well as those associated with strategic mergers and acquisitions.
The growing prominence of CCOs and the expanding compliance responsibilities they are charged with are significant and clearly reflect the attention compliance deserves. Yet, there is still a visible percentage of CCOs who do not report at the executive or board level. Absent the appropriate level of authority, including unfiltered access to the board, the CCO may be far less effective. If a CCO has little influence on strategic decision-making, it is worth asking why—is it because the organization doesn’t consider compliance an important component of strategy, or is it because the individual in the senior-most compliance position is not suitable for a strategic-level role? In short, where the CCO reports is a statement about how the organization values compliance. It is essential for boards and CEOs to provide appropriate authority to CCOs and other risk managers.
Although the survey indicates growing visibility for the compliance function, there are questions raised in the survey regarding the adequacy of resources. The events of the financial downturn had an immediate, devastating, and long-term effect on many companies’ revenue and expenses. Since then, austerity has reigned worldwide. At a time when risks are increasing, this is a dangerous recipe. The survey indicates that, with the exception of the financial services sector, most organizations continue to maintain relatively small compliance teams. As in previous years, roughly half of respondents say they have fewer than five employees devoted to compliance, and roughly 40 percent say their total budget is $1 million or less. Not surprisingly, organizations with $5 billion or more in annual revenue have larger budgets, with 34 percent reporting budgets of between $1 million and $10 million. It may be time for executive leadership to revisit compliance budgets in light of the growing complexity of the environment.
Facing up to Third-Party Risk
Asked what risks they find most worrisome, compliance executives give the same answer they did in 2014: risks associated with third-party relationships are the ones that keep them up at night. This concern is not unwarranted: more and more companies are tapping into global supply chains as they seek to drive revenue growth in emerging markets. Yet for most organizations, the approach to managing third-party risk is inconsistent. Forty-two percent of respondents indicated that they always audit third parties’ compliance with policies or regulations; 38 percent always conduct extensive background checks; and 32 percent stipulate training or certification.
Still, those activities are really the bare minimum. Given the enormous changes in the regulatory environment over the past several years, third-party risk has the potential to blindside companies if they fail to conduct the proper due diligence on vendors, suppliers, and other entities with which they maintain business relationships. Assessing third-party risk, and prioritizing those risks, may allow CCOs to allocate and target scarce resources towards monitoring agents and third parties. Nevertheless, additional resources may be required to audit and more effectively monitor those risks.
Investing in IT
Extraordinary developments in technology and emerging opportunities from “big data” provide new and innovative possibilities for CCOs. In an age of austerity, managing risk via technology seems to offer alluring new possibilities.
For compliance professionals, the ideal technology-based tool is one that uses predictive analytics to forecast future risks before they cascade into a full-blown catastrophe, or one that assists with regulatory change management. Few tools today can perform those functions without major customization. While new governance, risk, and compliance (GRC) tools and increased access to data may hold the promise of taking compliance to the next level, surveyed compliance executives say we aren’t there yet. In fact, most express rather low confidence in their IT systems’ ability to adequately support the compliance function. Only 32 percent of respondents were confident or very confident in their IT systems, down from 41 percent in 2014. What’s more, most say they primarily depend on desktop software or tools that have been developed in-house, regardless of the size of the company or the organization.
Compliance officers’ lack of confidence in IT systems may be reflective of an overall underinvestment in GRC technology. In addition, the heavy reliance on desktop tools may be due to the relatively small size of compliance departments, which forces staff to depend on other departments or business units to supply the data they need. In essence, compliance functions are still spending too much time collecting data, leaving them with little time to analyze and trend that data in ways that can add value to the business.
Yet implementing more robust technology solutions for compliance and ethics can yield improvements in business processes, reduce redundant and manually intensive controls, and improve decision-making. In other words, investing in automated GRC monitoring technology can help shift headcount from repetitive low-value activities to those that are significantly more value-adding.
The survey results certainly give us reason to believe that the compliance function is becoming more firmly embedded in today’s organizations. CCOs are gaining both more authority and a seat at the executive table, where they can influence both policy and strategic decision-making. But in order to develop truly robust and effective compliance and ethics programs, CCOs need to be given sufficient support from the CEO and the board. This includes appropriate staffing, budgets, investments in GRC technology and, especially, the authority to protect the enterprise. Committing resources to corporate compliance doesn’t mean an automatic bite out of a company’s bottom line. In fact, given the appropriate support, CCOs have the capacity to build trust and reputational capital, as well as brand and customer loyalty. Compliance, when properly performed, is an asset—a reflection of a strong corporate culture, which has always been what great brands and great companies are built upon.