Are you normal?
After all, that's what most compliance officers want to know. Are you training employees as much as your peers? Are you striking the same balance between good behavior and aggressive pursuit of profit as your competitors? Do you have the same bosses, staffers and salary as your law school buddy who now does compliance at that other company across town? Can you give as many boxes of paper to regulators as the next company they're investigating?
We at Compliance Week know you wonder about these things, because you call us up asking for benchmarking data on the subjects all the time. And PwC knows you wonder about these things too, since the world's largest audit firm tends to get to know its clients' needs. So six months ago we decided to do something about it.
We launched the Compliance Week-PwC State of Compliance report.
The report is an ambitious joint effort to get a truly comprehensive sense of how compliance departments work in modern Corporate America. We polled scores of compliance officers at all manner of businesses (large and small, public and private, across many industries) to find out how they go about the job of corporate compliance. We don't presume here to christen the information “best practice”—but it does illuminate the realm of current practice, which is often just as useful to know. The answers here capture comprehensive data about how companies run their compliance functions, so you can benchmark your operations against emerging norms.
The State of Compliance survey asked the most senior compliance executives at more than 100 companies four basic questions: What is your role and authority in the organization? How does the company structure its compliance effort, from you down throughout the enterprise? What risks do you worry about? How many, and what types of, resources does the company provide to let the compliance program do its job?
In full, the survey posed 28 specific questions under those four broad categories outlined above. The summary report I've provided here captures only the most compelling findings of the study; those who seek the full data analysis are invited to visit the State of Compliance report's companion Website, www.pwc.com/us/compliancebenchmark2011. There, you can take the full survey and receive a full analysis of your data and related benchmarks at no charge. I encourage you to do so.
Meanwhile, me dwell on some of the most interesting findings here and now.
Without question, a critical element to the compliance department's success is the perceived stature of the chief compliance officer, and his or her influence among other top leadership. Corporate integrity agreements with government regulators routinely include language that the CCO cannot be, nor report to, the general counsel; the top compliance executive should report directly to the board. Still, a solid plurality of survey respondents (43 percent) said they do report to the general counsel; another 32 percent said they report to the CEO. Only 8 percent said they report directly to the audit committee of the board.
More troubling was one ugly statistic from our question, “Do you measure the effectiveness of your compliance program?” Thirty-eight percent of respondents said they do not. Without a clear measure of the compliance department's effectiveness, much else is in jeopardy. For example, the Justice Department and other regulators routinely stress the need for an “effective” compliance program if a company under investigation hopes to receive cooperation credit or other leniency. Good luck getting that credit if you're explaining to prosecutors that you make up your definition of “effective” on the fly.
Likewise, without some way to demonstrate the effectiveness of the compliance function, proving the return on investment in compliance—that is, winning budget resources from the board and CEO—can make that already elusive task even more difficult. (Tellingly, 68 percent of respondents don't attempt to demonstrate the ROI for compliance, either.)
What's more, the metrics that companies do use to gauge effectiveness—hotlines, training data, compliance audits, and employee disclosures were most popular—don't necessarily indicate whether the compliance department is effective, as much as they indicate whether it is busy.
To my thinking, a better picture emerges when you combine those metrics with how frequently you do the measuring. For example, 92 percent of companies cite calls to the employee hotline as a metric of compliance, and 71 percent track such incidents “constantly.” Taken together, those numbers essentially say: “When someone reports an incident to us, we always know how that incident is being treated and when it will be resolved.” That's the sort of statement about compliance departments that regulators and other outside parties want to hear.
Also illuminating was the data about what other corporate departments the compliance function approaches to “borrow” staff—which suggests the types of personnel expertise compliance departments need, but don't have.
A whopping 84 percent said they “always” or “frequently” use resources from the legal department. Presumably this is to protect the company when it may want to exercise attorney-client privilege, but it also harkens back to our point about how many compliance functions report into the legal department; with compliance so dependent on the legal department for help, it's little surprise that the general counsel sits at the top of the organizational chart. And if the mentality of the legal department—whose job foremost is to protect the company from liability—permeates the compliance department, that itself can jeopardize the ideal of a compliance department unafraid to root out misconduct wherever it may be.
As I mentioned before, the survey you can download here is only a basic overview of what the full State of Compliance report provides. Read this summary, certainly, but also visit www.pwc.com/us/compliancebenchmark2011 to take the full survey yourself and get your own data benchmarked against the industry norms we've captured here.
Then, at long last, we can all get a better sense of what “normal” compliance departments actually look like.