Most compliance programs in the retail industry have considerable room to grow on the maturity spectrum, according to a first-of-its-kind retail ethics and compliance benchmark report.

Deloitte and the Retail Industry Leaders Association (RILA) conducted the “Retail Ethics and Compliance Survey” with the aim of understanding how today’s retail companies are managing uncertainty and compliance risk through their ethics and compliance programs. 

To shed some light on the retail industry specifically, the survey polled RILA members—compliance and legal executives from several leading retail companies—on how their compliance programs are designed, implemented, managed, and governed. It also polled RILA members on how they are leveraging people, processes, and advanced technologies to address compliance risk in a modernized way.

The retail industry in every aspect is undergoing a period of significant transformation—from how retailers engage with consumers to how products are delivered and stored to supply chains becoming more globalized, says Kathleen McGuigan, senior vice president and deputy general counsel at RILA. “All of that change creates opportunities, but also additional compliance risk,” she says.

Moreover, what makes the retail industry unique is that it’s not only multi-regulated—subject to a patchwork of international, federal, state, and/or local laws and regulations—but it’s also subject to a wide variety of compliance risks. These include corruption, environmental health and safety, product and food safety, and others that apply to more specialized retail operations, such as consumer finance and retail health and wellness.

All these factors combined—extreme disruption, evolution, and increasing compliance risk—make an integrated approach to compliance imperative in the context of complying with legal and regulatory requirements, the report states. Yet most survey respondents indicated that their program is still at a “foundational” level of maturity. That means their programs meet core requirements and expectations; that their basic operating model identifies roles and responsibilities; and that they have in place methodologies to assess, prioritize, and mitigate compliance risks.

“That’s not a particularly strong posture,” Lane says. This shows that retail companies need to continue to look at their compliance programs and seek out methods to improve and mature their programs, he says.

Just a few retail companies indicated that their programs are at a “modernized” state, meaning their programs operate in synergy with business units; make use of advanced analytics; and articulate their value through a measurable return on investment. Just one retail company identified itself as being at a “value-creating” state, which the survey defined as having an “advanced level of sophistication with optimized oversight and execution processes and close alignment with overall business strategy, with program value articulated through measurable return on investment.”

Staff size is another factor related to compliance program maturity. Most survey respondents said they have fewer than 10 people dedicated to the corporate compliance program. By company size (defined by annual revenue), a handful of respondents in companies with more than $50 billion in annual revenue indicated that their company has between 100 and 500 employees working full-time on the design, implementation, and/or maintenance of their compliance program. At the other end of the spectrum, 13 total companies with less than $50 billion in annual revenue have fewer than five people doing similar work.

Leadership and structure

According to the survey, few respondents report that their company has a stand-alone chief compliance officer, responsible only for ethics and compliance. In most of these companies, compliance is added to the existing responsibilities of another senior executive. Several respondents said compliance reports to the company’s legal department or general counsel’s office.

As one director of compliance at an unnamed Fortune 500 retailer commented in the survey: “I am very happy that we have compliance within legal. Our key objective is to be partners with the business and bring value to them. We do not throw our weight around in the legal department, but it helps to be able to use our weight for the business when it helps them. It could make sense for compliance to sit elsewhere for other organizations. But when you have the variety of issues we’ve scoped in for compliance, legal is the correct fit at our organization.”

Nearly half of respondents said that their company’s compliance program is viewed as a business partner. “Recognizing compliance and giving compliance a seat at the table in the organization and in decision-making processes is becoming increasingly important,” Martha Sarra, chief ethics and compliance officer at Kroger, commented in the survey. “Having compliance involved up front can help to save time and money later, helping to demonstrate tangible value to the organization.”


McGuigan of RILA says one way that compliance can engage with business-unit partners and elevate the structure and influence of the compliance program is through a compliance committee made up of business-unit heads, including the chief compliance officer. Compliance and legal can also work closely with internal audit, “which often acts as a functional investigator on their behalf,” she says.

As another option, RILA has in place for its members a Compliance Council, composed of compliance and legal executives who have primary responsibility for oversight of their company’s compliance program. Headed by a leadership team made up of RILA members, the Compliance Council provides an opportunity for members to benchmark at an executive level on strategic issues related to the implementation, management, and oversight of retail corporate compliance programs.

As just one example, McGuigan says, “Over the last several meetings, we’ve had a variety of members provide case studies on how they’re using technology creatively to either streamline their operations, to strengthen their programs, to integrate with the business, but also how they’re using technology to train employees and get employee engagement.”

Program measurement 

Most respondents said their companies make some attempt to measure compliance program effectiveness and tend to use traditional metrics to achieve this—such as analyzing the results of internal audit findings, self-assessments, or compliance-training completion rates. Advanced compliance metrics, however, include analyzing the results of compliance risk assessments (risk rating and control effectiveness); testing and monitoring activities (by compliance, rather than internal audit); or consideration of the degree to which compliance activities are integrated into business workflows, according to the report.

Few retail companies, however, said they include compliance-related metrics in senior management’s performance evaluation. But as more attention turns to culture, and as more senior executives make the news for behavioral-type concerns, “that number is going to go up,” Lane says. “We’re going to see management being held accountable at a measurement level around ethics and compliance.”

Respondents also highlighted various methods they use to identify and manage compliance risks associated with third parties. This includes auditing their compliance with regulations and agreements; requiring training and certifications; requiring contract language revisions; requiring a copy of the third party’s code of conduct; and requiring a background check.

Some retail companies are even starting to adopt more innovative predictive analytical tools and robotic process automation or other advanced technology tools for select compliance program components, such as for case/incident management; compliance monitoring, testing, and reporting; employee surveys; tracking legislation and regulations; and third-party risk management.

“It’s an exciting time to be a chief compliance officer in a retail organization,” Sarra of Kroger said. “If you want to be proactive and not reactive, watch the healthcare and financial services industries, learn from them, and implement programs that are form-fit for retail.”