First, the good news: Chief compliance officers are increasingly reporting directly to the CEO or the board, wearing fewer hats, and leading the effort to establish standards for ethical business conduct.
Now the bad news: They generally still don't have the staff or budget they need to get the job done, they don't give enough priority to money laundering, privacy, and emerging technology issues, and many still don't measure the effectiveness of the compliance program.
Those are among the major findings of the 2013 Compliance Trends Survey, a new study Compliance Week conducted along with Deloitte of 189 compliance officers at mostly large, global companies. The central questions we asked were: Do compliance executives have the appropriate authority and resources to do their jobs? Are compliance executives addressing the right risks? And do compliance executives use the right metrics to measure progress? As much as we would like to report that the answers are yes, yes, and yes, the results are decidedly mixed.
On the first question, the results were promising. More than half of respondents (51 percent) say they now report directly to the CEO or the board, as the U.S. Sentencing Guidelines advise. Nearly gone are the days when many compliance officers called the general counsel their boss; just 20 percent now say they report directly to the general counsel.
Compliance officers are also less distracted by having to perform other tasks at the company. At only 13 percent of companies, the CCO is also the general counsel, and the same percent also run the audit shop. A full 37 percent of respondents say the CCO is a stand-alone position at the company. Still, too many companies have no designated chief compliance officer running the show.
The survey also indicates that the compliance department is understaffed at many organizations and that it's not well-funded. Indeed, 52 percent of respondents say their full-time staff consists of 5 or fewer individuals, and 47 percent say they get by on an annual budget—including salaries—of less than $1 million.
“Both of those numbers are troubling to me,” says Tom Rollauer, executive director at the Deloitte Center for Regulatory Strategies. “The 47 percent with a budget of less than $1 million tells me that those compliance programs may not be very robust.”
On the risk front, compliance executives are focused on establishing standards for ethical business conduct, whistleblower protections, monitoring the complaints and incidents hotline, and training. The survey results indicate that compliance is doing a better job of following through on these risks. They are not just putting policies in place and providing a hotline number that, in the past, employees have been afraid to use at some companies. They are providing training and conducting lots of monitoring and evaluation on prevention programs.
The top operational issues are monitoring employee compliance with policies (55 percent), monitoring existing third parties (47 percent), and workforce training (44 percent).
Emerging technology continues to be a weak spot, including social media and privacy. “I think many companies are probably more exposed in privacy than they appreciate,” says Nicole Stanford, Deloitte & Touche's national practice leader for governance and enterprise compliance. Fewer than half (49 percent) of compliance officers said they didn't have responsibility for privacy issues. Another blind spot: 52 percent of respondents said they had no policy on “bring your own device,” although half of those said their companies provided tech support for employees to use their own mobile devices.
Compliance officers reported progress on measuring the effectiveness of their programs, although too many still don't collect good metrics on them. Nearly a third (31 percent) say they don't measure the effectiveness of their programs at all, down from 38 percent who said they didn't when we asked in 2011.
The top metrics for measuring compliance program effectiveness are: analysis of internal audit findings (74 percent), completion of annual compliance training (68 percent), and volume of calls to a hotline (65 percent).
Perhaps one of the brightest findings of the survey is that companies are doing much more to get a handle on the risks created by third parties. In fact, 43 of respondents say they are increasing oversight of third parties, including making some changes to who those business partners are.
These are just some of the top-level findings of the survey; for a more in-depth analysis on the latest trends in compliance, including some differences between large and small companies, be sure to read the full survey.