“Sexy” isn’t a word that many people would use to describe the job of a chief compliance officer, yet the role is quickly becoming one of the hottest positions within companies today.
As the regulatory and legal environment becomes more complex, compliance officers have more influence than ever before to affect corporate strategy and direction. “Who is the C-suite star of the future? We think it’s the CCO,” says Sally Bernstein, a principal with PwC.
Sounds great, right? One problem: A significant divide still exists between the business and the compliance function. “We often hear business folks say, ‘Compliance folks just don’t understand the business,’ and we hear compliance folks say, ‘I wish I could be more involved in the business,’ ” says Andrea Falcione, managing director in the performance GRC practice at PwC.
Two recent surveys published by PwC underline how pronounced that divide is. According to PwC’s 2015 Global CEO Survey, 78 percent of 1,322 chief executive officers named overregulation as the top threat to growing the business. At the same time, only 35 percent of 1,102 respondents in PwC’s 2015 State of Compliance survey reported that CCOs are involved in helping develop or implement corporate strategy.
Given the level of concern senior executives have about the effect the regulatory environment is having on their business, “this is a surprising disconnect,” the PwC compliance survey stated. “CEOs should be turning to their CCOs for help in guiding that strategy.”
For compliance executives who do participate in developing company strategy, 18 percent of respondents said they assist in the implementation of business strategy once decisions are made, while 15 percent said they address issues that arise after business strategy is implemented. Seventeen percent said they’re not at all involved in developing or implementing business strategy.
Compliance officers could also use some guidance in that area. It’s not that compliance officers don’t want to play a strategic role in the business, Bernstein says, “but they don’t have time, and they’re not really sure how to do it.”
So how, then, can compliance officers move beyond their traditional responsibilities of administering a program that complies with legal and regulatory requirements, toward a more strategic role in the business? “How do you contribute to helping the organization understand how they can manage these issues and still achieve its business objectives?” Bernstein asks.
To help compliance officers answer that question, the PwC report recommends that CCOs increase their strategic value to their organizations in the following ways:
Express interest in participating in strategy decisions, and articulate to the CEO the strategic value that compliance can deliver.
Review the strategy plan and develop ideas for handling new or unusual compliance risks or for leveraging them to gain competitive advantage.
Forge close relationships with key business leaders throughout the company, and offer insights to help the business identify and mitigate risks related to compliance issues.
Define or redefine the scope of compliance across the organization, and build partnerships with compliance owners within the business to ensure that all issues are being managed effectively.
Implement efficiency initiatives to improve the effectiveness of the compliance function and reduce compliance-related costs.
STATE OF COMPLIANCE
The following is an excerpt from the 2015 State of Compliance Survey conducted by PwC.
Be aware of what “compliance” entails across the organization, as well as understand the scope of responsibilities.
The scope of the compliance function can vary significantly from one organization to the next, based on such factors as company size, sector, and culture, but there should be consensus on the definition of scope. Compliance officers and all others in the organization who oversee compliance obligations must not only understand the scope of their own responsibilities but also come to agreement on what compliance entails across the organization—from compliance with legal and regulatory requirements to meeting internal operational and other strategic obligations. Just as chief financial officers know where every dollar is spent but don’t themselves spend every dollar, CCOs should know how their organizations manage all compliance obligations and issues throughout the company, even though they don’t own all of the compliance responsibilities or mitigation activity.
Coming to an understanding of compliance obligations, where those obligations sit in the organization, and how they get tracked and reported is an important step in maturing the compliance program and enabling the compliance function to add more value to the organization. By understanding who manages which compliance obligations within the business, compliance officers can identify opportunities to add value enterprise-wide.
In some sectors (e.g. financial services), CCOs may have a deep understanding of business operations; but in other sectors, CCOs may depend on so-called specialists in the business who have responsibilities to determine that the company is in compliance. CCOs should expect clear explanations from the business about how compliance is being managed and should not accept cursory assurances (e.g. “John is handling it”).
“We don’t expect the compliance officer to set strategy,” Bernstein says. Rather, it’s important for the compliance department to be a partner to the business leaders to help them achieve that strategy “versus historically being the Department of No,” she says.
Compliance officers can also play a more strategic role by expanding their focus to include both current and emerging risks. The rising occurrence and cost of data breaches, for example, have increasingly driven many companies to rethink their approaches to managing cyber-security, which traditionally has been managed in a siloed fashion.
In fact, the plurality of respondents to this year’s State of Compliance survey (47 percent) cited data security as their number one risk. This finding aligned with PwC’s Global CEO Survey, where 61 percent of CEO respondents globally said they are “concerned about cyber-threats,” including lack of data security.
These findings are a shift from the last two years of State of Compliance survey results, when compliance executives cited industry-specific regulations (31 percent), privacy and confidentiality (25 percent), and bribery and corruption (22 percent) as their top three risks.
The report also found room for improvement in the way that risk assessments are managed. “What we’re seeing in this area is a tremendous amount of overlap in terms of the types of assessments that are happening,” Falcione says. For example, companies conduct an average of at least six separate compliance-related risk assessments: privacy assessments, ethics assessments, regulatory compliance assessments, and probably many more, she says.
Conducting too many assessments creates “risk assessment fatigue on the part of the business, because they’re trying to get business done and drive revenue,” Falcione says. Through better collaboration and better coordination of risk assessment activities, “the same people aren’t being asked similar questions, or being asked to do similar things from a risk assessment perspective multiple times within a year,” she says.
Overlaps or gaps in the ways that companies perform testing and monitoring are another area where companies can help the business improve process efficiency and reduce costs. For example, many dashboards today consolidate data, making analysis easier and allowing broader coverage of testing. According to the report, however, only 10 percent and 6 percent of respondents, respectively, said they fully outsource their compliance testing and monitoring.
The plurality (44 percent) fully outsource hotline intake. Other outsourced activities were compliance training (15 percent), compliance auditing (13 percent), and investigations (10 percent).
“What areas of compliance risk management could you potentially outsource to a third party that could help drive efficiency?” Falcione asks. Companies in highly regulated industries such as financial services and life sciences have been more inclined to outsource these activities. Now, companies in less regulated industries are starting to think about that as a strategy, too, she says.
The more strategic a partner compliance becomes to the business, the more important it will be for compliance officers to develop the compliance function within the business. “There are a lot of different ways for them to be focusing on this, and right now they’re not,” Falcione says.
One way to develop the compliance role is by encouraging short-term job rotations from the business into the corporate compliance function, which only 13 percent of respondents said they do. “If you bring people in from the business into compliance in a rotational manner, then your compliance function is going to have a better understanding of the business,” Falcione says.
Compliance officers of tomorrow will also need more skill sets and experiences than have traditionally been required. “Data analysis experience, technology acumen, business operations experience, industry expertise, and other skill sets and backgrounds that could make the function more well-rounded—and better able to contribute to corporate strategy—are still not as well represented as they should be in today’s compliance departments,” the report stated.