A majority of compliance officers now serve a vital role on the senior management team at most large companies and have more authority within their organizations than ever before.
Those are some of the more favorable findings unveiled in this year’s Compliance Trends Report, a joint survey conducted by Compliance Week and Deloitte. Out of 364 ethics, compliance, audit, and risk executives polled, 57 percent said the chief compliance officer in their company reports directly to either the chief executive officer or the board. Another 51 percent said the CCO has a seat on the executive management committee, and 59 percent said the CCO job is a full-time, stand-alone role, compared to 50 percent last year and 37 percent in 2013.
“The numbers have been trending upward in the last three years that we’ve been doing this survey,” says Thomas Rollauer, executive director of Deloitte’s Center for Regulatory Strategies. Taken together, the findings suggest that most CCOs, especially within large companies, are now in a favorable position to participate in high-level discussions on corporate strategy and culture.
Ideally, more CCOs will start to report to the board and audit committee, rather than the general counsel or CEO, says Martin Biegelman, a director of forensic investigations at Deloitte Financial Advisory Services. “It’s a marathon, not a sprint, and we are making progress,” he says.
Not all the findings from the report painted a rosy picture for CCOs, particularly when trying to embed a culture of compliance throughout the enterprise. For example, 44 percent of respondents said their companies do not have designated compliance officers in subsidiary business units or overseas operations.
“Having compliance professionals in local regions is one of the best things global organizations can do,” Biegelman says. At Microsoft, for example—where Biegelman was once director of financial integrity—having compliance personnel overseas who had a deep understanding of the culture, the country, and the language, and who were able to develop strong relationships with people in the region, really helped to bolster the compliance program.
The other benefit is that it helped the compliance department hear of issues early, rather than wait for issues to “bubble up” to the U.S. compliance office, Biegelman says. Furthermore, every country with a regional compliance officer experienced a “huge spike” in internal reports by employees and fostered more questions by employees about the company’s ethics and compliance policies and procedures, he says.
The full range of compliance responsibilities of the centralized compliance function varies from company to company. Still, a few core responsibilities dominate the results year after year. These are compliance training (cited by 76 percent this year); Code of Conduct oversight (74 percent); whistleblower hotlines (70 percent); and regulatory and compliance investigations (68 percent).
Likewise, the least common areas of responsibility also continue to rank near the bottom. They are regulatory relationship management (cited by 40 percent), records management (36 percent), and communications (35 percent).
Despite the role that culture plays in creating an effective compliance program, cultural assessments, cited by 24 percent of respondents, ranked dead last among CCO responsibilities—a potentially troubling sign. “That’s unfortunate,” Biegelman says. “Understanding the culture is so important.”
As explained in the report, “If the CCO has a weak understanding of the company’s true culture and workforce attitudes, it might jeopardize the effectiveness of more practical program elements such as compliance training or policy management.”
Most companies (82 percent) said they now undertake some sort of enterprise-wide risk assessment, and 62 percent said they conduct such an assessment at least annually, if not more often. Furthermore, CCOs perform these risk assessments in a variety of ways, including as a stand-alone exercise, in conjunction with internal audit’s risk assessment, or as part of a general enterprise-wide risk assessment.
The Compliance Trends Report 2015 asked ethics, compliance, risk, and audit executives whether they are addressing the right risks.
The full range of compliance responsibilities of the centralized compliance function varies from company to company. Still, a few core responsibilities dominate, topping the results year after year. Respondents’ most common responsibilities: compliance training (cited by 76 percent); Code of Conduct oversight (74 percent); whistleblower hotlines (70 percent); and regulatory and compliance investigations (68 percent).
What’s more, the least common areas of responsibility for the 2015 report are quite similar to those of 2014: regulatory relationship management (cited by 40 percent), records management (36 percent), communications (35 percent), and culture assessments (24 percent). Still, these are not insignificant percentages, suggesting that most CCOs are busy with many different tasks. But the stable rankings year after year, at both the top and the bottom, also suggest that a consensus has emerged about what the CCO’s most important jobs are.
This is the second year in a row that culture assessment has ranked at the bottom (24 percent). (In 2014 the number was 26 percent.) In these cases, CCOs should consider how someone else in the organization—such as the HR department—fulfills that role, since a keen understanding of corporate culture is crucial to developing effective compliance programs.
“Regulators are focused on organizational cultures contributing to recent ethics and compliance failures, but they haven’t said what a strong compliance culture looks like. That’s a challenge for all organizations,” said Maureen Mohlenkamp, a principal with Deloitte. “Rarely are roles defined that say ‘compliance owns culture’ or ‘HR owns culture,’ because everyone owns it—but in many organizations, nobody owns responsibility for assessing it.” The two logical groups to assess culture are ethics & compliance and HR, she adds, but even then, they may not know how to do so in a way that creates actionable results.
Fifty-five percent of respondents said that the CCO provides “general reports on ethics and culture” to the board and CEO. Nevertheless, if organizations are not assessing culture sufficiently, that can jeopardize the CCO’s other main priorities, such as compliance training, education on the Code of Conduct, and whistleblower retaliation.
More than 80 percent of respondents said they perform some type of enterprise-wide compliance risk assessment, and 64 percent said that assessment is performed at least annually, if not more frequently. How does that compliance risk assessment get done? Respondents split almost exactly three ways: one-third as a stand-alone process; one-third as part of internal audit’s risk assessment; and one-third as part of a general enterprise risk assessment.
To no surprise, third parties continue to pose the single biggest concern for CCOs when conducting risk assessments. To better manage third-party risks, CCOs employ a range of tactics:
42 percent audit compliance with policies or regulations;
38 percent perform extensive background checks; and
32 percent require training or certification.
One surprising finding is that even though compliance departments have increased authority and more robust risk assessment processes in place, many still struggle to secure the staffing and budget they need, Rollauer says. Similar to previous years, roughly half of respondents said they have fewer than five employees devoted to compliance, and roughly 40 percent said their total budget is $1 million or less.
Tight compliance budgets and staffing levels may in part correlate with the finding that 30 percent of respondents said they do not measure the effectiveness of their compliance programs, down from 37 percent in 2011, when the report was first conducted. “You would think more compliance officers would evaluate the effectiveness of their compliance programs, as a demonstrable way to show how they can be even more effective with more resources,” Rollauer says.
Virtually all organizations that measure effectiveness look at a range of metrics, from hotline calls to internal audit findings to analysis of self-assessments. Furthermore, most respondents (58 percent) expressed confidence in the metrics they use to gauge the effectiveness of their compliance programs.
At the same time, however, 59 percent of respondents said they’re only somewhat confident, or not confident at all, that the IT systems the compliance department uses can fulfill the CCO’s reporting responsibilities. This gap—between the confidence CCOs have in their compliance program metrics, and the lack of confidence they have in the ability of their IT systems to gather the data that they need—suggests a possible disconnect between CCOs and IT departments.
Compliance functions require increasing amounts of data to do their jobs effectively. Often, however, compliance does not own the data it needs, so it tends to spend more time gathering data from disparate systems across the company and less time analyzing it, the report stated.
Survey respondents listed desktop software and internally developed tools as their most common IT systems for a wide range of tasks, including core responsibilities such as compliance monitoring and reporting, or measuring the effectiveness of the compliance department.
Timothy Cercelle, a director with Deloitte & Touche who is a leader in the governance and risk practice for the insurance sector, recommended in the report that compliance officers build “better relationships with the chief information officers and understanding what tools are already available within the walls of the company that could help with compliance efforts.”
So while CCOs are more empowered than ever before, obstacles that impede their ability to weave a strong culture of compliance into the global enterprise still persist, along with shortfalls in internal IT systems and processes.
The good news is that stronger alignment between the compliance department and the senior executive team may propel the CCO role forward over time.
Many companies go through a stage where they recognize that they need to do more, not less, Rollauer says. The follow-up stage is assessing whether they are operating as efficiently as they can, he says.
That may require, in part, leveraging other control functions—risk management, internal audit, finance—to ensure operational efforts are not duplicated unnecessarily. “Taking a forward look is the next stage in the evolution of creating the risk-intelligent compliance function,” Rollauer adds.
Compliance programs today continue to function under various levels of maturity. “Unfortunately, I often find that the best compliance programs are usually found at companies that have had huge compliance failures and enforcement actions,” Biegelman says. “You shouldn’t wait for that compliance failure to be able to develop that best-in-class program that pertains to your organization. We still have a way to go, but we are making progress.”