To be the best, it’s wise to learn from the best—and compliance programs are no exception. It is no coincidence that compliance officers who are most confident in the effectiveness of their programs also tend to exhibit practices typical of highly mature programs. But they appear to be the exception, not the norm.
Just 17 percent of 825 risk and compliance executives polled in PwC's State of Compliance study worldwide said they are “very satisfied” with the effectiveness of their compliance programs. In comparison, 45 percent of respondents indicated that they are “somewhat satisfied,” while the remaining 38 percent said they were either neutral or dissatisfied with the current state of their compliance program effectiveness.
Compliance officers have always had to think about regulatory and enforcement risks, but over the past year, “things have changed dramatically,” Andrea Falcione, U.S. leader of ethics and compliance at PwC, said during a Webcast on May 22 discussing the survey results. Global social media campaigns like #MeToo, skyrocketing whistleblower awards, and an increase in the number of investigative journalists using Big Data to spot and report fraud are all factors that fuel the importance of a strong ethical culture and more transparent internal reporting channels.
The goal is for everybody to be “very satisfied” with their compliance program, Falcione said. To delve into this point further, PwC in its report highlighted four ways that leading compliance programs execute risk management activities:
Invest in a tech-enabled infrastructure to support a modern, data-driven compliance function. Leading compliance programs more often use technology tools than do their peers. These include data analysis tools, dashboards, continuous monitoring, data warehousing, data extraction tools, and a GRC (governance, risk, and compliance) solution.
Companies that have implemented these tools cite such benefits as clearer insight into both lines of business and customer behaviors and better ability to efficiently assess potential compliance issues. “We live in a world now where you can’t do any of those things without technology, particularly if you’re part of a large enough organization,” said Linette Hwu, vice president of ethics and compliance for Discovery.
Prior to being acquired by Discovery in March 2018, Scripps Network Interactive last year had implemented a GRC tool. “Now that we’re part of a new organization, we have to figure out what to do with that,” Hwu said, “but one of the things we found hugely helpful about having a GRC tool is that suddenly we had a repository for all the information that we had about our compliance program, so that if there was ever an issue we knew exactly where to get all the data.”
In PwC's 2018 State of Compliance report, PwC offered the following list of key actions that compliance officers should consider today:
Complete a technology needs assessment.
Identify technologies and data skills already available within the company.
Prioritize areas in need of technology assistance.
Consider data needs and sources, which may influence the prioritization of areas to technology enable.
Build a business case for technology investment.
Identify process changes to accompany the technology to make compliance risk management more responsive, comprehensive, and current.
Execute against the technology and skills roadmap to evolve to data-driven, real-time compliance risk management.
Source: PwC State of Compliance report
For other compliance functions interested in investing in similar technologies, Falcione offered this advice: “Think about how technology can assist you in your risk management efforts. In conjunction with that, think about processes that need to be updated or improved upon.”
Traditionally, technology has been more detective in nature—think, data-loss prevention tools, for example, that detect potential data breaches, said Nancy Jardini, chief ethics and compliance officer at Fannie Mae. Many compliance functions today, however, are starting to think outside the box.
“We think a lot about innovation at Fannie Mae,” Jardini said. “One of the things that we’re trying to pilot is using artificial intelligence to crawl through some of the data ... and help us to identify where vulnerabilities may be for things like fraud.”
During the Webinar, compliance officers on the panel also talked about the benefits of using technology to break down organizational silos. If you’re constantly fighting turf wars, you’re never going to come to an agreement on taxonomy, Hwu said. “You’re also never going to achieve the partnerships that you need with the business units to really help you create the compliance program you want to have.”
At Fannie Mae, for example, compliance lives outside of the legal department and outside of the risk organization. “We are an individual organization reporting to the CEO and the board,” Jardini said and, so, silos at an organization like Fannie Mae could especially become “a real barrier to success,” she said, “without actively working on how we work together and collaborate.”
Implementing a GRC tool—working on that as a collective project—is one way to foster collaboration. Fannie Mae, for example, since beginning its GRC journey two years ago has started to consolidate all of its compliance issues within the GRC tool from every department (compliance, legal, ethics, risk, audit, SOX compliance).
Getting a core group of champions who could use technology and agree on a common taxonomy has helped build a business case and has resulted in an integrated set of reporting, Jardini said. “It was a long-term effort with a long workstream of individuals from each of these disciplines working on it,” she said. “It was not easy, but if you don’t do that hard homework upfront, you will not be successful.”
Increase compliance monitoring effectiveness with technology. Leading compliance functions are more likely to use technology to monitor employees’ compliance with corporate policies and procedures. Moreover, they are more likely to use technology to monitor a variety of risks, particularly concerning fraud, gifts and entertainment, privacy, social media, and trade compliance.
Often, other business functions within the company already have in place some sort of GRC tool. Thus, Falcione recommended as a first step conducting a technology-needs assessment. When doing that assessment, she said, think about what kind of data is currently available in other systems—such as financial management systems, travel and expense systems—that compliance and risk can leverage to gain a better understanding of what is going on in the company from a compliance perspective.
Register: CW's Innovation & Compliance Summit
On June 26 at the Harvard Club in Boston, join Compliance Week and Financial Research Associates for the second annual summit designed to educate compliance, audit, and risk professionals on the potential for artificial intelligence to transform the compliance profession. Register now and get 50 percent off
It’s also a good idea, particularly for small compliance functions that can’t always hire the people they want, to “think about what skills you need to leverage,” Hwu said. This could mean leveraging the enterprise risk management group to help mitigate risk, or working with internal audit to establish monitoring processes, for example. “You have to be able to think about it as creatively as possible within the organization that you work in.”
By taking advantage of existing tools and resources, the compliance function can better and more effectively monitor and manage compliance risk. “The more often that you can come together using the same platforms, the better off you are in terms of getting a more holistic understanding of what’s going on in your organization,” Falcione said.
Streamline policy management to increase responsiveness and boost policy and procedure effectiveness. “Policy management seems to be much more streamlined at organizations that are leading in the compliance space,” Falcione said. According to the PwC report, 67 percent of leading compliance functions said they have a single policy management framework, “which is really important from a consistency perspective,” Falcione said.
Additionally, leaders in the compliance space more often than their peers update their codes of conduct to stay current with emerging trends, and 38 percent of them review their codes of conduct on an as-needed basis, “suggesting much greater adaptability than peers that are on two- or five-year cycles,” the PwC report stated. “With the external environment changing at today’s rapid pace, that trend toward more-frequent code-of-conduct review has become increasingly necessary.”
Leaders also stand out from their peers in their use of policy management technology within their compliance departments, according to the PwC report. Compliance officers have said this helps to streamline the development and approval of new policies and enables easy access to policies across the company.
Technology tools in place
Q: Which of the following components of IT infrastructure are in place at your organization to support a modern, data-driven compliance function? (Survey respondent base size: 825)
Lastly, leaders measure policy and procedure effectiveness more comprehensively than their peers do. The most frequently used measures are internal audit assessments or reports, culture or internal survey results, frequency of policy violations, and frequency of corrective actions, the report showed.
Take advantage of information and technology to provide targeted, engaging, and up-to-date compliance training. Leading compliance programs tend to address a wider array of risks in training and update that training more often than their peers. For example, of the 11 risk areas queried by PwC, leading compliance functions more often cover them all within general training and communications, nine of them as part of code-of-conduct training.
In addition, leading compliance functions tend to update their compliance training and communication programs more often than their peers do. They also tend to use multiple sources of information to inform and target their training and think creatively about new ways to digitally engage employees in training activities, notes the report.
Within some companies, technology is changing the way compliance and other senior leaders interact with employees altogether. “One of the things we are excited about in the compliance program that we are merging into is that Discovery uses Workplace by Facebook,” Hwu said. “There is already a compliance group within that platform, and it has a crazy number of followers within the company. We are super excited to leverage that.”