At first glance, the 2013 Compliance Trends Survey—a comprehensive study of modern compliance functions released last week by Deloitte and Compliance Week—confirms a longstanding trend among compliance officers: a perpetual demand for more staff and greater resources.
That's no surprise, and any other department head would likely make the same plea. Scratch below the surface, however, and a more fundamental shift emerges.
Thirty-seven percent of the study's 189 respondents say their top compliance job (no matter what its specific title may be) is a stand-alone position; 52 percent said their full-time compliance staff consists of five or fewer people, and 47 percent said their annual budget for compliance, including salaries, is less than $1 million.
When looking at statistics on the number of full-time staff dedicated to compliance at companies, the first reaction is, “Wow, that seems really low,” says Nicole Sandford, Deloitte's national practice leader for governance services.
But in some cases, the numbers might actually be a portent of good news and evidence that “the compliance program is being pushed out and integrated in a more formalized fashion within the business,” she says. Companies can afford to keep their overall compliance resources fairly lean, provided they “drive the responsibility and accountability for the program into the business units.”
“The goal is to have it integrated into the business with everything you do,” she says.
The question for compliance officers reading the report, then, is whether your company is indeed integrating compliance operations across the enterprise? Or does the compliance department have a low budget because the CEO and board only want to provide a low budget?
“In many, if not most companies, compliance was a bolt-on; it wasn't part of the initial core of the company,” says Jeremy Zucker, co-chair of the law firm Dechert's international trade and government regulation practice. For too many people in senior management, compliance has traditionally been viewed as a necessary irritant, rather than … something that can provide a competitive advantage.”
One way to remedy that situation, Sandford says, is to give compliance officers clear, centralized power and authority. And along those lines, 51 percent of the survey's respondents say they report directly to the CEO or the board, compared to only 20 percent who still report directly to the general counsel.
“Having CEO-level sponsorship, to say that compliance is going to create a competitive advantage, is really powerful,” Sandford says. “The CEO and the board can help translate the value into terms that business unit leaders are going to understand, so you aren't just perceived as ‘the king of no' or where a good idea goes to die.”
To be sure, the harsh enforcement penalties that can come from corporate misconduct—particularly the Foreign Corrupt Practices Act—are a wonderful way to sell boards and CEOs on the notion of a vibrant compliance function. Another useful tool has been the emergence of deferred- and non-prosecution agreements that companies can accept to avoid those penalties, since the terms routinely call for independent, empowered chief compliance officers.
“Don't treat compliance as an afterthought. It deserves to be structured within a company as one of the core functions.”
The lesson, Zucker says: “Don't treat compliance as an afterthought. It deserves to be structured within a company as one of the core functions.”
Still, making compliance one of the company's core functions, and embedding it throughout the whole enterprise, does carry implications for chief compliance officers who want to excel at their jobs. A modern CCO “must have extraordinary communications skills,” says Matteson Ellis, special counsel for the law firm Miller & Chevalier, who blogs about compliance functions often. The ability to connect with groups as diverse as the data team, front-line sales staff, and the highest levels of executive leadership—all at the same time—is critical.
“To succeed, a CCO needs access to and strong lines of communication with individuals and units throughout the company,” he says. “It's the only way to gain the information necessary to prioritize risks and build the trust and rapport essential to implementing compliance strategies.”
Unfortunately, the truth is that such a skill set can be elusive for those who either gravitate toward a compliance role or are drafted into its service.
“Auditors, accountants, and lawyers may not naturally have skills that help them articulate, in a meaningful way to the head of a business unit, why these monitoring activities are important and what the competitive and strategic value is,” Sandford says.
She recalls meeting a CCO who was previously head of the human resources department. There was a “stark contrast” in how this person approached the job, compared to someone with a legal background. While the latter may scare away employees, the former is in direct contact with employees. “A different type of compliance culture gets set by somebody like that,” Sandford says.
As the CCO position becomes more elevated and independent, the role should become more appealing to a greater array of business talents who once balked at the idea of being “buried three layers down in the organization.”
The following charts from the Compliance Trends Survey 2013 show how respondents view the chief compliance officer role.
CHART 1: At your business, the designated chief compliance officer (CCO) …
CHART 2: To whom does the designated CCO directly report?
Source: Compliance Trends Survey 2013.
As a more ingrained, enterprise-wide compliance model becomes more common, the shift creates new challenges, Sandford says. Foremost among them, for a chief compliance officer, is ensuring that best practices permeate throughout the entire organization.
“You need formal mechanisms for doing that, otherwise you'll have compliance issues that are growing in other units and no idea that is happening,” she says.
The survey also shows that considerably more can be done when monitoring existing third-party relationships and vetting new arrangements. Only 24 percent of respondents said they “onboard” new vendors. Just 47 percent review existing third-party partners, and only 39 percent have a formal audit process in place for them.
Also, anti-money laundering and privacy issues appeared far down the priority lists of even larger companies. Only 40 and 49 percent of CCOs said they had responsibility for each, respectively.
While the evolving compliance function is more data-driven, many CCOs also find transforming that data into actionable information a difficult task. Doing so can be costly in terms of staff and technology; understanding what the data says can require a broader view that goes beyond in-house capabilities.
“You need access to real-time trends because it isn't useful to find out three months later that there was data showing you there was a compliance issue brewing in a particular unit or part of the world,” Sandford says. “What's the worst nightmare of any compliance officer? To find out that there is data sitting around indicating a problem and nobody is doing anything about it. That's the kiss of death.”