Nobody ever said the life of a chief compliance officer would be easy. The job is evolving so rapidly that many are struggling to keep pace with an ever-expanding list of demands.   

As the regulatory and enforcement landscape becomes more complex, the biggest challenge currently facing compliance officers is how to play a more strategic role and help identify and mitigate the increasing number of risks their companies face, Sally Bernstein, a principal in PwC’s advisory practice, says. “We hear from chief compliance officers that they want to be more engaged with the business, and we hear from the business they want to be more engaged with chief compliance officers,” she says.

To achieve that, however, compliance officers must first improve the way they’ve traditionally engaged with boards and senior management, Bernstein explains. For example, the most common metrics compliance officers report to their boards include training completion rates and hotline statistics, information that “doesn’t really tell you much about whether you’re doing a good job of managing risks.”

Nor does this sort of information convey whether the compliance program is actually helping the company achieve strategic objectives. “It doesn’t feel relevant to business leaders or boards when they’re just getting the recitation of facts of what went on in the compliance program, as opposed to rolling up their sleeves and tying the business strategy to what that means from a risk perspective,” Andrea Falcione, managing director of PwC, says.

For example, any strategic initiative—such as moving into a new geographic market, acquiring a new company, or developing a new product—comes with compliance risks, Bernstein says. Being on the front end of these initiatives allows compliance officers “to become an enabler of that strategy,” she says, as opposed to coming in on the back end and having to then advise the company to modify or pull back on certain moves and decisions.

Compliance officers also have an opportunity to play a more strategic role by expanding their universe of risk areas beyond what they typically focus on. “Historically, chief compliance officers have been very focused on those areas that they own,” Bernstein says.

According to the findings of PwC’s recently released 2014 “State of Compliance” survey, the top three risks identified by 1,056 compliance executives were the same as those cited in last year’s survey: industry-specific regulations (31 percent), privacy and confidentiality (25 percent), and bribery and corruption (22 percent).

Few respondents ranked business-related risks—such as supplier compliance (7 percent), money laundering (9 percent), and social media (3 percent)—among their top concerns. Expanding focus to include current and emerging risks to their companies is another way that compliance officers can play a more strategic role and gain greater attention from their boards and senior management, a report accompanying the survey says.

It doesn’t feel relevant to business leaders or boards when they’re just getting the recitation of facts of what went on in the compliance program.
Andrea Falcione, Managing Director, PwC

Compliance committees can be important when it comes to better integrating with the business, but there’s plenty of room for improvement. According to PwC’s survey, 36 percent of respondents said they have no formal compliance committee. Among the 64 percent that do, the most common departments represented are compliance, legal, and internal audit.

“Certain business support functions—such as procurement, supply chain, sales and marketing—are of a higher risk profile than compliance, legal, and internal audit,” Falcione says.  “Engaging them in the process will help to identify where there may be gaps and risks in those areas.”

People Power

PwC also found that the majority of companies don’t have a standalone compliance role. According to the report, 54 percent of respondents said that the individual with the most responsibility for compliance in the company wears multiple hats. Often, this person is also general counsel, raising the concern that when compliance is an add-on responsibility, it may not receive sufficient attention. “When you have more than one responsibility, your efforts necessarily become diluted,” Falcione says.

In less regulated industries—such as retail, technology, and manufacturing—69 percent of individuals with compliance responsibility take on multiple roles, the PwC survey found. By comparison, heavily regulated industries—such as pharmaceuticals, life sciences, and utilities—are twice as likely to have a standalone compliance role. “That is not surprising, considering that heavily regulated industries tend to be higher on the compliance maturity curve,” the survey says.

CCO PREPARATION

Below PwC shows the top 4 things CCOs can do now to help enhance their profile within the business.
Build the future vision: Does the organization have a clear view of what it wants the role of the CCO to be, particularly as it relates to the business? Learning from other “chief” roles and how they have evolved, CCOs can look beyond their doorstep and become the broad-based compliance voice for the organization.
Build a network and skill sets beyond support functions: To date, CCOs have typically relied on legal, HR and audit, yet CCOs and their teams should strive to better engage with the business at all levels. Having a variety of skill sets, such as analytics and operations, on the corporate compliance team will enable deeper engagement and improved performance.
Link to the strategy: Better business skills can help enhance understanding of organizational strategy and associated compliance risks—and will enable compliance to more effectively support the achievement of corporate goals.
Create relevant reporting: Evolving compliance reporting can help drive relevance with the board, senior leaders and business partners.
Source: PwC.

“Since I wear multiple hats, it’s sometimes challenging to spend as much time on compliance-related activities as I would like,” says one respondent quoted in the study. “Our compliance challenges are important, but not always urgent, which means that they get back-burnered on a regular basis.”

Chief compliance officers who wear multiple hats are more likely to report to the chief executive officer compared to compliance officers in a standalone role. This may signal that, at many companies, the position is not to be viewed as sufficiently strategic to warrant admission to the C-suite, PwC says.

Not surprisingly, larger companies are more likely than smaller ones to have a compliance officer. Eighty-eight percent of respondents from companies with annual revenues of $25 billion or more have a compliance officer, compared to 58 percent of companies with less than $1 billion in revenues. Regardless of size or sector, Falcione encourages companies to establish a standalone compliance role. “As regulations are becoming more complex, it’s going to be necessary for companies to keep up,” she says. 

Compliance Budgets

The good news is that corporate compliance budgets are on the rise. Almost half of all respondents (45 percent) said their compliance budgets increased, while only 6 percent suffered cuts.

Budgets varied by sector. While 42 percent of those in heavily regulated industries have budgets of at least $1 million, only 19 percent of those in less regulated industries have budgets that substantial; 17 percent have no separate budgets for compliance.

Some good news in the survey: staffing levels are on the rise. Almost half of respondents reported increases over the last year; only 5 percent experienced a decline. As with budgets, staff size varied by sector. Fifty-three percent of those in heavily regulated industries had more than five people focused on compliance, whereas 59 percent of those in less regulated companies had five or fewer.

As corporate compliance departments continue to evolve, Falcione recommends that they diversify by including employees with, for example, industry expertise or a specialty in data analytics. Having a cross-functional team, she says, “is going to be critical in terms of keeping up with business-related risks and the changing regulatory landscape.”