The link between compliance and business strategy plays an integral role in fostering a culture of ethics and compliance, and yet a significant divide still exists between the two, according to a new study published by PwC.
Business strategy, as defined by PwC’s proprietary ethics and compliance framework, refers to “the approach and tenor the organization takes to align risk and compliance with its business strategy and to manage associated risks,” which includes tone-at-the-top, risk assessments, and oversight.
“Each of those have strategic elements for the organization and for the compliance people themselves,” says Seth Cohen, a director in PwC’s risk management and compliance solutions practice and co-author of the study.
According to PwC’s 2016 State of Compliance study, alignment between business strategy and compliance is essential because without it, “it is difficult to efficiently integrate compliance into business processes and to assess the effectiveness of compliance efforts against strategic objectives.”
Take tone-at-the-top as an example. “If the senior leadership is only talking the talk and not walking the walk, as well, then your compliance program is only going to be a paper program,” Cohen says. “You’re not going to have the support you need up and down the line.”
Although 98 percent of more than 800 ethics, compliance, audit, and legal executives surveyed in the PwC report said their senior leaders are committed to ethics and compliance, the report also indicated that more work needs to be done when it comes to actually showing that commitment. Fifty-five percent, for example, said that senior leadership either provides only ad hoc oversight of the compliance and ethics program or delegates most oversight activities.
Common ways that senior leaders participate in their compliance and ethics programs are through formal communications to both management and employees, cited by 82 percent of respondents. The vast majority use e-mail for such communications, with town hall meetings and business unit meetings receiving significantly lower response rates.
Furthermore, just over half of respondents said their senior executives formally communicate at least quarterly on compliance and ethics-related topics. Although these formal communications are necessary, embedding compliance and ethics into day-to-day operations requires frequent reinforcement. This appears to be an area of opportunity for companies; only 26 percent of senior executives speak of compliance and ethics as part of everyday business communications, according to PwC’s study. “There can be better and more effective ways of communicating the message to employees, and it can be done more often,” Cohen says.
Participation in strategic planning is an important element of ethics and compliance. That means playing a more essential role in setting strategy or being more involved in strategic activities, “which means, in part, being able to assess and anticipate risks,” says Cohen.
Only 36 percent of respondents, however, indicated they are “inherently integrated” or “play a key role” in their organizations’ strategic planning, which PwC noted is not measurably different from its 2015 results, when 35 percent of respondents indicated they were involved in annual business strategy development.
The good news is that compliance and ethics functions are increasingly getting more visibility with their boards: 63 percent of respondents indicated their boards receive reports on their organizations’ compliance and ethics performance on at least a quarterly basis, and 67 percent said senior leadership receives similar reports on at least a quarterly basis.
Compliance and ethics professionals can elevate their status as strategic thinkers and trusted advisers by providing more strategic elements in their board reports and at board meetings, the PwC report recommends.
A large majority (77 percent) of respondents have an enterprise risk management (ERM) process at their organizations. Of those respondents, 88 percent said the ERM process covers compliance and ethics-related risks. Still, more than half (54 percent) said they conduct at least some additional compliance and ethics-specific risk assessment activities in order to fully address their organizations’ compliance and ethics risks.
“We are not advocating that companies shouldn’t necessarily be doing a separate risk assessment, but we are advocating that there could, and should, sometimes be better coordination,” Andrea Falcione, PwC’s compliance and ethics solutions leader, said during a webcast discussing the results.
“We know our clients are trying to chip away at getting better alignment, better detail, and granularity within ERM process so they don’t have to duplicate efforts and go back out to the business,” Cohen says.
Risk owners are a critical element of the risk management process. In the PwC survey, respondents were asked to identify who “owns” 17 different compliance and ethics-related risks at their organizations. They indicated that the legal or compliance and ethics departments most frequently “owned” eleven of those risks. Those risks include insider trading, antitrust, fraud, bribery and corruption, conflicts of interest, data privacy, and more.
Ideally, compliance should be supporting risk mitigation activities, not owning them. “It’s the business who should be owning the risk,” Cohen says.
Some companies have started to adopt this idea of “risk incubation,” the idea of incubating a risk in the compliance function until it’s developed enough to be transitioned to the business units.
Take privacy risk as an example. “Some companies aren’t ready to have a full-on separate privacy function,” Cohen says. In that case, compliance would incubate that risk for a while and work with whoever will eventually own it down the road when data privacy measures have been more fully developed.
Lastly, the PwC report analyzed oversight responsibilities, the way the business is structured: How is the business managing risk? Who is responsible for the management of those risks? Who does that person report to? Who is responsible for gathering regulatory intelligence?
“What we generally see is that leading organizations try to generally define who is responsible and accountable for ethics and compliance generally,” Falcione said. “We are looking for a reporting structure that supports oversight and responsibilities and regular sharing of information.”
According to PwC’s study, most companies (72 percent) have dedicated business unit or business area compliance officers. When asked what these compliance officers are responsible for, 89 percent of respondents selected “compliance monitoring,” more than any other area of responsibility.
This response cut across virtually all industries represented in the study. “Those results perhaps demonstrate that companies actually are not only increasing their emphasis on compliance with the law, but also trying to really roll up their sleeves, address risk tolerance, and real-time monitoring on a more formal basis,” Falcione said.
“What that shows is that business unit people are much more integrated these days into the business and into the business operations,” Cohen says. “They’re getting a lot more runway from both the central compliance function and also the business leadership to keep tabs on what’s happening in the business.”
Board-level ethics and compliance committees appear to be a new and evolving trend. Sixty-five percent of respondents said their audit committee oversees most compliance and ethics programs, while 20 percent said they have a separate, stand-alone compliance and ethics committee to provide oversight of the compliance and ethics program.
“That development may be due to the increased scope of companies’ compliance and ethics risks,” Falcione said. That’s especially the case for high-risk industries, such as pharmaceutical, life sciences, asset management, and healthcare, she said.
Having the audit committee as the lone oversight body means that compliance often doesn’t get the amount of face time that it needs, Cohen says. “Having a specialized committee may provide the board members on that committee with more time and more opportunity to ask questions, to dive into details, and really provide more true oversight around compliance and ethics activities,” he says.
With the support of senior management, compliance playing a more robust role in business strategy, and business unit compliance leaders playing a more collaborative role in owning business risks, chief compliance and ethics officers can enhance the value that compliance provides to the company, helping to better manage risks associated with its strategic objectives.