Earlier this year Compliance Week and Deloitte launched our 2015 Compliance Trends survey, a comprehensive look at how chief compliance officers at large organizations run their programs. We’re collating the results now and will unveil our findings in a few more weeks at the Compliance Week 2015 conference.
For now, however, let me whet your appetite with a few interesting morsels. Consider these three statistics plucked from the 364 compliance leaders we polled:
Roughly half of you have a compliance department of 5 people or fewer, and annual budgets (including salaries) of $1 million or less.
59 percent are either “somewhat confident” or “not confident at all” that their IT systems can fulfill the data collection and reporting requirements they have.
For almost all the major tasks a compliance program does (tracking regulation, measuring effectiveness, monitoring third parties, and more), standard-issue desktop software is the primary IT used.
Put those three factoids together, and the picture you see is this: a chief compliance officer who still has precious few resources at his or her own disposal, instead relying on the help of other enterprise leaders to fulfill the mission of the compliance program. Which means lots of data delivered to you, at different times and in different formats, rather than data pulled together by you according to your needs. And then you have to cobble all that data together, which means lots of Excel spreadsheets, Word documents, and PowerPoint decks—and that leaves you sitting in your office, somewhat confident or not confident at all that your IT is giving you the insights you need.
Or as one Deloitte partner phrased it: compliance officers are still so busy running around collecting data, they have too little time to analyze data.
I often wonder about the best way out of this situation for CCOs. Plenty of times, for example, I hear supporters of big business software platforms say those products can meet a CCO’s collection and reporting needs if you only configure them correctly. To a certain extent I see that point, but configuring an ERP software system to perfection falls on the scale of success somewhere between curing cancer and chasing unicorns. Even if you do configure your ERP software correctly, sooner or later a major change will come along like the new accounting standard for revenue recognition, and then you have the long wait before your Oracle or SAP systems fully digest it.
The other obvious idea, then, is to use dedicated GRC software from any of a multitude of vendors. According to the Compliance Trends data—and this is a pattern we’ve seen for several years now—most CCOs still don’t use that software for most tasks. GRC tools are the norm for a few specific tasks, such as whistleblower hotlines or case management, but that’s where adoption ends. For everything else, the workhorses are still desktop software or some home-grown solution.
I can’t say I fault CCOs for following that path. I talk to a lot of you, and in private conversations I hear many stories about GRC software vendors—some with products that are great, others with products that are, ahem, less than great. Integrating them into your ERP systems can be an enormous challenge, especially for smaller or mid-market companies that don’t have the right IT expertise to manage the integration. Switching GRC vendors is no easy task either, so rather than risk that costly transition sometime in the future, why not just soldier bravely forward in a world of spreadsheets or whatever internal tool your IT department cooked up? That logic is hard to refute.
Clearly some of the most important responsibilities for a compliance officer today, such as whistleblower hotlines and case management, are in better shape because they do use GRC software dedicated to the tasks. But those are tactical tools to solve specific problems the CCO has. When we talk about IT to help compliance officers create better outcomes for the business—that’s a strategic challenge, requiring some very sophisticated technology to rise to the occasion.
Right now, it seems, too many compliance departments still struggle on that point. I’m not sure whether that’s because they haven’t found the proper IT strategy to provide that added value to the company, or because the company hasn’t quite given the CCO a seat at the strategic table yet with resources (including IT) to make that added value a reality. Or, if revenue growth is slow at your company, the money might simply not be there to achieve the IT system you want. Regardless, if you feel a bit hamstrung with your IT capability these days—you’re not alone.
Look for much more from the Compliance Trends 2015 report first at the Compliance Week 2015 conference in May (What are you waiting for? Register!) and then online and in our print magazine later this spring.