Compliance professionals still “own” too many risks that business units could manage more effectively. Gartner’s Brian Lee discusses one solution: moving ownership of compliance risks closer to their sources.
It’s a time of enormous change for organizations of every type. Gartner’s 2018 survey of CEOs shows that CEOs, who have been focused on growth for years, are now prioritizing firm plans to deliver it — plans that involve IT-related transformation and new corporate structures and cultures.
Over half the CEOs say their organizations are actively engaged in strategic digital transformation efforts. This development has greatly expanded the list of responsibilities (which often require technical expertise) for compliance professionals at a time when there is a notable talent shortage in key areas.
In this context, most compliance functions simply will not have the resources to act as policy enforcers or to identify and manage all the regulations and risks involved in the new digital direction of their organization. Ensuring high levels of compliance in an organization now requires building the right culture and equipping each business unit with the tools and confidence to manage some of its own risks directly.
Clarify Risk Management Roles and Responsibilities
The process of empowering the wider business to take greater ownership of risks begins with establishing a clear understanding of roles and responsibilities. In a 2018 survey of almost 5,000 employees, however, Gartner found a lack of consensus about risk management responsibilities (see Table 1).
| Function or Group | Identification of Compliance Risks | Assessment of Compliance Risks | Mitigation of Compliance Risks |
|---|---|---|---|
| Front-Line Employees | 22% | 6% | 6% |
| Managers | 18% | 29% | 21% |
| Compliance Program | 17% | 26% | 25% |
| Audit Program | 5% | 8% | 10% |
| Other Assurance Functions | 4% | 5% | 7% |
| C-Suite | 3% | 4% | 5% |
| Organization as a Whole | 21% | 11% | 14% |
| Other/Don’t Know/Not Sure/None | 12% | 12% | 13% |

Table 1. Function or Group Primarily Responsible for Risk Management Activities
Number of respondents = 4,930. Due to rounding, percentages do not add up to 100% precisely.
Source: Gartner 2018 Employee Risk Ownership Assessment Survey
This survey reflects not only varied approaches to managing risk in different organizations, but also broad uncertainty about who should own and manage compliance risk on a day-to-day basis. To shift more risk responsibility to the wider business, compliance leaders should begin by developing frameworks that identify which individual roles are responsible for managing key compliance risks and mitigation efforts, and then tailor those frameworks to each business unit. Often it is advisable to create a linear chain of responsibility, so that end-to-end risk mitigation and accountability rest with fewer stakeholders.
A critical roadblock here is that very few employees are likely to fully embrace owning and mitigating risks that they do not feel prepared to handle. So if the effort goes no further than clarifying risk ownership, front-line employees tend to revert to a reporting role and push responsibility onto their managers or onto compliance staff. And so the original problem recurs – namely that the compliance function is fundamentally under-resourced to directly manage every risk in the business effectively.
Provide Tools and Resources to Enable Ownership
To empower the wider business to own and mitigate business risk, compliance leaders must address the fact that fewer than half the employees surveyed for Gartner’s 2018 employee risk ownership assessment felt they could act on their own to reduce compliance risks without seriously disrupting their work. Moreover, more than half (57 percent) say they cannot easily obtain tools and resources to address compliance risks in their day-to-day work.
Many compliance organizations already provide such tools, but the survey data suggests they are not having the desired effect. This could be for several reasons. They could be too general to be relevant in specific business unit contexts. They may be overly complex and legalistic, which deters use by those without legal expertise. Most likely, though, they are simply prescribing actions for the business to take as opposed to helping the business make decisions about the risks themselves.
To help ensure the compliance team’s efforts are exerting a wide influence on the business, it helps to think in terms of democratizing resources. This means placing the compliance team’s tools, reports and data in the hands of employees to enable them to undertake more complex and nonstandard decision-making. It also involves teaching employees how to manage risks on their own, rather than relying on the compliance team to provide every answer. This means setting up or improving self-service resources and, crucially, making them simpler and more relevant to employees’ day-to-day decisions.
In conclusion, compliance leaders must move away from the role of policy enforcer and instead become more attuned to coordinating business processes to ensure compliance. Rather than continue simply as a function that owns and manages all risks and regulations, the business goal here is to transform the compliance function so that it works in partnership with the business to enable new business strategies. Business units should feel that compliance support for their decisions is “baked into” their everyday processes in ways they understand and can act on.