Compliance risks from third parties a major concern while mitigation efforts fall short
NEW YORK, May 20, 2014 – A new survey of compliance professionals released today by Deloitte and Compliance Week indicates that although investment in compliance budgets and staffing has increased slightly in the past year, it has failed to keep pace with the growing compliance risks posed by third parties and industry regulation. A majority of respondents also believe they are not viewed as business partners throughout the whole enterprise, and their authority is undermined as a result.
The report, “In Focus: Compliance Trends Survey 2014,” generated from a survey of more than 200 compliance executives across corporate America and overseas, focuses on the authority and resources of compliance executives and reveals some positive trends, as well as several areas in need of improvement. Positive progress is being made, with more companies establishing a standalone chief compliance officer position; one-half (50 percent) of respondents report having a standalone chief compliance officer, up from 39 percent in 2013. Additionally, by a three-to-one margin, respondents also report increases in compliance budgets from the previous year.
However, 40 percent of respondents say their compliance budgets are $1 million or less (including salaries), while 45 percent have staff of five or fewer employees. These findings are especially challenging in an environment of increasing regulatory scrutiny and growing fears of compliance risks from joint ventures and third-party suppliers, agents, distributors and other vendors. Equally concerning, if not more so, is the relative influence of compliance officers across the entire enterprise. Nearly half of those who say they hold the top compliance job at their company do not have a seat on the executive management team and just 58 percent say they are perceived as business partners across the enterprise only “in certain aspects.”
“Compliance is becoming more complex and reputational risks due to inadequate oversight carry greater consequences than ever before,” said Thomas Rollauer, Executive Director at Deloitte & Touche LLP’s Center for Regulatory Strategies. “In many companies, the chief compliance officer still lacks the authority and influence to secure the necessary resources, budget and staffing to effectively address today’s compliance challenges. A cultural shift is needed at the top, from leadership in the C-suite, to stop viewing compliance merely as a pure cost that does not drive top-line growth, and instead, as an investment in critical infrastructure that protects the value of the entire enterprise.”
A Passive Approach to Ensuring Compliance of Third Parties
One of the more problematic findings of the survey is the impact of limited compliance staffing levels and budgets on compliance officers’ approach to third-party oversight. Too few compliance staff and too little money make it difficult for compliance professionals to provide the necessary oversight of third-party relationships across the enterprise. As a result, many compliance measures are passive, such as ensuring third parties have a copy of a company’s code of conduct or requiring anti-corruption language in contracts, rather than more vigorous measures like conducting thorough background checks or audits of third-party compliance.
Less than one-quarter (17 percent) of respondents say they “rarely or never” conduct background checks on third parties; only 48 percent “sometimes do.” Moreover, 42 percent say they “rarely or never” provide third parties with compliance training, while 43 percent say they “sometimes” audit third-party compliance.
Despite the inconsistent and often limited oversight of third parties, there is no indication that companies are bringing more of the functions and services third parties provide back in-house. Only 5 percent of respondents believe that “reassessing” third-party relationships will lead to bringing more of those activities back into the corporation. Rather, a majority of respondents said they would step up monitoring and due diligence of third parties.
“There is little doubt that most companies are exposed to compliance risks as a result of their third-party relationships,” said Nicole Sandford, National Practice Leader of Governance and Enterprise Compliance at Deloitte & Touche LLP. “Brand value built over years can disappear in an instant. To guard against this, companies may need to invest in more robust measures to protect their reputation and take an active approach to assessing all their third-party relationships. More money, more staff – and most importantly – recognition of the importance of third-party compliance by leadership are needed to effectively mitigate these risks.”
The survey also revealed four core responsibilities of compliance professionals across companies of all sizes. The widespread agreement among respondents, with over 80 percent citing each of these responsibilities, suggests an emerging consensus in the profession about what compliance departments should oversee on a daily basis. Core responsibilities include:
- Compliance with regulation
- Compliance training
- Code of conduct
- Complaints and whistleblower hotlines
Other “regulation-specific” responsibilities, such as ensuring compliance with the Foreign Corrupt Practices Act and anti-money laundering rules, were cited by fewer respondents compared with 2013, down four points from 62 percent and two points from 40 percent, respectively. The study concludes that such a segmented view of compliance by compliance professionals is likely a pragmatic response to lean budgets and small staff, though it poses considerable risks. If a compliance error is made in an area not directly monitored by the compliance staff, they will likely still be held accountable by their Boards, company executives and regulators. To mitigate this risk, compliance officers must find a way to have an active oversight presence in areas of compliance risk not directly under their control.
About In Focus: Compliance Trends Survey 2014
The “In Focus: Compliance Trends Survey 2014” report is a joint report between Deloitte and Compliance Week and offers a sense of the scope and complexity of the modern corporate compliance function. The survey was drafted by senior Compliance Week editors and Deloitte professionals and administered to an audience of senior-level corporate compliance, audit, risk and ethics officers at primarily U.S. companies earlier this year.
More than 200 senior-level executives, working in ethics, compliance, audit, risk management, or corporate governance, participated in the survey. The survey also went to a wide range of industries. Of the qualified responses, the single largest industry group represented was financial services at 25 percent. Next was life sciences and health care at 19 percent, consumer products at 13 percent, energy at 11 percent and a dozen other sectors in total. This was a self-reported survey from Compliance Week’s audience of ethics and compliance professionals, and Deloitte and Compliance Week did not attempt to verify or audit the data reported by survey takers.
About Compliance Week
Compliance Week, published by Haymarket Media Inc., is an information service on corporate governance, risk and compliance that features a weekly electronic newsletter, a monthly print magazine, proprietary databases, industry-leading events and a variety of interactive features and forums. It reaches more than 26,000 financial, legal, audit, risk and compliance executives and is based in Boston, Mass.
About the Deloitte Center for Regulatory Strategies
The Deloitte Center for Regulatory Strategies provides valuable insight to help organizations in the financial services, health care, life sciences and energy industries keep abreast of emerging regulatory and compliance requirements, regulatory implementation leading practices and other regulatory trends. Home to a team of experienced executives, former regulators and Deloitte professionals with extensive experience solving complex regulatory issues, the Center exists to bring relevant information and specialized perspectives to our clients through a range of media including thought leadership, research, forums, webcasts and events. www.deloitte.com/us/centerregulatorystrategies
About Deloitte’s Enterprise Compliance Services (ECS) Practice
The ECS professionals within Deloitte & Touche LLP work closely with chief compliance and ethics officers to assess, design and implement effective and efficient enterprise-wide compliance programs. Cutting across multiple business units, these programs are built from the top down and help organizations use their people, processes and information technology to address the rapidly changing compliance landscape. The managed regulatory compliance practice within ECS executes critical regulatory compliance activities on behalf of our clients, extending the company’s resources and offering a cost-effective alternative to traditional, in-house compliance models.
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.