Deloitte and Compliance Week survey reports third-party assessment remains greatest risk followed by lack of GRC capability in IT systems
NEW YORK, May 19, 2015 — The latest findings released today from the anticipated Deloitte and Compliance Week survey demonstrate a tidal shift with modern corporate compliance functions gaining more authority and stronger organizational support for compliance programs. Fifty nine percent of respondents reported that the Chief Compliance Officer (CCO) job is now a stand-alone position, up from 37 percent in 2013, with 57 percent now reporting directly to either the CEO or the Board.
In its fifth year, the “In focus: Compliance Trends Survey 2015” measured the responses of more than 360 compliance professionals from around the world representing more than a dozen industries including financial services, health care and consumer and industrial products. While the survey data shows a clear trend toward a more empowered CCO with a higher position in the organization, concerns and challenges related to broader recognition of the value of compliance appear to persist. In addition, many companies’ existing technology solutions continue to fall short of compliance needs.
“In the five years since we began the survey, we’ve seen a significant rise in the establishment of compliance officers and departments as critical functions across organizations worldwide,” said Matt Kelly, editor and publisher, Compliance Week. “That growth strengthens the findings of this survey and hopefully sheds the collective spotlight on the ethics, compliance and risk issues organizations are facing today.”
CCO Authority Across the Enterprise
According to this year’s survey, challenges remain in embedding compliance culture throughout the entire organization and its extended enterprise. Results are mixed on whether the enhanced authority and positioning of the CCO has also enhanced the perceived value and level of support of the program throughout the entire organization. As with prior surveys, a minority of respondents – only 32 percent in the 2015 study – feel that the compliance program is recognized for driving business value throughout the company. With small staffs continuing to be the norm, support of the compliance program within the business is critical to the CCO as he or she tries to help build a strong, transparent, risk-intelligent enterprise.
On a related point, only 43 percent of respondents said their corporations have designated compliance officers in subsidiaries, business units or geographic markets. And within that group who do, only 49 percent of those business unit compliance officers report to the global CCO; 40 percent report to local senior managers. One question to contemplate as CCOs digest this report, then, is whether their entire compliance “function” has proper ability and authority to carry out its mission, regardless of the CCO’s particular reporting relationship.
Assessing Risk and Program Effectiveness
Thirty percent of respondents still say they do not measure the effectiveness of their compliance programs. Tom Rollauer, executive director, Deloitte Center for Regulatory Strategies, Deloitte & Touche LLP, emphasizes the importance of the risk assessment process. “For me, the risk assessment is at the center of the effort to manage compliance risk. If you have a robust enterprise-wide risk assessment process, your priorities will evolve out of that. CCOs should be setting compliance monitoring and testing priorities based upon these risk assessments.”
A potentially concerning trend, one which is carried over from the 2014 and prior surveys, relates to the oversight of third-party relationships across the extended enterprise. Third parties’ compliance risks continue to be the single biggest worry for surveyed compliance professionals, and proactive management of risks within the third-party population appear to remain inconsistent. Forty-two percent of respondents indicated that they always audit compliance with policies or regulations; 38 percent always perform extensive background checks; and 32 percent always require training or certification.
Big Problem with Big Data
Compliance teams are keenly interested in advanced predictive analytics that can aid in predicting future risks before they erupt into a catastrophe, or to assist with regulatory change management. Few tools now can perform those functions without a major customization effort. “While big data and GRC tools may hold the key to effective risk assessment and control monitoring, many organizations are still waiting for the promise to be fulfilled. New applications and increasing access to data are coming, and that will take compliance to the next level with predictive analytics,” said Nicole Sandford, national practice leader, enterprise compliance, Deloitte & Touche LLP.
Only 32 percent of survey respondents report feeling confident or very confident in their IT systems, down from 41 percent in 2014. The report suggesting lack of confidence in IT systems may trace back to the relatively small size of compliance departments, which forces them to depend on other departments or business units in the enterprise to supply the data CCOs need. “In essence, compliance functions are still spending a disproportionate amount of time collecting data, versus time spent adding strategic value to the business through analyzing and trending the data collected,” added Sandford.
Deloitte’s market-leading Risk Advisory practice helps organizations build value by taking a strategic risk approach to managing financial, technology and business risks. This approach helps clients focus on their areas of increased risk, bridge silos to effectively manage risk across organizational boundaries and seek not only risk mitigation, but also pursue intelligent risk taking as a means to value creation.
Deloitte’s governance, regulatory and risk strategies (GR&RS) professionals provide consultative services to assist organizations and their Boards in their efforts to create and protect value and enhance effective management of their strategic, regulatory, financial, operational and compliance risks on a sustained basis. As part of Deloitte’s Risk Advisory practice, GR&RS helps our clients develop sustainable governance, compliance and risk management programs by helping organizations identify, remediate, monitor and manage their enterprise risks in addition to coordinating the utilization of people, process and technology to improve effectiveness and help manage costs.
About the Deloitte Center for Regulatory Strategies
The Deloitte Center for Regulatory Strategies (the Center) provides valuable insight to help organizations in the financial services, health care, life sciences and energy industries keep abreast of emerging regulatory and compliance requirements, regulatory implementation leading practices and other regulatory trends. Home to a team of experienced executives, former regulators and Deloitte professionals with extensive experience helping clients solve complex regulatory issues, the Center exists to bring relevant information and specialized perspectives to our clients through a range of media including thought leadership, research, forums, webcasts and events.
About Compliance Week
Compliance Week, published by Wilmington plc, is an information service on corporate governance, risk and compliance that features weekly electronic newsletters, a monthly print magazine, proprietary databases, industry-leading events and a variety of interactive features and forums. www.ComplianceWeek.com
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.