The good news for compliance programs is that many are finally getting the added resources they need to get the job done. The challenge, however, is how to best leverage staff and technology to keep pace with the regulatory onslaught they face and the increasingly complex, specialized issues they must handle.

Those insights were among the findings of the second annual “State of Compliance: 2012” survey, a joint effort between PwC and Compliance Week, that was released on June 4 at the Compliance Week 2012 annual conference in Washington, D.C.

Sally Bernstein, a principal in PwC's advisory practice, says the findings are timely given the increased demands on compliance officers as they evaluate or oversee nearly every risk or regulatory issue companies face, including anti-trust, anti-corruption, ethics, import-export, supply chain, social media, and codes of conduct.

“There is increased pressure on boards around risk management and it means increased pressure on compliance officers from those boards,” Bernstein says. “Compliance is clearly an area where they are managing a huge spectrum of risk, and the survey talks very specifically to the fact that the risks they are covering is expanding.”

Increasingly, companies are willing to invest in compliance, the survey finds. In the 2011 survey, nearly one-third of respondents had budgets of less than $1 million. This year, that group dropped to 20 percent and the percentage reporting budgets of $3 million to $10 million jumped from 14 percent to 21 percent. Spending is “moving in the right direction,” says Bobby Kipp, a partner in PwC's Assurance practice.

A portion of that increased budget is going into technology, the survey finds, but the results also indicate a “highly fragmented approach” to IT. Companies still perform the solid majority of their GRC-related tasks using desktop IT tools, usually Microsoft Office applications. Only in “a handful of specific circumstances”—such as handling financial data, delivering ethics training, tracking employee surveys, and case management—did a majority of respondents say they use software from GRC vendors.

Another red flag: Even corporate departments that typically cooperate in GRC-related tasks are still more likely to use their own IT tools than to share one common system. For example, 47 percent said their internal audit department uses its own tool, while only 20 percent of respondents said they share a common system with other functions. In legal departments, only 12 percent had a collaborative system in place.

The ad hoc approach to IT systems “increases the risk of ‘silos’ of data that might be duplicative, incompatible, or simply unknown to the compliance department,” the report says. The advent of cloud computing, ubiquity of social media, and widespread use of employee-owned mobile devices all mean that “the odds start to soar that the compliance department doesn't have visibility into all the data that might suggest risk,” the report states.

“Technology tools can help to manage the wide diversity of information that exists and is labeled as compliance information,” Kipp says. “But there is also a lot of other information in an organization that might not even be thought about as compliance related, but is relevant. If you think about something like shrink, or absenteeism, or supply chain performance, they might not initially fall under the compliance department, but they can start to help create a picture that helps it manage better.”

More People Power

The survey also found that staffing levels are increasing, with nearly 80 percent of respondents reporting that their compliance departments grew at least modestly in the last year. Just 4 percent of respondents said their compliance department consisted of only one person, down from 12 percent who said compliance was a one-man show in 2011. A quarter of respondents reported that their compliance department staff increased by more than 10 percent.

“[Compliance departments] are trying to bring on more people,” Bernstein says. “But do they really need more people, or do they really need to set their objectives for what they want to achieve from those people a little bit more clearly?”

More companies are formalizing their compliance programs, too. Most companies (71 percent) now have an in-house compliance committee, up from 57 percent last year. Less admirable, 8 percent of responding companies still have no designated chief compliance officer.

How compliance committees are structured may require some rethinking, according to the report. Only 45 percent of compliance committees include representation from the business units. Although a majority of companies say these units have direct responsibility for compliance, with support and oversight from the compliance department, it was expected that this number would be higher.

Only 33 percent of respondents said sales and marketing representatives serve on their committee, even though gifts offered to customers have been at the core of longstanding debates and regulated in some industries. More than 80 percent said they are responsible for ethical sourcing and supply-chain compliance, yet only 21 percent of committees included representatives from the supply-chain department.

Oversight of compliance is changing as well, according to the survey. Fewer compliance officers report to the general counsel on a daily basis (35 percent in 2012, compared to 41 percent last year), although the number reporting on a daily basis to the CEO held steady at 32 percent. On a formal basis, 32 percent of respondents report to the audit committee, almost as many as report to the general counsel (33 percent) and many more than report to the CEO (20 percent). This falls in line with the U.S. Sentencing Guidelines' revisions from 2010, which favor an independent compliance function that preferably reports to the audit committee and board, the report says.

STATE OF COMPLIANCE 2012

Two charts from the joint 2012 State of Compliance study from Compliance Week and PwC accompanied this article.

[Chart 1: respondents polled on stakeholders' intended increase or decrease in demand for effective compliance.]

[Chart 2: respondents asked to rate their satisfaction with their ethics & compliance programs.]

Sources: Compliance Week; PwC.

“One of the drivers in the federal sentencing guidelines, and one of the hot topics, has been who is the compliance officer reporting to,” Bernstein says. “I think access to the audit committee, or access to the board, is the key,” she added. “That there is the ability to bypass executive management and go to the board if there is some issue that requires that is a positive thing we found to be happening.”

Measuring the effectiveness of a compliance program, and being able to prove and defend success (to regulators, auditors, and business partners), can be as elusive a task as it is a critical one. In 2011, 38 percent of respondents said they did not measure the effectiveness of their programs at all. It was deemed “a startling figure.”

This year, there proved to be somewhat of a disconnect between the metrics compliance officers rated as important, and “the ideals commonly cited as proof of a strong compliance program.” Only 35 percent of respondents labeled surveys of workforce culture as very important, even though the U.S. Sentencing Guidelines clearly favor a “culture of compliance.” “Building and sustaining a culture of integrity and compliance is critical,” Kipp says. “It is the culture that then drives the compliant and ethical behavior you want at the end of the day.”

“We would say that you can measure aspects that are important and give you an indication that you are building a culture where employees will behave in the way you want them to,” says Kipp. “You want them to know and understand the rules. You want them to get guidance when they have questions. You ultimately want them to follow the rules, do what is right, and speak up when they have concerns. You can ask questions that help give you indications of whether their culture is going to do that.”

While the results presented at Compliance Week 2012 were drawn as of April 2012, the survey will remain open until Dec. 31. Companies that participate (by visiting www.pwc.com/us/compliancebenchmark2012) receive a complimentary benchmark report.