Compliance officers continue to be stretched thin with the resources they have to do their jobs effectively—no surprise there—but they might take comfort in knowing that how much they spend on compliance programs isn't nearly as important as how they spend it.

That conclusion stems from two compliance benchmarking reports released last month, both of which found that compliance budgets have steadily increased in 2012, keeping pace with the breadth, level, and complexity of today's risks. The studies also found that the more deeply embedded the compliance function is in the business, the more effective it is.

“The least effective programs don't have the sponsorship of senior management,” says Wayne Brody of ethics and compliance advisory firm LRN, which conducted one of those reports. Nor do such programs tend to provide information that can help senior executives make smarter decisions, or capture data on effectiveness of the compliance program.

And according to PwC's 2013 State of Compliance survey, 73 percent of 800 executives polled among U.S. and U.K. companies reported that their compliance budgets either stayed the same (37 percent) or increased (36 percent) over the past year. Still, 13 percent of executives said they have no established compliance budgets, and 28 percent have budgets of $500,000 or less.

The LRN report found similar results. Of 180 global companies polled, nearly half said they don't expect any change in their 2013 budgets from 2012—but the group expecting budget increases (38 percent) was more than twice as large as the group expecting budget cuts (16 percent).

Excluding staff and benefits, the largest share of ethics and compliance budgets went to spending on education and communications (27 percent), followed by administrative costs (13 percent), and spending on consultants (12 percent), according to the LRN study.

Budgets aside, in both studies an overwhelming number of compliance executives said they still aren't getting the resources they need to do their jobs well. In the LRN study, for example, respondents cited inadequate resources (45 percent); integration into the firm's process and culture (35 percent); and lack of formal processes (35 percent) as the three biggest challenges in conducting risk assessments.

As LRN sees it, ethics and compliance programs that generate the highest return on investment tend to follow a values-based approach that includes the following core elements:

• The orientation and purpose of the program, as well as the code of conduct;
• The formal evaluation of ethical behavior;
• The use of blended learning;
• Theme-based campaigns that repeat and reinforce the company's core ethics and compliance message;
• Measuring organizational impact; and
• More spending on education and less on consultants.

Reporting Structures

Both studies assessed the reporting structures for compliance teams. According to the PwC study, compliance officers reported on a formal basis to three groups: chief executives (27 percent), general counsels (25 percent), and boards (23 percent). “We're a bit surprised that there isn't more formal reporting to the board,” says Bobby Kipp, a partner in PwC's assurance practice.

Still, compliance officers in U.S. companies have seen a steady shift in formal reporting over the last three years away from the legal function (37 percent in 2011 to only 28 percent today), and more toward CEOs. That trend suggests that the compliance function is rising in stature within companies and that CEOs are playing a more hands-on role in compliance oversight, Kipp says.

In the LRN report, the number of ethics and compliance executives reporting to the general counsel continues to fall (46 percent), while those who report to the board have more than doubled in the last two years. Such a reporting structure falls in line with the 2010 revisions made to the U.S. Sentencing Guidelines, which favor an independent compliance function that reports to the board.

The PwC study also looked at how companies formalize their compliance programs. Most companies (60 percent) now have a compliance committee, similar to 2012 results. And in the United States, highly regulated industries are much more likely to have a compliance committee, including healthcare (87 percent), pharmaceutical and life sciences (72 percent), and financial services (64 percent).

That said, British and American businesses do seem to take different approaches to compliance committees, Kipp says. At U.S. companies, the committees largely oversee policy procedures and plans, and thus tend to meet only once a quarter. In Britain, the committees are much more hands-on—a collection of compliance risk owners—who collaborate and coordinate their efforts. Therefore they tend to meet more often, usually monthly.

INTERNAL AND EXTERNAL DEMAND

In the chart below, PwC asked respondents to the State of Compliance survey how much the following stakeholders will increase or decrease their demand for evidence of effective compliance in the next three years:

Source: PwC.

And who sits on the compliance committee? Most companies say they have all the usual suspects: legal (77 percent), compliance (76 percent), and internal audit (61 percent). The least represented groups include operations and business units.

“This continues to raise concerns that compliance committees may not be optimally equipped to fully understand and assess the full range of compliance risks that the company might be exposed to,” the PwC study said.

Effective Metrics

Another common challenge faced by compliance departments: Most don't have the metrics they need to measure compliance program effectiveness, Brody says. Most companies use metrics that are quantifiable, yes, but those benchmarks don't necessarily indicate the effectiveness of the compliance program, he says.

According to the PwC study, for example, the most common metrics compliance programs use to measure effectiveness include such indicators as compliance audits (71 percent); training data and risk assessments (65 percent each); hotline data (56 percent); as well as employee disclosures and culture surveys.

The problem is that such benchmarks are all “really lagging indicators,” Brody says. Companies don't use enough forward-looking indicators that focus on “which behaviors drive which outcomes,” mainly because metrics to assess culture are difficult to develop, he says.

Kipp agrees. “Just because you measure how many people took your training, that doesn't tell you they learned anything.”

“Everyone agrees that behavior drives outcomes, but culture can't be measured,” Brody adds. “Historically, business unit leaders aren't comfortable investing in something they can't measure. That's been the fundamental obstacle, thus far.”

Technology as a Tool

Even though many companies harness IT to help with compliance activities, opportunities exist to be more “effective and efficient,” Kipp says. “We still are not seeing technology being used as much as it could be.”

EVOLUTION OF COMPLIANCE TRENDS

Below, PwC reveals trends in the evolution of compliance as noted by the State of Compliance survey results.

• Rising profile of compliance on the executive/C-suite/board agenda
• Increasing demand for evidence of program effectiveness, especially from regulators and boards
• Continuing challenge to communicate value to stakeholders
• Increasing investment in compliance programs at “less-regulated” industries
• Continuing evolution in formality and function of compliance governance structures
• Growing use of effectiveness measures with opportunity for more monitoring
• Rising use of technology, with opportunities to leverage evolving technology more efficiently

Source: PwC.

Technology is still creating “a lot of frustration and challenges” for compliance officers, says Sally Bernstein, a principal in PwC's advisory practice. Most companies still perform the solid majority of their GRC-related tasks using desktop IT tools, usually Microsoft Office applications or home-grown solutions. That increases the risk of silos of data that could be duplicative, incompatible, or simply unknown to the compliance department.

Many companies are using IT for the same metrics they are measuring, including training, documentation management, and employee surveys. “They rely on these technologies to assist with these metrics,” Bernstein says. “As the trend toward auditing and monitoring specific risks accelerates, we believe technology will have to play a critical role.”

Rather than merely investing in more controls, ethics and compliance leaders are better off developing training that imparts the importance of ethical decision making and raises risk awareness of unethical behaviors, Brody says.

A values-based approach to the core elements of an ethics and compliance program generates the highest return on investment, he says. “When we help employees make decisions based on the company's values, we'll get compliance as an outcome. We'll get performance as an outcome.”