Compliance officers are not doing a good job at managing cyber-security risks and plenty of gaps remain in anti-corruption compliance programs, says a recent survey conducted by Compliance Week and Kroll Advisory Solutions.

Released last month at Compliance Week 2014 in Washington, D.C., the report examined the role of compliance executives in addressing bribery and corruption risks, including cyber-security risks; the nature of those risks; and what measures companies are taking to mitigate them.

According to the report, 75 percent of 187 ethics, compliance, and audit executives polled said compliance officers have no involvement in overseeing cyber-security at all. Of that number, 44 percent said compliance officers have responsibility for data privacy laws and breach disclosure, but not cyber-security.

“Nobody is suggesting that, as a chief compliance officer, you need to be a cyber whizz,” Alan Brill, senior managing director for Kroll, said during a panel at Compliance Week 2014. Most IT people, however, don't think of cyber-security in terms of risk factors, so it's up to compliance officers to forge partnerships with IT, legal, and internal audit to make the cyber elements of compliance an everyday part of the compliance function, he said.

Corruption Risks

Aside from emerging cyber-security risks, compliance departments continue to struggle with bribery and corruption. More than half of respondents (51 percent) said they expect such risks to increase over the next couple of years.

Lonnie Keene, managing director at Kroll, said a number of factors account for this sentiment. Many companies, for example, noted that they are expanding into new and unfamiliar markets, while others are increasing the number of third-party relationships. Additionally, anti-bribery laws are becoming more stringent, including in the various jurisdictions where companies are expanding globally.


For a second year in a row, large companies ($5 billion or more in annual revenue) said they worry more than smaller companies ($1 billion or less in annual revenue) about bribery and corruption risks increasing over the next couple of years (57 percent to 46 percent). Additionally, U.S. companies worry more than overseas companies (57 percent to 37 percent).

For the first time this year, the report asked respondents what types of misconduct qualify as “corruption” that the chief compliance officer is responsible for policing. Aside from bribery, respondents cited bid-rigging (65 percent), money-laundering (63 percent), and price-fixing (60 percent) as other prevalent corruption risks.

One “emerging major concern” for companies, Keene said, is conflict minerals, which 24 percent of respondents cited as a new corruption risk. “For a lot of us, this is a challenge to figure out how to comply with and what our obligations are,” he said.

Third-Party Risk

Third-party risk continues to vex compliance officers, and may even be worsening. The percentage of respondents who said they don't train their third parties on anti-corruption risks went up from 47 percent in 2013 to 58 percent this year, despite respondents having an average of 3,868 third parties.

Kroll Managing Director Lonnie Keene said it's often difficult for companies to “get a handle on” third-party relationships.

“This was a really surprising response,” said Keene. “Training is absolutely critical. How are your third parties going to know what to do, and what not to do, if they're not trained?”

The problem, in part, is that large, global companies often don't know the full extent of their third-party relationships. “It's very difficult to get a handle on that,” Keene said. Knowing your third parties is important, he said, so you can rank them by the level of risk each poses, and take a proactive approach to your anti-corruption compliance program.

For those who do train third parties, 20 percent said they do it annually; 14 percent said they do it every two years; and 7 percent said they conduct training every three to five years.

Respondents further cited numerous reasons for not doing business with a third party. These reasons included one or more of the following: rumors of paying bribes, even without actual proof (77 percent); history of litigation (64 percent); and politically exposed individuals working at the third parties (60 percent).

What the government is looking for is training that is targeted to your audience, including training in the local language, and targeted to the company's specific risks, Keene said. Companies should also include a variety of educational elements—such as both Web-based and in-person training, questionnaires, and the distribution of printed materials for employees to read.

Due Diligence

The report also found that companies excel at due diligence at the start of a third-party relationship, but expressed less confidence when it comes to monitoring and auditing them on an ongoing basis. Only 57 percent rated their vetting procedures as effective.

The numbers slipped downward from there. Just 43 percent rated their monitoring procedures as effective; 33 percent said the same about third-party auditing; and only 30 percent expressed confidence in third-party training on anti-corruption.

Companies need to exercise audit rights with regard to their third-party relationships in order to better determine the effectiveness of the anti-corruption program, and where improvements may need to be made, Keene said. “In order to know whether your program is effective, you have to monitor your program,” he said.

[Chart: CCO Cyber-Security Duties. Kroll asked respondents to its 2014 anti-bribery survey, “What is the chief compliance officer's responsibility for data privacy laws and cyber-security?” Source: Kroll.]

Keene added that anti-corruption sanctions in an increasing number of jurisdictions around the world—such as Ukraine and Russia—put even greater emphasis on the importance of monitoring for emerging changes in government sanction programs, and appropriately adjusting your program for the risk. “My sense is that, other than the financial industry, not many companies are doing this,” he said.

The report also found that 49 percent of respondents said they automate part of their anti-corruption systems, while 51 percent do not. Not surprisingly, larger companies were more likely to use automation (63 percent) than smaller companies (31 percent).

Automating the company's anti-corruption compliance program doesn't necessarily mean having to go out and buy some expensive and complex online tool, said Brill. Rather, it's about figuring out how to make the tools that companies already have work together to have overall visibility of the company's anti-corruption compliance program.

One emerging theme companies increasingly will have to consider is whether to move compliance to the cloud for easier access on a global scale and for cost-efficiency reasons. “The cloud is becoming important,” Brill said. “My guess is that over the next few years over 90 percent of companies will be using cloud-based services for compliance.”