Chief compliance officers apparently still have lots of work ahead to turn their compliance efforts into strong, mature programs that can handle the broad range of risks corporations face.

That’s according to the findings of a joint study conducted by Compliance Week and Paisley, which polled 386 compliance, legal, and audit executives on the subject. The survey quizzed executives about how mature their compliance functions are, what processes they use to manage specific risks, and more.

Overall, a plurality of respondents (44 percent) described their compliance function as “organized but reactive”—that is, compliance exists as its own function and has visibility throughout the company, but it still mostly reacts to problems as they occur rather than prevents them in the first place. Another 20.2 percent described the worst-case scenario of “siloed and inconsistent,” where compliance is largely isolated from the company’s daily operations.


Mike Rost, Paisley’s vice president for marketing, says those numbers are probably indicative of how little time companies have to plan a coherent compliance strategy, rather than a willful decision to make compliance a secondary priority. “What we’ve seen is that many organizations find themselves, at best, in a reactive mode and are seeking to take it to the next level and looking for ways to go about doing that,” he says.

Another telling sign on the state of corporate compliance programs: 82 percent of respondents said their compliance function is less than five years old. Eleven percent said their function was 6 to 10 years old, and only 6.2 percent reported a compliance program more than 10 years old.

Often, Rost says, compliance professionals know where they want to take their compliance programs, but aren’t sure how much time they’ll need to get there or what all the steps involved are. Still, he adds, “there is this pursuit of that more mature state.”


Slightly more than one-third of respondents ranked their compliance functions at the higher end of the scale. Thirty-two percent described their function as “actively managed and proactive,” and a slim 3.1 percent answered “fully integrated and embedded”—where all compliance efforts are coordinated, orchestrated, and managed in unison, offering complete visibility across the global enterprise.

Program vs. Process

Interestingly, while many companies reported an immature compliance program overall, a significant number did say they had strong programs to address specific types of threats.

For the Foreign Corrupt Practices Act, for example—a risk that has become one of the top priorities for compliance officers in the last five years—only 9.6 percent described their compliance efforts as “siloed and inconsistent,” and 17 percent gave the highest answer, “fully integrated.” (Respondents were asked to describe their programs on numerous specific risks, using the same scale as they did to describe their compliance program overall.)

Examples such as FCPA aren’t surprising, Rost says, since stringent enforcement and regulatory climates have forced companies to pay more attention to it. “When compliance becomes a core component of your overall business operations … it forces you down the path of maturity much faster than those that are just preventing civil or criminal penalties,” he says.

Zealous enforcement of the FCPA (which prohibits bribery of foreign government officials to win business) has forced multinational companies to understand that compliance with it is a core requirement of doing business overseas, Rost says. That reality, in turn, has driven them to embed FCPA compliance into daily operations.

Not surprisingly, the risks companies worry about most—the FCPA, securities law, insider trading, and employment—all showed much higher levels of maturity. Lagging areas included anti-trust (27.2 percent reporting “siloed and inconsistent” compliance), money laundering (26.4 percent), and import-export law (26.4 percent).

Those weak spots could serve as a roadmap for where compliance departments should turn their attention next. Already the Justice Department has stepped up anti-trust enforcement, for example, and many legal experts say import-export law is likely to be next. Companies not in highly regulated industries could be particularly vulnerable, since compliance efforts there typically struggle to win support from top management until something bad happens.

THE DATA

Below are some of the main findings of the Compliance Week-Paisley survey examining the current state of corporate compliance programs.

[Chart: Functional Maturity: I would describe our compliance program as...]

[Chart: Historical Maturity: In terms of age, our compliance program is...]

Source: CW/Paisley Compliance Maturity Survey (Nov. 10, 2009)

Compliance officers looking to beef up their efforts should try to leverage the experience of peers or the enforcement actions taken against them, Rost says. He cited the $2.3 billion judgment against drug maker Pfizer in September for illegal prescription drug marketing as an example.

“Where we see a lot of activity now is when people see bad things happening to other people,” he says. “[I]t just takes a couple of those to get the board’s attention, which then drives a lot more activity.”

The survey also polled companies about the specific processes they had in place to enforce compliance with various policies: Does a policy exist? Is the policy documented? Is it widely distributed? Do employees certify their awareness of it, and do auditors confirm that?

Those results painted a mottled picture. Predictably, for example, the program with the highest percentage of audited policies was FCPA (21.8 percent)—but 12.4 percent of companies also said they had no FCPA policy at all. Overall, the topics with the highest number of companies admitting no policy at all were money laundering (35.5 percent), enterprise risk management (29.5 percent) and customs import/export laws (29.3 percent).

On average, 24.3 percent of respondents said their policies were drafted, distributed, and certified by employees. The specific programs ranking highest on employee certification were insider trading (46.6 percent), privacy (29.5 percent), and anti-trust (28 percent).

Tools and Technology

The survey also gauged what technology companies use to monitor tasks such as documentation, communication, sign-off, workflow, reporting, and even risk assessments.

Again, to little surprise, the most common IT tools were simple Microsoft applications such as Word (37.9 percent) or some other Microsoft tool (21.3 percent). Another 17.2 percent used software purchased from a compliance software vendor, and 10.8 percent used an internally developed tool. An alarming 12.8 percent said they used no technology at all.

On a somewhat troublesome note, 77.3 percent did not respond when asked what tools they used for a variety of additional specific functions, such as controls documentation, compliance management, risk assessments, ERM, GRC management, and business intelligence. The non-response suggests that no tools were used at all for those functions.

The lack of software tools reflects a business process that is “somewhat organized but still reactive,” Rost says. Typically, a company begins to use more structured productivity tools as its compliance function evolves.

“At some point you need to look at more of a purpose-filled solution rather than just an ad hoc approach to getting it done,” Rost says. Technology plays an important role in providing the infrastructure around the data that drives the business process.

When you look at the evolution of financial reporting, the evolution of planning and budgeting, or the evolution of recruiting employees, Rost says, technology has played a “significant role in the maturation of all those processes and the optimization of all those processes. The same could hold true for compliance.”