Survey: Corporate risk management programs evolving, but too slowly

“Effective compliance in today’s complex environment requires appropriately-sized teams of dedicated individuals to mitigate the risk of running afoul of regulations,” said Nicole Sandford, national practice leader, governance and enterprise compliance, Deloitte & Touche LLP. “While progress is undoubtedly being made by compliance departments, these results indicate that compliance executives still face difficult choices deciding what they need to prioritize with limited resources.”

Structure and Budgetary Challenges

According to U.S. Sentencing Guidelines and consensus from multiple federal agencies, companies should ideally operate an independent compliance function that is led by a full-time chief compliance executive reporting to the CEO and the board of directors. However, the report reveals only 37 percent of U.S. companies that participated in the survey have an independent chief compliance executive, and only 51 percent of those executives report directly to the CEO or the board.

The report also shows 52 percent of respondents say their full-time compliance staff consists of five or fewer people, and 47 percent say their annual budget for compliance, including salaries, is less than $1 million. This is despite the fact that the median size of the companies in the survey sample is $1 billion to $5 billion in annual revenue, with 5,000 to 10,000 employees.

“These numbers are troubling. They indicate that the compliance function continues to be under-resourced in both people and money — at a time when the importance of the role is growing rapidly,” said Tom Rollauer, executive director, Deloitte Center for Regulatory Strategies, Deloitte & Touche LLP. “For some companies, success depends on how effectively compliance officers can raise awareness and promote a ‘culture of compliance’ while also embedding compliance controls into day-to-day business processes across the enterprise.”

Difficulty of Measuring Compliance Success Remains

Nearly one-third of companies surveyed (31 percent) do not measure the effectiveness of their compliance program. Of the 63 percent who measure program effectiveness, many of the metrics used are rudimentary. Many companies are tracking metrics like the volume of calls to the compliance hotline (65 percent), completion rates for compliance training (68 percent), and results of internal audits (74 percent), but few are employing methods to understand future risks and uncover particularly sensitive risk areas.

The report also revealed that more than 40 percent of companies do not use employee ethics surveys, which can inform future decisions and gauge program efficacy in a cost-effective manner.

“Measuring the success of compliance functions can be more difficult than measuring other traditional business drivers. That is a large part of the reason why many companies tend not to analyze, or tend to under-analyze the performance of their compliance functions,” continued Sandford. “However, there are numerous simple and cost-effective techniques companies can employ to increase the efficacy of their compliance work and then capture its value. Conducting employee ethics surveys, for example, can be used to measure compliance program effectiveness and can provide candid results.”

“Compliance departments need to figure out the right forward-looking metrics. Many companies are still at a stage where they are analyzing data reactively and giving inadequate thought to how they can gather data that would give them insight into future risks. Once they start doing this effectively, they can spot trouble areas quickly and address them proactively,” Rollauer added.

Addressing the Right Risks

In the current regulatory environment, many compliance officials are primarily focused on establishing standards for ethical business conduct, whistleblower protection, managing the complaints and incidents hotline, and anti-bribery compliance. However, the report revealed that there are several high-priority risks that are receiving less attention from many companies. In particular, anti-money laundering and privacy are low on the priority lists for compliance officers at larger companies, with only 40 and 49 percent of respondents, respectively, reporting they had responsibility for each.

“I think many companies are probably more exposed in privacy than they appreciate,” Sandford said. “There are so many ways to get in trouble there, such as the bad publicity of breaching customers’ personal data or the economic costs of data theft.”

The report also shows that although companies are aware that emerging technologies pose new risks, not all are prepared to meet the challenge. In total, 43 percent of respondents said that while they have a company policy on proper use of social media, they don’t monitor employees to see whether the policy is followed. Another 22 percent said they have no policy on social media usage at all.

“Attention to technology, particularly social media, needs to improve across the board,” said Sandford. “Companies can’t stop employees from airing gripes about their jobs or bosses, but they can monitor ‘company chatter’ in a meaningful way to identify potential problems in corporate culture or specific business units. Looking at these patterns over time can be extremely useful in identifying critical internal issues, as well is in preventing public reputational damage.”