What are the most common areas of responsibility for compliance officers?
According to a recent Compliance Week benchmarking survey, conducted jointly with Deloitte & Touche LLP, they are: establishing standards for ethical business conduct, whistleblower protection, the ethics hotline, and anti-bribery compliance.
A majority (62%) outsource their ethics hotline operations to firms like Ethical Advocate. A smaller percentage also outsource training (32%) and investigations (18%).
1. Do compliance officers have appropriate authority and resources?
According to the survey, a majority of companies run compliance with relatively tight budgets and staffing. The median size of survey respondents was $1 billion to $5 billion in annual revenue, and 5,000 to 10,000 employees. Yet 52 percent said their full-time compliance staff consists of five or fewer people, and 47 percent said their annual budget for compliance—including salaries—is less than $1 million, which presumably includes travel expenses for local site audits and reviews.
Nicole Sandford, Deloitte’s national practice leader for governance and enterprise compliance, stresses that if compliance officers must work with small dedicated staffs, they “absolutely must build alliances with other parts of the enterprise, such as Legal, HR, or internal audit.”
2. Are compliance officers addressing the right risks?
Not surprisingly, the top responsibilities vary somewhat for compliance officers in small companies as compared to large companies, although responsibility for the whistleblower hotline comes in at number 2 on both lists.
For small company compliance officers, top responsibilities are slightly more tactical. In order, the top five are: complaints, the whistleblower hotline, testing and monitoring, FCPA compliance, and audit & regulatory findings.
Large company compliance officers seem to have a slightly more strategic role; their top five responsibilities, in order, are: establishing standards of conduct, the whistleblower hotline, FCPA compliance, issue escalation & resolution, and complaints.
These are very important areas, but there are some gaps – money laundering, privacy, emerging technologies (social media, personal electronic devices, cloud computing, etc.), and awareness of regulatory compliance risks.
Sandford expressed particular surprise that anti-money laundering and privacy issues appeared so far down the priority list. “I think many companies are probably more exposed to privacy than they appreciate,” she said. On emerging technologies, she believes that attention to technology, particularly social media, needs to improve as well.
Finally, outside of some firms in highly regulated fields, most companies appear not to be proactively staying on top of the changing regulatory environment and regulatory compliance risks.
3. Are they using the right metrics?
It is difficult to identify and analyze appropriate and useful metrics, particularly for a function intended to prevent ethics and compliance lapses. How do you identify and measure the reasons for a behavior that does not occur, for instance?
According to the summary report, of the 63 percent who do try to measure program effectiveness, many of the metrics they use are rudimentary and possibly inadequate: volume of calls to the ethics hotline, completion rates for compliance training, and results of internal audits. These are useful metrics to review past results, but how many of them help understand future risks? What are some additional and currently less widely used metrics?
The survey report states that companies and departments should review results from internal audits, regulatory examinations, and business control self-assessments, as well as ethics and customer complaints, to identify potential patterns of compliance concern. They should also conduct annual employee ethics surveys, “ideally using an outside party”, to get candid results that can be studied over time and to spot trouble areas.
The 2013 Compliance Trends survey report concludes that compliance officers are making slow but steady progress toward the ideal of a strong, independent compliance function.
Ethical Advocate works with organizational compliance officers on ethics hotline implementation and management, training, and related ethics and compliance issues.
Deloitte Development LLC. In Focus: Compliance Trends Survey 2013, August 2013.