CCOs give mixed reports on governance and tech

Companies have made progress in developing compliance programs – including getting boards involved – but could do more in areas such as monitoring and technology, according to a new survey of chief compliance officers (CCOs) by KPMG.

The report’s authors say many companies are making significant progress in their ‘compliance journeys’, particularly in developing the foundations of their compliance programs such as governance and culture, policies and procedures and communication and training.

One indication of this is effective reporting by compliance to the board. For example, 94 percent of companies say their board and/or delegated board committee reviews and approves the compliance program, and 93 percent say the board and/or committee is adequately informed of compliance risks and how the organization is mitigating them.

Eighty-two percent of CCO respondents say they participate in enterprise-wide governance committees and interpret and provide guidance on KPIs related to compliance. With regard to fostering a compliance-focused culture, 94 percent of companies report that compliance requirements are included in their policies and procedures and also separately in their code of conduct, which is accessible to all employees.

Eighty-seven percent of CCOs agree that employees understand the culture and expectations for good conduct and ethical behavior, and 68 percent believe their employees also see good culture and conduct as a competitive advantage. But 36 percent of respondents disagree or do not know whether line-of-business management takes ownership of the organization’s compliance culture and agenda.

Although many companies have an active board, established board committees and an involved and engaged CCO, ‘the mandates could be more robust to incorporate and address changes in the regulatory environment that impact the organizations,’ the authors write.

According to the survey, 22 percent of CCOs report that they do not know or do not have a board or delegated committee process in place to review the compliance management program when there are changes in the regulatory environment based on a strategic assessment of enterprise-wide initiatives. Although the Trump administration is pushing an anti-regulatory agenda, industry professionals expect there to be continued rule changes in a variety of fields, and revisions to or deletions of existing rules, which firms must also assess and keep track of.

Communication and training is another area of strength for many companies, with most CCOs reporting that they have implemented comprehensive compliance training programs for all employees, including training on internal policies and procedures, and that new employees receive compliance training appropriate to their roles and responsibilities, according to the reports’ authors.

But training of third parties remains an area where additional improvements are needed, with many companies not having a formal annual training program for their vendors, according to the paper. In addition, the authors say some CCOs could further incorporate communication strategies to share compliance issues, best practices and lessons learned across the organization.

KPMG polled CCOs from 62 major US organizations across the financial services, insurance, energy, healthcare & life sciences, technology, media & telecommunications, consumer markets and industrial manufacturing industries.


TECHNOLOGY
The authors argue that some companies could make more progress in their compliance activities by further integrating processes and controls to detect and respond to potential misconduct. This might include monitoring and testing efforts as well as using technology and data analytics, they say.

Richard Girgenti, principal and leader of forensic advisory services for the Americas at KPMG and one of the authors, says: ‘At a time when [CCOs] are strained for budgets and resources, they can achieve efficiencies as well as improve their organization’s compliance program by leveraging technology, data and analytics to support a wide range of compliance activities including risk assessments, monitoring, testing, training, reporting and document retention.’

Around two thirds (69 percent) of CCOs say their compliance program uses technology to support such activities, while 31 percent say their program does not, or the CCO does not know whether his/her compliance program uses technology.

‘Yet significantly smaller percentages of CCOs report using the power of technology, data and analytics more holistically to assess specific risks and trends or to refine their compliance activities based upon analytic results,’ the authors write. For example, only 47 percent of CCOs report using data and analytics to conduct root cause and trending analyses. Similarly, only 48 percent of CCOs say they use standardized KPIs in the development of their approaches to compliance monitoring and testing.

In addition to data analytics, CCOs should consider how their technology infrastructure supports their compliance activities and program, and whether enhancements are needed, according to the authors. Only 40 percent of respondent CCOs report that their technology infrastructure has been analyzed to confirm that it meets compliance requirements and that any important gaps have been addressed. Thirty-nine percent say their technology infrastructure is ‘proactively adapted’ to align with regulatory changes.

‘Given the broad spectrum of regulatory changes anticipated from the new administration and Congress, as well as differing and changing regulatory requirements across jurisdictions, organizations should continue to focus on investing wisely in areas of their compliance practices and programs that will help them to more effectively and efficiently comply and operate,’ says Amy Matsuo, partner and regulatory risk network leader at KPMG and one of the report authors.


COMPLIANCE CHALLENGES
Respondents were also asked to identify up to three of their top compliance challenges, with the results as follows:

• Enhancing accountability and compliance responsibilities – 55 percent
• Improving data quality for risk-data aggregation and risk reporting – 50 percent
• Transforming the effectiveness and sustainability of compliance – 50 percent
• Strengthening governance and culture – 39 percent
• Managing challenges in surveillance, reporting, data and controls – 32 percent
• Integrating cyber-security and data-privacy compliance – 31 percent
• Reforming compliance reporting – 19 percent
• Managing the complexities of cross-border regulatory change – 16 percent
• Addressing pressures from innovators and new market entrants – 8 percent