KPMG just published a survey of chief compliance officers that’s chock full of numbers and charts telling where CCOs plan to take their compliance programs in 2019. It’s well worth your time to read — although, to my reading, some of the findings don’t quite add up.
The survey polled 220 chief compliance officers at large organizations across a swath of industries, asking about the maturity of their programs and where they want to make “enhancements” in 2019 and beyond.
The good news is that in many ways, CCOs do rate their programs as mature and robust. From one criterion to another — boardroom governance of ethics and compliance, compliance risk assessments, use of data analytics, defined roles and responsibilities, and more — respondents rated their programs 4.0 or higher, on a 1-to-5 scale. If you’re looking to benchmark your program’s own maturity against peers, this is the report for you.
Much more interesting is where CCOs want to turn their attention next. The KPMG survey identified five areas that compliance officers want to enhance, which you can see in the chart at right.
Frankly, I don’t get these numbers. They leave me wondering whether compliance officers are enhancing the things they can, rather than the things they should.
The top two areas for enhancements are investigations and monitoring & testing, each cited by 65 percent of respondents. On one level that makes sense: enhance your monitoring and testing to identify risk events; and enhance your investigations function to chase down those leads and see what’s really happening.
Nobody would say those capabilities are unimportant — but they are reactive, to transactions and events already happening in your enterprise. Enhancing those capabilities is fine, but that still only makes your organization more responsive to risk events already happening.
Corporate boards want capabilities that are more anticipatory, to prevent risks from happening in the first place. Those capabilities would be more along the lines of better data analytics, regulatory change management, and reporting — which all scored only 32 percent among respondents.
Compliance Capability, or Risk Management
I sometimes wonder if investigations and monitoring float to the top because those are lawyerly things to do, and corporate compliance officers are mostly lawyers. Meanwhile, the board is more interested in developing risk-resilient strategies for corporate growth. Well, that’s more of an auditor thing to do: assess risks and the effectiveness of controls to mitigate those risks.
For example, look at the 32 percent of CCOs who say they want to enhance data analytics and reporting. As more corporate operations become a collection of digital business processes, better analytics of, and reporting on, those processes will become the whole ballgame for management. That will be all senior executives do and read, all the time.
So compliance and audit functions should be doubling down on those capabilities, like, right now. What’s more, when I talk to internal audit executives, they are doubling down on data analytics and reporting. Even small audit shops that barely do any analytics or data visualization are trying to double that tiny effort.
Compliance officers tend to know the importance of data analytics too, of course. We just had a post several weeks ago offering three great examples of how compliance officers are using analytics already. So why is that subject scoring a paltry 32 percent?
I wonder whether compliance is perhaps waiting for internal audit to pave the way forward on data analytics and data visualization. That’s not necessarily an unproductive move, especially since compliance functions do have so many investigations and so much monitoring to do. There are practical reasons why 65 percent want to enhance those abilities.
Still, if corporate boards above all want risk assurance, and controls that anticipate risks, so directors and CEOs can adjust strategy rather than clean up a mess, audit teams are well suited to build systems like that. One could even envision a world where organizations consolidate compliance into audit, in some souped-up “corporate risk and integrity function” or something like that, since from the board’s perspective, ethical misconduct is just one more risk to manage and prevent.
I’m not quite sure what that all means for corporate compliance officers in 2019 and beyond. But anyone planning to spend the next 10 or 15 years of their career in this field may want to contemplate it.