KPMG published a survey last week that delivers news both good and bad for compliance officers. Spending on staff and technology is likely to increase in the next year (yay!) — but compliance functions are also under more pressure, primarily from boards and regulators, to do better (boo!).
The survey polled 240 chief compliance officers at large global companies across six industries, so it’s a good glimpse into current CCO concerns; but I’m still trying to figure out the right way to describe the findings. Like, who doesn’t want larger budgets for more technology and personnel? Then again, increased pressure from boards and regulators means compliance officers will need to be very thoughtful about how they deploy those supposed additional resources. So compliance officers are, as usual, in a difficult spot.
Let’s begin with some of the statistics from the KPMG report:
- 73 percent of respondents said they feel increasing pressure on compliance program performance;
- 63 percent expect an increase in their technology budget;
- 56 percent expect an increase in personnel, with most of that group expecting to boost full-time staff by 1 to 5 percent;
- 43 percent said their biggest challenge will be new regulatory requirements.
If we boiled all those bullet points into a single sentence, it would be something like, “Boards want better compliance performance and regulators are giving us more to do, so we’re getting modestly more resources to meet those new demands.”
Fair enough; that sentence has loomed over compliance professionals for the last 20 years. But dig deeper into KPMG’s findings and several big questions emerge about exactly how compliance officers might try to meet those new demands over the next several years.
Deciphering and Responding to Pressure
We can begin with the finding that 73 percent of CCOs feel more pressure on compliance program performance. KPMG also asked where that pressure is coming from. Figure 1, below, paints an important picture.
Across all industries (the gray bar), 53 percent say boards are driving that increased pressure, and another 49 percent cite regulators. (The colored dots represent specific industries, and we can see that in sectors such as healthcare, industrial manufacturing, and energy, the percentages are even higher.)
After boards and regulators, however, the numbers for other stakeholder groups decline rather sharply. So my question is whether your board is giving you true support for a better compliance program, or just barking at you to do better.
A compliance officer with strong support from the board can get a lot done, because the rest of the enterprise will bring you into their operations and take your needs seriously. A compliance officer without board support is almost destined to fail.
Perhaps another way to look at this is to ask exactly what your board is pressuring the compliance function to deliver. Does the board want to see a true culture of compliance, where wrongdoers are held accountable? Or does it simply want to see no violations catching the eyes of nosy regulators? Because if it’s the latter, that sets more of a “keep quiet and carry on” tone that won’t do you any favors.
We should also spare a thought for pressure from regulators. Yes, regulators want better compliance programs so that companies can better help the regulators to hold wrongdoers accountable. In that case, how might you need to change policies and procedures so that your company can do better at helping to hold individual wrongdoers accountable? (More thorough documentation and approval processes, for example.) That’s another question to ponder.
Putting New IT Spend to Good Use
Let’s go back to those 63 percent of respondents who expect an increase in their compliance technology budget. What are they likely to spend it on? More precisely, what IT capabilities should they strengthen with those additional resources?
Well, 43 percent of survey respondents listed new regulatory requirements as their single biggest challenge right now — yards ahead of other challenges such as data analytics, hiring the best talent, or working well with other parts of the business, none of which even broke 30 percent.
One can see why new regulatory requirements are so vexing. For example, when the Biden Administration adopts a “whole of government” approach to cybersecurity or climate change or some other issue, what that really means is that you might have multiple agencies publishing rules on the same subject. Those rules are likely to be somewhat similar, but not exactly identical, so you have lots of work to do ascertaining which rules are truly novel and which ones are only asking for something you already submit somewhere else. (All that, and we haven’t even mentioned duplicative state or international rules yet.)
In that cacophonous world, your ability to map regulatory requirements to internal controls and business objectives will be critical — and you’ll need to automate that work as much as possible, too. Whatever your technology plans might be, you’ll need to develop that IT capability somehow.
Figure 2, below, shows the automation ambitions that compliance officers have these days, and look! The biggest spread between the share of respondents who have already automated a compliance task and the share who still want to automate that task sometime soon is in regulatory mapping.
So in theory, by the time KPMG publishes an updated CCO survey in 2025, the portion of compliance officers who’ve automated regulatory mapping will be somewhere near 75 percent. I’ve put a reminder in my calendar to see whether that comes to pass.
Another interesting item: the second largest spread between what is automated and what compliance officers want to automate is manual supervisory tasks. So what will that automation look like? What supervisory workflows would be primed for automation? Approvals, perhaps, if you calibrate your documentation requirements correctly. Or maybe there are management reviews that happen manually now, that could be redesigned for an automated dashboard. (Think about it, and then drop me a line at [email protected] about the supervisory tasks you want to automate.)
I do have one nagging concern about the IT investments compliance teams will supposedly be making. Figure 3, below, shows the specific capabilities that compliance officers want to cultivate. As you can see, the biggest concerns are cybersecurity and data privacy, cited by 59 percent of respondents.
Except, the important controls for privacy and cybersecurity are foremost about access control and identity management; those things are crucial for privacy, anti-money laundering, various types of vendor fraud, and other issues.
Well, wouldn’t those controls be the domain of the CISO, more than the compliance officer? Because access control and identity management are crucial for a host of cybersecurity risks, many of which are far removed from the compliance officer’s concern. So who calls the shots for this investment? Whose budget gets billed for it?
Yet more food for thought, in a report that was already pretty meaty.