A Mixed Picture on Compliance Efforts
Most large companies are doing at least passably well at managing compliance risks around third parties, although the vast majority are also still struggling to develop strong data analytics capability, according to a compliance benchmarking survey from two of the biggest names in the advisory world.
KPMG and law firm White & Case published their in-depth report on Thursday, based on a survey of more than 200 “senior decision-makers” (mostly senior compliance officers, but not entirely) at large companies around the world. The report offers glimpses on compliance risks that range from anti-corruption to cybersecurity to ESG, with lots of statistics on specific steps that respondents are or aren’t taking to address those issues. If you’re trying to understand how your compliance program’s maturity compares to others, it wouldn’t hurt to find a spare hour and give this a read.
Let’s begin with some stats on anti-corruption and third-party risk management:
- 79 percent of respondents said they conduct documented anti-corruption risk assessments (yay!) but only 47 percent conduct these risk assessments every year (boo!).
- Those risk assessments matter because among those CCOs who do perform them, 69 percent said their boards are adequately engaged in discussions about the compliance program’s performance, and 73 percent said the same about the board’s understanding of anti-corruption risks. Among those who don’t perform risk assessments, however, those numbers drop to 32 percent and 36 percent.
- The single biggest anti-corruption risk was use of third parties, cited by 59 percent of respondents. Next in line were pressure to meet sales targets (cited by 36 percent), gifts and entertainment (35 percent), and lack of employee awareness about anti-corruption risk (29 percent).
- Even though use of third parties was the top anti-corruption risk, 60 percent of respondents said they have never been pressured to approve a third party they believed to be an unacceptably high corruption risk.
Moreover, most respondents said they had a fairly robust third-party risk management program in place. For example, solid majorities said they had written policies for how employees should engage with third parties and formal third-party Codes of Conduct. A majority also had strong policies and procedures for performing risk-based third-party due diligence and auditing third-party compliance. Figure 1, below, shows the complete breakdown of how many respondents perform what good practices.
The only issue in Figure 1 that didn’t score a majority was the question of whether you should require third parties to complete your anti-corruption training. I tend to be OK with that, since everyone criss-crossing their training demands on third parties can quickly become an intrusive, unwieldy mess. The best solution I’ve heard is to have your third parties certify those parts of their own anti-corruption training that is essentially the same as yours, and only require them to complete your training when you have special compliance concerns not reflected in their material.
There’s also the question of performing compliance audits on your third parties. Figure 2, below, shows how most respondents approach that tricky subject. Forty percent said they only audit third-party compliance “irregularly, depending on triggering events” — which in theory is OK, except this assumes that you can detect those triggering events when they actually happen. That seems like a big assumption to me.
Of course, to excel at detecting these triggering events, a compliance program really should have strong data analytics capability. This brings us to another big theme in the KPMG/White & Case report.
Data Analytics, Still in Progress
The gloomy statistic is this: only 9 percent of survey respondents said their company has an advanced analytics program, complete with integrated monitoring and automated reporting across systems. Nearly half were still stuck in the “development” phase and another 24 percent lagged even further behind in self-declared “rudimentary” exile. Even among the largest respondents, whose companies have annual revenue at $10 billion or more, not more than 15 percent rated themselves as advanced.
This is not good for several reasons. First, the Justice Department keeps harping on the importance of data analytics for an effective compliance program. You’ll never score high with the department (or any other regulator) when trying to resolve a matter if your compliance program isn’t using data analytics.
More broadly, however, we should understand why data analytics is so important: because data analytics is the fuel that puts your key risk indicators and monitoring processes to work.
That is, you can perform a great risk assessment. Then you can design various monitoring processes that should, in theory, identify when compliance risks drift into some red zone that demands your attention. But without data analytics, that’s all just an engine with no gasoline. You need to pump data through those monitoring processes so that, as the great anti-fraud thinker Jonathan Marks puts it, “data analytics becomes the silent whistleblower.” That’s how you see the outlier event first, before a whistleblower, plaintiff lawyer, regulator, or anyone else.
OK, enough preaching. The report also provided a sense of where you can at least start with data analytics, based on what the self-identified “advanced” respondents say that they do. See Figure 3, below.
The most common tasks for data analytics are those that lend themselves to being “datafiable,” if we can use that word: repetitive, large-volume processes that, with a little bit of IT know-how, can be designed to generate lots of data about how those processes are unfolding. Then you get to the analysis and the program improvement part.
That’s enough for today, but the report has lots more findings and benchmarking data that we haven’t even touched yet. As I said, well worth your time if you have a spare half hour.