Thomson Reuters has published a fascinating new survey of corporate compliance professionals, finding that most companies are bringing more risk management and compliance work in-house — and that a solid majority of compliance officers are confident that their teams can handle the compliance risks they face.
That’s one major conclusion of the 2023 Thomson Reuters Risk & Compliance Survey, released earlier this week. Don’t let the bland name fool you; the report has numerous findings that feel right, although those same findings also raise plenty of other issues compliance officers would need to consider in your own organization.
We can start with this insourcing business. Thomson surveyed 188 senior-level compliance officers across a wide range of industries, and 63 percent of them said that more risk and compliance work has been insourced at their organizations in the past two years; 39 percent said they are insourcing more work every year.
Why? Apparently to cut costs; 79 percent of respondents list that as the top reason to bring more work in-house. Of course, the next question is whether senior management supports that insourcing push by giving compliance adequate resources, and we had a split decision on that: roughly 25 percent said they received either more technology or more staff, while 15 percent said they received no extra support at all.
Thomson also asked about which other parts of the enterprise have employees dedicated to risk and compliance. Leading the pack was legal (cited by 46 percent), followed by operations (40 percent), risk management (39 percent), and data privacy (37 percent). A smattering of other functions trailed further behind.
This finding caught my eye because of all that insourcing discussed above. A compliance function can only do so much; so if management wants to bring even more compliance work in-house, shouldn’t that work naturally spill out to other parts of the enterprise? Aren’t we supposed to be embedding compliance procedures into enterprise-wide operations?
This is the first year Thomson has published this survey, so we don’t have historical data to see whether such “spill out” is really happening. If these numbers go up in future years, then perhaps that’s happening.
Confident Compliance Functions
OK, so companies are insourcing more compliance work. How are compliance teams handling that surge of work?
Quite well, a solid majority of respondents said. Fifty-eight percent of them said they were very confident their teams could manage today’s compliance challenges, even as they’re being asked to do more (see insourcing, above) or to keep costs down (see corporate life, everywhere and all the time).
That’s great news, but even more interesting is why compliance officers were so confident. The top reasons were “having a team of knowledgeable personnel equipped with the resources they need,” cited by 42 percent; and “having a strong company culture with equally strong management support,” cited by 30 percent. All other reasons — good technology, prior experience, support from third parties, and so forth — were all in the single digits.
One more dollop of statistics, and then we’ll get to what it all means. First, Thomson offered a list of tasks that compliance officers spend their time doing. See Figure 1, below.
A solid one-third of survey respondents, however, said they spend most of their time performing only one or two of the above tasks — “which supports the perception across our survey that roles are becoming more specialized,” Thomson wrote.
That’s the statement that makes me wonder. If compliance functions are being asked to do more, and knowledgeable personnel are key to handling that expanded workload, and compliance roles are becoming more specialized — what does all that mean for staffing out compliance functions?
I get the argument that experienced specialists can help a compliance team perform more efficiently, especially if that team is being asked to do more thanks to insourcing. But how does that square with more compliance duties being pushed out to other parts of the enterprise such as legal, operations, and data privacy? How do the folks in the primary compliance group work with compliance-ish people in other functions?
And where are we supposed to find all these specialists, anyway? Should compliance professionals factor that dynamic into their career decisions about where to work and what projects to undertake?
I raise these questions not to answer them; I don’t have any useful answers right now. I raise these questions simply because if insourcing and role specialization are the forces at work on the modern compliance function, these are questions chief compliance officers will need to answer eventually.
A Word on Reporting
The Thomson report also dedicated a section to reporting. That’s a duty most compliance officers have (cited by 62 percent of respondents), but the technology used to complete your reporting obligations is all over the map.
Twenty percent of respondents admitted they still rely solely on spreadsheets. (Shame on you!) Seventy-eight said they rely on spreadsheets at least somewhat, and 45 percent said they use some sort of in-house, custom-built software. Sixty-eight percent of respondents said they use multiple technologies to manage all their reporting.
My concern here is how compliance teams assure that all those technologies play nice in the enterprise IT sandbox. What are your processes to pull together data from multiple systems? Or, conversely, how do you assure that multiple systems can consistently pull data from a single, reliable source? By not settling on a single, robust technology platform, you end up more dependent on potentially complicated or unreliable reporting processes. That worries me.
I even wonder how this dynamic of complicated reporting technology might influence those personnel pressures discussed earlier. More complicated technology processes makes reporting (and everything else) more difficult, so you need more specialized and experienced people to manage them skillfully — and yet, something tells me that very valid point doesn’t go over well with the bean-counters trying to cut costs. So you end up with complicated technology processes managed less skillfully. That worries me too.
Am I barking up the right tree here? Do these Thomson numbers make sense? Let me know what you think at [email protected].