Survey: CCO Resources, Pressures Both Rising
KPMG has published a new survey of chief compliance officers with plenty of findings that the compliance community should find interesting. The good news is that most CCOs expect budgets and headcounts to rise in the coming year; the bad is that CCOs also expect more pressure for better compliance program performance from numerous directions.
KPMG released its report, which polled 765 chief ethics and compliance officers around the world, earlier this month. Anyone looking for benchmarking data to compare their program to others would certainly do well to give the report a read, and its major findings provide lots of food for thought about the future of the profession.
Most notably, 72 percent of respondents said they plan to hire more staff, with most expecting to increase headcount by up to 5 percent. Another 26 percent expect headcount to stay flat, and only a minuscule 2 percent expect staffing cuts this year. Yay!
Moreover, 70 percent also expect their technology budgets to increase in the coming year, with most respondents saying the budget will increase by 5 to 10 percent. (Those shouts of joy you hear in the distance are compliance vendors, momentarily dancing in the streets before getting back to their desks to bombard you with phone calls and emails.)
OK, compliance officers are likely to have more resources at their disposal. How are you likely to put those resources to use? The KPMG report answers that question in a few ways.
Figure 1, below, shows respondents’ plans to strengthen their companies’ compliance culture. Topping the list is expanded ethics and compliance training. Further behind are plans for revamped compensation policies and performance reviews, refreshed ethics communications, and closer ties to business units in the First Line of Defense.
In other words, compliance officers have lots of plans for extending their presence and influence across the whole enterprise, to further strengthen the culture of compliance.
That said, we also have those increased technology budgets. Figure 2, below, shows the specific tasks that compliance officers want to automate in the coming two years.
Figure 2 offers a fascinating glimpse into the evolving technology landscape for compliance officers, and honestly I’m a bit surprised at some of the statistics here.
For example, I would’ve thought that more CCOs were already automating their process to map regulatory demands to business controls, since that seems like a more nuts-and-bolts exercise with plenty of vendors offering such assistance. According to KPMG respondents, however, only 24 percent are doing that and 56 percent expect to do so within the next two years. We could say much the same for regulatory change management; identifying rule changes is a process that lends itself to automation technology.
The larger question here is whether these technology improvements will actually work. If they do, then by 2026 we should see lots of these statistics shift from light blue (planning to adopt) to dark blue (adopting, or already adopted). I’ve set a reminder in my calendar to follow up with KPMG in two years.
Meanwhile, Rising Pressures
The vast majority of CCOs also said they feel more pressure — from regulators, customers, and even the public at large — to demonstrate that their compliance program simply performs better. So whatever new resources your compliance function may be getting, apparently you’re going to need them.
For example, 84 percent of respondents said they expect “increasing regulatory expectations and scrutiny” in the next two years. (That’s up from 73 percent in last year’s survey, which admittedly came from a smaller sample size.) Interestingly, a large portion of respondents in Canada and Europe believe pressure will “significantly” increase, while a much smaller portion of CCOs in the United States say that. I guess that’s because U.S. regulatory pressure is already so high?
Another interesting factoid is that regulators aren’t even the biggest source of pressure for your compliance program. Customers are. See Figure 3, below.
Let’s think about what Figure 3 is really telling us.
First, for most businesses, your customers are other businesses. So when we say, “Customers are exerting pressure on us to do better at compliance,” that’s likely to manifest as either (1) fewer compliance failures that affect those customers; or (2) greater demands for proof of your effective compliance program.
Those are the two issues that compliance officers need to contemplate. For example, one common compliance failure that affects customers is some sort of data breach. So it’s little surprise that further down in the KPMG survey, where CCOs were asked to list the specific processes they want to improve, the top two priorities were cybersecurity (cited by 36 percent) and data privacy (cited by 35 percent).
Nor should we forget that second way customers might pressure you to enhance compliance, by wanting to see proof of your effective program. That would imply that you need strong documentation and reporting capabilities — so that whenever a customer does ask about your program, you can call up specific data and other evidence to answer their questions with just a few keystrokes.
Of course there might be other ways customers could pressure you to do better at compliance, but I’d recommend that you keep asking yourself those two questions mentioned above. How could a compliance failure my company suffers affect our customers? How could we document the strength of our compliance program to satisfy customer inquiries quickly?
When in Doubt, Think Big
The KPMG report rightly notes that when the pressure to have a better compliance program comes from so many directions, you the compliance officer really need to focus on embedding compliance throughout the entire enterprise — from one line of defense to the other, and from top of the org chart down to the bottom.
OK, nice idea. What would that look like in practice? KPMG offered a few ideas:
- Integrate critical compliance challenges into risk and governance frameworks.
- Enhance policies and procedures to require more formalized documentation, mapping, and ownership and controls monitoring and testing to improve transparency. (I like this one because assigning ownership assigns accountability, and greater testing gives you the evidence to hold those owners accountable.)
- Elevate compliance to the level of other strategic functions and assure comparable investment, staffing and technology. (If you have done this successfully at your company, please identify yourself so we can have the entire management team cloned for other companies.)
- Continually monitor the evolving regulatory environment and associated reporting requirements to stay on top of new regulations.
One can fulfill that final bullet point, of course, by reading Radical Compliance every week.