Compliance: It’s all about the data

It's time for compliance to mature

“The most commonly reported information includes the number of employees trained, hotline statistics and an inventory of compliance risks. This information, while important, does not necessarily help the board and senior management to understand the impact of risks on the execution of corporate strategy, nor does it convey whether the compliance program is working, and whether it is helping the organization to achieve its strategic objectives.” The 2014 State of Compliance survey by PwC lays it out loud and clear—empty stats devoid of any actual analysis or meaning are useless. But still, according to last year’s survey, only 9% of CCOs considered compliance data analysis experience when making team hires.

As compliance roles mature, more teams and top compliance leaders are understanding that they must move well beyond the basic practices of standing up a program. Implementing a hotline and monitoring the number and types of calls used to be a key element of a successful compliance program, but now it’s simply not enough. Now, teams must set up a hotline, monitor reports to ensure the hotline is being used and then take the next steps: analyzing the types of reports being made, where they are coming from and what policies and training courses they’re topically linked to. Ultimately, they must attempt to pinpoint the root cause of each report to identify any program weaknesses and be able to accurately communicate to the board of directors the true health and effectiveness of the program. You can see why simple hotline metrics aren’t enough.

Luckily, more CCOs seem to be getting the message. The results of this year’s PwC State of Compliance survey were just released, and this edition reports that data analysis experience is now found on 33% of compliance teams.

“With compliance becoming more complex and more critical to executing business strategy, CCOs would do well to add resources with business, sector, complex data analysis, and technology skills and knowledge to their teams,” the report reads.

It’s important to note that (in more cases than not) complex data analysis skills and technology acumen should go hand in hand these days. This could be why the 2015 State of Compliance survey found that both data analysis and technology skills are represented on 33% of teams. Though that’s a dramatic jump from the 9% and 7% (respectively) noted in last year’s study, these assets still have a long way to go. Skills such as business operations backgrounds, industry or regulatory compliance experience and a legal, audit or compliance background are all found on more than 50% of teams.

Information gathering and the data surfaced by modern compliance solutions are now so advanced and in-depth that tech skills make the job of analyzing the information and getting the very last drop of insight from that raw data much easier and more effective. Even solutions that make it easy to get the information you want, when you want it, can benefit from someone who wants to dig deeper and twist the information every which way.

These are the people who keep asking “why” and “what does this mean” until they have enough data to answer the question. Exporting a recap of how all investigations were resolved is doing the bare minimum. Asking why those cases came up in the first place, wondering if there is an underlying connection between them and actually understanding the issue (rather than just documenting it, resolving it and moving on without giving it another thought) is how you prevent further instances of noncompliance (making your future metrics and reports look better). To get to that level of maturity, you need a member of the compliance team who knows how to dig in deep to find correlations and important data points. You also need a system that doesn’t rely on paper case files, disparate intake channels and decentralized communications.

While it may seem advanced, that’s where compliance as a profession and successful business unit is headed. Any team that resists taking this next step into actually providing important and useful information to the organization will find themselves falling far behind peers who are finally earning an important voice at the C-suite table. And make no mistake, right now even teams who have a Chief Compliance Officer still find themselves struggling to make an impact.

Compliance is still underrepresented at the strategic level of many businesses. Only 35% of survey respondents said that compliance is included in annual business strategy development meetings and only 21% report directly to the board of directors or audit committee. It could be that organizations still haven’t fully embraced the importance of compliance as a standalone function that has a major impact on the company’s strategic goals and overall well-being, or it could be that compliance teams haven’t proven their worth and impact. If you’re waiting to be invited to the big kids table, you could be waiting forever. But if you use what presence you have with the board, audit committee or CEO to present enhanced metrics that tie directly to business goals and highlight weaknesses that could negatively affect those objectives, you’re sure to capture attention and respect.

Unfortunately, 17% of teams don’t use data analytics in their programs at all. While there’s no way to tell from the survey if those companies are large or small or how new their compliance program is, not analyzing your compliance data is simply unacceptable.

If your program is more mature and you’re not practicing data analysis, then you are almost certainly not meeting the federal expectation of continuously improving on your program. Sure, you might be adding new policies or changing your training to improve completion rates, but why and what for? Do you actually need those new policies? Are they any more effective than the old ones? Are your training completion rates going up because it’s easier for employees to complete training without paying attention? Or was your training flawed to begin with and this new method actually is an improvement? Setting a benchmark and measuring against it is the only way to be sure you’re actually improving, not just changing, your program—and the only way to benchmark and measure improvement is to actually analyze the data your program is generating.

If your program is brand new, in-depth compliance data analysis may seem like something that is out of your reach or a secondary priority, or you may simply think that you don’t have enough data to analyze. In actuality, you have an amazing opportunity right now! Do what you can to get some time with the board of directors or CEO and find out their major business goals and concerns. In 2014, risk management and regulatory compliance showed up in the top eight concerns of both the board of directors and investors—compliance is clearly on everyone’s minds. Begin addressing the strategy-related concerns of your board/CEO as soon as you can and when it’s time to report, speak to these risks. Don’t spend 10 minutes of your precious meeting time explaining how the rollout of your new hotline is going. Instead, talk about what reports you’ve already received and how you interpret those against strategic goals and organizational risk. When you collect disclosures about potential conflicts of interest (you’ll likely receive a fairly large influx as soon as you implement a dedicated COI management system or immediately after you issue a new policy and training package), take the time to analyze them for trends and how they relate to your current or planned policies and procedures. Is there something you didn’t account for that’s going to change your implementation prioritization?

There is so much interesting knowledge to be had and impact to be made if only compliance teams spent the time and energy analyzing their data rather than collecting it and reporting the boring face value. Some teams are catching on, but as this latest study proves, compliance professionals still have a long way to go.