Compliance Stats Mashup

These recent statistics show that compliance programs still have a lot of room for improvement

With so many studies and surveys giving us a picture of the compliance and ethics landscape it can be hard to find time to read them all (trust me). I’ve spent some time recently digging through some of this research and wanted to share some stats that stood out to me.

41% of the bottom quintile of compliance programs find performing risk assessments challenging because of insufficient technology

LRN’s 2015 Ethics and Compliance Effectiveness Report has been talked about quite a lot for its analysis of compliance reporting structure (and how the majority of programs still report through legal or have a dual-hat GC/CCO). But there are some other gems of information in their comprehensive survey. (Quite a few actually.)

One of the stats I find most interesting is that some compliance programs are still struggling with outdated technology. When compliance programs were first put into place, many teams pieced together different technology and approaches from a variety of vendors. Now that some time has passed it’s become clear that this piecemeal approach keeps information and departments siloed, making it much harder to get a comprehensive understanding of the program’s effectiveness or an accurate picture of compliance risk and how that feeds into overall organizational risk.

A risk assessment is no small undertaking, but it’s a very important one. When compliance professionals are making the argument that investing in the right technology can have an impressive ROI, the ability to better monitor and mitigate risks should be a key selling point.

More than 1 in 5 programs in the bottom quintile never perform a formal program assessment

If you don’t know it’s broken, you can’t fix it. Or, more in line with federal expectations, you can’t improve your program if you don’t understand its current state of effectiveness. To put this statistic in a little more perspective, half of the companies in the top quintile of LRN’s study “conduct formal assessments of program effectiveness annually.”

When was the last time your company conducted a program assessment?

Need help getting started? Check out The Practical Guide to Program Review & FSGO Benchmarking – complete with program assessment and inventory templates.

40% of the top quintile and 50% of the bottom quintile are not using Code of Conduct violations for risk assessments

This one is a major red flag for me because it appears that even the best programs are ignoring key information that’s right at their fingertips. Most, if not all, compliance programs track Code of Conduct violations, but simply having this information isn’t enough.

It’s time to take our reporting and analysis to the next level and dig into what these violations say about the effectiveness of our programs, what the weaknesses are, how those weaknesses might affect the organization and (most important to program improvement) what is causing these violations. You have the Code of Conduct in place for a reason—to mitigate known risks and promote your company’s culture—so why are teams ignoring the ramifications of violations by not considering them in risk assessments?

Misconduct and noncompliance lead to heightened risk and need to be evaluated and addressed quickly—this includes reassessing your overall risk for accuracy.

35% of compliance teams are part of annual business strategy development meetings — 17% are not involved in developing or implementing business strategy at all

Moving on from LRN, this stat comes from PwC’s State of Compliance Survey 2015. One of the main arguments for keeping the CCO role in the hands of the general counsel is that the GC has clout at the executive level that independent compliance departments haven’t yet achieved. This pair of disturbing statistics proves just how far compliance still has to go.

Unfortunately, the compliance function is seen all too often as a cost center with little impact on business strategy or return on investment. But that could not be further from the truth. (I can see you nodding your head.) Building the business case for compliance by sharing examples of costly compliance missteps is one way to prove the function’s worth and potential impact on the organization.

It’s also extremely important to really listen to the company’s business objectives and five year plan. Compliance is a strict and sometimes negative field (that’s why compliance officers can come across as policy police if they’re not careful to foster the right company culture). Try to resist the urge to be a Negative Nancy and automatically raise issues with the business strategy. Instead, contribute positively to the conversation and help the company productively move in the direction that’s planned but in a compliant, prepared way.

35% of teams don’t actively measure compliance cost

If you want a seat at the strategy table, you need to have a full understanding of your program and how it’s fiscally affecting the company. This includes both how much it costs to run your program and what the program has saved the organization in potential fines. (While the latter may be hard to quantify, looking at recent SEC findings can be useful.)

Of course compliance is going to have the reputation of being a cost center if you don’t do anything to dispel that myth. Keep a careful eye on your program’s successes to demonstrate its effectiveness and business contribution. Also keep an eye on the cost of running your program so you can highlight efficiencies and improvements (and find those areas ripe for improvement in the first place).

21% of CCOs use a dedicated GRC tool

When PwC surveyed CCOs, they found that less than one third use a dedicated tool specifically designed for their profession—36% “say they’re getting by” with other tools. While that may not seem like a big deal, let me put this in perspective: a typewriter CAN help you produce the written word, but do you have one sitting on your office desk? I’m going to guess not. Why? Because it’s ineffective, inefficient and can’t actually do what you need it to (like connect to the internet or send an email).

Relying on other software when you really need to manage a compliance program is along the same lines. It might help you get the job done on the surface, but you’re likely missing out on key functionality and spending way too much time on simple tasks.

The biggest example of this is reporting and analytics. You can get the data from disparate systems, but it takes much longer to collate and analyze this information than it would with a dedicated GRC tool that quickly and easily surfaces the key, integrated information you need to spot trends.

66% of employees choose to report concerns directly to their managers

On its face, this stat from CEB’s State of Compliance and Ethics Function 2014 report isn’t all that alarming or surprising. It’s easy and often less intimidating to bring up a potential issue or concern with a familiar face than it is to file an official report. But what compliance professionals should take away from this is the vital importance of having a proxy reporting system that’s as structured and well thought out as the rest of your reporting channels. You need to ensure that managers know what to do with reports, understand the type of information they need to collect and how to file it with the compliance department, and are comfortable communicating any disclaimers and follow-up actions with their employees. They also need to be fully aware of non-retaliation policies.

No matter how hard you try, you won’t be able to change people’s natural inclinations to go to their boss over your hotline. So embrace this trend and build a program that can support it.

And one last parting statistic (from CEB) for good measure and to help you benchmark:

The median compliance and ethics budget per 1,000 employees is $97,333—up 15% since 2012