By Vincent Pitaro
CCOs are increasingly struggling to aggregate and analyze data due to lack of time or resources, according to a recently released Ethics and Compliance Survey by ethics and compliance consulting firm Ethisphere Institute and Convercent, a compliance management software company. They polled several hundred senior compliance professionals for their perspectives on the changing role of the CCO, the capture and use of relevant data, and compliance reporting. In a related webcast, Erica Salmon Byrne, an Ethisphere executive vice president, Angus Robertson, a Convercent vice president, and Katie Smith, Convercent’s CCO, discussed the key takeaways from the study. See also “Kroll/Ethisphere Report Highlights Concerns About Reputational Risk and Post-Onboarding Monitoring of Third Parties” (Apr. 12, 2017).
Survey Methodology and Demographics
Ethisphere and Convercent conducted the survey in the first quarter of 2017. They received 335 full and partial responses from senior-level ethics, compliance and anti-corruption executives. About half of the respondents were either the CCO or the ethics and compliance officer of their organization (together, CCO) and about one-eighth held the position of general counsel or chief legal officer. Most respondents were senior officers. About half of respondents had a dedicated ethics and compliance function in place for at least seven years. At the other end of the spectrum, 6% of respondents had such a function in place for less than one year.
A majority of respondents said that their companies have between $1 billion and $8 billion in revenue. Their median headcount is 8,200. The largest proportions of respondent organizations were from the healthcare (17%), manufacturing (14%) and energy (9%) industries. Most operate in North America and more than half in Europe. At least one-third operate in Asia, South America, Latin America and/or the Middle East.
Ethisphere supplemented the 2017 Ethics and Compliance Survey report (Report) with data and insights from its “World’s Most Ethical Companies” database, Salmon Byrne said.
A Proactive Role for Ethics and Compliance
Since 2015 there has been a strategic change in the role of the ethics and compliance team, Robertson said. An increasing percentage of compliance officers now have “a seat at the table” with board or senior management, Salmon Byrne added. Ethics and compliance functions are also interacting more effectively with what she termed “sister control functions,” including human resources and audit.
The Report indicates that the percentage of CCOs who report to the CEO has nearly doubled in the past two years, from 16% in 2015 (when Ethisphere last conducted this survey) to 30% this year. During that time, the percentage of CCOs “almost always or regularly involved in strategic decisions” grew from 39% to 49%.
This is due in part to the maturation of the ethics and compliance sector and to DOJ messaging in recent years to the effect that the CCO must be a senior member of the team, with appropriate resources and access to relevant parts of the organization, Salmon Byrne said. That messaging was reiterated in the DOJ’s February 2017 Evaluation of Corporate Compliance Programs, which provides valuable insight into what the DOJ will be looking at if it chooses to review an organization’s ethics and compliance program. “Seniority, access, seat at the table and resources” are critical elements of that guidance, she added.
See “DOJ’s Guidance Shows That Compliance Programs Still Matter” (Mar. 15, 2017).
Insufficient Resources Remain a Significant Concern
Nearly two-thirds of CCOs said they struggle to aggregate and analyze data due to lack of time or resources, up from 57% in Ethisphere’s 2015 survey. The amount of resources available may vary by industry, and many companies in the survey data set are not in heavily regulated industries; less regulated companies consistently report that they do not have sufficient resources to carry out their ethics and compliance duties. In contrast, companies in the financial services sector and other heavily regulated companies have devoted significant resources to compliance due to regulatory activity.
A company has many sources of compliance and ethics data; hotline reports, in-person reports to management and data gathered through other company activities are all key to understanding the state of compliance at a company.
Creating Appropriate Tools
Being able to capture and analyze data from reports allows companies to identify and address issues quickly. However, nearly 90% of respondents still use spreadsheets as a “compliance and ethics reporting tool.” About three in ten use governance, risk and compliance software and one-fifth use enterprise reporting tools. According to Ethisphere and Convercent, spreadsheets are not suitable for such diverse reporting and “lack the ability to enforce data consistency, integrity, security, confidentiality, scalability and so many other elements that are important in an ethics and compliance platform.”
The fact that so many respondents are still relying on spreadsheets is troubling, since they increase the chance for human error, Smith said. Moreover, regulators may view reliance on spreadsheets as a control failure or an indication that the organization devotes insufficient resources to compliance.
See “Using Data Analytics to Meet the Government’s Anti-Corruption Compliance Expectations” (May 4, 2016).
Handling In-Person Reports
Helpline, web-reporting portals and other intake methods are important elements of a compliance program, Robertson said. Many employees, however, prefer to make reports in person, according to Salmon Byrne. In Ethisphere’s data set, roughly three-quarters of employees indicated that they would report to their manager and some might report to HR or a local ethics and compliance professional. It is best to work with that instinct, rather than try to override it, she said.
A key challenge is capturing in-person reports, Salmon Byrne continued. Case-management software works well for hotlines, web reports, other electronic reports and reports made to trained compliance officers who know how to enter reports into the system. However, capturing data is much more challenging when employees go to their managers on an informal basis. Failing to gather that information can be detrimental, however, because many compliance functions have a direct line to the board and the ability to give it the “big picture” of the company’s compliance culture, Smith noted. A failure to capture in-person reports means that the “big picture” report will be incomplete.
Accordingly, managers must know how to respond and then make sure that an appropriate report is sent to compliance in a timely fashion. This is an area where many companies still have some work to do. While the overwhelming majority of respondents said that they track hotline calls (94%) and web reports (90%), only 40% think they are tracking “open door” reports effectively.
There is some risk that requiring managers to provide compliance with information on “open door” reports could chill such reporting, Smith acknowledged, but it is possible to manage the chilling effect by building in appropriate reporting thresholds for different types of reports and through appropriate communications and training.
Indeed, manager training is key, Salmon Byrne added. Nearly nine in ten companies in the Ethisphere database indicated that they train managers in their specific ethics and compliance responsibilities. Compliance must work with HR to assure that managers understand that they are role models for the organization, and that they are not just managing – they are leading those who report to them. Training also must make clear that managers do not have to resolve difficult ethics and compliance issues by themselves. Managers must know that ethics and compliance is a resource that they can use and rely on, Robertson added.
See “Training Insights From In-House Experts (Part One of Two)” (Jun. 1, 2016); Part Two (Jun. 15, 2016).
Partnering With the Audit Department
At many companies, there is collaboration that enables ethics and compliance to leverage the audit team. For example, ethics and compliance could provide the audit team with a list of questions and requests for specific information, or may be able to add topics to the audit plan. Audit data can be combined with ethics and compliance data to get a better view of the company.
See “How to Build a Compliant Culture and Stronger Company From the ‘Middle’ (Part One of Three)” (Apr. 1, 2015); Part Two (Apr. 15, 2015); Part Three (Apr. 29, 2015).
Companies should seek to gather data on the root cause of problems. Half of respondents said that they do not track root cause effectively; about one-quarter track it in spreadsheets; and about one-quarter do not track it at all. Traditional reporting “shows what happened” using lagging indicators, Smith explained. In contrast, root-cause analysis seeks to identify why something happened and opportunities to improve process and culture. There is a natural tendency to oversimplify and attribute ethics and compliance issues to either “policy failure” or “culture failure,” Salmon Byrne noted. The solution is not always just better training or a clearer policy.
See “Best Practices for Performing Compliance Program Assessments: An Interview With Susan Markel of AlixPartners” (Feb. 24, 2016).
About three-quarters of respondents said that the way they leverage data from other business units for ethics and compliance purposes is through email. The next most common method, used by nearly half of respondents, is sharing of spreadsheets and other data files. Just 7% use an integrated software solution. Nearly one in five respondents said that they do not leverage information from other business units. The business units from which respondents most commonly seek data are HR (64%), enterprise risk (56%), finance (50%) and legal (16%).
A significant obstacle is that data is often housed in different places within an organization, Robertson said. More than half of respondents said that relevant data is housed in disparate and disconnected systems, Smith said. Mergers and acquisitions complicate matters because multiple organizations and systems should be integrated. Companies may also have different systems in different countries.
The single most important factor in cross-department collaboration is building strong relationships with internal partners who can provide valuable data, the speakers noted. Nearly two-thirds of respondents said they draw relevant data from HR. Such data could, for example, help to spot retaliation against whistleblowers. It was “startling” that most organizations use up to 10 systems, with email being the most common way to share data, Smith said. File transfers and emails provide disparate reports that make it hard to monitor the program and raise a host of concerns about data security, control, privacy and other issues. Connecting systems automatically can reduce manual labor and provide richer data. Technology is important to help visualize what is going on with a program, Salmon Byrne added.
Presenting the Data to the Board
More than half of CCOs said that they report on their progress quarterly; about one-fifth do so monthly. More than three-fifths of CCOs said they report to the CEO; about half report to either the general counsel, the ethics and compliance committee, the audit committee and/or the board. Less than one-quarter report elsewhere.
Content of Reports
Roughly three-quarters said that reporting includes training completion rates and/or hotline statistics. Seven in ten report on investigations. Six in ten report on “the likelihood and severity of issues in top risk areas,” which is a better means of communicating the effectiveness of the compliance program, in Smith’s view.
Finally, 29% report on other matters, including proactive performance measurements, audit results, risk assessments, third-party due diligence, conflicts of interest and “culture surveys,” which shows a promising shift from “pure activity tracking to digging deeper into the data,” she said. These are better indicators of the health of a company’s compliance culture.
Boards are also being more proactive in asking for relevant data. They want to know the root causes of compliance issues and how the ethics and compliance function is mitigating risk and responding to issues. Understanding why something happened facilitates mitigation going forward.
Communicating Data Effectively
In organizing information for the board, it is helpful to look at how the company’s code of conduct is structured, Smith noted. Compliance should map issues to that code and align with risk management to assure a consistent message. Data should be normalized for reporting purposes. Some companies organize data by manager, region, tenure and other factors, Salmon Byrne added.