DLA Piper’s 2018 Compliance & Risk Report:
Compliance Settles In,
Personal Liability Concerns Persist and Technology Emerges as the Next Frontier
Increasing budgets and board access point toward greater prominence, independence
Amid a period of strong economic growth, most compliance professionals say their resources and access to their organization’s governing board are sufficient. So, why has their concern over their own and their CEO’s liability increased over the past year?
DLA Piper’s 2018 Compliance & Risk Report points to two potential and complementary explanations. First, the corporate world has been on a hot streak of late, closing a tremendous number of transactions over the past year. The pace and complexity of mergers and acquisitions may be a cause of CCOs’ restlessness, not to mention the anxiety that comes with keeping the newly combined venture on track vis-à-vis its legal, regulatory and contractual obligations. Second, as the businesses they serve increasingly leverage technology solutions to drive productivity and efficiency, compliance departments largely have not followed suit – perhaps because the available technology solutions are not yet up to the task or cost-effective, or because compliance professionals have not yet figured out how to use technology to detect, prevent and mitigate compliance failures. And for those early adopters who have devised and implemented technological solutions to help, say, monitor transactions or detect operational snafus, there’s the question of how to make sense of, let alone protect from misuse or disclosure, the troves of data that only exist because of the technological solutions.
These and other insights are drawn from our third annual Compliance & Risk Report. Beyond exploring traditional compliance program features, this year we focus on how technology is used or not used to enhance the efficacy of compliance programs. We are proud to present the results, paired with practical guidance and pragmatic suggestions for compliance professionals.
Stasia Kelly
Co-Chair of DLA Piper’s Global Governance and Compliance practice Managing Partner (Americas)
As Compliance Settles In, Personal Liability Concerns Persist and Technology Emerges as the Next Frontier
Corporate compliance officers (CCOs) around the world are feeling better about many aspects of their companies’ operations, particularly their allotted resources and organizational clout. But some complacency and difficulty finding the right technology solutions appear to be emerging – even as concerns about personal liability are again increasing.
That’s according to DLA Piper’s 2018 Compliance & Risk Report, the third survey in as many years that takes the pulse of individuals involved in corporate compliance. While the 2017 report showed the compliance function growing up, this year’s findings seem to point to growing pains.
First, the Good News
The CCOs surveyed feel good about their ability to do their jobs. Eighty-nine percent, the highest percentage in the history of the survey, say they agree to at least some extent that they have the resources, clout and board access they need. That’s driven by 42 percent of respondents who agree to a great extent that they have what they need – a 12 percentage-point jump from each of the past two years.
But when specifically asked about budgets, only 55 percent of CCOs say what they have is sufficient to accomplish the goals that support adequate compliance programs. That’s a 16 percentage-point jump from 2017 – perhaps fueled by companies providing more resources amid a strong economy – and 14 percentage points better than 2016.
“If CCOs use project management tools that include risk assessment, prioritization and project planning, then the activities that they think are obvious areas of residual risk can be discussed with the board to make the case for increased budget,” one CCO said. “In other words, if CCOs have enough board access, they ought to use it.”
Indeed, CCO overall satisfaction appears driven by their relationships with their boards and reporting regularity. After a slight decrease in 2017, 63 percent of respondents say they provide compliance metrics to their boards of directors and/or audit committees. More notably, quarterly reporting now appears to be the norm, with 68 percent of respondents saying they report on that cadence, up 14 percentage points from 2017 and 24 percentage points from 2016. Much of that appears to come from a decrease in the percentage of respondents who reported only annually or never in past surveys.
Struggles with Technology
For the first time, this year we asked respondents how they’re using technology. The results show that compliance departments are trailing other business units in embracing and leveraging technology. Why this is so is less clear.
About 90 percent of CCOs are using technology for training, far and away the most common application. While most companies are using technology for the training itself, only about one in five use technology or automated tools to measure compliance training participation among employees. This seems to be a fertile ground for expanding the use of technology, because the percentage of companies that penalize employees for not completing training or policy certifications improved to 56 percent. While employees are being disciplined more often for missing compliance training, their supervisors have largely escaped accountability. Only about a quarter of respondents say they evaluate managers or supervisors on whether their direct and indirect reports complete required compliance training.
While technology is being heavily used for training, the same cannot be said for compliance communications (51 percent), risk assessment (43 percent), and M&A due diligence and post-acquisition integration (26 percent). This could indicate that the available tools haven’t yet advanced enough to be useful or cost-effective to CCOs, particularly given that about half of them have concerns about their budgets.
“We do look at external data to judge compliance risks, but not in a scientific fashion,” one CCO said. For example, “we have not done any sort of scientific analysis … to see whether the trend for enforcement actions are up or down, whether penalties are increasing or decreasing, etc. “
Only about 40 percent of respondents use internal or external data to help forecast future compliance risks or measure the trajectory of future compliance risks. Nearly a third aren’t taking steps to protect against unauthorized disclosure of information generated by the use of technology (despite a great deal of apparent concern about discoverability and disclosure). Only 5 percent are using mobile apps for training purposes.
It’s hard to know how much of these findings stem from a lack of effective and affordable technology versus organizational reluctance. Either way, there’s an opportunity for technology to strengthen compliance departments in the years ahead.
And About that Personal Liability…
Seventy-five percent of respondents are concerned about their own or their CEO’s personal liability. That’s up from 66 percent in 2017 – and nearly as high as the 81 percent in 2016. A quick history lesson (and some economic prognosticating) might explain the trend lines.
The 2016 survey was taken in the wake of the Yates Memo, a Justice Department document that declared the DOJ’s intention to prosecute corporate executives for compliance failures. It was a big moment in the compliance world, but one that has resulted in little prosecution. The lack of enforcement, combined with a belief that regulators would be more business-friendly under President Donald Trump, could have calmed CCOs’ nerves last year.
But savvy CCOs recognize that extremely high M&A volume carries risk as compliance personnel vet national and international deals by conducting everything from initial due diligence to operational integration – often with multiple transactions occurring simultaneously. And the first half of 2018 was especially hot, with more than US$2.5 trillion in global activity and more than US$1 trillion in the US alone, according to Thomson Reuters. It’s possible we’re seeing a sprint to close deals for fear of an end to the economic growth cycle that began in 2009. And if that volume wasn’t enough to frazzle CCOs, the Department of Justice in July 2018 highlighted the extension of the Foreign Corrupt Practices Act (FCPA) to M&A transactions.
The frenetic M&A pace of 2018 won’t continue forever, so its effect on CCOs will fade. But the resulting concerns – and apparent reluctance to use technology to address them – serve as a powerful reminder: There will always be another challenge, and technology appears to be a powerful weapon that CCOs have yet to fully exploit.