Q1: On a scale of 1 to 10 (with 10 being greatest), how concerned are you about your personal liability as a CCO or the personal liability of your company’s CEO?
- The share of respondents who are at least somewhat concerned shot up to 75 percent in 2018, after falling from 81 percent in 2016 to 66 percent in 2017, despite more sanguine feelings among respondents about the resources available to them.
- The increased personal liability concerns are likely the result of CCOs struggling to keep pace with record M&A activity – which might be influenced by dealmakers moving rapidly before the current window closes. “It’s … hard to ignore that the last two occasions when M&A activity reached similar levels were a year before the financial crash in 2007 and just before the bursting of the dot-com bubble in 2000,” Jana Mercereau, head of corporate M&A for Great Britain at Willis Towers Watson, told Bloomberg.
- Concerns in the survey two years ago came in the wake of the Yates Memo, which signaled that the Justice Department would hold CCOs personally liable for compliance failures. But few prosecutions have occurred since, even after Attorney General Jeff Sessions in April 2017 said the Trump administration would largely maintain Obama-era policies regarding white-collar crime.
- Board members we surveyed were generally more concerned than CCOs, mirroring findings from the 2017 report.
State of Compliance
Q2: To what extent do you believe you have sufficient resources, clout and board access to support your ability to effectively perform your job?
Q3: In your opinion, is your budget sufficient to accomplish the goals you believe are needed for an adequate compliance program at your company?
Q4: In which of these areas do you feel your compliance program is weakest? (Check all that apply)
Q5: What aspect of your compliance program takes up the largest amount of your time? (Rank the top 5 with 1 being the greatest amount of resources)
| Compliance risk | Rank |
|---|---|
| Data breaches/data privacy | 1 |
| General increased regulatory risk | 2 |
| Third-party due diligence | 5 |
| Increased litigation risk and class actions globally | 7 |
| Theft, fraud, corruption | 9 |
- CCO satisfaction in Question 2 reached its highest level in 2018, with a noticeable jump (from 30 percent to 42 percent) in respondents who strongly agree that they have what they need. This tracks with other findings in this year’s survey that show CCOs are increasingly getting a seat at the table. Results from board members surveyed were largely in line with CCOs’ assessment regarding resources, clout and board access.
- At the same time, there was a significant jump in the percentage of respondents who believe they have adequate budgets to accomplish their goals, from 39 percent in 2017 to 55 percent this year. This is likely the result of companies’ willingness to add resources or personnel to compliance departments given the strong economy – but it shows a possible disconnect when CCOs are asked what they need to do their jobs generally, compared specifically with their budgets.
- We also asked respondents how they’re spending their compliance budgets. Common answers were third-party due diligence, cybersecurity, training and hotline matters.
Reporting and Evaluation
Q6: At your company, to whom does the compliance function report?
Q7: Do you report metrics to your company’s board of directors and/or audit committee?
Q8: What frequency of reporting is expected from the compliance group?
Q9: What tools do you use to evaluate the effectiveness of your compliance program? (Check all that apply)
Q10: What resources do you currently leverage as part of your compliance program? (Check all that apply)
- When asked about the chain of command, directors surveyed had shifting thoughts regarding whom compliance departments should report to on a day-to-day basis. Some deferred prosecution agreements in the healthcare industry require that legal and compliance be separated. But this year’s survey shows that legal is in vogue again.
- As companies’ strategies regarding the reporting structure for compliance continue to shift, one CCO for a consumer product company said he preferred reporting to the general counsel or legal department. “The legal department is the obvious place to house managing legal risk,” he said. “There are a lot of synergies – and regulators see that and can accept it if it’s set up the right way.”
- Interestingly, directors surveyed say their CCOs report to the boards, and most of them think it should stay that way. This might be a difference in perspective of day-to-day reporting versus regular updates at board meetings.
- After falling slightly in 2017, the percentage of CCOs who say they report metrics to their boards of directors and/or audit committees increased to 63 percent. More importantly, the percentage of companies where CCOs report quarterly increased to 68 percent, 24 percentage points higher than in 2016 and 14 percentage points higher than last year. Most of those gains likely came from companies that formerly reported less regularly: Quarterly reporting now appears to be the norm. Directors also said there has been an increase in reporting frequency.
- Respondents note a wide range of metrics that they report, with a heavy emphasis on hotline data, investigations and training.
- Much of Question 9 indicates the settling in of compliance. But the reduction in audits as a tool is notable and could reflect a shift in compliance evaluation to more real-time monitoring.
- Notably, there continues to be an opportunity for compliance programs to better leverage peer functions. For example, only 50 percent of compliance programs reported that they leverage the finance department. Valuable data and analytics such as revenue figures (cut by business unit or product) and the economics of existing and new compensation programs are likely at finance’s fingertips and could be reported to the compliance team — allowing it to better identify risk areas and pivot more quickly to head off issues before they become major problems.
Use of Technology
Q11: Do you use technology solutions for the following compliance program areas?
Q12: Do you plan to implement any technology solutions within any of these areas in the next 12 months?
- Training is clearly the area in which respondents rely most on technology. But there are areas where the lack of technology in use is somewhat surprising. That such small percentages say their companies use it in risk assessments and compliance communications is surprising, and that only about a quarter use technology in M&A due diligence is even more so – especially in light of the high M&A volume in the past few years. Tools that evaluate where companies can improve their own compliance programs can also be used on acquisition targets.
- There appears to be a belief that technology for evaluating M&A matters could be improved (an interesting finding given the heavy M&A volume in 2018), but it’s not an area where most respondents are planning to spend next year (just 7 percent, according to Question 12).
- In fact, the only two areas in which even 30 percent of respondents expect to implement technology solutions in the next 12 months are training and policies and procedures, although third-party due diligence was close at 29 percent.
- These are areas where technology has already proven itself. But it’s likely CCOs aren’t as ready to invest in less-established technologies.
Q13: Are you using internal or external data to help forecast future compliance risks or measure the trajectory of current compliance risks?
Q14: Do you use technology or data analytics in your compliance program?
Q15: Which of the following statements best describes the current use of artificial intelligence within your compliance program?
- Only slightly more than four in ten respondents say they use external data to forecast future risks or measure the trajectory of current risks. Given the quickly evolving landscapes when it comes to technology and compliance, this may indicate complacency – even if it isn’t all that surprising given the difficulties in leveraging technology elsewhere.
- External data can be extremely valuable, but few companies appear to have the tools in place to use it effectively. And when it comes to data analytics, only slightly more than a third of respondents are using it. “We do look at external data to judge compliance risks, but not in a scientific fashion,” one CCO said. For example, “we have not done any sort of scientific analysis … to see whether the trend for enforcement actions are up or down, whether penalties are increasing or decreasing, etc.”
- It’s possible that artificial intelligence tools for compliance are too far away from being a reality, one CCO said. He recounted a session on artificial intelligence he attended at a recent conference. “No one even knows what A/I is, much less how to use it,” he said.
- The CCO went on to note that A/I’s use in other parts of companies – better screening of new employees to reduce the harassment claims or IT improving monitoring for cyberattacks – could end up aiding overall compliance, even if A/I within compliance departments is a long way off.
- And just 13 percent of respondents say they are using (2 percent) or implementing (11 percent) artificial intelligence in their compliance program. This is an area that companies are likely to continue to explore, especially sectors that involve big data.
Training and Accountability
Q16: Are you using technology to help carry out your compliance training?
Q17: Which of the following technologies do you use?
Q18: In terms of subject matter, what training programs has your compliance program updated in the last 12 months? (Check all that apply)
Q19: In terms of subject matter, on what does your compliance training program intend to focus in the next 12 months? (Check all that apply)
Q20: How frequently do you update or change any of your training programs?
- Clearly, and as noted in Question 11, companies rely on technology to train their employees and managers. But despite new advancements – and a lot of excitement about apps – most companies are relying on interactive online programs.
- Data privacy and cybersecurity, as they have in past surveys, rank highly among areas for which companies have updated training programs. Codes of conduct, which are typically updated about once a year, ranked highly as well – and are the top area respondents say they plan to focus on in the next 12 months (followed closely by cybersecurity and data privacy and data breaches).
- The percentage of respondents who update their training programs annually fell for the second straight year – but the percentage who only update as needed has stayed about the same. That the biggest jump has been in programs that are updated every one to five years might be an indication of programs that are more established.
Q21: Do you use technology or an automated tool to track and measure compliance training participation?
Q22: Are managers or supervisors evaluated based, in part, on whether their direct and indirect reports complete required compliance training?
Q23: Are employees penalized for failure to complete training or certifications to policies?
- It’s noteworthy that only one in five respondents use automated tools to ensure their employees are participating in compliance training. But it makes some sense, given other findings.
- Nearly three in four respondents (74 percent) say they don’t evaluate managers based on employees’ participation in the training. Meanwhile, just 44 percent penalize employees (for example, via financial penalties or notes in their personnel files) for failing to complete trainings and certifications.
- Still, that last finding is an improvement over the past two surveys, giving reason to believe we’re seeing an upward trajectory. The improvement shown in Question 23 indicates that measurement of such training is improving and that it’s being more fully integrated into performance reviews. This is a positive trend, and one that will likely continue.
Q24: To what extent are you concerned about the potential discoverability or disclosure of information and data that is captured or generated through the use of various compliance technology solutions?
Q25: Is your compliance department taking any steps to protect from unauthorized disclosure information that is generated by the use of technology?
Q26: Do you have controls in place to protect any privileged information generated by the use of any of these technologies?
- There’s a great deal of concern when it comes to discoverability, and more than two-thirds of respondents are taking steps to address it. Regarding the rest, it’s possible parts of companies other than compliance departments (for example, legal or information security) are working on the issue.
- For respondents who are taking steps, actions included limits on the use of Dropbox, password protection controls and closer collaboration among departments. The “privacy team sits in compliance and works on data privacy/protection; we work closely with the IT security team on any applications/data uses,” says one respondent.
Q27: Do you have a Crisis Response Team identified in the event of a crisis?
Q28: Does data privacy and cybersecurity fall within the responsibilities of the corporate compliance department?
Q29: Do you have cybersecurity insurance?
Q30: Has your company ever filed a claim against that policy?
Q31: Has your company experienced a cyberattack?
Q32: What are the biggest compliance risks that your company faces today? (Check all that apply)
Q33: On which of these compliance risks is your company spending the most resources? (Rank the top 5 with 1 being the greatest amount of resources)
| Compliance risk | 2018 rank | 2017 rank | 2016 rank |
|---|---|---|---|
| Data breaches/data privacy | 1 | 2 | 3 |
| General increased regulatory risk | 3 | 3 | 2 |
| Increased litigation risk and class actions globally | 4 | 9 | 7 |
| Third-party due diligence | 5 | 5 | 6 |
| Theft, fraud, corruption | 9 | 7 | 8 |
| Rising use of technology and social media | 10 | 8 | 9 |
- If data privacy doesn’t fall under the purview of the compliance department, it’s often the responsibility of IT security and/or legal, according to respondents.
- More companies are getting cybersecurity insurance and filing claims. This likely indicates growing concerns about cyberattacks and perhaps even more awareness of when they occur. Forty-two percent of respondents say they have experienced such an attack.
- With that in mind, it’s not surprising that data breaches and data privacy topped the list of compliance risks, with cybersecurity among the top concerns for the third consecutive year.
- That these findings largely track with the results from Question 5 (regarding time commitment) shows companies are generally aligned correctly when it comes to priorities.
- And, in a somewhat hopeful sign, companies do seem to be putting their money where their risks are. For the first time, data breaches and data privacy are areas in which respondents are devoting the most resources. Cybersecurity, the top choice the past two years, was second in 2018.