
Corporate Counsel Connect collection

July 2017 edition

DLA Piper’s 2017 Compliance & Risk Report: Compliance grows up

DLA Piper

Executive summary

Those are among the top findings in DLA Piper’s 2017 Compliance & Risk Report. Amid an uncertain global compliance landscape – following the election of Donald Trump, Brexit, and other factors – compliance professionals and directors from international and U.S. companies noted improvement and diminished concern about personal liability, even as they shared many of the same lingering worries.

This year, 67 percent of chief compliance officers surveyed said they were at least somewhat concerned about their personal liability and that of their CEOs, down from 81 percent in 2016. And 71 percent said they made changes to their compliance programs based on recent regulatory events – up from just 21 percent a year earlier.

But clearly, there is more work to be done. The fact that two out of every three respondents remain concerned is significant – and indicates that an evolving compliance landscape, both in the U.S. and abroad, still keeps many executives up at night. It could also indicate a general sense that compliance executives should never rest easy.

“You can never rest on your laurels – and there’s always something new out there. If you’re not moving forward, you’re falling behind,” said one CCO. “That’s the expectation of senior management and the board – that we’ll always be looking to improve our programs.”

The level of concern among members of boards of directors – surveyed for the first time this year – was even higher: 82 percent of directors said they were at least somewhat concerned about personal liability. This is likely related to other findings that show lingering kinks in communications channels and a persistent lack of training for directors. Together, these findings indicate that the relationship between the compliance function and boards needs work – despite efforts taken by organizations to upgrade their compliance program.

The full report analyzes the findings of this year’s survey, which we’ve broken into three categories, and provides practical guidance for organizations.

Resources

In 2016, 77 percent of compliance executives told us they had sufficient resources, clout, and board access to support their ability to effectively perform their jobs. This year, 84 percent said they felt that way. The improvement is possibly a reflection of the increased percentage of respondents who actually had the resources to make changes to their compliance program, compared with the 2016 findings.

It also points to another trend evident in our survey results. Respondents are increasingly able to effect change, procure adequate resources, access senior leadership and run strong compliance programs, even in the absence of heightened regulatory risk or enforcement. Taken together, these data points indicate that the compliance function is gaining independence and stature within organizations. They could also point to compliance officers’ growing ability to demonstrate the value of compliance beyond risk management. “Compliance officers have to think like a business person to make an impact,” one CCO told us.

Meanwhile, the percentage of respondents who said their budget was not enough to accomplish their goals increased from 28 percent in 2016 to 38 percent. This could reflect business growth; one respondent noted that growing companies require additional compliance resources. “We are a growth company so compliance budgets need to stay in line with product developments,” the respondent said.

Compliance professionals who don’t feel they have sufficient budgets may need to focus on convincing senior leadership, including boards. According to our survey, 53 percent of directors strongly agree that their compliance group has sufficient resources, clout, and board access. Just 29 percent of CCOs answered the question that way. While this could simply reflect a difference in perspectives, it could also show that some CCOs aren’t communicating their needs effectively. “It’s incumbent on the CCO to let people know at the board level if you don’t think you have the resources,” one CCO told us. “If there’s a compliance issue a year later, you can’t say you didn’t think you had what you needed.”

Reporting structure

Further illustrating compliance’s growing prominence in corporate structures, the number of CCOs who report to the CEO increased compared with last year, while the number who report to general counsel or chief legal officers decreased. Still, respondents indicated a desire to continue climbing the corporate ladder. This year 37 percent of respondents said they believed compliance should report to the board – up from 29 percent in 2016. This could simply reflect the natural desire to move up the food chain. But it also likely reflects a growing focus on board oversight and an increased emphasis on ensuring boards understand the compliance function.

Of greater concern, many directors appear to be receiving inadequate reporting and training on compliance matters. About a quarter of both CCOs and board members said the compliance function at their organization reports to the board less than once per quarter – a remarkable finding. “When you realize the ramifications of board membership, it’s hard to operate without those regular reports from compliance,” said one CCO.

There also was a noticeable difference in direct reporting to boards between public- and private-company respondents. CCOs at public companies had more board access, and public-company directors are more aware of their heightened liability exposure. “At the end of the day, regulators will hold boards accountable,” one CCO told us.

Persistent concerns

Training. In light of that perceived heightened liability exposure for directors, it is puzzling that 44 percent of director respondents said they hadn’t received any training on compliance issues. Given evolving compliance standards and regulations – such as new Securities and Exchange Commission guidance on conflict minerals and updated DOJ guidance on corporate fraud – it’s arguable that training is more important than ever. Failure to engage in training could amount to a breach of fiduciary duty.

The duty to train directors also falls upon CCOs. One CCO we spoke to advised thinking differently about training when it comes to boards. “Their schedules are packed. You really have to combine it with other messaging,” she said. “Last year we redid our code of conduct and the board had to approve it – we used that as our vehicle for training.”

Implementation. Despite the potential for increased personal liability, driving compliance initiatives remains a challenge. For example, fewer than half of organizations penalize employees for failing to complete compliance training. This is a confounding finding given the emergence of technology to make training more convenient for employees. But the nearly even split between organizations that use negative and positive reinforcement to incentivize training indicates how tricky the issue is. Many companies are reluctant to come down hard on employees who don’t complete training, and some have tried creative incentives.

Primary Risks. CCOs’ primary concerns – data security and privacy, cybersecurity, and regulatory risk – haven’t changed much since last year. Not surprisingly, those concerns map to the areas where compliance budgets are concentrated, according to our respondents.

Monitoring. The challenges in monitoring compliance programs continue to bedevil compliance officers – 46 percent of our respondents chose monitoring as the weakest part of their compliance program. Monitoring is particularly important in managing third-party risk, as regulators remain focused on violations related to third parties and as companies struggle to manage sprawling global organizations. “A lot of people don’t have systems to monitor third parties,” one CCO told us. Or they don’t take the proper steps to investigate and potentially clear red flags that their monitoring uncovers. “That’s monitoring,” he said.


About the report

DLA Piper distributed surveys in the first quarter of 2017 and received responses from 137 corporate in-house counsel, compliance professionals, and members of boards of directors. Forty-three percent of the respondents held the title of Chief Compliance Officer or GC/CLO, and nearly 40 percent came from companies with more than US$1 billion in revenue. Fifty-two percent of respondents’ revenue comes from North America, followed by 21 percent from Europe, the Middle East and Asia, 15 percent from Asia-Pacific, and 13 percent from Latin America. Forty percent of respondents represented publicly traded companies, while 60 percent were private. For more information and to receive the complete survey report, please visit: https://www.dlapiper.com/compliance_survey.


