“The current challenge in the industry is with how to implement the right technology. Compliance can be both effective and efficient with tech that operationalizes the policies and business processes we’ve put to paper. We need to identify the data that will tell us something useful about our third parties and the transactions those parties do.”
KPMG recently published its latest survey of chief compliance officers. The report highlights the increasing value of effective Compliance. It also reveals growing pains of our industry, specifically in maximizing efficiencies.
Let’s start with the good—94 percent of organizations say that compliance requirements are embedded in policies and procedures. This is true as well for Codes of Conduct, which are available to all employees. This means organizational missions and values are being woven into the fabric of our businesses. Embedded compliance is effective compliance.
Now although compliance programs are becoming more effective, there is still room to grow in the way of efficiencies. “Many CCOs (31 percent) acknowledge that they do not have or do not know if they have [a] regulatory change process to capture changes in laws and regulations,” according to the report. This is even more concerning when it comes to third parties. Sixty-nine percent do not manage third-party risks through an enterprise-wide tool that monitors “Key Risk Indicators” (KRIs).
We have to embed compliance into our operations just as we have done in our policies, especially around oversight of third parties. Third parties present one of the greatest risks to our companies. Their issues are our issues. Their wrongdoings are our wrongdoings. To not monitor them efficiently takes our brand out of our hands and gives reputational damage a foot in the door.
The current challenge in the industry is with how to implement the right technology. Compliance can be both effective and efficient with tech that operationalizes the policies and business processes we’ve put to paper. We need to identify the data that will tell us something useful about our third parties and the transactions those parties do. We need to collect that data and match it to KRIs that matter for our entire company. We need to monitor those KRIs often—not just quarterly or annually. Without continuous attention, periodic third-party “monitoring” ends up being little more than having a vendor check a box that says “Yep, we read your compliance requirement.”
That goal is very much in spirit with the guidance we saw from the Justice Department in February. The guidance delineates how to evaluate the effectiveness of compliance programs, with the grand theme being to operationalize compliance. This include tone at the top, policies and procedures and systems and technology.
As suggested in the KPMG survey, many companies have mastered the written part of that task. But we still have the technology part of the task to do.
By: Chris Morton, SVP, Marketing and Corporate Development
- Impact of digitized environments & modern workplaces on internal investigations - April 15, 2020
- Whistleblower hotlines decrease the cost & duration of corporate fraud schemes - March 18, 2020
- Entering the era of operational resilience - February 27, 2020