CCOs Say Policies Are Getting Stronger; Adoption of Technology – Not So Much

Nelson Pratt

KPMG recently published its latest survey of chief compliance officers. The report highlights the increasing value of effective Compliance. It also reveals growing pains of our industry, specifically in maximizing efficiencies.

Let’s start with the good – 94 percent of organizations say that compliance requirements are embedded in policies and procedures. This is true as well for Codes of Conduct, which are available to all employees. This means organizational missions and values are being woven into the fabric of our businesses. Embedded compliance is effective compliance.

Now, although compliance programs are becoming more effective, there is still room to grow in the way of efficiencies. “Many CCOs (31 percent) acknowledge that they do not have or do not know if they have [a] regulatory change process to capture changes in laws and regulations,” according to the report. This is even more concerning when it comes to third parties. Sixty-nine percent do not manage third-party risks through an enterprise-wide tool that monitors “Key Risk Indicators” (KRIs).

We have to embed compliance into our operations just as we have done in our policies, especially around oversight of third parties. Third parties present one of the greatest risks to our companies. Their issues are our issues. Their wrongdoings are our wrongdoings. To not monitor them efficiently takes our brand out of our hands and gives reputational damage a foot in the door. 

The current challenge in the industry is with how to implement the right technology. Compliance can be both effective and efficient with tech that operationalizes the policies and business processes we’ve put to paper. We need to identify the data that will tell us something useful about our third parties and the transactions those parties do. We need to collect that data and match it to KRIs that matter for our entire company. We need to monitor those KRIs often—not just quarterly or annually. Without continuous attention, periodic third-party “monitoring” ends up being little more than having a vendor check a box that says “Yep, we read your compliance requirement.”

That goal is very much in the spirit of the guidance we saw from the Justice Department in February. The guidance delineates how to evaluate the effectiveness of compliance programs, with the grand theme being to operationalize compliance. This includes tone at the top, policies and procedures, and systems and technology.

As suggested in the KPMG survey, many companies have mastered the written part of that task. But we still have the technology part of the task to do.

In many ways, “successful” compliance technology will mean automation.

That’s not surprising. Organizations already want to automate many other business processes and functions, and compliance is no different. Automation of due diligence, automation of risk monitoring and automation of analytics for suspicious payments needs to be high on the to-do list.

The good news is that we can and will get there; many of the tools compliance officers need already exist. As technology is increasingly adopted by Compliance, our programs will become more effective as well as efficient.
