KPMG recently published its latest survey of chief compliance officers. The report highlights the increasing value of effective Compliance. It also reveals growing pains of our industry, specifically in maximizing efficiencies.
Let’s start with the good – 94 percent of organizations say that compliance requirements are embedded in policies and procedures. This is true as well for Codes of Conduct, which are available to all employees. This means organizational missions and values are being woven into the fabric of our businesses. Embedded compliance is effective compliance.
Although compliance programs are becoming more effective, there is still room to grow on the efficiency side. “Many CCOs (31 percent) acknowledge that they do not have or do not know if they have [a] regulatory change process to capture changes in laws and regulations,” according to the report. This is even more concerning when it comes to third parties. Sixty-nine percent do not manage third-party risks through an enterprise-wide tool that monitors “Key Risk Indicators” (KRIs).
We have to embed compliance into our operations just as we have done in our policies, especially around oversight of third parties. Third parties present one of the greatest risks to our companies. Their issues are our issues. Their wrongdoings are our wrongdoings. To not monitor them efficiently takes our brand out of our hands and gives reputational damage a foot in the door.
The current challenge in the industry is with how to implement the right technology. Compliance can be both effective and efficient with tech that operationalizes the policies and business processes we’ve put to paper. We need to identify the data that will tell us something useful about our third parties and the transactions those parties do. We need to collect that data and match it to KRIs that matter for our entire company. We need to monitor those KRIs often—not just quarterly or annually. Without continuous attention, periodic third-party “monitoring” ends up being little more than having a vendor check a box that says “Yep, we read your compliance requirement.”
That goal is very much in the spirit of the guidance we saw from the Justice Department in February. The guidance delineates how to evaluate the effectiveness of compliance programs, with the grand theme being to operationalize compliance. This includes tone at the top, policies and procedures, and systems and technology.
As suggested in the KPMG survey, many companies have mastered the written part of that task. But we still have the technology part of the task to do.
In many ways, “successful” compliance technology will mean automation.
That’s not surprising. Organizations already want to automate many other business processes and functions, and compliance is no different. Automation of due diligence, automation of risk monitoring and automation of analytics for suspicious payments need to be high on the to-do list.
The good news is that we can and will get there; many of the tools compliance officers need already exist. As technology is increasingly adopted by Compliance, our programs will become more effective as well as efficient.