As we've stated before, to say 2020 was disruptive is an exercise in understatement. And while we may reasonably hope that the worst is behind us, the uncertainty and risk that it introduced are unlikely to recede anytime soon.
Fortunately, there are valuable lessons to be learned from the events of the past year, as well as positive signs for the risk and compliance space in particular. In the face of sudden and massive shifts in how, where and with whom we work, the risk and compliance functions of businesses across the globe responded with strength and resiliency, adapting to new conditions and challenges as they arose.
Risk and compliance functions are taking a broader, more integrated and holistic approach to managing uncertainty.
The crisis also prompted new and renewed interest in going beyond compliance to tackle a host of risks through activities including business continuity planning; enhanced due diligence and continuous monitoring of third parties; advancements in how we update, disseminate, and document the use of policies and procedures; and in better training of employees, third parties and leadership on ethics and compliance issues. Our incident management systems proved consistently robust, taking full advantage of technology and automation solutions.
Similarly, the increasing size and scope of environmental disasters have led to an increased (and welcome) sense of urgency from the broader public, as well as commitments from businesses to make a difference through robust and impactful Environmental, Social and Governance (ESG) programs.
Above all, this year’s benchmark report demonstrates that the quickly maturing risk and compliance sector is taking a broader, more integrated and holistic approach to managing uncertainty. And that’s a good thing, because there is every indication that this will be its defining challenge in the months and years to come.
This rapid pace of change makes benchmarking your program more important than ever. As risk and compliance functions innovate to meet an expanding universe of business needs, it is essential they measure their programs and progress against both their peers and increasingly demanding regulatory guidance.
To that end, this year’s risk and compliance benchmark has drawn on a variety of expert opinion and regulatory guidance, including the U.S. Department of Justice’s “Evaluation of Corporate Compliance Programs,” for its questioning and analysis. We chose this guidance for its current and holistic view of the ethics and compliance function. However, be aware: this tool is just one of many global guidelines for creating and maintaining effective R&C programs. Its purpose is to guide prosecutors in assessing programs that have already committed a compliance failure. As Hui Chen, former compliance counsel for the Justice Department and author of the original DOJ corporate compliance guidance, notes, “If you can give fairly reasonable answers to these questions, congratulations, you are a C student. The A students are not in front of us.”1 In other words, the guidance provides the necessary table stakes to play, but not best practices to win.
The results of our survey identified several key successes and challenges, specifically:
- The risk and compliance sector is rapidly maturing. This year we witnessed sizable increases in program maturity and confidence. The number of Mature and Advanced programs grew by 29%, while the number of Reactive and Basic ones declined by 35%. We also saw a significant increase in the adoption of purpose-built systems to manage R&C functions, as well as robust use of program measures, continuous access to data across functions and integration of risk management throughout the enterprise. However, programs should take note: More sophistication can create opportunity for growth, but programs that don’t seize the moment could be left behind.
- The pandemic did not significantly disrupt risk and compliance, but it did impact R&C priorities. Surprisingly (given the size and scope of the pandemic), risk and compliance programs emerged relatively unscathed. None of the R&C functions surveyed were described as “disrupted” or “very disrupted” by more than a fifth of respondents, and over half reported that none of the R&C functions surveyed experienced significant disruption. Workplace culture also remained largely unharmed. Half of those surveyed said they experienced no change in their workplace culture, while the other half was just as likely to say it improved as not. However, R&C priorities did shift. Business continuity ranked as the number two priority for respondents, right behind data privacy, protection and security – a clear sign R&C programs are thinking about operational risk.
- Programs say they are under-resourced. One major point of interest this year is the fact that many programs say they suffer from a lack of adequate funding and staff. Only a third (34%) of respondents rated their access to both these resources as “good” or “very good.” This is especially important since, as the report demonstrates, substantive resourcing is strongly correlated to a host of positive program outcomes. Fortunately, however, respondents are satisfied with the skill and quality of the staff they have. Over two-thirds (69%) say their staff have appropriate experience and qualifications.
- Leadership’s commitment to compliance wavers in challenging circumstances. Three-fourths of respondents said their senior leaders and managers both demonstrate a commitment to compliance. However, when asked if their leadership had persisted in that commitment in the face of competing interests or business objectives, that number shrank by as much as 37 percentage points. This is further validation of last year’s benchmark finding that a substantive portion of leadership support was “soft” or situational.
- Organizations are good at acquiring data – but are not effectively utilizing it. Overall, R&C programs are excelling at collecting information. They relied on multiple sources for their program audits, testing and analysis, and rated their continuous access to data across business functions relatively high. However, programs still lagged when it came to effectively leveraging that access, whether that meant using risk assessment results to make risk-based resource allocation decisions or using metrics to track policy access or to assess reporting effectiveness.
To make the most of this moment, R&C professionals must make culture a must, not a “nice to have.” That means elevating the importance of improving organizational culture in your decision-making processes and holding all employees accountable for their actions. They must also make securing funds and staff a top priority, and zealously pursue leadership support even in the face of competing priorities. They must learn to effectively use the data available to them and integrate their risk management practices throughout the enterprise. Above all, they must seize the opportunity of this moment, uncertainty and all – or risk getting left behind.