KPMG Survey: Chief Compliance Officers

April 18, 2017
Categories: Compliance

Despite Chief Compliance Officers stating that they are making progress in their “compliance journeys,” compliance departments remain challenged in several core areas: technology and data analytics; monitoring and testing; and people, skills and due diligence. These findings were released in a recent KPMG survey of Chief Compliance Officers (CCOs) in 63 major US organizations across seven industries.

Highlights of the areas for improvement in compliance programs:

  • Technology and data analytics: Out of all the compliance components in the survey, organizations report the least progress in technology and data analytics. Many organizations say they either do not leverage technology to support their compliance initiatives or do not know whether they do. Further results in regard to technology and data analytics include:
    • Six in 10 CCOs said technology was not checked to ensure it meets compliance requirements. This is an area of concern because 69 percent of CCOs also say their organization leverages technology to support its compliance initiatives.
    • More than half of respondents do not use Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) in support of their monitoring and testing. Download CREATe.org’s whitepaper on using KPIs.
  • Monitoring and testing: Most compliance officers report that they undertake periodic assessments of their compliance programs and report the results to senior management and the Board. However, a significant number do not have a compliance monitoring and testing program that encompasses process, control, and transaction testing, and tracks regulatory changes. Monitoring of third-party vendors is also a component that needs to be strengthened in many organizations. The survey indicates that a significant number of organizations lack a process, or are unaware if their vendors have a process to confirm they comply with due diligence. Companies should continue to provide reports on compliance; however, they should expand the means and scope of monitoring and testing. Further results in regard to monitoring and testing include:
    • Monitoring: While a majority (84%) of organizations provide reports on the state of compliance, only 47 percent of CCOs say their reporting system is integrated with compliance monitoring. Furthermore, 33 percent of CCOs report their compliance testing program does not include transactional, process, and controls testing.
    • Third-Party Risk: Slightly more than half of organizations indicate they have a compliance monitoring process to confirm that third-party vendors adhere to compliance due diligence processes; however, just 31 percent manage third-party risk and issue tracking through an enterprise-wide tool capable of monitoring KRIs/KPIs.
  • People, skills, and due diligence: Many survey respondents reported they do not assess compliance skills of personnel and a significant number of CCOs do not have defined compliance roles and responsibilities for compliance personnel. CCOs also do not consider adherence to compliance policies and procedures as a factor in performance ratings and compensation decisions. In these areas and others, CCOs can instill accountability across their organizations. Additional responses from the survey include:
    • Corporate culture and communication: The top compliance challenge indicated by 39 percent of the CCOs in the survey is governance and culture. Only 15 percent of CCOs strongly agree that their lines of business management take ownership of the compliance culture and agenda. Surprisingly, 31% of the CCOs surveyed do not know whether or not they communicate about conduct and culture lessons across their organizations.
      • Further areas of concern focus on clear communication about the roles and responsibilities of employees in compliance. The survey found that 29 percent of CCOs do not have formalized compliance roles and responsibilities for their staff.
      • Although 94 percent of organizations report that compliance requirements are featured in policies and procedures and code of conduct, nearly four in 10 CCOs (39%) do not consider employee adherence to compliance policies and procedures as a factor in performance ratings. However, 29 percent of organizations report that they assess compliance proficiencies and skills of their staff on an ongoing basis.
    • Risk assessment: While most CCOs have an adequate compliance risk assessment process, only 32 percent say their business unit, operations, and IT management are involved in assessing compliance risk within their units. In addition, roughly one-third of CCOs do not conduct reassessments of their risk profiles upon business changes.

The full KPMG report can be found here.

Download CREATe.org’s new whitepaper: Anti-Corruption Compliance: Using KPIs to Mature and Manage Programs.