sign in sign up
<<
Home , Tone at the top

pwc.com/us/stateofcompliance

PwC State of Compliance Study 2016 Laying a strategic foundation for strong compliance risk PwC State of Compliance Study 2016 PwC State of Compliance Study 2016

Welcome Table of contents

Welcome to our State of Compliance report for 2016—2016 marks our 6th annual Introduction 2 Delve into the study which is designed to give corporate compliance officers benchmarking data full analysis of to help them understand common industry practices today and plan for more the PwC State of effective, more efficient compliance operations in the future. The study aims to Compliance Study give compliance leaders a view into organizations’ tone at the top, process to assess Tone at the top 4 2016 at pwc.com/us/ risk and compliance and ethics oversight structure and scope. These compliance stateofcompliance program elements, representing the business strategy elements of compliance and ethics, are among the most frequently debated topics by compliance practitioners. Risk assessment 8 We extend our sincere thanks to the more than 800 executives globally who participated in this year’s survey. Respondents represented a great diversity of company sizes, industries and responsibilities. This year, just over a third of respondents came from companies with anticipated revenues of more than $5 Oversight and responsibility 13 billion. Banking and Capital Markets organizations showed a particular interest (15% of total respondents), just as in 2015. A third of our respondents are either a Chief Compliance Officer (CCO), Chief Ethics and Compliance Officer (CECO), Chief Legal Officer or General Counsel and a fourth described themselves as a Chief Audit A look at those with the strongest compliance commitment 17 Executive or equivalent. Additional respondents are senior legal counsel or directors or managers of compliance, ethics, audit, or risk.

We hope you find the information in this PwC State of Compliance Study 2016 report insightful and valuable in helping you improve the effectiveness of your Conclusion 18 organization’s corporate compliance function.

Sincerely,

Andrea Falcione Seth Cohen Managing Director, PwC Director, PwC [email protected] [email protected] +1 617 530 5011 +1 646 471 0105

Laying a strategic foundation for strong compliance risk management 3 PwC State of Compliance Study 2016 PwC State of Compliance Study 2016

Introduction

State of Compliance Study 2016 at a glance In our 6th annual State of Compliance programmatic performance essential business processes and to assess the Study, we took a slightly different to determining the effectiveness of effectiveness of compliance efforts Embedding compliance into both strategy and everyday operations begins with effectively establishing the tone at approach than in prior years—this risk and compliance processes and against strategic objectives. By focusing the top, assessing compliance and ethics risks in efficient collaboration with other risk functions and building the time, focusing on the elements identifying potential blind spots in our study more closely on these three governance and oversight structure that provides a high level of confidence over regulatory matters. represented in the business strategy oversight or management. strategic elements of an effective portion of PwC’s proprietary compliance and ethics program, we Tone at the top: Strategic We focused this year on business Risk assessment: Coordinated compliance and ethics framework, hope to provide CECOs and other involvement approach depicted in Figure 1 and refreshed strategy because the connection of compliance leaders with meaningful since first introduced in our 2015 study. compliance to business strategy— information against which they may Senior executives support compliance and ethics Compliance and ethics is aligning activities with including tone at the top, risk benchmark and further develop programs, but are less visibly engaged in leading other assurance functions, but more coordination Within the framework, business assessment, and oversight and the strategic cornerstones of their their companies’ programs is possible strategy refers to the approach and responsibility—lays the strategic compliance and ethics programs. In have senior leadership that is committed to tenor the organization takes to align foundation for both a culture 98% 54% conduct compliance and ethics-specific risk subsequent studies, we will look more compliance and ethics assessment activities beyond ERM efforts risk and compliance with its business of compliance and ethics, and closely at the business management indicate senior leadership provides only ad hoc strategy and to manage associated management programs that help and business performance elements of 55% In their risk assessment, compliance and ethics program oversight or delegates most compliance and risks. Business management refers to ensure the organization conforms to the framework, all of which are needed teams may be missing valuable “bottom up” ethics oversight activities how risk and compliance management all necessary regulatory requirements to drive effective compliance and ethics information… is owned by the business and and ethical standards. Without strong programs. integrated into the business processes alignment of compliance management Deficiencies in measurement may contribute to 21% use employee surveys to gather information for and culture. Business performance is to business strategy, it is difficult to lagging leadership engagement their risk assessments the measurement of operational and efficiently integrate compliance into 48% report their organization assesses its “tone at …and, in execution, falling short on getting the top” business units to own compliance risk

Figure 1: PwC’s compliance and ethics framework To align compliance to business strategy, 67% have a process to identify owners of specific compliance officers will need to be more actively compliance and ethics-related risks involved in strategic discussions Legal or compliance “owns” 11 of 17 compliance Business strategy Tone at 36% are “inherently integrated” or “play a key role” and ethics-related risks most frequently the top in strategic planning Risk assessment

Oversight & responsibility

Policies & procedures Oversight and responsibility: Focused and efficient Business management Board-level oversight committees demonstrate a rising focus on compliance and ethics Training Communication 20% have Boards of Directors that formed a separate, stand-alone compliance/ethics committee Monitoring, analysis, & response Dedicated business unit compliance officers are keenly focused on monitoring activities have dedicated business unit or business area compliance officers Reporting 72% Business oversight 89% select compliance monitoring as a primary area of responsibility Enforcement Resource & Auditing & discipline performance In-house compliance committees are becoming more streamlined management In-house committees do 11 of 14 activities less frequently than in 2015

2 PwC Laying a strategic foundation for strong compliance risk management 3 PwC State of Compliance Study 2016 PwC State of Compliance Study 2016

Tone at the top

An organization has established more accountable for participation, Figure 2: Sample compliance and ethics executive scorecard effective tone at the top when senior which is motivating some innovative “Our program goal is to leadership demonstrates personal organizations to incorporate executive manage global risks that We have adapted the following compliance and ethics executive scorecard from a similar version developed by one of our more and organizational commitment to metrics into their compliance and ethics innovative clients. It is a great example of how one organization holds executive leadership accountable for its critically important compliance and the compliance and scorecards (Figure 2). Such scorecards impede meeting strategic role in the company’s compliance and ethics program. ethics program, and this commitment enable both senior leadership and goals while not adding To use such a scorecard, a company might first require the executive to provide a self-rating, followed by a blind rating by the permeates all levels of management. compliance and ethics department unnecessary cost and compliance and ethics department—similar to many organizations’ general performance management processes. In the event that leadership to stay focused on the burden to the bottom line.” an executive is found to be deficient, the CECO might co-develop an action plan designed to increase the executive’s compliance Executive commitment. Senior elements that matter most to actively leadership proficiency. Should there be a lack of improvement on a year-over-year basis, the individual’s incentive compensation executives appear to be supporting driving a culture of compliant behavior 2016 study respondent may be affected, and he or she may be otherwise held to task by the CEO or the Board. their compliance and ethics programs, and ethical decision making. They but they are less visible as actively enable senior leadership to be more Compliance and Associated metrics Executive’s self Compliance and frequent reinforcement. However, our engaged leaders of their companies’ attuned to what is happening with the ethics program rating ethics department’s study revealed that only 26% of senior element(s) rating programs. An overwhelming majority compliance and ethics program and, as executives speak of compliance and Tone at the top; 1) Incorporates compliance and ethics messaging into broad of respondents to our survey (98%) importantly, the employee population. indicated that senior leadership ethics as part of everyday business communication communications to employees and in day-to-day interactions with With better metrics, organizations employees is, at the very least, committed to communications. can also gain efficiencies and improve 2) Regularly reminds employees of the importance of ethical and compliance and ethics. But a majority program effectiveness by focusing on Participation in strategic planning. compliant behavior, raising concerns and the Company’s non-retaliation of respondents (55%) indicated senior policy successful activities while discarding Rising unease among senior leaders leadership either provides only ad hoc 3) Models the Company values and demonstrates ethical and compliant ineffective ones. about increasing regulation is not oversight of the compliance and ethics behavior in everyday decision making and when enforcing disciplinary yet translating into widespread program or delegates most oversight Executive communication. One measures participation of compliance and activities. This disconnect appears to way in which senior leaders appear to Enforcement and 1) Consistently recognizes compliance and ethics-related successes and ethics leaders in strategic planning. discipline; resource consistently disciplines compliance and ethics-related violations impact employee perception of senior be participating in their compliance PwC’s 19th Annual Global CEO Survey and performance leadership’s role in their organizations’ and ethics programs is in their management identified that CEOs continue to be very compliance and ethics programs, as messaging to both management and Training 1) Achieves at least a 95% completion rate for compliance and ethics concerned about increasing regulatory only 16% of respondents indicated employees, yet there is more to be training within 3 months of deployment complexity. In fact, 79% of CEOs cited their employees view the CEO as the done. Eighty-two percent (82%) of Monitoring, anaylsis, 1) Maintains an compliance and ethics related incident rate below 5 over-regulation as a top threat to their compliance and ethics champion at respondents indicated their senior and response incidents per 100 employees organizations’ growth prospects— their organizations. leaders formally communicate the 2) Develops and implements corrective actions plans in a consistent and making it the fourth year in a row that importance of a compliance and ethics timely manner regulatory concerns have risen. Yet, Measurement. Perhaps this lagging culture. Just over half of respondents Auditing 1) Provides full cooperation with compliance and ethics related audits and on a year-over-year basis, we continue ensures audits are completed in a timely manner leadership engagement is partially a report their senior executives formally to see that compliance officers are not result of deficiencies in measurement. communicate at least quarterly on actively involved in their organizations’ Good rating Only 48% of respondents indicated compliance and ethics-related topics, strategic planning efforts. Only 36% that their organization assesses its and the vast majority use email for of respondents indicated they are Somewhat good rating “tone at the top.” Among those who such communications, with town hall “inherently integrated” or “play a key do, just 24% include senior leadership meetings and business unit meetings role” in their organizations’ strategic compliance and ethics performance receiving significantly lower response Poor rating planning, which is not measurably metrics as part of that evaluation. rates (Figure 3). While these formal different from our 2015 results, when Organizations that lack distinctive communications are necessary, 35% of respondents indicated they measures of executive participation are embedding compliance and ethics were involved in annual business missing out on an opportunity. Metrics into day-to-day operations requires certainly help to hold executives strategy development.

4 PwC Laying a strategic foundation for strong compliance risk management 5 PwC State of Compliance Study 2016 PwC State of Compliance Study 2016

Figure 3: Executive communication regarding compliance and ethics “Our top priority is to Senior leadership that formally communicate with employees regarding compliance and ethics topics become trusted advisors to the lines of business and Email Town hall Business unit communications meetings meetings add value through process How? 82% 59% 46% improvement.” Video All hands Audio messages calls/meetings messages 2016 study respondent 38% 28% 11% 82% Training Intranet 6% 2% included. If not overtly included at the executive level, CECOs can participate Monthly Quarterly Semi-annually through functional and operational How often? 19% 33% 21% planning meetings, where strategic priorities may be discussed. This Annually Every other year Don’t know participation may serve to integrate 22% 1% 4% compliance leaders into the process Food for thought—Board reporting and establish them as key participants Compliance and ethics officers should to take a more forward-looking view in strategy-setting discussions over the At a minimum, CECOs generally report to the Board on We are focused on culture consider ways to enhance their of how compliance issues affect longer term while raising their overall basic compliance and ethics program statistics, such as change to get compliance participation in strategic planning, operations, yet only 49% agree their profile. CECOs can also take advantage hotline metrics, training data and risk assessment results. CECOs also which could result in an enhanced compliance function has a proven involved in the very early of the opportunities presented to them, typically provide more detailed briefings regarding higher-risk internal profile for the compliance function track record of proactively addressing such as interactions with the Board compliance and ethics investigations (e.g., substantiated claims involving stages of new product and across the organization and better potential growth impediments. of Directors or , to potential reputational or financial harm to the company, claims involving position the function to anticipate and demonstrate the value of their formal executive-level management, and claims involving / financial service development. Involvement begins with mitigate compliance and ethics-related participation. fraud). CECOs at companies with more mature programs may also (a) 2016 study respondent demonstrating interest in the process risks. PwC’s 2016 Risk in review study do deeper dives into particular compliance and ethics risks and the and presenting a business case for Board visibility. Compliance and highlights that 78% of risk executives company’s associated risk management efforts, (b) train the Board on why compliance and ethics should be ethics functions are getting fairly agree that senior management wants risk-specific topics (e.g., anti-bribery/anti-corruption) or more general consistent visibility with their Boards compliance and ethics topics (e.g., the standards for compliance programs of Directors and senior leaders. Sixty- set by the Federal Sentencing Guidelines and the Board’s duties and Tone at the top in action three percent (63%) of respondents responsibilities relative to compliance and ethics program oversight), indicated their Boards receive reports The CECO at one PwC client recently worked collaboratively with her company’s CISO to engage the (c) brief the Board on recent compliance and ethics headlines and trends on their organizations’ compliance Board in a sample data security breach crisis management exercise. She included in the Board’s and / or (d) present and vet the company’s annual compliance and ethics and ethics performance on at pre-read materials a faux newspaper article announcing the fictional data breach in very unflattering terms, program plan. least a quarterly basis, and 67% of asking Board members to imagine awakening to this news on their doorstep (or tablet, as the case may be). At respondents indicated their senior the Board meeting, the CECO staged a mock crisis management scenario, inviting Board members to poke holes leadership receives similar reports on in the company’s plans and to otherwise challenge senior executives’ actions—or inactions—in the face of the strategic elements in their Board results and ideas in that context, and at least a quarterly basis. To elevate presented crisis. This reproduction of a potentially real-life scenario actively engaged the Board in a critical risk reports and at Board meetings. (See proactively bringing issues to the their status as strategic thinkers and management exercise and helped to solidify the CECO’s stature as a strategic resource with both the Board and Food for thought—Board reporting.) forefront, they can open the door to trusted advisors, compliance leaders with other members of senior leadership at her company. By mapping their compliance strategy more active and formal participation in should consider providing more to the business strategy, presenting strategy.

6 PwC Laying a strategic foundation for strong compliance risk management 7 PwC State of Compliance Study 2016 PwC State of Compliance Study 2016

Risk assessment

Risk assessment is a critical lynchpin scrutiny, have resulted in more aligning their activities with other sufficient to fully meet compliance and can improve efficiency for all groups of an effective compliance and ethics challenging, and at times inefficient, assurance functions within their ethics team needs. For example, nearly in the longer-term while easing “Our top priority program. Leading organizations compliance and ethics management. organizations. Alignment helps four-fifths of respondents indicated that the burden on the business. Today, is better aligning develop a formal methodology reduce duplicate work across the there is an enterprise risk management just 54% of respondents (the same our compliance risk to conduct assessments of their Alignment across risk functions. groups and prevents the business (ERM) process at their organizations, percentage that conduct additional compliance and ethics risks at least In an effort to improve both risk from being subjected to redundant and most indicated that the ERM risk assessment beyond what is done management processes annually. They use risk assessment identification and productivity, many risk management activities. However, process covers compliance and ethics- by ERM) report the framework they with our enterprise risk compliance and ethics groups are results to develop / revise the collaborative efforts are not always related risks (Figure 5). However, 54% use for their compliance and ethics risk management processes.” organization’s compliance plan, Figure 4: PwC's critical business imperatives: Navigate risk and of respondents indicated they needed assessment aligns with the framework 2016 study respondent including policies and procedures, regulatory complexity to conduct at least some additional the organization uses for its ERM training, auditing and monitoring. compliance and ethics-specific risk process. On a timely basis, the organization Take the first step, set the tone. The first step towards success is to set a enterprise-wide tone assessment activities in order to risk assessment process. However, only identifies and addresses any new to embrace change as both inevitable and an opportunity. fully address their organizations’ Risk assessment approach. In 21% of respondents include employee or changing laws and regulations compliance and ethics risks. addition, it appears that, while Set the tone surveys. By limiting the inputs of applicable to its business. L compliance and ethics teams rely While coordination and collaboration heavily on the top of the organization compliance and ethics risk assessments L Regulatory requirements are on the among groups is key to any successful when conducting risk assessment to the executive view of risk, the results could miss potential operational or rise across all sectors of our economy, R compliance and ethics program, these activities, they may be neglecting to from market conduct regulation efforts must be efficient and lead to obtain valuable information from front-line employee issues that might in the financial services industries Set productivity gains for the program middle management and rank-and-file be critical identifiers and / or elevate objectives the importance of particular risks. to food safety updates in the retail Analyze and the company. Collaboration across employees. A majority of respondents and consumer space. Because each groups may initially require a greater indicated their organizations include data Ideally, compliance and ethics-related new regulation adds complexity and investment of time and resources, interviews with management (59%) L R risk assessments would include input introduces additional risk, PwC feels but the establishment of common and / or Board / management input of employees from multiple levels at that clear and confident navigation frameworks and repeatable processes (55%) in their compliance and ethics the organization, thereby increasing of risk and regulatory complexity is one of 11 critical business imperatives for organizations in 2016 and Figure 5: ERM coverage of compliance and ethics needs beyond (Figure 4). However, for Gain Understand risks and many organizations, increasingly insights R Respondents reporting their company has Does your ERM process cover compliance and ethics-related risks? opportunities complicated regulations, combined L an ERM process with a heightened level of regulatory Evaluate do cover compliance options 88% R and ethics-related risks “Our risk assessment process is consistent Manage, measure and 77% 9% do not cover compliance with ERM, which helps adjust X and ethics-related risks guide a more risk based R L audit and monitoring of 2% don’t know Take action ? compliance.” L 2016 study respondent

8 PwC Laying a strategic foundation for strong compliance risk management 9 PwC State of Compliance Study 2016 PwC State of Compliance Study 2016

the likelihood of identifying and truly understanding the inherent nature of Food for thought – Risk assessment “We are currently Risk assessment in action compliance and ethics-related risks considerations developing a method to Assessing compliance and ethics-related risk is an at the company. PwC refers to this ensure we identify all important—and often overlooked—part of integrating newly approach as conducting both a “top Through a combination of surveys and interviews involving acquired organizations. One highly acquisitive PwC client has instituted down” and “bottom up” compliance not only risk owners but also rank-and-file employees, companies applicable compliance a new risk assessment process to address this challenge. To start, the and ethics risk assessment (Figure can prioritize each individual risk area’s strengths, weaknesses, and requirements and assign CECO is a member of the M&A due diligence team, having contributed to 6). (See Food for thought – Risk opportunities, identify top risks by business unit, and inform a roadmap owners.” the overall criteria assessed by the company when considering making assessment considerations.) for addressing risks over time. In addition to keeping risk in each business unit’s line of sight, top-down and bottom-up findings help to assure the 2016 study respondent an acquisition. Pre-acquisition, she also establishes a 30/60/90-day Risk owners. Critical to effective risk /audit committee that the company fully understands plan to integrate the new subsidiary after the closing of the transaction. assessment and the implementation the risks associated with conducting its business and is mitigating them Post-acquisition, as part of that 30/60/90-day plan, the compliance and of control programs is the ability appropriately. In addition, when conducting a compliance and ethics organizations to identify owners of ethics team will travel to the new affiliate’s HQ to conduct an affiliate- to identify the persons within risk assessment, it can be helpful to clearly establish accountability with specific compliance and ethics-related specific compliance and ethics risk assessment, folding the output into the the organization responsible for risk owners by sharing detailed risk assessment results with the Board risks. However, organizations may be consolidated risk assessment results for the company as a whole. specific risks, which is not always of Directors/audit committee—once risk owners understand that risk relying too heavily on the legal and/ straightforward. Sixty-seven reporting is important to the Board of Directors/audit committee, they or compliance and ethics functions those risks most frequently. Our more (e.g., bribery and corruption), ideally, percent (67%) of respondents stated may take the task even more seriously. to manage these risk areas on a than 800 State of Compliance survey the business should “own” many there is a process in place at their day-to-day basis. respondents very rarely identified compliance and ethics-related risks, We asked respondents to identify who their organizations’ business units as such as import/export controls and Figure 6: Top-down, bottom-up risk assessment “owns” seventeen different compliance owners of any compliance risk. While government contracting, with the legal and ethics-related risks at their there are certain compliance and and/or compliance and ethics teams Identify executive and organizations (Figure 7). Respondents ethics-related risks that are typically monitoring and providing support to senior stakeholders Traditional approach indicated the legal or compliance and directly managed by the legal and/ the risk management efforts of the ethics departments “owned” eleven of or compliance and ethics functions business. Understand enterprise Traditional “top-down” approach where risk coverage should be strategic initiatives driven by issues that directly impact business value, with clear and Figure 7: Key “owners” of compliance and ethics-related risks Evaluate risk explicit linkage to strategic issues of impact the organization. Each risk has been attributed to the department which was most frequently selected as the ‘owner’. Figures in parentheses show the percentage of respondents who selected that department as the ‘owner’. The size of the circle depends on the number of risks "owned" (most frequently cited as the leader) by the department or function.

More fulsome Legal risk assessment results Compliance & Ethics Intellectual Procurement property Bribery or HR IT Operations Corporate (69%) corruption Communications “Bottom-up” approach Fraud Ethical Evaluate risk Records Insider (47%) (33%) sourcing impact management trading (40%) Employment Money Conflicts of Data Safety or Social “Bottom-up” approach is based on (30%) (43%) and labor environ- laundering interest Supplier security media information gathered from other Government Fair competition compliance mental (38%) (51%) compliance (79%) (41%) (71%) (26%) stakeholders who are “on the line” Conduct interviews with contracting or antitrust (42%) (29%) (59%) Privacy and and “in the trenches.” key stakeholders confidentiality Import-export controls (38%) or trade compliance Identify additional, middle (19%) management and employee stakeholders

10 PwC Laying a strategic foundation for strong compliance risk management 11 PwC State of Compliance Study 2016 PwC State of Compliance Study 2016

Oversight and responsibility

Overall, in examining compliance In leading compliance and ethics for, respondents selected compliance and ethics functions, it is clear that “Our most important priority this year is mapping of programs, the organization clearly monitoring (89%) more often than any “We are installing a hybrid the ownership of particular risks requirements to owners, policies, controls, and other defines oversight responsibilities other area of responsibility (Figure 8), structure as a central plays a critical role in determining and accountability for the Board of and this response cut across virtually how a compliance and ethics function information.” Directors, the designated compliance all of the industries represented in compliance function that is structured and operates on a 2016 study respondent function, the compliance committee the study. These results perhaps will operate as a guide, day-to-day basis. If many risks are and members of senior leadership. demonstrate that companies are not coordinating the oversight owned by the businesses, a central A reporting structure supports only increasing their emphasis on compliance and ethics function these oversight responsibilities and compliance with the law, but are also of the organization, may play more of a coordination accountabilities, with regular and being more sensitive to risk tolerance while the accountability role; if, as our study has indicated, a appropriate sharing of relevant and monitoring to ensure they stay for implementation of large majority of risks are owned by information. within acceptable bounds. compliance, the central function may compliance will remain take a more active role in guiding the Role of business unit compliance. Board-level compliance and with the business units to business and may have more significant Increased geopolitical pressures ethics committees. While the audit which the rules apply.” justification for greater headcount and, and subsequent regulations have committee oversees most compliance 2016 study respondent perhaps, funding. heightened compliance programs’ and ethics programs (65%), it is focus on “the rules” and increased the somewhat surprising that 20% of emphasis on ensuring compliance. respondents indicated that their committee to provide the appropriate This trend is illustrated in the results Boards of Directors have formed a level of oversight. of our study when considering how separate, stand-alone compliance/ companies utilize their business unit ethics committee to provide oversight Relative emphasis on ethics. While or business area compliance officers. of the compliance and ethics program. an increased focus on “the rules” has Seventy-two percent of respondents It may be that, due to the increased been necessary to keep pace with indicated they have dedicated business scope of companies’ compliance and increasing regulations, the emphasis unit or business area compliance ethics programs, Boards of Directors on ethics may have suffered as a officers. When asked what these are increasingly finding it necessary result. According to our survey, 9% compliance officers are responsible to form a separate compliance/ethics

Figure 8: Roles of business unit compliance officers What are the roles and responsibilities of your business unit or business area compliance officers?

Compliance monitoring 89% Investigations 58%

Advise and counsel to business unit management and employees 82% Compliance auditing 50%

Reporting to local management and/or Training 79% 50% local compliance committee

Disciplinary 69% 25% Policy development decision-making

Risk assessment 62% Other 4%

Reporting to central compliance function 60%

12 PwC Laying a strategic foundation for strong compliance risk management 13 PwC State of Compliance Study 2016 PwC State of Compliance Study 2016

legal may be a further indication of thought—Compliance committees.) to select those activities their in-house “We strive for regulatory the function’s rising emphasis on Fewer companies this year indicated compliance committees regularly Oversight and responsibility in action regulatory compliance, particularly in they have an in-house compliance conduct. Respondents selected eleven compliance underpinned Organizations have landed in different places when it comes to by a good ethical climate.” highly regulated industries. Expanding committee, compared to respondents of the fourteen possible activities less the compliance function beyond a in 2015 (Figure 9). However, of those frequently than in 2015 (Figure 10). assigning dedicated compliance and ethics officers to business 2016 study respondent traditional focus on the legal aspects of participants who responded that there Concurrently, it appears that more units. Some have taken the path of creating a “liaison” or “ambassador” compliance, such as to oversee ethics is no in-house compliance committee at compliance committees than ever role, typically a person who has business responsibilities that has taken or become more involved in business their organizations, a majority (55%) “review output of key compliance on additional responsibilities without a formal reporting line to the of respondents’ organizations have central or corporate compliance and ethics function. In one organization, a Chief Ethics Officer separate from strategy, may be more difficult to do indicated there is another management performance indicators (KPIs),” “review when the function is housed in the committee that is responsible for (annually) the effectiveness of the compliance and ethics “champions” are volunteers who are then formally their CCO, and one-third (33%) have appointed by senior management. The champion role is considered a CCOs who also serve as Chief Ethics legal department. However, in those overseeing compliance risk or risk compliance program,” and “approve organizations where compliance is overall. By eliminating or, ideally, corporate compliance policies or policy position of distinction, and the champions support a variety of compliance Officers. A majority of respondents’ and ethics campaigns and provide advice to business unit personnel. organizations (56%) do not have firmly rooted in the legal area, the never creating redundant committees, revisions.” By focusing more time on opportunity to leverage the chief these organizations may be attempting fewer activities, compliance committees Typically, these individuals would not become involved in monitoring anyone in a Chief Ethics Officer or even investigations, but their existence is an important tool for the capacity at all. legal counsel’s possible standing as a to increase efficiencies in compliance may be attempting to streamline their member of the executive or leadership and ethics risk management and efforts, increase effectiveness and organization to embed compliance and ethics into the business. While the organizational structure team could provide a pathway to perhaps have achieved a higher level reduce overlap with other committees / for ethics responsibilities can, and driving additional strategic inputs by of coordination with other risk-based groups. probably should, vary significantly by compliance leaders. functions. company and by industry, the absence of ethics in an officer title could be In-house compliance committees. Furthermore, those respondents Figure 9: In-house compliance committees by company size one indication that there may not be One area where organizations may be whose organizations do have in-house enough focus on ethics across the working to increase the effectiveness compliance committees appear to Does your company have an in-house compliance committee to support compliance efforts? organization. However, depending of their compliance and ethics- be refining the activities with which on how domestic and international related activities is the in-house those committees are tasked. As part compliance committee. (See Food for of our survey, we asked respondents geopolitical uncertainty plays out, 81% the pendulum could swing back, with decreasing regulatory demands. In 68% that case, companies may have more Food for thought—Compliance committees 63% 58% profound interest in focusing on 56% While our study reveals that compliance committees are 53% 52% ethics and a greater capacity to do so. 51% focused on a tighter group of activities to provide support of companies have an in-house Regardless, there is really no room compliance committee compared to the compliance function, we also recognize that committee members 42% for a swinging pendulum, as leading to 64% in 2015 (in particular those representing the business) are key to establishing compliance and ethics programs focus and reinforcing connections with business units to ensure that risks on both aspects. are sufficiently and effectively managed. One trend we have seen is that Reporting structure. Our data committee members themselves are taking on some compliance-related also shows that compliance and tasks rather than adding to compliance and ethics headcount. For example, ethics functions most often report some members may be specifically responsible for following up with their businesses (or functions) on training completion, compliance risk Less than $1 billion $1 billion to less than $5 billion to less than Over $25 billion organizationally to the chief legal $5 billion $25 billion counsel—this reporting structure assessment activity or mitigating controls deemed to be weak following a occurs in 36% of companies, up compliance breach or other incident. For more information, see the PwC 2016 2015 5 points from 2015. The tie into paper, Trends in compliance organizational structures, May 2016.

14 PwC Laying a strategic foundation for strong compliance risk management 15 PwC State of Compliance Study 2016 PwC State of Compliance Study 2016

A look at those with the strongest compliance commitment

For the first time this year, PwC communication efforts. It was Our data shows that organizations Figure 10: Activities conducted by in-house compliance committees created an index to measure and tempered by lower overall scores in where senior leadership is more What activities does your in-house compliance committee regularly conduct? monitor organizations’ commitment to senior leadership’s support of the committed to compliance (those compliance. The index is based on five compliance and ethics program and the with a high index) are more often Identifying compliance-related risks 73% questions relating to senior leadership’s compliance and ethics function’s lack of taking actions to inject compliance 74% personal and organizational participation in strategic planning. management into both strategy commitment to the compliance and and everyday operations. They are Reviewing (annually) the effectiveness of the compliance 70% ethics program. It provides a score that Based on the overall index score, we effectively establishing the tone at the program 64% can be tracked over time. categorized companies as scoring top, assessing compliance and ethics either high, medium or low. Companies risks in efficient collaboration with Approving corporate compliance policies or policy 69% The average 2016 index across with a high index (i.e., those where revisions other risk functions and building the 63% all respondents is 7.10 based on a the index identifies leadership as more governance and oversight structure possible range of two to 10. The index committed to compliance) stand out in Assessing business risks and their impact on compliance that provides them with high levels of 55% was buoyed by the pervasiveness each of the three dimensions discussed confidence over regulatory matters. 57% of organizations having a CCO or in this report (Figure 11). Inputting to annual compliance and ethics work plans CECO and by leadership’s formal 53% 58% Figure 11: Areas where organizations with a strong compliance and ethics commitment stand out Undertaking compliance risk management activities 51% Companies with All respondents 68% a high index Reviewing risk indicators and analysis of trends Tone at the top The compliance and ethics function is inherently integrated into all strategic 33% 18% 45% activities and plans 50% Senior leadership formally communicates monthly with employees regarding 27% 19% Approving annual compliance and ethics work plans the importance of a compliance and ethics culture and/or other compliance and 45% ethics-related topics 46% The oganization assesses its tone at the top 63% 48% Reviewing output of key compliance performance Risk The company has an ERM process 84% 77% 44% indicators (KPIs) assessment 44% They conduct compliance and ethics risk assessments 79% 66% They have a process in place to identify owners of specific compliance and 78% 67% Crafting compliance and ethics-related communication 28% ethics-related risks plans 37% Oversight and They have an in-house compliance committee to support or oversee compliance 61% 52% Determining compliance and ethics-related curricula and 27% responsibility efforts associated audience(s) 34% Business unit or business area compliance officers are full-time compliance 66% 58% resources Prioritizing compliance related investment decisions 26% 28%

Vetting compliance and ethics staff/staffing changes 15% 28%

Approving annual compliance and ethics budgets 13% 2016 20% 2015

16 PwC Laying a strategic foundation for strong compliance risk management 17 PwC State of Compliance Study 2016 PwC State of Compliance Study 2016 Contacting PwC Conclusion

Certainly compliance officers have ethics, which will help to solidify data reflects a genuine focus and To have a deeper conversation about how a tough challenge grappling with a both commitment and active program prioritization of activity performed, compliance officers can expand their roles complicated risk landscape and ever- engagement. as evidenced by the board-level to become partners to the business, please changing regulatory requirements. compliance/ethics committees and contact: Connecting compliance to business At the same time, management of risk business unit compliance officers’ focus strategy provides the foundation for is becoming more nuanced, which can on monitoring. both a culture of compliance and make it both more complicated and Authors ethics, and management programs expensive. Compliance leaders should By laying a strong foundation with Andrea Falcione that help ensure the organization find the balance between the use of the right executive tone, strategic Managing Director conforms to all necessary regulatory enterprise-wide risk management involvement, coordinated risk (617) 530 5011 requirements and ethical standards. programs and the need for more assessment and focused oversight, [email protected] detailed compliance risk assessments chief compliance and ethics officers Tone at the top does just that; it sets so that efficiencies can be gained yet can enhance the value that compliance the compliance and ethics tone for the the Board and senior leadership can provides to the organization, helping Seth Cohen organization, which is particularly remain confident that compliance risks to manage risks associated with the Director important as compliance and ethics are adequately assessed and owners of organization’s strategic objectives, and (646) 471 0105 enters its next phase of maturity. those risks are appropriately identified. driving cost-effective compliance. [email protected] Organizations have the opportunity to drive a more refined approach to Finally, the structure of compliance James McKillop measuring senior leadership and oversight varies, driven in part by Manager its commitment to compliance and organizations’ risks. In all cases, the (617) 530 7458 [email protected] Five tough questions to ask about your organization’s

state of compliance? www.pwc.com/us/stateofcompliance 1. Does your organization’s senior leadership make the delivery of compliance and ethics messages a priority?

2. Is your organization’s senior leadership measured in any way on its commitment to compliance and ethics?

3. Does your organization’s existing risk assessment process capture the current state of compliance and ethics risk management with sufficient detail so as to power your planning and execution of necessary mitigation activities?

4. Does the structure of your organization’s compliance and ethics function truly enable and support key activities to address prioritized risk areas?

5. Do your organization’s Board and senior leadership provide meaningful oversight and support of the compliance and ethics function?

18 PwC Laying a strategic foundation for strong compliance risk management 19 pwc.com

© 2016 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. 205524-2017