Anti-corruption, data privacy measures, and creating the right “compliance culture” were the top three priorities for companies’ compliance departments in 2016 according to CEB data, and all of them will preoccupy heads of compliance this year too.
Recent news backs this up. For example, the $800 million that Rolls-Royce paid to settle bribery allegations with the UK Serious Fraud Office, US Department of Justice, and the Brazilian Ministério Público Federal shows that countries are joining forces in anti-corruption prosecution. Examples also abound of companies affected by data privacy issues (Yahoo’s recent woes being just one) and, on top of that, companies must prepare to comply with the EU General Data Protection Regulation taking effect in May 2018.
Three Compliance Priorities to Manage
Beyond these two big risks that heads of compliance must help manage and mitigate, they say the most valuable use of their team’s time is “evaluating and nurturing” a compliance culture, according to CEB data. Below are suggestions for how to tackle each of these priorities.
Anti-corruption – a KRI tracking system: While most companies have anti-corruption policies, less than a quarter of executives have confidence in their effectiveness. Regulatory requirements, which vary by location, can be extremely complicated to oversee.
To conquer this problem, a US-based insurer in CEB’s global network of compliance teams created a “key risk indicator” (KRI) model that used root cause analysis to detect anti-corruption risks before they burgeon into full-blown compliance failures.
The compliance team cooperated with other functions — including HR, Enterprise Risk Management, business units, and IT – to break down anti-corruption risk into smaller parts. Then, by taking external and internal factors into consideration, Compliance consolidated the 12 KRIs into four indicators for implementation. These included things like the percentage of “high risk” employees in high risk countries that had completed corruption training, or the number of times exceptions were granted to that country’s official government gift limit.
Finally, the function incorporated these KRIs into a risk tracking system, and created an anti-corruption dashboard that transformed abstract, unpredictable risk into something measurable (see chart 1).
Chart 1: Centralized KRI tracking system (anti-corruption risk snapshot, illustrative). Source: CEB analysis
Data privacy – start with the right philosophy: Data privacy is new enough as a risk that responsibility for it is still not fully settled at many firms, but it’s most common for the responsibility to fall under the compliance function, according to CEB data. This means that Compliance needs to collaborate with many other functions to make sure the company is protected.
The compliance team at an e-commerce firm in CEB’s networks developed a specific philosophy to guide its data privacy policies. To start off, Compliance referred to an industry framework — the American Institute of CPAs’ Generally Accepted Privacy Principles (pdf) — to get a handle on the scope of data privacy risks and to avoid overlap with existing information security policies (something that often falls under the purview of the IT function).
Then it added new elements to the framework, based on the company’s “global business and correlated enterprise risk,” according to the firm’s senior manager, risk and compliance (see chart 2).
Next, Compliance met with senior leaders from a variety of teams – including HR, Legal, IT, and Finance – for monthly discussions to check that the philosophy and actual data privacy practices are aligned throughout the enterprise. Once consensus is reached, the company reflects those principles in specific data privacy policies and guidance.
Chart 2: Adding to GAPP. Source: CEB analysis
Company culture – an integrity dashboard: A culture of integrity is the best defense against misconduct. Many companies are aware of that, yet they are still unsure of how to boost culture. One healthcare firm in CEB’s networks deployed a diagnostic survey on culture and analyzed findings across business units, functions, and geographies. The survey covered the seven components of a culture of integrity (pdf; see page 19), including comfort speaking up, openness, and tone at the top (see chart 3).
Then, the compliance team conducted a cultural audit of business units receiving low scores. During those audits, Compliance interviewed senior business leaders and employees to understand the cultural barriers perceived by the business. From that, it identified the root causes underlying compliance failures and the measures needed for improvement.
Chart 3: Corporate integrity dashboard (illustrative). Source: CEB analysis