DLA Piper’s 2017 Compliance & Risk Report:

 

Compliance Grows Up

Increasing budgets and board access point toward greater prominence, independence

The Winds of Change Sweep through Compliance

Much has happened around the globe since we issued DLA Piper’s 2016 Compliance & Risk Report. Voters in the United Kingdom shocked the world by voting to leave the European Union last summer – and then Donald Trump defied predictions that said he wouldn’t be elected president of the United States last fall.

 

We held those geopolitical developments in our thoughts as we started planning for our 2017 survey. Specifically, we wanted to know, how do boards of directors view the current state of corporate compliance in an era of deepening uncertainty? And how do those views compare with the perspective of compliance executives, the individuals tasked with the daily responsibility to ensure organizations stay within the bounds of constantly evolving rules?

 

In my career, I’ve been a chief compliance officer and a director, so I understand these different, but closely related, perspectives. Still, many of the disparities revealed by this year’s survey surprised me.

 

It’s important to acknowledge these differences and to try mightily to close lingering communication and knowledge gaps between directors and compliance executives. In fact, in the era we live in, it’s absolutely vital.

 

With these important thoughts in mind, I’m proud to present the second annual DLA Piper Compliance & Risk Report.

Stasia Kelly

Co-Chair of DLA Piper’s Global Governance and Compliance practice

Co-Managing Partner (Americas)

EXECUTIVE SUMMARY

Improvements to compliance programs, likely combined with recent political changes, are helping to reduce compliance executives’ concerns about personal liability. At the same time, the compliance function is becoming more independent and prominent in large organizations worldwide – though there remains significant room for improvement, especially in compliance’s relationship with boards of directors.

 

Those are among the top findings in DLA Piper’s 2017 Global Compliance & Risk Report. Amid an uncertain global compliance landscape – following the election of Donald Trump, and Brexit, among other factors – compliance professionals and directors from international and US companies noted improvement and diminished concern about personal liability, even as they shared many of the same lingering worries.

This year, 67 percent of chief compliance officers surveyed said they were at least somewhat concerned about their personal liability and that of their CEOs, down from 81 percent in 2016. And 71 percent said they made changes to their compliance programs based on recent regulatory events – up from just 21 percent a year earlier.

 

But clearly, there is more work to be done. The fact that two out of every three respondents remain concerned is significant – and indicates that an evolving compliance landscape, both in the US and abroad, still keeps many executives up at night. It could also indicate a general sense that compliance executives should never rest easy.


“You can never rest on your laurels – and there’s always something new out there. If you’re not moving forward, you’re falling behind,” said one CCO. “That’s the expectation of senior management and the board – that we’ll always be looking to improve our programs.”

 

The level of concern among members of boards of directors – surveyed for the first time this year – was even higher: 82 percent of directors said they were at least somewhat concerned about personal liability. This is likely related to other findings that show lingering kinks in communications channels and a persistent lack of training for directors. Together, these findings indicate that the relationship between the compliance function and boards needs work – despite efforts taken by organizations to upgrade their compliance program.

 

The following report analyzes the findings of this year’s survey, which we’ve broken into three categories, and provides practical guidance for organizations.

 

 

Resources

 

In 2016, 77 percent of compliance executives told us they had sufficient resources, clout and board access to support their ability to effectively perform their jobs. This year, 84 percent said they felt that way. The improvement is possibly a reflection of the increased percentage of respondents who actually had the resources to make changes to their compliance program, compared with the 2016 findings.

 

It also points to another trend evident in our survey results. Respondents are increasingly able to effect change, procure adequate resources, access senior leadership and run strong compliance programs, even in the absence of heightened regulatory risk or enforcement. Taken together, these data points indicate that the compliance function is gaining independence and stature within organizations. They could also point to compliance officers’ growing ability to demonstrate the value of compliance beyond risk management. “Compliance officers have to think like a business person to make an impact,” one CCO told us.

Meanwhile, the percentage of respondents who said their budget was not enough to accomplish their goals increased from 28 percent in 2016 to 38 percent. This could reflect business growth; one respondent noted that growing companies require additional compliance resources. “We are a growth company so compliance budgets need to stay in line with product developments,” the respondent said.


Compliance professionals who don’t feel they have sufficient budgets may need to focus on convincing senior leadership, including boards. According to our survey, 53 percent of directors strongly agree that their compliance group has sufficient resources, clout and board access. Just 29 percent of CCOs answered the question that way. While this could simply reflect a difference in perspectives, it could also show that some CCOs aren’t communicating their needs effectively. “It’s incumbent on the CCO to let people know at the board level if you don’t think you have the resources,” one CCO told us. “If there’s a compliance issue a year later, you can’t say you didn’t think you had what you needed.”

 

 

Reporting Structure

 

Further illustrating compliance’s growing prominence in corporate structures, the number of CCOs who report to the CEO increased compared with last year, while the number who report to general counsel or chief legal officers decreased. Still, respondents indicated a desire to continue climbing the corporate ladder. This year 37 percent of respondents said they believed compliance should report to the board – up from 29 percent in 2016. This could simply reflect the natural desire to move up the food chain. But it also likely reflects a growing focus on board oversight and an increased emphasis on ensuring boards understand the compliance function.

Of greater concern, many directors appear to be receiving inadequate reporting and training on compliance matters. About a quarter of both CCOs and board members said the compliance function at their organization reports to the board less than once per quarter – a remarkable finding. “When you realize the ramifications of board membership, it’s hard to operate without those regular reports from compliance,” said one CCO.


There also was a noticeable difference in direct reporting to boards between public- and private-company respondents. CCOs at public companies had more board access, and public-company directors are more aware of their heightened liability exposure. “At the end of the day, regulators will hold boards accountable,” one CCO told us.

 

 

Persistent Concerns

 

Training. In light of that perceived heightened liability exposure for directors, it is puzzling that 44 percent of director respondents said they hadn’t received any training on compliance issues. Given evolving compliance standards and regulations – such as new Securities and Exchange Commission guidance on conflict minerals and updated DOJ guidance on corporate fraud – it’s arguable that training is more important than ever. Failure to engage in training could amount to a breach of fiduciary duty.

 

The duty to train directors also falls upon CCOs. One CCO we spoke to advised thinking differently about training when it comes to boards. “Their schedules are packed. You really have to combine it with other messaging,” she said. “Last year we redid our code of conduct and the board had to approve it – we used that as our vehicle for training.”

 

Implementation. Despite the potential for increased personal liability, driving compliance initiatives remains a challenge. For example, less than half of organizations penalize employees for failing to complete compliance training. This is a confounding finding given the emergence of technology to make training more convenient for employees. But the nearly even split between organizations that use negative and positive reinforcement to incentivize training indicates how tricky the issue is. Many companies are reluctant to come down hard on employees who don’t complete training, and some have tried creative incentives.

 

Primary Risks. CCOs’ primary concerns – data security and privacy, cybersecurity and regulatory risk – haven’t changed much since last year. Not surprisingly, those concerns map to the areas where compliance budgets are concentrated, according to our respondents.

 

Monitoring. The challenges in monitoring compliance programs continue to bedevil compliance officers – 46 percent of our respondents chose monitoring as the weakest part of their compliance program. Monitoring is particularly important in managing third-party risk, as regulators remain focused on violations related to third parties and as companies struggle to manage sprawling global organizations. “A lot of people don’t have systems to monitor third parties,” one CCO told us. Or they don’t take the proper steps to investigate and potentially clear red flags that their monitoring uncovers. “That’s monitoring,” he said.

DLA Piper is a global law firm with lawyers located in more than 40 countries throughout the Americas, Europe, the Middle East, Africa and Asia Pacific, positioning us to help clients with their legal needs around the world.

© 2017 DLA Piper.  DLA Piper is a global law firm operating through various separate and distinct legal entities. For further information about these entities and DLA Piper's structure, please refer to the Legal Notices page of our website. All rights reserved. Attorney advertising.
