DLA Piper’s 2016 Compliance & Risk Report: CCOs Under Scrutiny
The first DLA Piper compliance survey arrives at a crucial hour, with regulators and enforcement authorities increasingly viewing the establishment of ethical and compliant business cultures as one of the most important tasks for corporate boards and C-suite executives.
In this environment, companies must create sustainable cultures of integrity that empower personnel at all levels to make the right decisions. This is often the most difficult job for CCOs. Our survey results demonstrate that CCOs are worried about personal liability and that companies are still struggling with monitoring and auditing their compliance programs.
Building on the success of our inaugural examination of compliance programs, we already are at work on our second annual compliance survey, which will include a special focus on directors – their views of compliance and how best to engage and educate a firm’s governing body about compliance issues – and on the unique issues confronting both foreign and domestic multinational businesses.
Senator George Mitchell
In my career as General Counsel and Chief Compliance Officer at global Fortune 500 companies, and more recently as a director of publicly traded companies, I have seen the best and the worst of how compliance can affect a company’s financial performance, reputation and culture. And so, through that lens, we at DLA Piper set out to conduct a survey that would produce meaningful and practical direction for compliance professionals in companies big and small, public and private.
More than simply a collection of data, this survey provides insights, analysis and actionable guidance to help ensure that your compliance program is working to protect not only your company, but also yourself and all of the individuals charged with developing and implementing the program.
And with that, I am proud to introduce the first annual DLA Piper compliance survey.
Co-chair of DLA Piper’s Global Governance and Compliance practice
Co-managing Partner (Americas)
“One of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing.”
— U.S. Deputy Attorney General Sally Q. Yates, Sept. 9, 2015
Contained in what is now commonly referred to as the Yates Memo, those words sent waves of apprehension through the corporate compliance world last fall. Coupled with the appointment of Hui Chen as the Justice Department’s first-ever compliance counsel and accompanied by a steady drumbeat of guidance from Andrew Ceresney, Securities and Exchange Commission director of enforcement, the memo seemed to signal a new era of scrutiny and personal liability for senior executives and compliance officers.
That apprehension hasn’t subsided among the vast majority of compliance officers and CEOs, according to DLA Piper’s 2016 Compliance & Risk Report: CCOs Under Scrutiny. More than eight in 10 respondents to our survey said they were at least somewhat concerned about the change in tone and tactics from Washington. Ninety-one percent predicted greater scrutiny now that Hui Chen has been appointed compliance counsel. And nearly two-thirds said the recent developments would affect their decision to remain or accept positions as CCOs.
Potentially exacerbating the situation, compliance resources aren’t keeping pace with increasing oversight, respondents said. Only about a third were confident that they had sufficient resources to do their jobs – and the vast majority said they have not changed their compliance programs in the wake of the recent saber rattling from Washington.
The tension between heightened personal liability and stunted resources could have multiple negative implications for the compliance industry. It could drain the industry’s talent pool, for instance, acting as a deterrent for early-to-mid career professionals. “If you have another 25 years to work, do you really need this kind of risk?” one experienced compliance officer told us.
With this as a backdrop – and with no indication that federal oversight will diminish any time soon – the following report aims to provide an insightful picture of the state of compliance: What are the greatest risks companies face, how are employees being trained, what is the status of the compliance chain of command and what actions should companies take in this new landscape?
More external pressure, but little change – so far
Despite the change in tone from Washington, 79 percent of survey respondents said they had not altered their compliance programs in response. This could be a timing issue – Chen’s appointment and the Yates Memo are both fairly fresh – but other factors could be at play.
Many respondents don’t seem to think they have the resources necessary to build and maintain strong compliance programs. When asked if they had sufficient resources to do their jobs, only about a third (30 percent) answered “to a great extent.” This could be a function of CCOs’ continuous drive to improve, and of senior managers’ general reluctance to allocate resources to non-revenue-generating functions and exclusive focus on measuring the return on investment for any expenditure. But clearly some CCOs feel they’re not getting what they need – nearly a quarter said they only had sufficient resources “to a small extent” (12 percent) or “not at all” (12 percent). That group is likely to experience particularly acute anxiety as regulators turn up the heat.
“You sit in this role and you always think of more that could be done if you had more people or more resources,” one seasoned CCO told us. “But if you’re being held accountable and you don’t feel you have sufficient resources – and you’ve asked for them – that’s very problematic.”
Respondents were about evenly split on whether they encountered resistance when requesting budget increases, though some said pointing to the consequences of violations helped their cause. In that sense, the new scrutiny from Washington could help shake loose the resources they need. Sometimes, one CCO said, senior executives and board members need to be “scared straight.”
But in post-survey interviews, several CCOs said some companies likely haven’t changed their programs simply because they don’t feel they need to. These CCOs said the recent changes from Washington, while significant, merely add clarity to the guidelines that companies were – or should have been – following already.
“For companies that have not taken compliance responsibilities seriously in the past, I guess having a compliance counsel in the DOJ to ask questions is frightening,” said another CCO. “But, you know what? Compliance responsibilities have been out there for a long time.”
Still, as the survey results demonstrate, the majority of compliance officers are deeply concerned. In certain industries, that concern may be justified even if they believed their houses were in order prior to fall 2015. The most heavily regulated industries, such as financial services, healthcare and chemicals, already face the most scrutiny, and compliance executives in those organizations are more likely to be unnerved by increases in scrutiny. One CCO told us that financial services – which he described as “about as popular as Congress” – stands to feel the most heat.
Concern about growing personal liability will also enter into career choices for many compliance professionals, according to the survey. Sixty-five percent of respondents said the increased scrutiny would have an impact on their decisions to remain CCOs or to accept new CCO positions.
“If it’s a higher-risk company or one with a prosecutorial history, you’re going to weigh the risk of whether it could destroy your career and your personal life,” said one CCO we spoke to.
Greatest risks, preparedness and training
Not surprisingly, cybersecurity, data privacy and regulatory risk were respondents’ greatest compliance concerns, and their compliance spending tracked closely with those concerns. Interestingly, though cybersecurity topped the list, only 50 percent of respondents said they had cybersecurity insurance policies and only 10 percent had ever filed a related claim.
More than three-quarters (77 percent) said they had business continuity and disaster recovery programs and crisis response teams in place. Seventy-three percent said they had formal, written crisis management protocols.
Respondents said they considered monitoring to be the weakest aspect of their compliance programs and also the aspect (along with training) that took up the most time. Audits were respondents’ tools of choice for measuring the effectiveness of compliance programs, along with training data and online assessments. Sixty-five percent said they used online, interactive training – and public companies were more likely to use those methods.
Chain of Command and Board Reporting
Forty-four percent of respondents said the compliance officer at their company reports to the chief legal officer, while 25 percent of respondents said the compliance officer reports to the CEO. When asked about optimal reporting structures, however, respondents were more evenly split between these two reporting lines – 28 percent believed a direct report to the chief legal officer was best while 29 percent preferred a direct line to the CEO. Also interesting, whereas 11 percent of respondents said their compliance officer reports to the board, more than two times as many respondents (29 percent) preferred a direct report to the board.
Reporting to the board has the clear advantage of creating a direct line to the ultimate decision makers and would satisfy the oversight requirement in the federal sentencing guidelines. Given the current environment, that advantage may be increasing, particularly for CCOs who foresee increased scrutiny without a corresponding increase in resources. Directors also often bring broader perspectives than senior executives. In addition, regulators expect CCOs to have access to senior decision makers, including the board.
“A lot of our board members sit on other boards,” one CCO told us. “They bring that learning to the boardroom, and from that standpoint, the board has helped a lot – getting educated on the outside or through their own reading.”
About two-thirds of respondents said they report metrics to their board of directors or an audit committee. Increased exposure to the board and/or audit committee can help CCOs and directors alike. Directors become more informed about the organization’s greatest risks while CCOs become more informed about how to best reach and communicate with directors.
“What’s happening is corporate America is seeing that the position they once thought might be more of a mid-level is more of a higher level,” Roy Snell, CEO of the Society of Corporate Compliance and Ethics, told The Wall Street Journal in October.
Amid this shifting compliance landscape, we present the following results. When informative, we’ve provided a comparison of results by respondents from public and private companies.
DLA Piper is a global law firm with lawyers located in more than 30 countries throughout Africa, the Americas, Europe, the Middle East and Asia Pacific, positioning us to help companies with their legal needs anywhere in the world.