Compliance and ethics management can be a bit like exercise: Intentions may be good and you can put a plan into place, but your results won't be superb unless you continue to work at it with diligence.
Just as many well-intentioned fitness efforts fall short, so too do many companies' efforts to address compliance and ethics issues if they are unfocused and inefficient. There isn't much room for error, given the twin challenges of an increasingly complicated regulatory landscape and the heightened level of scrutiny from regulators.
A recent report sheds light on just how much work companies still have to do to get in shape. PwC's sixth annual State of Compliance Study, which surveyed more than 800 global executives, shows that a number of factors hinder compliance and ethics efforts, ranging from inefficient top-down communication to uncertainty about who owns the responsibility for particular initiatives.
Sometimes, it's also a question of how ethics fits into foundational strategy. "After many years, maybe 20-plus, of compliance and ethics programs, we're still seeing that compliance officers aren't truly integrated into the strategy activities of companies," said Seth Cohen, director, risk management and compliance solutions at PwC and co-author of the report. Just 36% of compliance officers are so integrated, the study reveals, "and you'd think that number should be higher. There's room to grow."
As for how to approach compliance and ethics successfully, Cohen suggested these six steps companies can take:
Keep communication clear, consistent, and constant. The report indicates that while 82% of senior leadership communicates with employees on ethics points, the dialogue often takes place through channels such as email.
"If you go under the hood, only 46% go through business [unit] meetings, so much of the communication gets lost in the shuffle," Cohen said. "It should be more integrated at all levels—and not just come from the senior leadership, but the ones who run the business operations every day and communicate every day with employees."
Identify the risk owners and take their responsibilities companywide. Do you know who in your company is responsible for overseeing certain risks? The answer isn't as straightforward as you might think. The study shows that while two in three companies have a process in place to determine the owners, many may rely too heavily on legal and/or compliance and ethics functions for day-to-day risk management.
"It's surprising that there's not more ownership in the business in general," Cohen said. "It's thinking that for a potential risk, compliance and legal would initially own it and then transfer it to the business, which we believe is the ideal structure."
Make compliance and ethics part of company strategy. Cohen said strategic involvement is essential for companies to focus their compliance and ethics and monitoring activities. One in five respondents reported that their organizations now have a stand-alone board-level compliance and/or ethics committee.
"We think there's some specialization taking place on the board level, and that might be a good thing," Cohen said. "The compliance report may be the last 15 minutes in a four-hour meeting, but at least they're getting more than five minutes, and we hope that trend continues."
Form a "risk incubator." Risks to companies are changing as fast as the digital landscape. "But if a new risk emerges, with a risk incubator we can develop the necessary activities to mitigate the risk," Cohen pointed out. "And after an amount of time, those strategies come out of the incubator, and you give them to the company."
A risk incubator is analogous to a business innovator: Think of an environment within the company where businesses can develop a comprehensive risk strategy before putting it into place. In doing so, they tap the brain power of capable employees who follow regulation and compliance issues and are familiar with the landscape.
Go beyond standard enterprise risk management. The study shows that 77% of companies have some kind of ERM process—and quite a number of those that have one, about 88%, say it covers compliance and ethics risk.
"But 54% overall are doing compliance and ethics risk assessments beyond ERM," Cohen said. Those that don't "are not getting the data and information they need to do their short- and long-term planning, because they do not have enough granularity."
Put someone in charge. If your company doesn't have a chief ethics officer, now is a great time to consider naming one. Fifty-six percent of companies do not have a chief ethics officer, Cohen said. Even if appointing one is not in the cards, find another way to take compliance and ethics front and center.
"We believe the organization should have a focus on ethics in some way: either with an officer, as a core value, or making sure that employees are taught about how to make decisions ethically," Cohen said.
The original version of this article, "How to Keep Compliance and Ethics on Target," by Lou Carlozo, is available at cgma.org.
CGMA Magazine is published in conjunction with the Chartered Global Management Accountant designation, which was created through a partnership between the AICPA and CIMA. The magazine offers news and feature articles focused on elevating and emphasizing management accounting issues.