Drawing on the opinions of 201 senior decision-makers from more than 30 countries, White & Case LLP and KPMG LLP issued the results of its “2023 Global Compliance Risk Benchmarking Survey” earlier this month.
The report offers powerful insights into compliance practices across industries worldwide and the strategies employed by companies to manage their compliance risks, including anti-corruption risk assessments, third-party management, ESG risk, use of artificial intelligence and ongoing cybersecurity worries.
Below, we delve into a few of these areas and survey results – and the significance of them.
Third-party risk
Asked whether the Compliance and Ethics function had ever felt pressured to approve a third-party engagement that the respondent believed posed an unacceptable corruption risk, 13% in the financial services sector said “yes, on more than one occasion or for more than one third party”, as did 11% in the energy sector, making financial services and energy the two industry sectors with the highest share of “yes” responses.
Use of third parties was cited as the greatest anti-corruption risk facing their company by 59% of respondents.
Pressure to meet sales targets came in second (36%) and managing gifts and entertainment came in third (35%). At the other end of the scale, and far less concerning for organizations, was managing the risk of lobbying and political contributions (around 9%).
Most interesting was the question of performing compliance audits on third parties. A large number of respondents (40%) said they only audit third-party compliance “irregularly, depending on triggering events”.
This approach assumes that the company is able to detect all of those triggering events when they happen, which in reality is not always the case.
Also, given the fact that liability in this area can be strict and, as the report highlights, that 90% of Foreign Corrupt Practices Act enforcement matters identified a third party as part of the bribery scheme, it is almost certainly worth investing compliance time and resources into it.
Anti-corruption risk management
A majority of respondents said they conduct documented anti-corruption risk assessments (79%), but only 47% conduct these specific risk assessments every year, 17% do so on an irregular basis, and 11% say they do not perform them or have any planned. Almost one in five companies with fewer than 10,000 employees report not conducting them at all (18%).
A concerning aspect of the findings involved the different rates between industry sectors: Companies in the energy and natural resources and pharma/healthcare industries are most likely to conduct risk assessments, with 94% and 93% of respondents in these industries, respectively, conducting risk assessments.
Companies in the financial services and technology, media and telecom industries were far less likely to report that they conducted (only 15%) or planned to conduct (only 17%) risk assessments.
This is shocking considering the emphasis the financial services regulators have placed on businesses conducting regular risk assessments and the sometimes steep penalties meted out for not doing so.
Also interesting is just how much those regular risk assessments make a difference. Among those respondents who perform them, 69% said their boards are adequately engaged in discussions about the compliance program’s performance, and 73% said the same about the board’s understanding of anti-corruption risks.
Among those who don’t perform risk assessments, though, the numbers drop to 32% and 36% for board engagement and understanding, respectively.
Companies that spend time and devote resources to assessing risk are likely communicating their findings to their boards, and getting support and feedback from board membership. Each ingredient of this loop reinforces another.
Expertise in and emphasis on anti-corruption initiatives likely trickle up and down from management to the board leadership to place the company on a path toward more decisively monitoring this risk area.
Data analytics
The survey showed that use of data analytics is becoming more commonplace, but most companies are still developing their approach.
Most said they were still developing their approach, for example through a patchwork of scalable system processes and manual processes (45%), and a sizable minority said they had what they would call a “rudimentary” approach that involved mainly non-scaling and manual processes (24%).
Only 9% would call their data analytics approach “advanced,” with integrated monitoring, reporting and automation across systems.
Overall, the survey showed that most companies are using data analytics to support core compliance program activities. Over half of respondents reported using data analytics to enhance risk assessments (58%); develop reports, visualizations and/or dashboards (58%); and manage training and certification requirements (55%).
Notably, the 9% of companies that self-identified as having “advanced” data analytics programs were more likely to use data analytics in areas that relate to management of real-time business risk. For instance, these respondents were almost twice as likely to report using data analytics to perform risk-based transaction monitoring and testing (89%) as the average (47%).
They also were more likely to use data analytics to identify third parties for heightened screening and diligence (72%) than the average (48%); and to track and manage compliance requests and approvals (72%) than the average (39%).
All of this goes back to an earlier point on third-party risk management – if more respondents had answered “advanced” with regard to their data analytics capabilities, they could possibly be better at detecting risk factors with their business partners.
It’s also interesting to see some delay or disinterest in this area, considering that regulators such as the SEC are using more advanced technological solutions (here is FINRA’s approach) and often remind businesses that they expect the same from the institutions they oversee.
Additionally, data analytics are another way to showcase one’s adherence to robust risk monitoring and can further enhance a compliance program in need of remediation, possibly earning cooperation credit from the Department of Justice.
Reporting wrongdoing
A full three in 10 respondents (75%) said their anti-corruption programs are not tested regularly for effectiveness. Only 28% report doing it annually, with 27% doing so periodically but less frequently than annually, and 22% doing it only when specific risk is identified.
When it comes to reporting bad acts internally, fear of retaliation topped the list of reasons for employees to be reluctant to use corporate reporting mechanisms. A full 55% cited that fear, with the number being a whopping 75% for the largest businesses – those with over US $50b in revenue.
A concern that “nothing will be done about it” came in second – 50% for all businesses and 63% for the largest ones.
Worth noting is how many people are concerned the reporting mechanism is not anonymous; 47% of all businesses said this was their greatest fear of reporting wrongdoing, and 67% of those in the largest businesses said as much.
Anonymity is a tough concern to address, as investigations of reported wrongdoing cannot always remain fully anonymous.
But there has to be more corporate resolve around strongly prohibiting any form of retaliation in the business. Inside and outside counsel can provide guidance here, and various departments should weigh in when any employee who has made a report is being considered for any type of employment change.
But more importantly, employees must hear the company has an anti-retaliation policy, that it takes the matter quite seriously, and then witness evidence of this commitment actually play out.
Escalations
There is also a significant amount of uncertainty around compliance escalations. Here again, testing and measurement remain a challenge for organizations.
For example, only 51% of respondents indicate that their company measures employee awareness of escalation and reporting mechanisms, and even fewer (36%) report that employee comfort levels with using these mechanisms are measured.
The shift to remote working and its general acceptance means that investigations and interactions with regulators are being conducted remotely and that this will continue to be the case in the near future.
A disproportionate number of companies that received high escalation volumes reported a decline in compliance escalations during the pandemic. It would be interesting to see whether this trend continues post-pandemic.
The survey authors suggest that compliance teams at companies that are experiencing a drop in the number of escalations should examine “whether these declines were related to a general decrease in high-risk activities during the COVID-19 pandemic and/or whether remote working may have caused an underreporting of compliance issues, which, in turn, could inform thinking about remote work policies going forward”.