How to Keep Compliance and Ethics on Target

By Lou Carlozo – December 21, 2016
How to Keep Compliance and Ethics on Target

Compliance and ethics management can be a bit like exercise: Intentions may be good and you can put a plan into place, but your results won't be superb unless you continue to work at it with diligence.

Just as many a well-intentioned fitness effort falls short, so too do those companies that approach compliance and ethics issues in unfocused, inefficient ways. There isn't much room for error, given the twin challenges of an increasingly complicated regulatory landscape and the heightened level of scrutiny from regulators.

A recent report sheds light on just how much work companies still have to do to get in shape. PwC's sixth annual State of Compliance Study, which surveyed more than 800 global executives, shows that a number of factors hinder compliance and ethics efforts, ranging from inefficient top-down communication to uncertainty about who owns the responsibility for particular initiatives.

Sometimes, it's also a question of how ethics fits into foundational strategy. "After many years, maybe 20-plus of compliance and ethics programs, we're still seeing that compliance officers aren't truly integrated into the strategy activities of companies," Seth Cohen, director, risk management and compliance solutions at PwC and co-author of the report. Just 36 percent of compliance officers are so integrated, the study reveals, "and you'd think that number should be higher. There's room to grow."

As for how to approach compliance and ethics successfully, Cohen suggested these six action steps companies can take:

Keep communication clear, consistent, and constant

The report indicates that while 82 percent of senior leadership communicates with employees on ethics points, the dialogue often takes place though channels such as email, for example. "If you go under the hood, only 46 percent go through business [unit] meetings, so much of the communication gets lost in the shuffle,"; Cohen said. "It should be more integrated at all levels — and not just come from the senior leadership, but the ones who run the business operations every day and communicate every day with employees."

Identify the risk owners and take their responsibilities company-wide

Do you know who in your company is responsible for overseeing certain risks? The answer isn't as straightforward as you might think. The study shows that while two in three companies have a process in place to determine the owners, many may rely too heavily on legal and/or compliance and ethics functions for day-to-day risk management. "It's surprising that there's not more ownership in the business in general," Cohen said. "It's thinking that for a potential risk, compliance and legal would initially own it and then transfer it to the business, which we believe is the ideal structure."

Make compliance and ethics part of company strategy

Cohen said strategic involvement is essential for companies to focus their compliance and ethics and monitoring activities. One in five respondents reported that their organizations now have a stand-alone board-level compliance and/or ethics committee. "We think there's some specialization taking place on the board level, and that might be a good thing," Cohen said. "The compliance report may be the last 15 minutes in a four-hour meeting, but at least they're getting more than five minutes, and we hope that trend continues."

Form a "risk incubator"

Risks to companies are changing at a speed as fast as the digital landscape. "But if a new risk emerges, with a risk incubator we can develop the necessary activities to mitigate the risk," Cohen pointed out. "And after an amount of time, those strategies come out of the incubator, and you give them to the company."

A risk incubator is analogous to a business innovator: Think of an environment within the company where businesses can develop a comprehensive risk strategy before putting it into place. In doing so, they tap the brain power of capable employees who follow regulation and compliance issues and are familiar with the landscape.

Go beyond standard enterprise risk management

The study shows that 77 percent of companies have some kind of ERM process — and quite a number of those that have one, about 88 percent, say it covers compliance and ethics risk. "But 54 percent overall are doing compliance and ethics risk assessments beyond ERM," Cohen said. Those that don't "are not getting the data and information they need to do their short- and long-term planning, because they do not have enough granularity."

Put someone in charge

If your company doesn't have a chief ethics officer, now is a great time to consider naming one. "Fifty-six percent of companies do not have a chief ethics officer," Cohen said. Even if appointing one is not in the cards, find another way to take compliance and ethics front and center. "We believe the organization should have a focus on ethics in some way: either with an officer, as a core value, or making sure that employees are taught about how to make decisions ethically."

This article first appeared in CGMA Magazine. For more articles, sign up for the weekly email update from CGMA Magazine at