The latest findings released today from the anticipated Deloitte and Compliance Week survey demonstrate a tidal shift with modern corporate compliance functions gaining more authority and stronger organizational support for compliance programs. Fifty nine percent of respondents reported that the chief compliance officer (CCO) job is now a stand-alone position, up from 37 percent in 2013, with 57 percent now reporting directly to either the CEO or the board.

In its fifth year, the "In focus: Compliance Trends Survey 2015" measured the responses of more than 360 compliance professionals from around the world representing more than a dozen industries including financial services, health care, and consumer and industrial products. While the survey data shows a clear trend toward a more empowered CCO with a higher position in the organization, concerns and challenges related to broader recognition of the value of compliance appear to persist. In addition, many companies' existing technology solutions continue to fall short of compliance needs.                               

"In the five years since we began the survey, we've seen a significant rise in the establishment of compliance officers and departments as critical functions across organizations worldwide," said Matt Kelly, editor and publisher, Compliance Week. "That growth strengthens the findings of this survey, and hopefully sheds the collective spotlight on the ethics, compliance and risk issues organizations are facing today."

CCO Authority Across the Enterprise 
According to this year's survey, challenges remain in embedding compliance culture throughout the entire organization and its extended enterprise. Results are mixed on whether the enhanced authority and positioning of the CCO has also enhanced the perceived value and level of support of the program throughout the entire organization. As with prior surveys, a minority of respondents – only 32 percent in the 2015 study – feel that the compliance program is recognized for driving business value throughout the company. With small staffs continuing to be the norm, support of the compliance program within the business is critical to the CCO as he or she tries to help build a strong, transparent, risk-intelligent enterprise.

On a related point, only 43 percent of respondents said their corporations have designated compliance officers in subsidiaries, business units, or geographic markets. And within that group who do, only 49 percent of those business unit compliance officers report to the global CCO; 40 percent report to local senior managers. One question to contemplate as CCOs digest this report, then, is whether their entire compliance "function" has proper ability and authority to carry out its mission, regardless of the CCO's particular reporting relationship.

Assessing Risk and Program Effectiveness
Thirty percent of respondents still say they do not measure the effectiveness of their compliance programs. Tom Rollauer, executive director, Deloitte Center for Regulatory Strategies, Deloitte & Touche LLP, emphasizes the importance of the risk assessment process. "For me, the risk assessment is at the center of the effort to manage compliance risk. If you have a robust enterprise-wide risk assessment process, your priorities will evolve out of that. CCOs should be setting compliance monitoring and testing priorities based upon these risk assessments."

A potentially concerning trend carried over from the 2014 and prior surveys relates to the oversight of third-party relationships across the extended enterprise. Third parties compliance risks continue to be the single biggest worry for surveyed compliance professionals, and proactive management of risks within the third-party population appear to remain inconsistent. Forty two percent of respondents indicated that they always audit compliance with policies or regulations; 38 percent always perform extensive background checks; and 32 percent always require training or certification.

Big Problem with Big Data
Compliance teams are keenly interested in advanced predictive analytics that can aid in predicting future risks before they erupt into a catastrophe, or to assist with regulatory change management. Few tools now can perform those functions without a major customization effort. "While big data and GRC tools may hold the key to effective risk assessment and control monitoring, many organizations are still waiting for the promise to be fulfilled. New applications and increasing access to data are coming, and that will take compliance to the next level with predictive analytics," said Nicole Sandford, partner and national practice leader, enterprise compliance, Deloitte & Touche LLP.  

Only 32 percent of survey respondents report feeling confident or very confident in their IT systems, down from 41 percent in 2014. The report suggesting lack of confidence in IT systems may trace back to the relatively small size of compliance departments, which forces them to depend on other departments or business units in the enterprise to supply the data CCOs need. "In essence, compliance functions are still spending a disproportionate amount of time collecting data, versus time spent adding strategic value to the business through analyzing and trending the data collected," added Sandford.