How to keep compliance and ethics on target

Compliance and ethics management can be a bit like exercise: Intentions may be good and you can put a plan into place, but your results won’t be superb unless you continue to work at it with diligence.

Just as many a well-intentioned fitness effort falls short, so too do those companies that approach compliance and ethics issues in unfocused, inefficient ways. There isn’t much room for error, given the twin challenges of an increasingly complicated regulatory landscape and the heightened level of scrutiny from regulators.

A recent report sheds light on just how much work companies still have to do to get in shape. PwC’s sixth annual State of Compliance Study, which surveyed more than 800 global executives, shows that a number of factors hinder compliance and ethics efforts, ranging from inefficient top-down communication to uncertainty about who owns the responsibility for particular initiatives. 

Sometimes, it’s also a question of how ethics fits into foundational strategy. “After many years, maybe 20-plus of compliance and ethics programmes, we’re still seeing that compliance officers aren’t truly integrated into the strategy activities of companies,” said Seth Cohen, director, risk management and compliance solutions at PwC and co-author of the report. Just 36% of compliance officers are so integrated, the study reveals, “and you’d think that number should be higher. There’s room to grow.”

As for how to approach compliance and ethics successfully, Cohen suggested these six action steps companies can take:

Keep communication clear, consistent, and constant. The report indicates that while 82% of senior leadership communicates with employees on ethics points, the dialogue often takes place through channels such as email. “If you go under the hood, only 46% go through business [unit] meetings, so much of the communication gets lost in the shuffle,” Cohen said. “It should be more integrated at all levels—and not just come from the senior leadership, but the ones who run the business operations every day and communicate every day with employees.”

Identify the risk owners and take their responsibilities company-wide. Do you know who in your company is responsible for overseeing certain risks? The answer isn’t as straightforward as you might think. The study shows that while two in three companies have a process in place to determine the owners, many may rely too heavily on legal and/or compliance and ethics functions for day-to-day risk management. “It’s surprising that there’s not more ownership in the business in general,” Cohen said. “It’s thinking that for a potential risk, compliance and legal would initially own it and then transfer it to the business, which we believe is the ideal structure.”

Make compliance and ethics part of company strategy. Cohen said strategic involvement is essential for companies to focus their compliance and ethics and monitoring activities. One in five respondents reported that their organisations now have a stand-alone board-level compliance and/or ethics committee. “We think there’s some specialisation taking place on the board level, and that might be a good thing,” Cohen said. “The compliance report may be the last 15 minutes in a four-hour meeting, but at least they’re getting more than five minutes, and we hope that trend continues.”

Form a “risk incubator”. Risks to companies are changing at a speed as fast as the digital landscape. “But if a new risk emerges, with a risk incubator we can develop the necessary activities to mitigate the risk,” Cohen pointed out. “And after an amount of time, those strategies come out of the incubator, and you give them to the company.”

A risk incubator is analogous to a business innovator: Think of an environment within the company where businesses can develop a comprehensive risk strategy before putting it into place. In doing so, they tap the brain power of capable employees who follow regulation and compliance issues and are familiar with the landscape.

Go beyond standard enterprise risk management. The study shows that 77% of companies have some kind of ERM process – and quite a number of those that have one, about 88%, say it covers compliance and ethics risk. “But 54% overall are doing compliance and ethics risk assessments beyond ERM,” Cohen said. Those that don’t “are not getting the data and information they need to do their short- and long-term planning, because they do not have enough granularity.”

Put someone in charge. If your company doesn’t have a chief ethics officer, now is a great time to consider naming one. “Fifty-six per cent of companies do not have a chief ethics officer,” Cohen said. Even if appointing one is not in the cards, find another way to take compliance and ethics front and centre. “We believe the organisation should have a focus on ethics in some way: either with an officer, as a core value, or making sure that employees are taught about how to make decisions ethically.”

Lou Carlozo is a freelance writer based in Chicago. To comment on this article, contact Ken Tysiac, a CGMA Magazine editorial director.

(Photo courtesy of PwC)