Compliance professionals are increasingly weighed down by limited resources, competing demands, and urgent orders from company leaders to fight new fires.
As we head into 2022, these pressures on compliance teams are only set to grow, undermining their ability to be proactive and systematic in addressing third-party risks. This comes at a time when CEOs increasingly depend on them as the first line of defense against an array of threats that could result in devastating fines, sentences, or permanent damage to their companies’ reputations.
Fortunately, there are measures CEOs and their boards can take to support their teams better. These measures begin with identifying the newest challenges and threats.
Not immune to the Great Resignation trend, compliance teams have been beset by staff shortages. Almost half of U.S. executives say their companies have “much higher turnover” of employees overall over the past six months. At the same time, departments are still grappling with pandemic-caused remote-work challenges.
Compliance professionals are increasingly being saddled with responsibility for emerging concerns such as ESG (environmental, social and governance) compliance, while maintaining vigilance in core areas like anti-bribery and corruption. It’s not uncommon for departments to become dumping grounds for tasks such as contract management, employee screening or litigation support.
CEOs add to the pressure, depending on their compliance departments as the first line of defense against a growing array of threats that could result in devastating fines, sentences or permanent damage to their companies’ reputations.
Fortunately, we are at a pivotal point. The pandemic is waning, and companies are reinvigorating previously shelved plans. Now’s the time to increase compliance budgets, boost spending on due diligence and seek new compliance solutions.
One urgent priority these days is mitigating the risk that third-party suppliers overseas could be involved in modern-day slavery in countries such as Brazil, China and Thailand. A wide range of companies, from tech firms to medical device makers to industrial manufacturers, have partners in high-risk countries and are demanding extra layers of due diligence.
Also, Europe’s GDPR, California’s CCPA and the recent German GSCA have pushed third-party risk management, data privacy and ESG high up on compliance departments’ agendas, requiring serious investment and training in the right kind of technology systems.
At the same time, compliance departments can’t relax their guard on the core areas of bribery and corruption. Even though the number of U.S. FCPA actions and total penalties fell sharply in 2021, companies know that the FCPA still has the biggest teeth of any law and that enforcement could easily spring back in the years ahead.
CEOs must step up
The more compliance departments come under these strains, the greater the risk that their companies are exposed to serious violations. C-suite leaders and their boards should be looking to step up and offer greater support in several areas.
Compliance teams need the mandate of their C-suites, as well as the time and resources to do their jobs. Company leaders must have realistic expectations of what their teams can do—and how quickly—given their resources.
In particular, leadership should give much greater clarity on which departments oversee particular issues, and staff those departments accordingly. For example, does ESG monitoring fall to the compliance department or to supply-chain professionals?
Still using spreadsheets?
Investing in technology is also crucial, giving leaders greater visibility and allowing compliance teams to better assess risks. It’s shocking to see how many companies, even ones operating in high-risk regions, still use spreadsheets and email to manage their third-party risks. Others will rush out to buy screening tools but don’t think enough about how to deal with the administrative burden of analyzing the results.
Modern systems now allow compliance teams to build tailored programs, rather than relying on the old one-size-fits-all approach. These models can incorporate factors such as CPI (Corruption Perceptions Index) score, nature of business, type of third party, private or public company, and transaction volumes – all tailored to the risk level of the industry or country. By automating the onboarding and recertification of third parties, these programs free up time to focus on higher-risk tasks.
Implementing these changes isn’t always straightforward; it requires buy-in from other departments, including beleaguered IT teams. But they can go a long way toward making compliance teams more efficient and better able to insulate companies from the growing range of external risks.