Posted by Nicole Sandford, Partner, Deloitte & Touche LLP
Deloitte recently presented at the 2014 Compliance Week Conference in Washington, D.C., which drew top executives and compliance professionals from leading companies across a wide range of industries. Hot topics included the rising importance of reputation risk and third-party risk, as well as the need for a more integrated and efficient approach to managing different types of compliance risk.
Managing risk and compliance in today’s fast-paced global business environment is more challenging than ever. To avoid trouble, many companies are conducting a number of risk assessments for different purposes, including those executed by internal audit, enterprise risk and compliance. All of these are important. However, many compliance professionals and executives at this year’s conference expressed concern that these efforts have not been well coordinated, resulting in “assessment fatigue” in the businesses.
In addition, there seems to be growing frustration at the sheer volume and complexity of risk-related information that is being generated without being appropriately linked and synthesized. Looking ahead, we expect to see a strong push for improved efficiency and consolidation in this area. For example, companies may choose to expand their enterprise risk assessment efforts to more fully consider compliance-related risks rather than continue to conduct them separately. This may require additional tailoring of the assessment processes, as many compliance risks won’t rise to the level of strategic or critical “enterprise” risks as traditionally defined. However, such risks need to be identified and appropriately managed across the organization.
Another point that was made throughout the conference related to reputational risk, which is increasingly being considered a strategic risk. With the rise of social media and other global communication technologies, bad news spreads like wildfire. And few problems are more damaging to a company’s reputation and brand than a compliance problem. In the past, most businesses did not pay much attention to compliance unless they operated in a highly regulated industry such as banking or pharmaceuticals. But now, companies in every sector are making compliance a priority in order to protect the value of their brand.
Third-party risk is another rapidly emerging challenge. Outsourcing a set of business activities does not absolve an organization of its responsibilities for those activities in accordance with applicable laws and regulations. Many companies have found themselves being scrutinized by the public and the press for actions committed by an obscure supplier buried deep in the supply chain. What’s more, regulators are increasingly holding companies accountable for the actions of their suppliers and vendors — punishing big-name companies to set an example for everyone else. Although more and more companies are recognizing the problem of third-party risk, few have actually addressed the issue through more active, hands-on monitoring or auditing procedures. To be able to take these more active measures, companies should prioritize their third-party relationships, perhaps by establishing a tiered structure for suppliers that is based on business volume and underlying risk. This can help companies focus their efforts on the supply relationships that are more likely to cause problems.
Our experience at this year’s Compliance Week Conference suggests that today’s compliance professionals and executives recognize the growing importance of risk to their businesses and are making a conscious effort to improve their capabilities. However, most agree they still have much work to do and are open to new ideas on how to manage business risks and compliance challenges more effectively.