Insight

The CCO at the forefront of change

Risk and compliance client perspectives

Amy S. Matsuo

Amy S. Matsuo

ESG and Regulatory Insights Lead, KPMG LLP

 

Chief Compliance Officers (CCOs) are operating in a new reality that poses a number of functional and operational challenges. Whether it be responding to the added risks brought on by the pandemic, developing an approach to technology and data analytics that satisfies evolving regulatory expectations, or overseeing a remote or decentralized workforce, CCOs must continue to evolve their practices to manage the change.

The disruptions from 2020 have caused significant and ongoing changes to organizational operations, and have impacted how compliance departments prioritize risk, communicate expectations, and conduct auditing and monitoring activities. Government stimulus programs, along with the iterative changes and associated potential for fraud schemes, continue to present a host of risks that must be monitored appropriately. Similarly, the “work-from-home” mandates that have been common across industries, and only recently have begun to evolve into “hybrid” arrangements, have necessitated reassessing communications, training, and monitoring approaches adding challenges to resource cohesion and connectivity as well as to data and customer protections.



"The trend toward more hybrid work is unmistakable. But how will compliance leaders maintain influence, team cohesion, and regulators’ trust in the newly detached environment? At Mayo, our compliance team will seek to optimize the quality of on-site days through relationship-building conversations. We need the people who are still on-site every day to keep thinking of us even though we’re not as visible."
-Adam Briggs, Chief Compliance Officer at Mayo Clinic




Technology demands: Tools and skill sets

In spite of these disruptions, or perhaps because of them, regulators are looking more closely at the effectiveness of compliance programs as well as the manner in which organizations are gauging such effectiveness. In particular, regulators expect compliance programs to be evaluated on an ongoing basis, enabled by technology (using automated analytics/AI, and digitized data and processes), linked to the company’s enterprise risk management, and revised based on relevant operational data and “lessons learned.” Regulators also expect organizations to invest adequate resources into the compliance function, including to develop and maintain sufficient subject matter expertise and expand existing skill sets as the demands of compliance programs change. As noted in the KPMG 2021 CCO Survey (Survey)*, organizations identified the use of automation and data analytics as areas presenting the biggest opportunities for enhancement to the compliance program alongside the need to enhance their compliance skill sets across data analytics, IT security, and technology.

More than two-thirds of the Survey respondents said that they relied primarily on reactive, or “hindsight” metrics, such as findings from internal/external audits and regulatory actions/inquiries to tell the story of the effectiveness of their program and guide activities going forward. While most organizations have funded automation and technology projects and trainings within their business profit centers, they generally have been slower to provide similar resources to support second-line risk and compliance functions. This gap in technology and resource capabilities has impeded the adoption of advanced modeling and analytics, limited potential insight into current and emerging vulnerabilities and risks.

Risk management and remote work

Technology and skills gaps also serve to exacerbate the challenges of the current remote work environment. Without day-to-day touchpoints with resources and business units to encourage interconnection and reinforce compliance expectations, organizations must rely on alternative ways to promote standards and proactively monitor the evolving compliance risk profile. Further, the need for these alternate approaches may not diminish even as the pandemic fades, as organizations don’t expect to fully return to the pre-pandemic work model.

Location of compliance department personnel


Over 60 percent of Survey respondents expect their staffing resources to be working remotely at least half the time following the pandemic; another 10 percent expect their teams to be working mostly or entirely remotely. In contrast, over 90 percent of respondents stated that their teams had been working entirely or mostly on-site prior to the start of COVID-19. Across industries, the organizations that are most adaptable and have varied approaches and tools to leverage, will be in the best position to respond to this new working model. Striking a balance between on-site work to encourage relationship building and remote working arrangements that can facilitate effective risk monitoring while still promoting ethics, compliance, and workforce health and safety is critical.




“Ethics and compliance must be at the forefront of change across product development, business and sales practices, culture, regulatory change, and emerging risk. CCOs must both drive change as well as respond to it, which requires investment in data analytic and regulatory skills in addition to continuous advances in compliance technology and automation.”
-Amy Matsuo, Principal and National Leader, Regulatory Insights and Compliance Transformation, KPMG LLP

 


Considerations going forward

CCOs should have a seat at the table when business decisions related to changes in operating models are made, as their roles are critical in identifying and addressing risk impacts throughout the change management process. As CCOs navigate the changing environment and respond to evolving expectations, they should consider a variety of initiatives focused on streamlining communications and training, collaborating with business units to share observations and lessons learned, and assessing their technologies, data sources, and supporting metrics. In particular, CCOs should:

  • Prioritize opportunities to simplify compliance policies and procedures and eliminate redundancies in order to allow for better ease of use and comprehension across the organization
  • Enhance outreach to business units to maintain connectivity and continue to promote compliance as a trusted business partner, particularly in light of the diminished in-person touchpoints tied to remote and hybrid working models
  • Strengthen auditing and monitoring activities in areas of heightened and emerging risk resulting from the remote work environment, such as information protection/data privacy, third party vendor management, staffing and resource constraints, fraud and misconduct, and compliance and consumer protection risks stemming from new regulatory requirements and governmental programs implemented in response to the pandemic
  • Assess existing technologies and data sources, along with the metrics that are captured to gauge compliance effectiveness, to determine the impacts from the new environment and determine new questions that need to be addressed through quantifiable data in order to tell a broader, more insightful story. Evaluate needed new technology and data resources and metrics, as appropriate
  • Leverage existing technology functionality and evaluate new technology needs in order to support ongoing connectivity across the organization and ensure that effective auditing and monitoring procedures can be conducted in a remote setting.

Footnotes

To be published August 2021.