
Risk Angles: Five Questions on Compliance


Corporate ethics and compliance programs continue to be challenged on numerous fronts. The intricacy and sheer volume of laws and regulations around the globe, the intensifying scrutiny of enforcement officials (and the public), the rising cost of compliance breaches, and the underlying risk of reputation damage are all forces to be reckoned with. Moreover, compliance leaders, often titled Chief Compliance Officers (CCOs), face challenges in how they and their function are perceived within their organization. As they take on new responsibility for risks not previously in their purview, their ability to command a seat at the executive table and offer strategic guidance to the business is increasingly important.

This edition of Risk Angles features an interview with Maureen Mohlenkamp, principal, Deloitte LLP in the United States, about the evolution of the compliance function and the emerging risks compliance executives are focused on today. Also, we take a closer look at the evolving role of the CCO with Aida Demneri, Director of Enterprise Risk Services for Deloitte Netherlands.


Maureen’s take

How has the role of the compliance function shifted over the years?

I’ve seen the pendulum swing between compliance and ethics. In the '90s, much of the focus was on compliance, for example in the Power & Utilities industry due to deregulation. Then there was a distinct swing to a focus on ethics in the early 2000s, and the realization that even if you have controls and processes in place, there needs to be a culture of ethics and ‘doing the right thing’ for the system to work. After the 2008 financial downturn, I see a swing back to a heavy focus on compliance, with companies concerned about complying with Dodd-Frank and the global anti-corruption laws that have become more prevalent and heightened enforcement, such as the Foreign Corrupt Practices Act (FCPA) in the U.S., the UK Bribery Act 2010, and Brazil’s new anti-corruption law.

What’s the relationship between the compliance and risk function?

It used to be that compliance and risk were separate functions, each carrying their own concerns in the organization with minimal interaction. But the level of integration between compliance and risk management has increased exponentially in recent years, to the point where conversations about compliance inevitably involve discussions of risk. There is much greater emphasis on how compliance fits with the organization’s overall enterprise risk methodology and in making sure compliance programs are identifying and mitigating against emerging risks and educating employees. The “who’s doing what” dynamic between the CCO and the chief risk officer can be muddy at times, so it’s important that both recognize that sometimes they share the responsibility and sometimes one passes the baton to the other.

What are some of the top risks in this area?

A major emerging concern for CCOs wasn’t even a consideration a few years ago, and that’s external cyber risk — threats to an organization originating from outside, rather than from something an employee might do, such as engaging in risky behavior on social media. We now see CCOs making a concerted effort to work with the chief information officer or chief security officer to gain insights into how the organization’s information systems are being protected, monitored, and tested.

The second area high on a CCO’s radar is corruption risk. This has been evolving over a longer period, but the emergence of new anti-corruption laws globally, increased scrutiny by enforcement officials, and record-breaking fines make it a particularly high priority for CCOs today. The difficulty of conducting due diligence on vendors and other third parties the organization may engage with when doing business overseas is a significant concern. In a recent survey conducted in collaboration with Deloitte in the United States, 85 percent of respondents said they are reassessing their business links with third parties. Yet 17 percent of respondents say they ‘rarely or never’ conduct background checks on third parties, while 48 percent ‘sometimes’ do. [1] This can be quite risky behavior depending on the business an organization is in.

How can the compliance function become more effective in combatting risk?

Companies should emphasize both compliance and ethics to be truly strong; the trend toward ‘either-or’ thinking is counterproductive. At the end of the day, risk is rooted in behavior. There should be as much time spent on cultivating a culture of compliance built around ethical behavior as there is ticking the box on policies and processes. CCOs should also work to change the perception of the compliance function away from being seen as a watchdog or police force toward being viewed as a trusted business partner. Being able to manage compliance and its associated risks effectively can become a competitive advantage for an organization. It’s about emphasizing the value compliance can bring to the business, rather than having it be seen as a burden or necessary evil.

What role does technology play?

Compliance leaders are used to looking backward to try to discern trends or potential issues — helpline activity, survey data, analysis of internal investigations. But more forward-looking technology tools are available today that weren’t around 10 years ago that can help CCOs take a more proactive approach to risk sensing. Tracking and analyzing things like regulatory activity; sizes of fines or penalties; internet chatter or discussions (both positive and negative) about your company, competitors, vendors, and other third-party associates; and following social and political happenings in the countries you do business in can all provide insight.

A closer look: The evolving role of the CCO

By Aida Demneri

Recent Deloitte member firm surveys originating in the UK [2], the Netherlands [3], and the U.S. [4] point to a maturation of the compliance function and the growing realization that compliance is central to achieving business strategy. But compliance, and those who lead it, are still on a journey to be recognized as business partners rather than police and to take their place at the executive table, on par with other strategic leaders.

In the U.S. study of senior-level corporate compliance, audit, risk, and ethics executives worldwide, 50 percent of respondents said their organization has a stand-alone CCO. Yet only 37 percent of those CCOs hold a seat on the executive management committee, and only 33 percent of respondents feel the compliance function is viewed as a business partner across the organization. In the UK study, 38 percent of respondents say the compliance function is perceived as a trusted advisor to the business, while 33 percent say it’s viewed as a police officer/enforcer.

CCOs are in a tough position. Their job is to mitigate the risk to the organization, but not in a way that hampers the organization’s ability to function as intended, be innovative and make money. This is why alignment with the business is so critical. Doing this well makes the business stronger and can become a distinct competitive advantage.

As they work to increase their effectiveness and elevate the status of the compliance function, CCOs should be mindful that their position comprises four critical roles, or what Deloitte calls “faces.” At times CCOs are Strategists, providing compliance leadership; at times they are Communicators, promoting a culture of compliance and integrity; at times Risk Managers, directing the compliance risk management program; and at times Stewards, assuming ownership and identifying accountability and resources for compliance processes, controls, and technology tools. Which face they wear, and when, is often situational, depending on their business and industry, the maturity of the compliance function, their particular goals for the function and themselves, and other factors. By consciously allocating more of their time to their Strategist and Communicator faces, they can begin to change the perception of compliance in the organization and become trusted business advisors.

[1] In Focus: Compliance Trends Survey 2014. Deloitte Development LLC, and Compliance Week and WCW, Inc., 2014.
[2] Compliance in the spotlight: Challenges and opportunities for corporate compliance functions, Deloitte UK, 2013.
[3] Compliance in Motion: A closer look at the Corporate Sector, Deloitte Netherlands, 2014.
[4] In Focus: Compliance Trends Survey 2014. Deloitte Development LLC, and Compliance Week and WCW, Inc., 2014.




As used in this document, “Deloitte” means Deloitte LLP and its subsidiaries. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

