
Risk Angles

Five questions on enterprise compliance


An interview with Donna Epps, partner, Deloitte Financial Advisory Services LLP and a closer look by Nicole Sandford, partner, Deloitte & Touche LLP.

If you’ve noticed that the issue of compliance risk is taking more of your organization’s time and resources lately, you’re not alone. As globalization continues apace, the regulatory environment is tightening and becoming more complex around the world. As a result, leaders who have been able to “make do” with a fragmented approach to compliance are rethinking their compliance strategies as they weigh the possibility of a heightened exposure to compliance risk.

“Enterprise compliance” — a coordinated approach to compliance spanning multiple businesses, organizational units, and geographies — is moving to the top of the compliance agenda for many executives. For a term that was scarcely heard of only a few years ago, this growing interest in enterprise compliance may come as a surprise. It doesn’t help that there has yet to be a clear, shared understanding of how enterprise compliance actually works.

In this issue of Risk Angles, Donna Epps offers some thoughts on questions executives ask her most frequently about enterprise compliance. Then, Nicole Sandford takes a closer look at the pros and cons of a centralized versus decentralized enterprise compliance program.



Donna's take

We’re already investing plenty in compliance issues. How is enterprise compliance any different?

The leaders I talk to every day already know they’re directing considerable resources to compliance issues. But when you take a closer look at how they’re investing in this area, what seems like a strategy from a distance actually appears to be muddled with overlapping goals and investments. Not only is this inefficient from a cost standpoint, but it may result in a critical lack of transparency and an inability to move quickly. That’s exactly where enterprise compliance can help.

Enterprise compliance may work well in a business with a fairly limited scope. But how could it actually work in a large, global organization engaged in a wide variety of very different businesses?

Granted, you have to know your limits when implementing an enterprise compliance strategy for a large, complex global organization. At the same time, that’s exactly the environment in which an enterprise-level approach could potentially have the biggest impact. You don’t need all your businesses to follow the same approach. But you do need them to be operating with the same framework, goals and values. Set the parameters and allow for some flexibility along the way.

Who has primary responsibility for leading an enterprise compliance approach?

It’s easy to say “everybody,” and it is definitely true that everyone has some responsibility in an enterprise compliance approach. That said, some people have more responsibility than others. In our view, it’s the board and C-suite that lead the charge.

Doesn’t it make more sense to focus on compliance culture, rather than enterprise compliance?

Compliance culture should be the goal. Enterprise compliance and enterprise culture aren’t mutually exclusive. In fact, it’s our view that enterprise compliance offers the most direct, effective path to cultivating a compliance culture. Those who can master the compliance aspect of their business strategy and give their people ample incentive to do the right thing may be better positioned to break away from the pack.

Why would we take on the challenge of enterprise compliance if we haven’t encountered any big compliance problems to date?

When’s the last time you read a newspaper or magazine article investigating the fallout after a major compliance failure? If you’ve read one of these accounts recently, you’ll recognize a pattern: Nobody seems to have seen it coming. The truth is that we’re all operating in a more constrained regulatory environment, and we should expect that it’s going to create some unexpected headaches for some companies that may have encountered little or no compliance-related challenges. Plus, the penalties and impact on brand can be significant. Compliance just isn’t an issue where you can take a wait-and-see approach.



A closer look: Is enterprise compliance always centralized?

By Nicole Sandford

For many, “enterprise compliance” is synonymous with “centralized compliance.” But in reality, that’s not the case at all. An enterprise compliance program can take the form of either a centralized or a decentralized function. The right approach depends on the organization, its goals, and the market context. It goes without saying that there are risks and benefits to both approaches. If you’re weighing which option is right for your organization, here are some important considerations.

One risk to a centralized approach to enterprise compliance is cultural. Once you carve out a dedicated, centralized function focused on compliance, people may begin to view compliance risk as someone else’s problem — namely, the compliance function’s. Compliance can essentially become a back-office function. Line employees may begin to view those in the compliance function as adversaries — enforcers that must be tolerated — rather than business partners that can accelerate success. This is not an insurmountable challenge, but those leading a centralized compliance function should acknowledge this risk and plan to address it through consistent and ongoing communication. It is critical that centralized compliance personnel get “out in the field” to build and deepen relationships within the business units.

Meanwhile, a decentralized approach can make it difficult for executive and board leadership to look across the organization and understand how compliance risks are evolving. Just as important, it can result in the inconsistent application of compliance policies — different regions or business units are more likely to take their own approach. That’s one reason why even a decentralized strategy should include a unifying thread — a technology, or a person, or even a limited set of processes designed to confirm that risks are accounted for and being addressed. This “hybrid” approach — where certain compliance activities are pushed out to the business units but are connected through a centralized “nervous system” — can be an effective way to foster an enterprise compliance approach.

In the end, enterprise compliance is about taking a centralized view of compliance — regardless of whether processes or functional units are executed centrally. Even in a decentralized environment, there needs to be a way for leaders to look across their compliance infrastructure to understand, monitor and address developments. The winning model for enterprise compliance is the one that can deliver that view in a consistent and efficient way.
