Compliance in focus: findings from Deloitte’s 12th Energy Industry Compliance Survey

Insights to fuel future readiness amid evolving regulatory environment

As the regulatory environment surrounding the energy industry continues to evolve, energy companies are expected to bolster and scale programs with acceptable controls to proactively manage compliance risks from emerging areas. Deloitte’s 12th Energy Industry Compliance Survey focused on capturing insights into the latest compliance trends and leading practices in the energy industry to help organizations improve their compliance programs and manage risks more effectively.

The 2024 survey gathered responses from 39 energy companies, including power and utility, independent power producers, and oil and gas sectors. Participants included chief compliance officers, plus directors and managers focusing on compliance and/or regulatory risk within their company. The survey focused on capturing insights into how organizations stay abreast of the evolving compliance environment across four specific areas: 1) Compliance Program Governance; 2) Compliance Risk Assessments (CRA); 3) Information Governance (IG); and 4) Risk, Controls, and Assurance. It was carefully curated to highlight specific regulatory and compliance matters across these four major areas of interest.

Two themes emerged across the four specific areas and are echoed throughout this report:

  1. Organizations should take a broad-based approach to compliance, integrating emerging areas like Generative AI with traditional enterprise and regulatory matters. Proactive management of compliance risks is crucial, balancing the rising risks of data privacy and cybersecurity with traditional risks such as corruption and regulatory risk.
  2. The digitization of operations and commerce has altered risk management approaches. Policies and controls are being updated to handle digital information, yet many control infrastructures remain manual.

The four areas—why are they so important?

Compliance and ethics program governance

Effective governance enables organizations to not only adhere to legal and regulatory requirements but also uphold the standards of integrity and ethical conduct. Strong governance frameworks enable companies to proactively identify and mitigate risks, promote transparency, and demonstrate accountability across many levels of the organization. Ultimately, the commitment to compliance and ethics is essential to maintaining a competitive edge and achieving strategic objectives in a responsible and principled manner.

Compliance risk assessments

CRAs are a cornerstone of an organization’s commitment to maintaining the standards of legal and ethical conduct. These assessments are vital for identifying, evaluating, and mitigating potential compliance risks that could impact a company’s reputation, regulatory scrutiny, and financial stability.

Information governance

This is needed for companies striving to manage their data assets responsibly and effectively. It helps keep information correct, secure, and accessible, thereby supporting compliance with regulatory requirements and mitigating risks associated with data breaches and misuse. By maintaining stringent information governance standards, companies can build and sustain trust with stakeholders―demonstrating a commitment to data privacy and security. Common factors considered when prioritizing information governance are compliance risk, reputational risk, litigation, and security threats/obligations.

Risk, controls, and assurance

Controls and assurance activities provide a structured approach to identifying, assessing, and managing potential threats and risks. By establishing strong internal controls, companies can better prevent and detect errors, fraud, and non-compliance, thereby protecting their assets and reputation. Assurance activities, like audits and reviews, offer an additional layer of oversight, verifying that controls are functioning as intended and that risk management processes are effective.

So … what is the data telling us?

  • 90%

    Continue to have a largely centralized or mixed structure for their enterprise compliance and ethics programs, with 59% of enterprise compliance programs and 65% of regulatory compliance programs having a mixed structure in 2024.
  • 27%

    Have a designated stand-alone Chief Compliance Officer (CCO) position, a 15% decrease from the 2022 survey. This indicates a shift in expanding the responsibilities of compliance officers across the industry beyond just compliance. Expanded responsibilities may include legal, risk, safety, or the corporate secretary.
  • 61%

    Feel that their company characterizes the enterprise compliance organization as a centralized compliance function that acts as an oversight authority or a coordination and administrative support function.
  • 43%

    Conduct an annual compliance risk assessment, while 20% don’t have a set frequency; 14% infrequently conduct CRAs.
  • 85%

    Responded that compliance risk scores and rating methodologies are not used in larger enterprise risk assessment scoring. When considering criteria by which to assess the level of compliance risk, respondents indicated that their organizations are commonly selecting reputational, legal, and commercial/financial risk criteria.
  • 63%

    Currently do not leverage dedicated tools as part of their CRA process, which highlights a general lack of tech-enablement across the participating organizations.
  • 71%

    Are still working to set up their IG programs―anchoring on compliance risk, litigation efforts, and security threats as important elements being prioritized to drive programmatic maturity. Only 9% of respondents indicated they are fully developed in this space.
  • 76%

    Reported having information governance policies clearly documented, while only 38% noted that compliance with policies is monitored regularly.
  • 61%

    Report that IG leadership and stakeholders tend to solve issues identified based on available infrastructure. Given the nascency and foundational focus on IG across the industry, it is natural that many IG programs currently operate in a "reactive" mode.
  • About 50%

    Track their compliance controls (across both regulatory and enterprise compliance functions) with integrated tools or systems. The remaining organizations either use spreadsheets, track controls ad hoc or don’t do so at all.
  • 78%

    Have not increased their risk appetites year over year. For 16%, it has increased; and for the rest, 6%, it has decreased.
  • 73%

    Rely on the second line to play a performance-based role in challenging the first line, indicating the adoption of the Committee of Sponsoring Organizations (COSO) Three Lines of Defense Model and confidence in Compliance programs’ ability to provide guidance and assurance.

Keeping pace with emerging ethics and compliance developments

As risks facing the industry continue to grow and become more complex, organizations find themselves needing greater measures in place to anticipate risks, but there is room for improvement. Compliance continues to have a strong voice within organizations, often wearing a dual hat with other positions, and continues to collaborate more with other business and assurance functions to help prepare their organizations for the future.
