Compliance digitalization The impact on the Compliance function Deloitte Risk Services April 2016
Contents
- Preface
- Management summary
- Effects of digitalization
- Using data in the compliance function
- Privacy
- Respondents profile
The availability of data and opportunities for data mining are growing very rapidly. Companies that don't respond pro-actively will be less competitive than they can be and will have an information disadvantage.
Preface

Welcome to the fourth in a series of annual surveys designed to gauge the challenges faced by compliance functions across industries. For the first time, this year's survey also includes the financial services industry. This report is the continuation of Deloitte's Compliance Benchmark.

This report provides insight into the trends and challenges faced by compliance functions and their organizations in the Dutch corporate sector and financial services industry. This year's Compliance Benchmark includes in-depth questions and responses on the growing trend of digitalization in compliance. Last year's results and many questions we received on data and digitalization made us realize that many compliance officers see these topics as key opportunities to increase effectiveness of compliance in the coming years.

The success of this benchmark depends on companies' willingness to share their practices. We are very pleased, therefore, that the number of companies participating is growing each year.

This benchmark was developed by the Governance, Risk and Compliance (GRC) team of Deloitte Risk Services B.V. We would like to thank the many people who contributed to it, including those who participated in this year's benchmark. We trust you will find the report valuable, and hope that you will gain useful insights from it.

Digitalization means compliance will stop being boring. It will be easier for top management to see results.
Management summary

The 2016 Compliance Benchmark explores the market trends and developments in compliance digitalization, data and privacy observed by compliance officers.

Compliance function remains relevant
Digitalization will change both the nature of compliance work and the tooling used. Today's compliance officers expect to be able to adapt to the digitalization of their functions. The vast majority of respondents do not expect digitalization of the compliance function to make compliance officers obsolete.

Adaptive tooling
Digitalization will enable compliance officers to become more flexible and adaptive. Respondents are confident that digitalization is an enabler rather than a challenge for using and developing policies, procedures, training material and so on.

Selecting the right data
When it comes to data and compliance, we see that respondents are struggling to collect and select the right data. Collecting data from the different business units is seen as a challenge. Compliance officers often feel they should be the ones performing the analyses rather than the business.

Compliance digitalization
The ever growing role of data in the compliance function will change the required skill set of a compliance officer to include IT and data analytics skills, according to the majority of respondents. The data that were seen as the most important input for the improvement of the compliance function are data regarding: reported incidents, training completion records, internal audit reports and the follow-up on incidents.

Privacy at risk
Companies are looking into the appealing and promising opportunities for using digitalization and big data. Our respondents feel that privacy regulations could be a showstopper for compliance innovation and a majority of the respondents expect the rising tide of big data to create privacy risks.

Difference between industries
While differences can be observed between the financial services industry and the corporates, these are relatively minor compared to the way they view the challenges regarding digitalization, data, privacy and compliance. All industries see both challenges and great possibilities for compliance when it comes to digitalization and the use of data.
Effects of Digitalization

Digitalization brings technological advances, which create new opportunities for companies. However, staying compliant while using new technologies can prove challenging. Although regulators are trying to keep up with the pace of technological change, they are not always successful. Companies are struggling to comply with technology-neutral regulations that have been put in place, but that do not take account of new technological developments.

In last year's Compliance Benchmark, participants considered data protection, ICT integrity and privacy as key themes for the coming years. On the other hand, it showed the rising trend of compliance officers looking increasingly to data and digitalization as a way of improving the compliance function with more and more of the compliance budget being spent on tooling.

This year we have taken a closer look at the effects of the digitalization of compliance. Evolving technology and advanced analytics, such as machine learning, are enabling new risk-management techniques. For example, some companies are already working with self-learning algorithms to monitor and detect fraud. These event-flagging solutions are producing results that are promising for all compliance officers.

Staying compliant in a digital world
Our respondents believe that, to the extent their companies are affected by disruptive technologies and innovations, these disruptions will make it harder for them to stay compliant. Even though disruptive technologies may not seem to affect a company directly, certain compliance issues relating to technological innovations are foreseen by the majority of the respondents. Only 7% of the respondents claim to be certain that technological innovations will not pose a threat to remaining compliant.

34% of respondents use advanced and automated pattern recognition
Compliance officers of the future
The respondents in this year's Compliance Benchmark overwhelmingly (over 80%) think that digitalization will change both the nature of compliance work and the tooling used. Interestingly, only 33% are certain that the required skill set for compliance officers will expand to include IT and data analytics expertise. Feedback received from various clients indicates, however, that many compliance officers believe that digitalization will enhance rather than substantially change the function. Today's compliance officers expect in any event to be able to adapt to the digitalization of their function.

Digitalization and the different industries
Our survey shows that the respondents from the Financial Services Industry (FSI) have the most positive view on the role digitalization will play as a compliance enabler. The Energy, Resources and Transport (ERT) sector seems to be most critical of what digitalization will bring compliance. 37% of the respondents from this group deem it unlikely that digitalization will be a serious compliance enabler. Comments by respondents show that the level of regulation in the different industries plays a crucial role in the extent to which digitalization is seen as a compliance enabler. This also explains why only 7% of respondents are most certain and 24% deem it likely that current compliance officers will become obsolete as a result of digitalization.

Digitalization is a compliance enabler according to:
- 87% of FSI respondents
- 63% of ERT respondents
Digitalization and culture
Various respondents state that they expect challenges regarding compliance culture, tone at the top and perception of compliance to increase due to the digitalization of compliance. They state that the focus on hard controls to mitigate compliance risks will increase. Last year's Compliance Benchmark identified a trend of companies increasingly using hard controls, both in order to improve and measure the effectiveness of their compliance program. This year's report shows this trend to be catalyzed by digitalization, with 63% of respondents expecting a shift from soft controls to hard controls.

Despite the various challenges perceived, our clients and also the respondents in the benchmark survey state they are looking forward to the benefits that digitalization can offer the compliance function. Of the respondents, 90% expect digitalization to enable their company to use more adaptive and compliant policies, procedures, training materials and so on. Feedback from various industries indicates, however, that finding adaptive tools can prove challenging as preferred options may not yet be available or can be deemed too expensive to use.

Data and IT systems provide great opportunities for compliance. However, the cultural aspects and personal integrity must not be forgotten, for these are crucial for compliance.
The biggest challenge in using data for the compliance function is selecting the right key data to define hard and soft controls without causing an overkill of control on the business.
Using data in the compliance function

The ever-increasing volumes of data available are creating a wide range of new opportunities, not only for business purposes but also for compliance officers. Never before has there been so much data potentially able to provide a solid picture of business performance. In theory, every compliance officer could have perfect insight into the state of compliance and performance of the company as a whole. However, as our respondents indicate, the data available in their companies are predominantly unorganized and still need processing before such meaningful intelligence can be provided.

When measuring the effectiveness of the compliance function and program, companies indicated in last year's benchmark that they were looking at ways to incorporate professional judgment and data analytics so as to paint a reliable picture of the state of their compliance. Companies are increasingly basing their business strategies on the results of data analysis. Our respondents state that these opportunities also present new challenges. Making the right analysis and correctly interpreting the information extracted from the available data are becoming more and more important. It is no longer about producing the correct data, but about using the data correctly.

Challenges in using data
We asked our respondents what they see as the biggest challenge in using data as part of the compliance program. According to their responses, by far the most challenging aspect of incorporating data into the program is collecting the available data from the various parts of their organization (73%). The second biggest challenges (both in the 50% range) are a lack of alignment between different IT systems (53%), and data and privacy issues (57%) that can arise.

Most of the time, compliance uses its own data (77%) or data provided by HR (63%) for performing data analyses. Fewer than one third of the respondents are helped by their CIO office in collecting the data needed.
Another remarkable finding is that 33% of the respondents use data supplied by external parties.

Data for analysis was provided by:
- Compliance: 77%
- HR: 63%
- Legal: 50%
- Security: 50%
- CIO office: 33%
- External party: 33%
Turning data into information
Turning data into useful information can be challenging. What tools do you need? What information can provide the most insight? What follow-up actions should be taken?

Compliance reporting, risk assessments and compliance performance (KPIs & KRIs) continue to form the main purposes for which data is used by compliance officers. New and interesting purposes mentioned in the survey include culture assessment (50%), real-time compliance monitoring (40%) and pattern recognition (33%).

Data scientists and compliance officers increasingly need to be able to convert data insights into business actions. This is shown by the fact that amongst respondents, data analysis is performed by the compliance function (90%) or the risk function (43%). In doing this they can become trusted advisers to support different business areas. Interestingly, 19% of our respondents state they use an external party to analyze data.

Tooling is used to extract compliance and management information in support of data analysis. Most companies choose to develop their own tools for data analysis (60%) or use externally developed GRC tools throughout their organizations (37%).

Data and the different industries
Differences between industries appear. The FSI is more prone to using event flagging and the corporate sector shows more inclination to using data from risk assessments to determine what actions to undertake. When it comes to using data to measure effectiveness of the compliance function, it appears that the corporate sector puts greater confidence in the data at hand. A substantial part of the FSI respondents state that they do not use the data gathered to assess whether the compliance function is effective.

Figure: For which purposes do you use data? (Compliance reporting; risk assessments; compliance performance KPIs & KRIs)
Compliance and tooling
Compliance officers are constantly seeking ways to enhance their compliance program. Using data to improve the compliance function is commonly believed to be a necessity and may even create strategic advantages. The trend seen in last year's Compliance Benchmark has continued with regard to the tooling and functionalities being used to improve the compliance function.

The international Compliance Trends Survey conducted in 2015 by Deloitte and Compliance Week showed only 32% of respondents to be confident or very confident in the ability of their compliance department's IT systems to fulfill their organization's compliance responsibilities and reporting requirements.

This year's Benchmark shows that the undisputed tools of the compliance officer remain:
- Questionnaires
- Training apps
- Dashboard functionalities

The comments of respondents make it clear, however, that the number of tools is limited to the aforementioned as other tools and apps are often simply not available to compliance officers.

The Compliance Trends Survey found the most frequently mentioned compliance program components not supported by technologies or tools to be:
- Tracking legislation or regulations
- Measuring effectiveness of compliance program
- Third-party risk management
- Conflicts of interest

Undisputed tools of the compliance officer
1. Questionnaires: To assess compliance and simultaneously raise awareness of compliance and other risks.
2. Training apps: Specific compliance training apps are being used on iPad/iPhone and other mobile devices.
3. Dashboard functionalities: Compliance officers use various dashboard functionalities to support compliance reporting.
Improving the compliance program through data analysis
Selecting the correct key data to support the compliance function is a challenge faced by many compliance officers. Different types of data are used to conduct data analysis designed to improve the compliance program.

As in last year's Compliance Benchmark, reported incidents are still the most common indicator of a good compliance program, with 87% of respondents stating that they use this data to improve their program.

Last year, over 80% of respondents stated that their organizations had mandatory compliance training. This year, we asked which data are used to measure the effects of training designed to improve the compliance program. Interestingly, far more respondents this year state they use training completion records (77%) rather than training results records (40%). Both answers show that training continues to play a vital role in creating solid and effective compliance programs.

Data used to improve the compliance program:
- Reported incidents: 87%
- Training completion records: 77%
- Internal audit results: 70%
- Follow-up on incidents: 67%
- Employee surveys: 63%

Figure: Training completion records and training results records (chart values as extracted: 75%, 42%)
Compliance data and strategy
Insight from key data can give companies a strategic advantage. Compliance data are seen as an important part of the information on which companies' strategies are based. Over 80% of the respondents gave an affirmative answer (33% most certainly and 47% probably) to the question whether compliance data play a role in strategic decisions made by management.

The respondents are divided on the extent to which they expect compliance wishes and requirements to play a significant role in IT tenders and procurement. A total of 33% is convinced that compliance wishes and requirements most certainly will play a role, while 40% think this is probable and 27% believe it to be unlikely or even say their wishes will definitely not play a role in this.

Figure: Do compliance wishes and requirements play a significant role during IT tenders or IT procurement? (legend: Most certainly, Probably, Unlikely, Definitely not; chart values as extracted: 23%, 3%, 40%, 33%)
Privacy

Privacy has been an important issue in business ever since it was declared a fundamental human right in the mid-20th century. The discussions surrounding privacy have changed, however, and are becoming even more relevant in the evolving world of digitalization, with the increasing use of data and social media. Last year's respondents stated that they believed that privacy would become a top compliance theme for this year because of the expected increase in digitalization and the new General Data Protection Regulation.

Privacy, innovation and big data
In a world where digitalization, the use of data and all kinds of tooling are helping companies to structure and monitor their business processes and ensure compliance, where does this leave the subject of privacy? The opportunities for gathering data are almost unlimited in today's hyper-connected and ultra-transparent society. Most organizations already understand that privacy is set to become a significant aspect of the compliance program in the years to come.

A total of 80% of the respondents expect digitalization to be of help in innovating compliance strategies, while 53% of this group see privacy regulations as a showstopper for compliance innovation. As Deloitte we believe that incorporating emerging privacy risks in the compliance program from the beginning is essential in today's evolving world of data and digitalization. In this way, privacy can be an enabler and strategic advantage, always staying one step ahead.

We also asked participants how they feel about privacy in relation to big data. The vast majority (78%) expects privacy risks to emerge in response to the rising tide of big data.
Regulatory changes
In two years' time, the General Data Protection Regulation (GDPR), which was published on December 17, 2015, will replace all national privacy legislation in EU member states. Detecting data breaches is still a major issue, according to the respondents in the Privacy with a View research conducted by Deloitte's Privacy team in 2015. Indeed, 48% of these respondents were not confident of being able to detect personal data breaches.

Even though the GDPR is significantly different from the existing data privacy legislation, 50% of respondents do not expect problems within their organization in terms of complying with the new Regulation. As many as 77% of respondents believe they are prepared for the changes in the data privacy regulation landscape.

Figure: Percentage of respondents that expect problems within their organization regarding GDPR (legend: Most certainly, Probably, Unlikely, Definitely not; chart values as extracted: 43%, 7%, 10%, 40%)

Laws and regulations are too slow for our compliance innovation and they delay execution.
Respondents profile

A range of companies participated in Deloitte's 2016 Compliance Benchmark. This appendix outlines the profiles of the companies interviewed.

Listed/non-listed
The Compliance Benchmark covers Euronext-listed and also some large, non-listed companies. Around 30% of the companies included in this survey are currently listed in the Netherlands or abroad. The remaining 70% of the companies are large, non-listed companies based in the Netherlands.

Figure: Listed/non-listed (legend: Abroad, Netherlands, Non-listed; chart values as extracted: 7%, 22%, 70%)

Sector
The benchmark includes companies in the Financial Services Industry (36%), Energy, Resources and Transport sector (29%), Consumer Business (18%), Telecom, Media and Technology sector (11%), Real Estate (4%) and the Public Sector (4%). The benchmark results derive from a representative group of companies in each of these sectors.

Analyses of the results show some interesting differences between the different sectors. The respondents from the Financial Services Industry are strongly convinced that digitalization will be an enabler for using more adaptive and compliant policies in the future. Interestingly enough, these respondents also indicate that one of the current biggest challenges is the quality of the available IT systems.

Sector breakdown:
- FSI: 36%
- ERT: 29%
- CB: 18%
- TMT: 11%
- RE: 4%
- PS: 4%
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see www.deloitte.nl/about for a more detailed description of DTTL and its member firms.

Deloitte provides audit, consulting, financial advisory, risk management, tax and related services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte's more than 210,000 professionals are committed to becoming the standard of excellence.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the "Deloitte network") is, by means of this communication, rendering professional advice or services. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

2016 Deloitte The Netherlands