PwC came out with their annual State of Compliance survey, which is always well done, and has given me lots of fodder for upcoming blogs. I found the below illustration in the accompanying “chart pack” and found it interesting. The survey respondents were asked to pick their top three areas of current perceived level of risk to their businesses (as opposed to future perceived risk which is in another question). If you look at the risks cited by the respondents in the 2013 and 2014 surveys, outside of “strategic risks” they sound like the compliance training library offered by companies like The Network.
So I wonder… Do companies align their compliance training programs to an annual ranking of risks, like these, or do they just do the same corporate compliance training program every year, regardless of changing risks?
3 Big Risks To Consider: Social Media, Data Privacy Training and Anti Bribery Training
I had a few observations. First, I’m shocked – shocked – that social media a) has gone down from 2013 to 2014 and b) was cited as a risk by such a small percentage of respondents. I was also surprised to see data privacy and confidentiality drop from the top spot in 2013 to the second spot in 2014, and to go from a full third of respondents to a quarter. Those two surprised me because we hear a lot about social media training and data privacy training from clients and prospects; they see those two risk areas as big priorities to address, particularly with training.
Another thing I thought was interesting was how far down the list third party compliance is. It’s referred to as “supplier compliance” in 2014 and is only cited by 7% of respondents, which is not that much of a change from the 10% of respondents who cited “supply chain/procurement” in 2013 – I’m assuming that’s the same thing. We compliance software providers hear A LOT about third party compliance solutions from prospects and clients. It’s quite a popular topic at all of the ethics and compliance conferences. I blogged recently about the Kroll report that was introduced at Compliance Week that revealed that 58% of organizations do not give anti bribery training to their third parties. I’m still surprised by that, but I suppose it sort of lines up with this survey result.
While we are on anti bribery training… it’s still number three. It seems like it always will be a top concern for companies, no matter how many comprehensive anti bribery training and awareness solutions are out there, no matter how many Fortune 500 companies get into trouble for violating the FCPA and end up in the national media because of it. (My colleagues in our Training & Communications department put together this very comprehensive anti bribery program checklist that you may find helpful; you can download it here.)
Let’s Not Forget Security Awareness Training and Employment Law Training Courses
I was not surprised to see money laundering climbing the list, even slightly. I do a lot of research on compliance issues and publish a little internal newsletter for my colleagues each week, so they can stay up to date on what is happening in our industry. It seems each week I see more and more stories about anti-money laundering – whether it’s about banks being in trouble for having lax controls, financial institutions implementing stronger anti-money laundering training programs or companies updating money laundering policies to be compliant with new legislation.
Employment labor compliance dropped in priority by almost one third from year to year. We do hear a fair amount about employment law topics from some clients and prospects; employment law training courses are an important part of compliance training programs. Wage and hour issues and FMLA are probably the biggest components of the employment law training courses we offer for both managers and non-managerial employees.
Assuming “security” means IT security and not physical security, I would also be surprised at how low that risk falls on each year’s ranking. That’s another area compliance professionals are very concerned about – in fact, one session at the Compliance Week conference generated a vigorous discussion around the importance of bringing the chief compliance officer into the area of cyber security. Protecting company assets, securing company data, building a culture of security and ensuring employees are compliant with your security policies; that’s not just the CIO’s job… it’s also the responsibility of the CCO. At least it should be.
Interactive, engaging security awareness training is one component CCOs can use to help them build that culture of security. When I started my career several years ago (more than I care to admit), there was no such thing as “security awareness training” because it simply wasn’t necessary. But a few months ago a major research firm reached out to The Network to discuss our security awareness training because there has been such an increase in the need for it; so many companies are looking for it that they are now analyzing and producing research on that specific subset of compliance training.
And finally, fraud stood out to me because it jumped up 5% from 2013 to 2014. I guess, being in the ethics and compliance industry, I’m just still consistently surprised that with all of the corporate compliance training programs, the whistleblower hotlines, the policies, legislation and preventative measures, not to mention all of the corporate embarrassment that happens every day in the national media by those who commit misconduct… well, I’m surprised it still happens! I know I shouldn’t be, because we’re dealing with human beings. But I am.
Those are the areas that jumped out at me as I glanced through the 2013 and 2014 risk rankings. What areas jump out at you? Does your organization align its corporate compliance training program to its ranked risks or does it simply provide a cookie-cutter program each year? I’d love to hear your thoughts.