Various countries and their compliance-enforcing agencies request that companies have “adequate” compliance programs and organizations. But what does that mean? One option to determine whether a compliance program and organization is adequate is to compare the company’s own program and organization with the compliance efforts of other companies (industry standard). Nevertheless, the compliance program and organization must address both the company’s particular risk structure and its unique business culture. We have reviewed the benchmark studies listed below and summarized their results:
- SAI Global and Baker & McKenzie 2014 Global Compliance and Ethics Benchmarking Survey (350 participants from 20 countries, wide variety of industries)
- Deloitte and Compliance Week Compliance Survey 2014 (209 respondents)
- PwC Study State of Compliance 2014 Survey (cross-industry survey)
- Kroll 2014 Anti-Bribery and Corruption Benchmarking Report (close to 200 respondents; median annual revenue USD 3.5 billion and more than 9,600 employees)
- PwC Study White Collar Crime in Germany 2013 (603 companies with more than 500 employees; 22% with more than 10,000 employees)
- KPMG Analysis of the current status of Compliance Management Systems in German companies 2013 (70 German companies participated in the survey)
- AlixPartners Annual Global Anti-Corruption Survey 2014
I. Chief Compliance Officers and their position
50% of all companies reported in 2014 that they employ a stand-alone Chief Compliance Officer (CCO) in 2014; this number compares to 37% in 2013. Among those companies that generate a revenue of USD 10 billion to USD 50 billion, 57% have a stand-alone CCO in 2014. By the same token, 37% of the companies report that their CCO holds a seat on the executive management committee.[1]
II. Compliance Staffing
Most organizations have a centralized compliance function with decisions and strategy being centrally driven.[2] In 2014, more than 12% of all reporting companies employed at least 50 compliance officers; one out of four companies reported to employ more than twenty compliance officers; and another 32% of the respondents are staffed with six to twenty compliance officers. Thus, more than 50% of the reporting companies employ more than “just a handful of people” in compliance.[3] How do these observations crystallize into a solid rule of thumb? Data shows that responses accounting for five or less compliance officers per company can be attributed to smaller companies: Companies that employ 1.000 to 5.000 employees engage – on average – three compliance officers. Vice versa, large companies (i.e. more than 10.000 employees) operate with compliance departments that go beyond 25 officers. The number of compliance personnel in heavily regulated industries is higher than in less regulated industries.[4] Looking at the various ratios of compliance officers per total number of employees, the overall average is one compliance officer per 2.000 employees. Companies also report that compliance staffing was comparatively dynamic in 2014. Every second company had increased or planned to increase its compliance staffing in the course of 2014. To the contrary, merely one out of twenty respondents claimed that its compliance staffing is decreasing or is going to decrease.[5] The increases were higher in heavily regulated industries, but also in global and complex industries like retail, consumer and automotive.[6]
III. Compliance Budget
In 2014, at least 13% of the reporting companies spend more than USD 5 million on their compliance budget. To the contrary, merely 4% of them stated that they did not have an assigned compliance budget at all. A quarter (25%) of the reporting companies maintain an annual compliance budget between USD 1 million and USD 5 million. Thus, every third company in the survey spent more than USD 1 million on compliance.[7] The heavier the industry is regulated, the higher the reported compliance budget.[8] Between 33%[9] and almost 50%[10] of the companies reported that their compliance budget had increased in 2014, whereas only 6% reported a decrease.
IV. Compliance Measures
1. Risk Assessments
More than a third of the companies reported that risk assessments are a high priority and almost 50% indicated that they are medium priority in 2014.[11] Respondents include a variety of different elements and considerations in their risk assessment processes.
2. Code of Conduct
More organizations are updating their Codes of Conduct to ensure their codes are up to the highest standards (almost 50% during the past 12 months and another quarter during the past 24 months – at the time of the study).[12]
3. Training and Communication
60% of the responding companies have their employees invest between 1 – 4 hours annually to ethics and compliance related activities.[13] Respondents utilize a mix of e-learning methods, with 69% of respondents including full length courses and 54% of respondents utilizing brief refreshers and awareness messages. Online or mobile training is only offered by half of the participating companies.[14]
4. Third Parties
In 2014, the vast majority of the companies (97%) conducted due diligences on third parties.[15] Any equally high percentage of companies perform a compliance due diligence on M&A targets to identify possible corruption risks.[16] More than 50% still stop at conducting a due diligence on their business partner but do not conduct due diligences on third parties’ agents.[17] Less than 50% train third parties on anti-corruption efforts. 6 companies out of 10 include compliance clauses into their contracts with third parties and more than two thirds have anti-bribery statements in their Code of Conduct.[18]