Deloitte University


Deloitte hosts its Cross-Industry Compliance Leadership Summit

Deloitte recently held its 4ᵗʰ annual Cross-Industry Compliance Leadership Summit at the Deloitte University campus in Westlake, TX. The Summit convened over two dozen chief compliance officers (CCOs) and senior compliance leaders representing a range of industries, including health care, financial services, manufacturing, and retail.

February 6, 2018 | Cross Industry

The first night of the summit showcased emerging technologies during an interactive networking reception and allowed CCOs to see firsthand how to leverage them to enhance their corporate compliance programs. Participants spent the second day of the program with industry specialists and their peers, discussing their own experiences in operating compliance programs.

Culture is crucial

The importance of corporate culture and deep-seated ethics served as a running theme throughout the program. Chris Adkins, executive director of the Notre Dame Deloitte Center of Ethical Leadership, set the stage, emphasizing that, “one-on-one interaction makes culture—it’s not some memo.” Adkins’ talk focused on leadership’s role in fostering a culture that is capable of self-regulation, where individuals are empowered to speak out where needed, where they do not feel alone in facing ethical dilemmas, and where they actively seek ways of maintaining the integrity of their work. With company reputations now so often exposed to the whims of social media, the role of a company’s culture in identifying problems before they become unmanageable is perhaps more important than ever. In Adkins’ words, culture is so vital to compliance because “character is who you are when no one is watching, but now the assumption is that people are always watching.”

Promoting compliance is worth the effort

CCOs in attendance agreed that the best outcomes from a robust compliance program come when leadership has demonstrated its buy-in. This helps intersecting functions—including business lines, IT, and compliance—that sometimes do not speak the same language to become better aligned. Several CCOs described operating compliance programs under constrained budgets, as business pressures steer funds directed towards activities that generate revenue. Resource scarcity was most acute among CCOs who have not faced a major compliance issue, where the theme of avoiding complacency was a concern.

Tom Nicolosi, a principal within Deloitte’s Regulatory and Operational Risk practice, with extensive experience in corporate compliance, helped to underscore the value proposition case for compliance programs. Integrating compliance with larger data initiatives is key to the success of both ventures, with a compliance approach potentially playing a major role in identifying efficiencies in compliance processes. In relating the role of compliance to that of the executive and information teams, one data expert was direct in his pitch suggested that by working together, compliance functions can get the data they need while providing the data teams with control support.

Information doesn’t manage itself

Solid analytics are essential and should be a key component of a compliance program’s success and value proposition. Risk data management, cybersecurity, and a deep understanding of insider and outsider threats are all pieces of a proper digital response to compliance needs. One participant noted that the phrase “data analytics” has effectively become one word, but they are really separate disciplines. Data feeds the analytics, but active data management is indispensable for analytics to function as intended. Specialists should be involved in ensuring the accuracy of corporate data, continually seeking ways to better integrate various datasets, filling in information gaps, and recognizing potentially problematic patterns. On taking a sometimes less structured approach to analytics, one CCO remarked that when you turn the data loose, you see patterns you’ve never seen before.

In operating a data and analytics compliance program, it was generally agreed that a unified set of definitions should be a minimum business standard. One participant laid out five broad principles for data capabilities:

  1. Clear data governance: Identifying who owns what, and where it is held
  2. Data quality: Understanding data limitations and working to mitigate them where possible
  3. Mastering certain datasets: Achieving a singular view of who the data interacts with, and how
  4. Physical infrastructure: The mechanical processes that store and move data
  5. Information lifecycle management: Assessing data’s ongoing value, to archive, purge, and understand its potential

The work continues

The summit concluded with breakout sessions on three topics: Insider Threats, Financial Technology (FinTech), and Financial Crimes.

Participants at the Insider Threats breakout discussed how insider threats are more than a cybersecurity challenge, and that organizations can more effectively address insider threats as part of a holistic and risk-based program. Two main themes emerged from the discussion:

  1. An effective insider threat program monitors for anomalous behavior that breaks away from the norm, and
  2. The paradigm switch from work-life balance to work-life integration adds additional risks that are more difficult to manage, such as a bring your own device program.

In the FinTech breakout, the takeaway theme for established industry players was “disrupt or be disrupted.” Four areas of technology are driving disruption: Marketplace lending, mobile payments, distributed ledger technology (also known as blockchain), and automated wealth management platforms (also known as “robo-advice”). In looking at these emerging business areas, participants identified that new and established institutions could consider how to forge strategic partnerships while remaining aware of the associated risks.

Coming full-circle, culture reemerged in the Financial Crimes breakout. Participants spoke about the importance of speaking up, whereby employees use helplines or other tools to directly report misconduct or call out major issues. Participants generally agreed that when someone raises an issue individually, there is less chance of a false positive than when an algorithm does so. There was also agreement that organizations should communicate to their employees, to the extent possible, the compliance issues reported and associated remediation. This disclosure can help encourage a sense among employees that in the end, people contribute to compliance just as much as the process.

This article contains general information only and Deloitte is not, by means of this article, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This article is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this article.

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Site-within-site Navigation. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Did you find this useful?