Like in 2020, I took some time over the holidays to identify some trends shaping the evolution of the compliance function for the years to come. And like last year, it is your valuable feedback that will make this post resonate.
So here we go. This list is not exhaustive, and I had to make choices. First, I have limited myself to the EU regulatory landscape, although I am convinced these observations hold true beyond the EU. I could also have spoken about the rise of personal accountability/liability, the specialisation of regulatory agencies and other subjects, but I had to make choices and decided to focus on the following five trends:
- Data in all its shapes (Dec 2022),
- Compliance embedding as the next frontier (Jan 2023),
- From compliance to ethics (Feb 2023),
- Extension of scope for compliance and skills crunch,
- Compliance outreach.
1) Data in all its shapes
Our society is increasingly driven and built upon data, and this data will be at the heart of the compliance function. It will be driving the efforts of the compliance community in various ways:
- First, because after GDPR and the regulation on the free flow of non-personal data, EU authorities, as part of their European strategy for data, are in the process of adopting several other data-related texts (EU Data act, EU Data governance act, EU AI act) that firms will have to comply with. As is traditionally the case, compliance teams will have to support the business in becoming compliant before transitioning into their second line monitoring role.
- The usage of data in the AI and ESG context will also drive the need for compliance officers to look beyond strict compliance with applicable requirements and to also focus on the ethical usage of data. With regards to the use of AI, this might require compliance officers to develop policies dictating an accountable and ethically correct usage of data. How? By constructing training materials for developers that raise their awareness of the concept of bias and of how it should be handled. And lastly, compliance teams should be able to oversee how AI has eventually been used, possibly going as far as understanding the algorithms that have been used, including the way those algorithms use data. Similarly, for what concerns Environmental, Social and Governance (ESG) issues, one of the expectations will be for Compliance to understand the data at the source of any ESG reporting. Why? This will help disclosing firms avoid “greenwashing”.
- As a direct consequence of the previous point, another impact of this focus on data is the continuation of a trend that was already visible with the introduction of EU GDPR, namely the need for compliance officers to develop new skills that go beyond the regulatory skills any compliance officer traditionally had to demonstrate. Nowadays, compliance teams must exhibit not only these regulatory skills but also many others, and increasingly technical skills, that allow compliance team members to make sense of the way data are being utilised by the firm and also to enter the sometimes obscure IT world to which more and more requirements are applicable.
- Data will also continue changing the way compliance teams perform some of their activities. Regarding their second line monitoring activities, Compliance will rely ever more heavily on a live feed of data, supporting the transition from cycle-based or one-off control testing towards the embedding of a continuous monitoring scheme that hopefully will allow compliance teams to be more proactive in the identification of compliance risks or breaches. Data will also be a game changer for the internal processes run by compliance teams themselves, which will gradually become more automated and will allow management teams to rely on a management cockpit to assess the efficiency of the job they perform.
2) Compliance embedding as the next frontier
The mindset of solely relying on compliance staff to ensure the firm will comply with applicable requirements is hopefully long gone in many organisations - but not everywhere.... This does not yet mean that Compliance is systematically built in as an integral part of a firm’s business. This should however be the holy grail: ensuring first line business owners and management take full accountability to identify, manage and mitigate the compliance risks they are confronted with, relying on the compliance function for expert advice and for second line oversight.
What we frequently observe though is that efforts will have to be continued in a variety of areas. Here are three (and there are several others) to illustrate my point:
- Firms must be better at involving Compliance from the outset when defining a new strategy or taking significant decisions such as launching partnerships or M&As, entering a new market, thinking about a new service.... Compliance branding has gradually evolved over the years from "blocker" to "enabler". And it is clearly with that in mind that management should be thinking about involving compliance officers before taking a decision that might influence the risk exposure of the firm. Compliance officers should ensure potential compliance (and reputational) risks or concerns are identified in a timely manner...and propose ways to mitigate them. An early involvement also demonstrates a compliance (and integrity) culture that can be used to build trust towards all the firm's stakeholders, be it regulators, clients, providers or employees, who will be reassured to see independent functions (this also goes for Risk Management, e.g.) being visibly involved.
- Accountability comes after understanding, and if we want business owners to be accountable for their compliance risk exposure, we need to indicate clearly what's in it for them....and what we expect from them. The thing is that reaching that optimal stage of awareness now requires being more creative than ever. The current way of doing things, mainly using traditional policies and (e-)trainings, has reached its limits. It is "passé". Too many functions are now issuing policies or trainings, to the point that first line staff are gradually losing interest and demonstrating policy or (e-)training fatigue or boredom. It is therefore key for compliance teams to think out of the box and define a renewed awareness strategy that will maximise the impact of the compliance messaging. A 2019 article from HBS contained staggering figures: 70% of surveyed employees report that they don’t have mastery of the skills needed to do their jobs; 12% of them apply new skills learned in learning and development programs to their jobs, while only 25% believe that training measurably improved performance..... And I am obviously not the only one to think that way; look at this post "the design of classic compliance training s*kcs" by Jochen Vankerckhoven. Nothing different for what concerns policies, which are usually quite, let's say, boring. See in this respect the view of Adam Balfour on how to launch new compliance policies. It's therefore an understatement to say that we must do things differently. Some areas of improvement might be the use of innovative technology (VR), peer-learning, the use of story-telling and actual examples, focusing more on accessibility and user-friendliness, diversifying the communication modes (desktop, mobile, podcasts…), introducing gamification, encouraging active and two-way communication to also collect user feedback and possibly even incorporating incentives rewarding staff who demonstrate a heightened sense of responsibility etc.... For some other tips, see Thomas Fox's Innovation in Compliance Podcast. An important element to consider as well is how the training efforts will influence the behavior of employees...and that's where behavioral science and (amongst others) its nudge theory enter into the game. In this article from the elearning industry, they summarize clearly how small nudges can have a significant impact on learners. Finally, a strong consequence management mechanism should be established, holding employees personally accountable for taking policies and trainings seriously. This all makes it an exciting area to be working on, and I'm personally interested in any new idea you might have in this field.
- Pushing for a stronger articulation of Compliance as part of a firm's integrated risk management (IRM) approach. 1st line business owners and control teams, Risk Management, Compliance and Internal Audit still too frequently work in silos, sometimes using different risk and control libraries, heatmaps, reporting templates...making it quite challenging for management and the board to compare and align information and to ultimately have a good transversal grasp of the actual risk exposure of the firm. In this article, AuditBoard defines IRM as a "strategic and collaborative way for organizations to manage risk across their entire group". With this approach, all relevant stakeholders should ideally rely on one single version of the truth, with unique risk and control methodologies, with the aim to ultimately build one single risk and control library and one inherent and residual risk dashboard allowing management (from front line management to the board) to adequately assess its risk exposure but also the maturity of its control environment. This is no small task, and aligning teams that have previously worked in isolation won't happen smoothly. This is why handling such a change as a transversal program steered by the senior managers of the most impacted areas of the firm is key to its success. This also requires Compliance to continue its efforts to closely cooperate with teams like Legal, HR, Supply chain, Corporate Secretariat, IT or Risk Management, which all have an important role to play in the management of the firm’s compliance risks, so that they all can speak with one voice. And let's not forget to correctly onboard those who will ultimately be the main users of the tool, I mean the 1st line business owners. Too often, such a change is driven more as a control function initiative, without giving enough importance to the voice of the customer....
3) From Compliance to Ethics
In a world where the moral norm is evolving, where scandals are regularly front-page news, where the new generations place values and ethics higher on their priority list, it is important for firms to progress from embedding a regulatory compliance culture to making sure ethical considerations are part of the firm’s day-to-day decision making process. And it’s easier said than done. I’m quoting Nicholas Epley in the Harvard Business Review: “Compliance programs increasingly take a legalistic approach to ethics that focuses on individual accountability. They’re designed to educate employees and then punish wrongdoing among the “bad apples” who misbehave. Yet a large body of behavioral science research suggests that even well-meaning and well-informed people are more ethically malleable than one might guess.”
That’s where the concept of ethics by design comes into the discussion and where compliance officers have a role to play in making sure ethical considerations and values are duly considered to steer management and business decisions from the outset. Still quoting the same article, “organisations should aim to design a system that makes being good as easy as possible. (…) That means making ethical principles foundational in strategies and policies, keeping ethics top of mind, rewarding ethical behavior through a variety of incentives, and encouraging ethical norms in day-to-day practices.” Here again, compliance officers, as guardians of company policies and of ethical awareness-raising, have a key role to play.
And we are not there yet. In their most recent survey, the Ethics & Compliance Initiative reveals a few worrying trends: only 14% of employees work in organisations with a strong ethical culture, whilst almost 30% of employees have reported pressure to compromise standards (an increase of 20% since 2019…).
Ethics and culture must therefore take a more prominent role, also because stakeholders increasingly expect firms not only to comply with regulations but also to demonstrate a healthy company culture. The management of these risks will become mainstream, with all the complexity this entails. Developing and embedding an empirical approach for these risks, which by definition are less quantifiable, will also require out-of-the-box thinking. It is not like managing operational or prudential risks, which by nature can be more “easily” quantified. Luckily, some excellent work has already been done by organisations like the Institute of Business Ethics, which recently published a guide supporting companies in measuring their ethical culture, referring to many types of KPIs to be monitored in this context (employee wellbeing, D&I, pay structure, engagement with society, supply chain etc). Combining these KPIs with some good old human judgement will be needed to build up a coherent message to management and the board on how ethical your firm is. What matters is actually a bit less the figures themselves than the opportunity to engage with such a senior audience on this crucial topic.
Interestingly, a key component of an ethical culture, one thanks to which firms create a safe space for employees to raise their concerns, is the existence and functioning of whistleblowing schemes. Such schemes are fundamental to fighting fraud. Let’s not forget this key stat from the Association of Certified Fraud Examiners, according to which 43% of fraud cases have been detected by a tip… Back to the same ECI survey, we can again raise some eyebrows: even if an astonishing 8 out of 10 employees have reported misconduct, 61% have also experienced retaliation. According to Mary Inman in an article for Business Insider (“The age of the work-from-home whistleblower”), this surge in whistleblowing calls might have been driven by the remote working policies established in many firms. The (physical) distance between employees and their work environment and colleagues, and the lower loyalty of newcomers, have likely encouraged whistleblowing because the risk of making such a call seems more remote.
It is key for compliance officers, who usually drive the set-up of such schemes, to take these evolutions into consideration. The new EU whistleblowing directive, which had to be transposed into national law by December 2021 (see here for an interesting implementation tracker painting a quite sad picture), is also a key development to consider when positioning such a scheme in a way that encourages employees to report misconduct whilst avoiding both retaliation against whistleblowers and abusive usage of the scheme. Compliance officers, whenever designing such a policy and mechanism, will have a key role to play in shaping their firm’s culture. Will we observe an increase in the reporting of such cases? How will companies create a safe space to ensure employees feel comfortable to report? How will the reported instances inform the company culture and drive remedial actions? All these questions are certainly key in shaping the integrity culture a firm wants to demonstrate.
Having a traditional compliance programme in place won’t be enough anymore to prevent compliance breaches. It will also be important to put more emphasis on building a strong culture of ethics and integrity, ensuring that individual behaviours do not harm a firm’s reputation or its bottom line. This will only be possible if Compliance, HR and management cooperate closely to define the right company purpose and values, to measure how the organisation measures up against these newly defined norms, and to collaborate in case of investigation.
I intend to elaborate on the two other priorities in the coming days and weeks.
Legal, Compliance & Data Privacy Leader | Board Member | Speaker | Author of Ethics & Compliance For Humans
1 year
Great article, Olivier - you cover several important and relevant topics and bring them together well.
Tech and innovation meet regulation | Cyber security & cyber diplomacy
1 year
Couldn't agree more. Compliance is not even enough anymore - it has to be the baseline to shape a strategic view of what the real development (and inter alia innovative) appetite a given business is up for. Plan A might require X amount of compliance effort among other transformational activities, plan B, C etc - Y, Z amount of effort. The choice of paths to take means a particular playground for developing new capabilities. All pending on the ambition and the budget at hand, of course. The issue is that the appetite to embrace new technology might (and usually does) run ahead of regulatory clarity. And it seems we won't get out of this catchup game any time soon.
Chief Compliance Officer at Glint
1 year
Agree that Compliance should always be early stakeholders on strategic planning etc. Most of us are commercially minded to assist firms with navigating complex and difficult terrain as opposed to being perceived as creating obstacles.
Helping Financial Services to bring their Employee Compliance processes into the cloud.
1 year
Great read and I'll keep an eye out for the following parts, thanks for sharing Olivier Goffard
Completely agree. I’d add two dimensions. First, for businesses operating across multiple jurisdictions, location. Increasingly national authorities will want greater control over cross border data flows. That will challenge operating models. Second, quality. Experience suggests that things can go wrong as data moves across systems and assumptions are made based on flawed metadata such that the use in final form is not appropriate. This can cause problems with monitoring and reporting, internally and externally.