Tue, May 20, 2014

New Anti-Bribery and Corruption Benchmarking Report Finds Most Compliance Officers Play Little Role in Cyber Security

Seventy-five percent of compliance officers are not involved in managing cyber security risk according to a new report from Kroll and Compliance Week. In a survey of senior-level compliance professionals, nearly 44 percent of respondents also said the chief compliance officer (CCO) is only responsible for privacy compliance and breach disclosure after an incident, but has no role in addressing cyber security risks before one.

These statistics draw attention to a gap in responsibilities as cyber security lapses can often involve hefty penalties or sanctions, civil litigation and compliance issues. Alan Brill, Senior Managing Director for Kroll, says compliance officers should have a strong enough grasp of cyber security to know when they should be involved in a problem—and, he stresses, other parts of the corporate enterprise need to recognize that compliance has a role to play from the beginning.

“Every compliance officer needs to decide whether it’s time for them to be Captain Kirk and boldly go into cyber,” says Brill, “and to do it by forging a partnership with the IT director, with the general counsel, with the internal auditor—so that the cyber elements of compliance are just the everyday part of your work.”

Third-Party Relationships Are Still the Big Weakness in Anti-Corruption Programs
The 2014 Anti-Bribery and Corruption Benchmarking Report from Kroll and Compliance Week (ABC Report) also addresses the big issue that continues to keep CCOs up at night: third parties. Survey respondents this year reported an average of 3,868 third parties, and yet 58 percent of respondents said they never train third parties on anti-corruption efforts. That number is even higher than reported in last year’s ABC Report, when 47 percent of respondents said they do not educate third parties on anti-corruption policies.

Lonnie Keene, Managing Director for Kroll’s compliance practice in New York, minces no words about that figure: “It’s amazing in this day and age, given the importance and the focus on anti-bribery and anti-corruption, that 58 percent would say they never train their third parties.” He notes that of those who do train their third parties, more than a quarter fail to do so in local languages.

Don’t “Vet It and Forget It”: Ideal Compliance Programs Include Ongoing Third-Party Monitoring
The number of companies that report conducting due diligence on third parties has increased, from 87 percent in 2013 to 97 percent this year. But the follow-through is a bit lacking. While 57 percent of respondents rated their vetting procedures as effective or very effective, confidence in monitoring compliance after a relationship starts was only at 43 percent.

Melvin Glapion, Managing Director at Kroll, senses a “vet it and forget it” mentality where companies rarely revisit their existing third parties. Glapion recommends that companies group their third parties into low-, medium-, and high-risk partners, and re-evaluate all of them on a four-year cycle. He admits this could result in a relatively expensive program that could be a tough sell; however, he argues the investment would pale in comparison to regulatory fines that can hit hundreds of millions of dollars should a bribery offense go undiscovered.

About Kroll
Kroll is the leading global provider of risk solutions. For over 40 years, Kroll has helped clients make confident risk management decisions about people, assets, operations, and security through a wide range of investigations, due diligence and compliance, cyber security, physical and operational security, and data and information management services. Headquartered in New York with more than 55 offices across 26 countries, Kroll has a multidisciplinary team of nearly 2,300 employees and serves a global clientele of law firms, financial institutions, corporations, non-profit institutions, government agencies, and individuals.

About Compliance Week
Compliance Week, published by Wilmington Group plc, is an information service on corporate governance, risk, and compliance that features a weekly electronic newsletter, a monthly print magazine, proprietary databases, industry-leading events, and a variety of interactive features and forums. It reaches more than 26,000 financial, legal, audit, risk, and compliance executives, and is based in Boston, Mass.

Media Contact:

Cathy Johnson | +1 571.521.6182 | [email protected]