2022 GLOBAL ESG, COMPLIANCE & RISK REPORT

Value creation amid rising global uncertainty

THE AUTHORS

Jeanne Kwong Bickford, Managing Director and Senior Partner, BICKFORD.JEANNE@BCG.COM
Dr. Katharina Hefter, Managing Director and Partner, HEFTER.KATHARINA@BCG.COM
Pierre Roussel, Managing Director and Partner, ROUSSEL.PIERRE@BCG.COM
Matteo Coppola, Managing Director and Senior Partner, COPPOLA.MATTEO@BCG.COM
Paul O’Rourke, Managing Director and Partner, O’ROURKE.PAUL@BCG.COM
Juliane Butters, Project Leader, BUTTERS.JULIANE@BCG.COM
Ken Carlstedt, Associate Director, Global Trade & Investment, CARLSTEDT.KEN@BCG.COM
Elisabeth Benazir Lippert, Senior Knowledge Analyst, LIPPERT.ELISABETH@BCG.COM
Nicola Nicol, Managing Director and Partner, NICOL.NICOLA@BCG.COM
Lorenzo Fantini, Managing Director and Partner, FANTINI.LORENZO@BCG.COM
Hanjo Seibert, Managing Director and Partner, SEIBERT.HANJO@BCG.COM
Dr. Bernhard Gehra, Managing Director and Senior Partner, GEHRA.BERNHARD@BCG.COM
Dr. Julia Gebhardt, Managing Director and Partner, GEBHARDT.JULIA@BCG.COM
Rei Tanaka, Managing Director and Partner, TANAKA.REI@BCG.COM
Tad Roselund, Managing Director and Senior Partner, ROSELUND.TAD@BCG.COM
Jannik Leiendecker, Partner and Associate Director, LEIENDECKER.JANNIK@BCG.COM

INTRODUCTION

The global regulatory environment has grown increasingly complex, and now spans a far broader range of issues than in the past. Compliance functions have been heavily affected as a consequence. They must deal with multiple growing challenges, such as sanctions and trade compliance and supply chain risks, as well as a general rise in regulation and regulatory enforcement, especially in the environmental, social and governance (ESG) area. To compound matters further, the pace of change will only accelerate in a highly networked and digitized world.

However, this new world should not only be seen as a challenge to overcome, but also as an opportunity to create value for the company and forge ahead of rivals. As regulators raise the bar for all kinds of risks, the compliance function is set to play a pivotal role in managing these regulatory developments successfully and steering organizations through crises. For example, the proliferation of sanctions over the past year has shone a new light on the crucial role of compliance departments in all industries. Similarly, headlines exposing greenwashing clearly demonstrate how important compliance departments are in guiding implementation of the relevant requirements.

In these demanding conditions, companies need to define the terms of their compliance mandate for their relevant risks, determine the role of their compliance function for these risks, and then optimize the function so that it lives up to the mandate. To create value, the compliance function needs to fulfill different roles, according to the particular topic and specific risk. Companies that succeed in this endeavor will gain sustainable competitive advantage, boost customer loyalty and trust, attract and retain talent, and enhance their reputation for acting responsibly in a testing business environment.

But exactly how are companies reacting to the changing compliance landscape in order to gain an advantage and get closer to their Target Operating Model (TOM)? Following our first RISK AND COMPLIANCE SURVEY FROM 2021, we repeated the exercise in May and June 2022, this time with the goal of identifying and then analyzing the core issues relating to risk and compliance. We interviewed 250 compliance professionals from companies across various industries around the world, and asked them to name the foremost issues and challenges faced by compliance organizations, and how they are fulfilling their compliance mandates. In asking these questions, we wanted to build a complete picture of the risk and compliance function, and how companies in general are coping with various types of risk and the myriad growing uncertainties in the global landscape.

In a more complex world, simply writing policy guidelines and instructing employees to follow the rules will not be enough to stay ahead of the game. Every company needs a strategy not just to manage current risks but also to adapt quickly as circumstances, rules, regulations, and expectations develop. The goal of this study is to provide companies with the perspective and tools they need to develop their compliance strategy, and then implement it successfully in the face of diverse and evolving compliance risks.

Our analysis revealed the following seven core topics and conclusions:

1. COMPLIANCE MANDATE: The clearer the mandate of the compliance function, the more it can create value for the company.
2. GEOPOLITICS: If a company is equipped with crisis response plans, and with procedures for swift action in response to volatile developments in supply chains and sanctions, the company will prove more resilient during times of geopolitical tension.
3. ESG COMPLIANCE: Taking concerted action to mitigate the risk of ESG regulation enforcement only works if the gaps between ESG expectations and reality are significantly narrowed.
4. DIGITIZATION: Adequate operating models enable companies to meet future challenges and seize the opportunity to reduce the cost of compliance.
5. CYBERSECURITY: Insufficient investment in cybersecurity, resilience and testing, resulting in a failure to keep pace with digitization or respond to escalating cyber threats, could have a significant impact on business performance and lead to an erosion of customer trust.
6. BUSINESS ETHICS: Consistent implementation of a defined ethical culture is the crucial step in establishing sustainable compliance awareness across the organization.
7. WORKFORCE: A strong workforce strategy, involving carefully considered recruitment, training, and retention, is essential in unleashing the potential for compliance as a competitive advantage.

1. COMPLIANCE MANDATE: Emphasizing value creation

Against a background of diverse and evolving compliance risks and rising uncertainties, setting out the compliance mandate and the role of the compliance function for different types of risk is critical. The survey reveals that compliance organizations are already dealing with a wide range of risk categories: fraud and financial crime risk, competition risk, information security/information technology risk, corporate and capital market risk, and employee risk. Interestingly, our analysis reveals that key ESG-related topics, such as sustainability, environmental law and human rights, are on average only included in the compliance mandates of around half to two thirds of organizations.

SURVEY PARTICIPANTS

FIGURE 1: OUR FINDINGS ARE BASED ON FEEDBACK FROM 250 COMPANIES… (panels: Industries; Company size (#FTE); Participants; Company revenue; Regions)

FIGURE 2: KEY RISKS UNDER COMPLIANCE MANDATE (IN %)

DATA PROTECTION LAW 94%
MONEY LAUNDERING/TERRORIST FINANCING 93%
CYBERSECURITY REGULATIONS 89%
INTERNAL THEFT AND FRAUD 87%
TRADE LAW (IMPORT/EXPORT) 79%
SUSTAINABILITY 75%
OTHER COMMERCIAL CRIMINAL LAW 74%
HUMAN RIGHTS 66%
CORPORATE GOVERNANCE RULES 65%
DIVERSITY & DISCRIMINATION STANDARDS 64%
EXTERNAL THEFT AND FRAUD 62%
BRIBERY/CORRUPTION 56%
ANTITRUST LAW 54%
ENVIRONMENTAL LAW 52%
EMBEZZLEMENT 49%

1 Compliance Mandate / 2 Geopolitics / 3 ESG Compliance / 4 Digitization / 5 Cybersecurity / 6 Business Ethics / 7 Workforce

This point highlights a crucial theme when it comes to the value creation ambitions of a compliance function: the importance of cross-collaboration in ESG, risk and compliance management. The management of risk is not the sole preserve of the compliance and risk functions. Individual departments have in the past often used their own piecemeal risk management methods to keep up with regulations. One frequent example is the procurement department. This siloed response fails to protect the business from financial penalties and negative public opinion. As many risks affect a variety of departments and processes within an organization, effective collaboration is vital.

The key to creating true value from these cross-functional collaborations is a clear delineation of roles, setting out which function has overall ownership of a particular area, and which is responsible for each part of the process. The role of the compliance function can range from advisor to central oversight. One real-world example would involve compliance departments collaborating closely with their colleagues in software and product development during agile development phases, making sure that they are involved early in the process and achieving speed to output.

2. GEOPOLITICS: Responding to global events

Much of the everyday work of compliance functions is currently taken up with responding to the requirements of economic and trade sanctions during geopolitical tensions, and with the handling of global crises such as the pandemic. As the sanctions landscape becomes more complex and dynamic, sanctions compliance systems must become more sophisticated in response, and must interface seamlessly with broader trade compliance capabilities.

Resolute consensus among governments is forcing companies to take a political stance, willingly or not. This has become particularly true with economic flows being increasingly used as a strategic weapon in foreign and security policy. Companies need to be careful not to circumvent the growing number of financial and trade sanctions, including the recent wave of export controls related to high-end semiconductors. They need to develop a comprehensive organizational strategy that allows them to monitor the details of an avalanche of newly introduced sanctions and respond accordingly in a timely manner. The limited ambition simply to follow rules will not be sufficient in a world that is moving so quickly.

This year’s survey shows that sanctions and trade compliance have become even more important to compliance organizations, and now rank among the top five key topics. This is a jump of 15 places from our previous survey in 2021.

Even without changes in regulatory or governmental requirements, any kind of upheaval can destabilize the environment in which companies are operating. The global pandemic is one such example, and it shows how disruptions in supply chains can pose a major threat to multinational companies. Decisions had to be taken in a shorter time span, while new business partners had to be onboarded or new trade routes identified. Regular processes had to be expedited and different processes implemented. All these changes increased the risk of insufficient due diligence or of overlooking requirements. Reaction to these global crises in many companies has often been too slow. A company’s previous work to establish transparency on these risks, as well as its preventive measures, were both crucial during these times and have certainly paid off. There is clearly a need for crisis response plans which facilitate swift decision making in relation to volatile developments in supply chains and government sanctions, as numerous jurisdictions continue to implement and enforce local regulations.

Unsurprisingly, given developments in Europe over recent months, survey participants for the first time rank geopolitical tensions as a key topic for compliance organizations (it is ranked at number 11). This correlates to the upward jump in sanctions and trade compliance, as geopolitical tensions lead to expanded trade regulations and retaliations. A robust compliance operating model ensures resilience against external shocks and uncertainties and strengthens crisis management. The major challenge in crisis management is simultaneously handling a multitude of issues that demand a broad range of skills and capabilities.

FIGURE 3: KEY TOPICS FOR COMPLIANCE ORGANIZATIONS

CYBERSECURITY (incl. data security) 62%
BUSINESS ETHICS 52%
DIGITIZATION & DATA ANALYTICS 42%
ESG (Environmental, social and governance) 42%
SANCTIONS/TRADE COMPLIANCE 36%
DIVERSITY & RACIAL EQUITY 34%
M&A (incl. due diligence of target’s business partners) 30%
New business models 26%
Global harmonization of standards/regulation 23%
EU Directive on Corporate Sustainability Due Diligence, German Supply Chain Due Diligence Act 22%
Need for efficiency gains 20%
GEOPOLITICAL TENSIONS 17%
Digital Markets Act (DMA) 16%
EU Whistleblower Protection Directive (2019/1937) 15%
EU Digital Services Act (DSA) 14%
EU AML Action Plan 14%
EU Taxonomy for sustainable activities ("Green taxonomy") 13%
Adverse media coverage (e.g. Influencer Marketing) 12%
EU Artificial Intelligence Act (Draft) 10%

3. ENVIRONMENTAL, SOCIAL AND GOVERNANCE (ESG): Meeting stakeholder expectations

Environmental, social and governance (ESG) issues have become a critical component of modern business practices. The reasons are clear: rising regulatory expectations, an increasing awareness of the threat of global warming, and more concern about the impact of company operations on the world around them. Since 2018, authorities worldwide have issued more than 170 new or amended ESG regulations. Guidelines such as the EU Corporate Sustainability Reporting Directive (CSRD) are set to be further codified by clear standards currently being developed by the European Financial Reporting Advisory Group (EFRAG) (see the recently published BCG paper “ESG COMPLIANCE IN AN ERA OF TIGHTER REGULATIONS”).

Companies must handle changing ESG regulations on topics such as climate change, human rights, and diversity. Given the major gap between expectations and current reality, ESG compliance has placed companies under considerable pressure. While cross-divisional collaboration can help to accelerate action and mitigate the risk of regulatory enforcement or of losing investors and clients, breaches of so-called social compliance lead to significant reputational risks.

The increasing importance of ESG is clearly reflected in our survey results, irrespective of the particular company’s region, industry or size. A significant proportion (43%) of respondents selected ESG as one of the top five trends or topics that are most relevant for their compliance organization. Moreover, a large majority (79%) reported that their commitment to ESG has intensified over the past two years. This is in part because they see a notable increase in the amount of ESG regulation, and greater enforcement of these regulations for companies which engage in greenwashing or have not implemented the required changes to their products, services, reporting mechanisms or organizational structure. Indeed, approximately 60% of respondents say that regulators are having the greatest impact on their ESG efforts. After regulators in the ranking come customers (48%) and employees (47%). Respondents are fully aware that increasing regulatory demands threaten a company’s survival. If its pursuit of ESG is less than comprehensive, it will buckle under the weight of sanctions and a worsening reputation.

DEEP DIVE: THE NEED FOR A HOLISTIC APPROACH

In February 2022, the EU Commission adopted a proposal for a directive on corporate sustainability due diligence. The aim of this directive is to foster sustainable and responsible corporate behavior, and to anchor human rights and environmental considerations in companies’ operations and corporate governance. The draft regulation requires large EU companies, and some non-European companies with significant business operations in Europe, to assess their actual and potential human rights and environmental impact throughout their operations and their supply chains, and to take action to prevent, mitigate, and remedy the harms to human rights and the environment that have been identified. Similarly, the soon-to-be-implemented German Supply Chain Due Diligence Act is designed to protect human rights and the environment in supply chain operations.

Companies need to respond with a holistic rather than a siloed approach. Indeed, a governance triangle should be formed: the procurement function should examine vendors in detail; the human resources function should look at how employees are treated in the supply chain; and a human rights department can be introduced to consolidate the company’s overall approach and manage reporting (see the recently published BCG paper “MANAGING SUPPLY CHAIN RISK – AN UPDATE ON LEGAL AND STRATEGIC REQUIREMENTS”). Some jurisdictions, such as Australia, actually have a regulatory requirement to nominate a human rights officer. A holistic process is also necessary for ESG measurement, steering and reporting, where similar methodologies should be used throughout the organization.

The survey reveals that the role of the compliance function differs from company to company. It can range from oversight over all ESG topics to responsibility for certain selected areas. The role of the compliance function for ESG in each company should be appropriate for the relevant business, operating model and ESG factors. However, given that ESG spans several existing risk categories that typically fall within the compliance mandate, the compliance function usually plays an important role in ESG management. In particular, its experience of risk management systems should be sought when setting up governance, standards and reporting lines so that the compliance function can create the greatest possible value in a given area.

FIGURE 4: MAIN DRIVERS FOR ESG EFFORTS (bar values shown in the chart: 58%, 48%, 47%, 26%, 22%)

4. DIGITIZATION: Making up for lost time

Dealing with burgeoning regulation can easily lead to spiraling costs. So how then do companies and their compliance functions manage to inject efficiency into this process while still operating in the most effective way possible? Digitization is the most common answer to this question. However, it is important to have a clear definition of what this entails. Companies need to understand what their problems are, what needs to be done and how digitization can help to reach these objectives. Upgrading the front end while the back-end processes are still manual and inefficient does not add up to genuine digitization. Cross-divisional collaboration for rethinking the end-to-end client journeys is necessary, focusing at all times on what benefits the client experience.

In that regard, digitization can certainly contribute greatly to raising efficiency, for example by streamlining labor-intensive processes such as Know Your Customer (KYC), transaction monitoring, screening and risk assessments, making controls more automated and data-driven, and reporting. Automated document capture and read-out of relevant data such as “use of goods” can reduce the cost of compliance and error rates (see, for example, the BCG LinkedIn article “FUTUREPROOFING COMPLIANCE WITH TECHNOLOGY & DIGITAL”).

Despite digitization’s potential, many companies are not properly preparing their operating model to meet future challenges, and are missing the opportunity to reduce the cost of compliance. Indeed, a TOM and an integrated architecture (processes, data, applications, and tools) are often lacking, despite the fact that digitization requires an overarching strategy and clear objectives. For example, universal banks have often invested in tools which come from various sources and are disconnected from each other. As a result, businesses often lack support when it comes to data, artificial intelligence, anti-financial crime and fraud efforts, and getting ahead in the war for talent.

Respondents to our survey certainly see the importance of digitization. They cited digitization and data analytics as one of the top five trends in compliance, and one third of respondents pointed to it as a key challenge for their compliance organization. Moreover, the integration of business and digital goals is seen as a major challenge among the participants. More than half (54%) claim they are well or very well positioned to adapt to the digitization trend. However, more detailed questions on digitization maturity show there is much work still to be done. Although the majority say they are well or very well positioned to adapt to the digitization trend, more than half of respondents (52%) state that they have not advanced very far along this road. They are only just starting to air ideas and introduce pilots for one-off digital initiatives within selected parts of their compliance organization, but are not fully aware of the digital use cases that exist.

Companies with a more advanced Compliance TOM appear to have started the digitization journey earlier. They are more aware of the role digital can play, and understand data strategy. Those who say they have made considerable progress attribute their success to making digital compliance their top priority and an integral part of the CEO agenda. This finding reaffirms the hypotheses reached in the BCG ESG, COMPLIANCE AND RISK REPORT 2021. At the other end of the scale, 24% of respondents admitted they are dealing with the development of digital compliance strategy either poorly or very poorly. Indeed, respondents at every level of compliance maturity said they are still working on the development of a fully digitized compliance function.

FIGURE 5: DIGITIZATION READINESS

FIGURE 6: DIGITIZATION READINESS

The effective application of technology in compliance requires excellent planning and careful orchestration of many different elements. Companies need to be able to analyze the vendor landscape, and ensure that the selected compliance technology fits neatly with operational needs. This in turn requires deep knowledge of data protection regulation in different jurisdictions, and an innovative, digitally oriented mindset. As with cybersecurity, the compliance workforce must comprise a diverse range of subject matter experts if it is to implement a successful digital compliance strategy. There is a growing demand for cyber risk professionals, who can bring risk domain expertise to address the increasing risks of cyberattacks and compromise. Indeed, the slow pace of digitization within the compliance function can be mainly put down to a lack of sufficient know-how and tools. Many companies are keen to tackle the know-how gap by developing a comprehensive people strategy to attract talent with the required expertise to exploit the potential of digital across the compliance unit. A good example of such upskilling efforts would involve building up a hub team, staffed with data scientists and engineers, as well as a spoke team, comprising data scientists and engineers who only work on compliance-related projects and hence build subject matter expertise.

As companies deploy transformative Artificial Intelligence (AI) tools, they must ensure that they introduce these solutions in a responsible way, mitigating any potential risks to their business and protecting consumers. With the imminent arrival of the European Union’s AI Act, one of the first broad-ranging regulatory frameworks on AI, the failure to implement Responsible AI successfully will lead to serious implications (see the BCG paper “RESPONSIBLE AI FOR AN ERA OF TIGHTER REGULATIONS”). Having people who are carefully and diligently working on and learning from these technologies is of critical importance for organizations and for the people who will suffer the consequences of AI systems that are not equipped with ethical guardrails.

5. CYBERSECURITY: Addressing critical gaps

Cyber and privacy attacks continue to escalate in impact, prominence and frequency. The more digitized companies’ operations become, the more they will need to assess and enhance their cyber resilience. When asked which topic was most relevant for their compliance organizations, the clear winner was cybersecurity. Indeed, the topic was cited by 62% of respondents, 10 percentage points more than business ethics, the next most cited topic. This comes as no surprise, given the considerable risks—to the business, customers, and reputation—in neglecting cybersecurity. Cyber threat actors are becoming more aggressive, more sophisticated, more persistent and more successful. Companies have therefore been strengthening their commitment to cybersecurity, especially amid heightened geopolitical tensions.

Many companies do not yet have adequate cybersecurity capabilities, management and governance processes, with insufficient investment in security, resilience and testing. They currently lack the right monitoring, controls and warning indicators to prevent, respond to and recover from cyber threats. Lack of security investment, resulting in a failure to keep pace with digital investment, can exact a high price at an unknown later date. Regulation is tightening in this sphere too, for example with the Cyber Incident Reporting for Critical Infrastructure Act, signed into law in the United States in 2022. The law sought to ensure that critical private sector entities report cyber incidents and ransomware payments to the US government. It is therefore encouraging that 73% of respondents say they are already well or very well positioned to improve performance in this regard, thanks largely to the fact that their compliance mandates include cybersecurity regulations and data protection laws.

FIGURE 7: CYBERSECURITY READINESS (1% / 3% / 23% / 43% / 30%, from very poorly to very well positioned)

Strong cybersecurity also requires good IT infrastructure management. However, more than a third (38%) of respondents say that adequate IT infrastructure remains one of their three biggest challenges, and 27% say they are not well equipped to deal with it. To overcome these challenges and rapidly improve cybersecurity, a committed senior management must implement a top-down strategy with a persistent emphasis on identifying and protecting their highest-risk assets, while the compliance departments should always be closely involved to ensure that key regulatory developments are managed and governed effectively. Companies will need to introduce a range of cross-functional initiatives, designed to encourage collaboration, and spread diverse subject matter expertise among business units and corporate functions. Such collaboration is critical, with the goal of establishing resilient cybersecurity processes comprising various elements, such as IT, operational risk, business continuity, anti-fraud and data protection.

A critical element of cybersecurity is effective staff education and awareness of the required cyber practices. Stolen credentials are responsible for more than half of ransomware attacks, not least because passwords such as “123456” or “qwerty” are still very commonly used. Enforcing password requirements, multi-factor authentication and applying security patches are important contributory factors to the effective prevention of attacks. Threats and risks will still flourish if companies continue to overlook the human element of cybersecurity, no matter how substantial the investment in security tools and network defense. The first, and in this context the last, line of defense against cyberattacks needs to be enabled in order to ensure secure operations. Organizations should provide employees with time, education, and resources to learn more about cybersecurity, and take a human-centric approach to designing training, cyber practices and incident responses in the event of attacks.

Above all, companies need to know what cyber-risk profile they are aiming to achieve, and where the most important gaps remain. Scenario-driven exercises that simulate cyberattacks assist teams to build and develop the critical skills and experience needed for effective incident response. A comprehensive cybersecurity strategy is necessary. It should be supported by management and receive the required level of investment to maintain the organization’s cyber-risk profile within its risk appetite.

An innovative approach would be to bring customers and other stakeholders on board in striving to boost cybersecurity. A trend exists at the moment to offer hackers a bonus (bug bounties) if they manage to enter the relevant company’s system and then log and report their activity. Moreover, there is an increasing focus on collaboration and information sharing between organizations, industry sectors, governments and consumers. Cyber is a collective problem, requiring a collective response.

6. BUSINESS ETHICS: Establishing a culture of integrity

A culture of integrity, where employees actually practice what the company preaches on ethical business behavior, nurtures prudent decision making in difficult situations and elevates compliance departments to the position of influential and sought-after advisor. The importance of this topic was clearly reflected in our survey. More than half of all respondents, regardless of industry, region or maturity stage, included business ethics among the top five topics most relevant to their compliance organizations. All respondents said that business ethics is a key component of proper governance.

Given the significance attached to this area, companies are keen to promote ethical behavior in their business practices. A high percentage (79%) rank themselves as either well or very well positioned in this regard, while just 4% say they are poorly or very poorly prepared. Respondents generally agree that their written codes of conduct are now well established, and have been clearly communicated to all employees (70%). Moreover, a majority report that their compliance mandates include specific risks related to business ethics.

FIGURE 8: TREND ADAPTION BUSINESS ETHICS (1% / 3% / 18% / 31% / 48%, from very poorly to very well positioned)

However, our survey suggests that many companies still struggle to create effective whistleblowing systems that promote a culture of speaking out in response to non-compliant behavior. Given its importance in the effectiveness of whistleblowing, it is perhaps not surprising that a significant number of participants (30%) state that culture is one of their top five overall compliance challenges.

A sustainable ethical culture with robust compliance and a strong sense of integrity leads to three major commercial benefits: it creates economic advantage for companies, prevents substantial fines and reputational damage, and helps to attract and retain key talent. But what are the necessary elements that combine to create such a sustainable compliance culture? One important success factor, widely accepted in the compliance community, is clear leadership behavior. The success of an ethical culture greatly depends on executives setting the tone from the top, acting as role models in living up to cultural standards. One quarter of our respondents say that establishing a “sense of urgency from senior management” is among the top five challenges for their compliance organization. Every employee should be fully aware that compliant behavior is vitally important for the whole organization and that senior management will be held accountable for any misconduct.

Companies can find it difficult to establish a compliance culture that incentivizes employees to live a culture of integrity and engage in the right behaviors. Making guidelines simpler for employees would certainly help. An unwieldy number of rules that are difficult to put into practice hinders effective and successful compliance. Making the processes user-friendly, on the other hand, will boost compliance with standards and foster an ethical culture. The target culture should be articulated clearly, providing enough use cases to demonstrate the connection between concept and business practice, so that all employees immediately recognize what correct behavior looks like and can report things they believe are not right.

Certain factors that are vital in building the right culture (the tone from the top, accountability, incentives and communication) can be measured and controlled. Indeed, data and technology can be put to good use here. Digitization can certainly also make it more straightforward for employees to be compliant, thanks to the greater ease of communicating and following due process. See also the BCG publication PERSPECTIVES ON MONITORSHIPS AND SUCCESSFUL COMPLIANCE TRANSFORMATION – A BCG COMPLIANCE MAGAZINE SPECIAL ISSUE.

DEEP DIVE: WHISTLEBLOWING

Recent regulatory action has made whistleblowing a clear priority for all compliance departments. In 2019, for example, the European Union (EU) passed its Whistleblower Directive, aimed at protecting whistleblowers. From December 2021, companies with more than 250 employees have needed to implement a system where employees and third parties can report potential misbehavior. By 2023, companies with more than 250 employees in scope of the German Supply Chain Due Diligence Act must implement a system in which employees and external third parties can report potential misbehavior. These organizations therefore need to put in place a complaints mechanism where all people, regardless of their connection to the company, can report incidents relating to violations of human rights and certain environmental protection laws. Whistleblowers can choose to report their concerns either internally or to external authorities. In specific circumstances, they can even report their concerns publicly, through social media for example, leading to reputational damage. The identity of whistleblowers and any third parties mentioned must always remain confidential.

7. WORKFORCE: Securing the right skills

Because ESG, risk and compliance have become more complex, and the demands of agile, customizable collaboration models have grown, the compliance team needs to incorporate a more diverse skill set, involving a range of technical know-how and subject matter experts, and take on various roles. This increase in demands on the compliance workforce coincides with a tense labor market where finding candidates is already a challenge. Qualified employees have more demands and expectations towards ethics and ESG. More than anything else, it is now the quality of the workforce that determines the success of a company’s compliance management. A strong workforce strategy, involving recruiting new people and upskilling current employees, is therefore essential in unlocking the potential for compliance as a competitive advantage. A human resources department that effectively manages this strategy and mitigates risks will raise a company’s standing in the market.

Attracting new talent, devising a hiring strategy, ensuring the availability and capacity of training, and retaining employees in the midst of the era of the Great Resignation are all issues faced by companies across all industries in our survey. When asked about the challenges they foresaw for their compliance organization, almost 70% of respondents pointed to “attracting talent,” a far higher proportion than for any other option. Moreover, the survey reveals that all companies, regardless of industry, have yet to find the ideal strategy in response, saying that they are merely adequately, or even poorly, positioned for this challenge. Attracting talent is also unlikely to get any easier, given that 68% of respondents say the required range of qualifications for roles in their compliance organizations (comprising skill sets, expertise, and technical qualifications) is only likely to expand, and a further 18% say it will expand significantly.

The growing importance of cybersecurity and the digitization of compliance activities are a major concern among respondents when considering the future of the workforce. Subject matter expertise, cross-functional collaboration, and an awareness of the ever-growing inventiveness of hackers and cybercriminals will be essential. The workforce of the future will need to stay up to date technologically and adapt quickly to changing risks and regulations.

As was reflected in respondents’ concerns, the requirements for the future workforce extend well beyond technical know-how. As the risk and compliance environment grows increasingly complex, the emphasis on strong business ethics will only increase, encouraging employees to make their own ethical assessments of what is right and wrong. Simply ticking boxes indicating compliance with various regulations will no longer suffice. The growing emphasis on ESG and other topics obliges the compliance workforce to keep abreast of developments, see the bigger picture, apply their expertise to new areas and think along more global lines, while keeping pace with the required new collaboration model to manage risk across departments. As the social component of ESG grows in importance, companies will need to be sensitive to the human rights risks that flow from working with multiple suppliers and global sources.

FIGURE 9: CORE CHALLENGES FOR COMPLIANCE ORGANIZATIONS IN THE FUTURE

Political issues are encroaching more than ever on the global economy. Compliance professionals must therefore be able to identify and analyze complex scenarios, and consider both political and economic factors. This will help to ensure that their company’s compliance strategies, and how they are implemented, are flexible enough not just to react to events but to anticipate them and prepare accordingly.

The attitudes of employees are also changing, and companies must adapt accordingly to attract them and keep them on board. Members of Generation Z in particular—those born between 1995 and 2010—say they want their work to add value to society, and care more about ESG when choosing their employer. Moreover, new employees expect companies to allow for remote working and offer state-of-the-art digital technologies and work processes. As the talent war intensifies, companies therefore need to manage their ESG-related reputations with care, and think differently about their working practices and their impact on risk and compliance.

In some sectors in particular, companies are heavily burdened by the effort required to prevent ESG violations and implement social compliance throughout their supply chains, and by the constant threat of regulatory retaliation and reputational damage. This is particularly true for industrial goods and healthcare companies. The implementation of due diligence in 3TG (tin, tungsten, tantalum and gold) supply chains enables responsible sourcing of 3TG from countries like Nigeria. New regulations and campaigns against bribery and corruption in many countries have raised the bar for supply chain compliance risk management in all industries. The general population sets higher standards for public or private sector entities in healthcare in particular. Many of these organizations need to make significant enhancements to the current relevant supply chain and business partner due diligence processes, e.g. by rai
singthelevelofautomation.Inthisway,theycanavoidregulatoryscrutiny,negativeheadlinesandlossoffacewiththeirownworkforce.Simplyadvertisingforapositionwillnotachievetherequisiteresults.Companiesneedtobemoreimaginativeintheirtalentstrategies,moreawareofdiversityandinclusion,andreadytorespondtothedemandforamoreflexibleworkplace.Theyalsoneedtobecarefulthattherapidexpansionofcomplianceorganizations-57%expectthemtoincreaseinsize–doesnotdamageeffortstoestablishtherightculture,giventhedifficultyoftransmittingcompanyvaluestomanynewjoinersatthesametime.Recruitingnewpeoplealonewillnotbesufficientinbuildingtherightworkforce.Astechnologyadvancesandworkplacestrategiesevolve,existingemployeeswillneedtobetrainedinrelevantnewknowledgeandskills.Trainingcapacity,includingsubstantialrampingupofrelevantITcapabilities,shouldthereforebegreatlyexpanded.Indeed,companiesneedtodevelopaclearandcomprehensiveworkforcestrategythatdoesnotleavethecompanyvulnerabletoskillsdeficienciesatanygiventime.Oursurveymakesclearthatcomplianceorganizationsshouldbeequippedwithadiverseskillsetthatcandealwithallrelevanttypesandareasofrisk,andcanfulfillthevariousrolesrequiredwithinflexiblecollaborationmodels.Inamorecompetitiveworld,companiesshouldpinpointexactlywhatskillstheymostneed,wheretheycanbefoundandhowtheycanbedeveloped.Itisnotfeasibletofightfortalentonallfronts,andcompaniesmustthereforefocusontheirpriorityareas.ATTRACTINGTALENT68%ORGANIZATIONALCOMPLEXITY(e.g.betweenbusinessunits)43%SufficientIT-infrastructure38%Overallrisingcostsforcompliance37%Risingregulatoryscrutiny36%Sufficientworkforcecapacityforimplementation33%Developmentofadigitalcompliancestrategy32%Supportiveoverallculture32%Sufficientbudgetforimplementation32%Costcutting30%Leveraginginternalknowledge28%Integratingbusinessgoalsanddigitizationgoals26%"Senseofurgency"fromseniormanagement25%Improvingefficiencyoffirstlineofdefense25%Leveragingexternalknowledge15%2021BostonConsultingGroup(BCG)partnerswithleadersinbusinessandsocietytotackletheirmostimporta
ntchallengesandcapturetheirgreatestopportunities.BCGwasthepioneerinbusinessstrategywhenitwasfoundedin1963.Today,weworkcloselywithclientstoembraceatransformationalapproachaimedatbenefitingallstakeholders—empoweringorganizationstogrow,buildsustainablecompetitiveadvantage,anddrivepositivesocietalimpact.Ourdiverse,globalteamsarepassionateaboutunlockingpotentialandmakingchangehappen,deliveringintegratedsolutionsthroughleading-edgemanagementconsulting,technologyanddesign,andcorporateanddigitalventures.Whetheryouwanttoadvanceanidea,acapability,ortheworldatlarge,BCGiswithyoueverystepoftheway.Weexcelinthebusinessofhumanpotential,andbelieveinitspowertoshapestrategic,organizational,economic,andsocietalchange.—Companiesneedtotakeactioninvariousareasinordermaximizethevaluecreationoftheircomplianceorganizations.Theyneedtodefinetheprecisemandateofthecompliancefunctionforeachtypeofrisk,defineanadequateapproachofitsroletoaddressthedifferentdemands,andclearlyallocateotherrelevantresponsibilitiesacrossdifferentdepartments.Plansforswifterandnimblercrisisresponsecanminimizetheimpactofmajorgeopoliticaleventsthathavebedeviledbusinessesinrecentyears.Onenvironmental,socialandgovernanceissues,theyhavetobridgethegapbetweentheircommunicatedambitionandtheoftenmuchmoremodestreality.Manycompanieshavefallendangerouslybehindinthedigitizationjourney.Astheyhurrytorectifythissituation,theyneedtomaintaintheirfocusonwhattheclientswantandwhattheirbusinessneeds.Oncybersecuritytoo,theyoftenhavemuchgroundtomakeup,andseniormanagementshouldurgentlyimplementacomprehensivevalue-for-moneystrategyandarangeofcross-functionalinitiatives.Tofosterethicalbehavior,companiesmusttakethenecessarystepstochangetheculture,andmakeitsimplerforemployeestovoiceanyconcerns.Regulators,investors,customersandemployeesareprobingthisgapwithincreasingenergyandconcern.Butofallthefactorsthatmakeforasuccessfulcomplianceorganization,therightworkforceisessential.Nosuchorganizationcanprosper,therefore,withoutaprudentworkforcestrategythatcons
idershowbesttoattract,retain,motivate,andtraintheirpeople.Giventheclearneedforamorediverseskillsetaddressingthefunctionaldemandaswellastheroleflexibility,thedefinitionofanappropriatepeoplestrategyiskey.FORFURTHERCONTACTIfyouwouldliketodiscussthisreport,pleasecontactoneoftheauthors.Forinformationorpermissiontoreprint,pleasecontactBCGatpermissions@bcg.com.Seebcg.comforBCG’slatestcontent.There,youcanalsoregistertoreceivee‑alertsaboutthisorothertopics.FollowBostonConsultingGrouponFacebookandTwitter.©BostonConsultingGroup2021.Allrightsreserved.11/2022CONCLUSIONABOUTBCGBostonConsultingGroup(BCG)partnerswithleadersinbusinessandsocietytotackletheirmostimportantchallengesandcapturetheirgreatestopportunities.BCGwasthepioneerinbusinessstrategywhenitwasfoundedin1963.Today,weworkcloselywithclientstoembraceatransformationalapproachaimedatbenefitingallstakeholders—empoweringorganizationstogrow,buildsustainablecompetitiveadvantage,anddrivepositivesocietalimpact.Ourdiverse,globalteamsarepassionateaboutunlockingpotentialandmakingchangehappen,deliveringintegratedsolutionsthroughleading-edgemanagementconsulting,technologyanddesign,andcorporateanddigitalventures.Whetheryouwanttoadvanceanidea,acapability,ortheworldatlarge,BCGiswithyoueverystepoftheway.Weexcelinthebusinessofhumanpotential,andbelieveinitspowertoshapestrategic,organizational,economic,andsocietalchange.—ABOUTBCGwww.bcg.com