Compliance modernization

is no longer optional
How evolved is your approach?
Compliance modernization is a
broad mandate that spans the
way the function is governed; the
tools, technology, and analytics
it uses; the number and nature
of its connections to other parts
of the business; the expectations
assigned to it; and more.
 Compliance modernization is no longer optional | How evolved is your approach?

Staying ahead:
Modernizing the Compliance
Risk Management program
From value protection to More than just a cost of doing business. To Chief Compliance
value creation is a familiar Officers, it’s a refrain they’ve heard for years: a challenge,
claim. A strategic roadmap an ambition, and perhaps a sliver of veiled insult. Few
can help make it a reality. dispute that the resources an organization devotes to
keeping out of trouble have the potential to contribute far
more than they traditionally have.

But what does such an evolution look like Executing on day-to-day compliance
when it leaps off the drawing board and activities is a struggle because reactive
takes hold in real life? To find the answer, issues eat up time that might otherwise
organizations need more than just a be used toward forward-looking risk
fresh view of the Compliance function. mitigation. The evolution of business adds
Compliance modernization is a broad new pressures for Chief Compliance Officers
mandate that spans the way the function (CCOs) and their teams. At the same time,
is governed; the tools, technology, and new capabilities emerge that can help these
analytics it uses; the number and nature teams do more. For some organizations,
of its connections to other parts of the across-the-board change is in order. Others
business; the expectations assigned to it; may have evolved their programs already
and more. but stand to benefit from a corresponding
update to discrete capabilities.

Figure 1:
Survey responses regarding total budget for 2016 and beyond

50 49%

40

30 29%

20

10 8% 8% 4%
1% 1%
0
Increase Do not Increase Decrease Increase Decrease Decrease
by 0–10% know/not by 11–20% by 0–10% by more by 11–20% by more
applicable than 20% than 20%

Source: Deloitte Compliance Trends Survey 2016

3
Compliance modernization is no longer optional | How evolved is your approach?

“61 percent of a compliance officer’s time is spent on

‘other compliance tasks’ such as management of regulatory
implementation projects… A full 69 percent of firms are
expecting regulators to propose even more rules in the
coming year, with 26 percent expecting significantly more.”
—Thomson Reuters, Cost of Compliance 2016, p. 12

For certain, the status quo is not an option. The demands on businesses and Compliance For too long, many Compliance
programs are ever more heightened, complex, rapid, and costly. For instance, consider professionals have been focusing on
the following: point solutions and analyzing tactical,
transactional data in search of what
•• Regulators expect more, and in many •• Competition pushes organizations
went wrong. It is time for the Compliance
industries they have more powerful to seek every source of advantage.
function to change its focus from hindsight
analytical tools and practices to measure Compliance can be one if it evolves
to foresight and driving insight, teaming
and identify compliance-related risks as to become capable of supporting or
with the business to enable growth while
well as bad behaviors and practices. enabling value creation and seeing
at the same time mitigating risks. This will
around the corner to anticipate
•• In parallel, managers and boards require investment in technology, adoption
compliance threats.
push from within the organization of improved processes, and deliberate
for cost reductions, elimination •• The demands Compliance and other focus on what data the Business, Risk, and
of redundancies, and creation of risk management functions place on the Operations can contribute to develop more
valuable insights—and for people to business continue to increase, and these predictive insights [Figure 1]. This is not
accomplish more with less. demands cause “risk fatigue” due to the about building more but rather taking
inefficient implementation of compliance a critical review of what exists and
•• Silos are out of vogue, including the silos
requirements and responsibilities. rightsizing administrative practices or bolt-
that may have kept the three lines of
on solutions in favor of a more strategic and
defense operating without regard to •• Technology can be a double-edged
rationalized approach.
what each was mandated with doing. sword. Digital and mobile tools help
Managing compliance risk is more realize an organization’s strategic
effective when execution and oversight objectives by facilitating collaboration
activities can be integrated among all among employees and communication
three lines. with customers, but these same
real-time technologies also present
•• Cultural pressures raise the bar for
compliance risk, because they can
compliance as well, as organizations
be difficult to control and people feel
respond to pressures from both
overwhelmed with data.
regulators and customers who demand
a higher standard of daily performance.
Complex organizations require a shared
sense of ethics to complement hard and
fast rules.

4
 Compliance modernization is no longer optional | How evolved is your approach?

Tech

What does it look like?

Regulatory Technology Innovation

It probably happened before your time: Automation (RPA). Imagine an automated

The first day someone saw a digital “bot” tasked with sifting through data and
spreadsheet on a screen instead of a various systems for risk-related patterns
paper ledger. To you, it’s old technology. based on established rules to execute the
What will the person who has your job five routine testing processes in less than an
or 10 years from now think about the tools hour, something that may take a human
and systems you use today? 15 hours to complete. But speed is only
the first of many advantages the RPA tools
Since the time Silicon Valley started to can offer. There is potential the RPA tool
incubate start-ups, organizations have can find things people might miss, work
sought to increase efficiency and continuously over the course of a 24-hour
transparency through the use of day, increase overall quality in execution,
technology. However, what are the right extrapolate trends, test a full population
technologies for your organization and the of data, and create visualized outputs.
challenges you face? Are you looking to be
more automated with routine and The benefits gained from these types of
repeatable compliance processes? Are you technology are not limited to the efficiency
looking to more effectively capture of process optimization, but most
customer sentiment in customer service importantly the people. By using RPA to
processes? Or are you trying to create perform tasks that once were consuming
capacity in your team to allow for a focus countless hours of your team members’
on risk-prioritized activities? time, you can now focus those people on
more strategic, value-creating efforts such
As an example, let’s consider a routine as issue remediation and escalation, root
compliance testing process—one that is cause analysis, investigations, and overall
binary, rules-based, and fit for automation, business advisory.
thereby reducing the human element
through the use of Robotic Process

5
Compliance modernization is no longer optional | How evolved is your approach?

Beyond the basics:

Moving toward modernization
The foundation of Compliance is to prevent, detect,
respond, and remediate risk. What lies beyond that?
On a spectrum that leads to modernized and ultimately
value-creating compliance approaches, an organization
must find its sweet spot and put theory into practice.
A traditional Compliance function might modernized state that uses enhancements changes and make them happen. Each
expect to receive credit just for treading in tools, technology, and execution organization can determine how far it needs
water. How can it reach the next stage and practices to amplify the delivery of those to evolve—whether it wishes, in effect, to
begin creating value? The first step is to traditional tasks. Finally, the most advanced have in place a reliable compliance vehicle or
recognize that the Compliance function Compliance functions reach a state at which a top-fuel racing model. As an organization
in an organization progresses through they contribute new value to the enterprise. moves along the continuum, much more
different levels of evolution: At one end An organization must thoughtfully decide becomes possible. But to enter the realm of
there is a foundational state that makes where it wants to be across that maturity value creation, few organizations can stick
traditional Compliance functions work. As continuum and then develop a defined with the status quo [Figure 2].
organizations add capabilities, they reach a roadmap to break down the necessary

Figure 2:
A look at the Compliance function maturity continuum
Robotics and Talent ROI and value
Organizations have a choice: how advanced do they want their use of tech management creation
Compliance functions to be, and what return do they expect for the
investments it takes to get them there?

Basic Better More Predictive

compliance Analytics integration strategic analytics

Foundation Modernization Value creation

Core Compliance requirements and Enhanced synergies between first and Optimized oversight and execution processes;
expectations are met second lines of defense (LoD) to improve defined LoD reliance models
efficiencies and rationalize oversight and
Basic Compliance operating model in place Fully populated, linked, and implemented
execution processes
with identified roles and responsibilities Governance, Risk, and Compliance technology
Defined end-to-end technology architecture platform
Methodologies in place to evaluate, remediate,
for sourcing, aggregation, and analytics of
and stabilize the basic Compliance structure; Broad usage of predictive analytics and
Compliance data to enable less reactive and
traditional requirement inventories, risk process automation (i.e., robotics) for
more proactive Compliance management
assessment and training programs gained efficiencies
Compliance role is elevated and pronounced
Basic data technology capabilities in place Proactive talent management/capacity
in strategic and business line planning
to support Compliance reporting planning and scalable resource deployment
Framework in place to monitor Compliance
Alignment of Compliance and overall business
resource allocation
strategy; value articulated through measurable
Clear Compliance vision and strategy KRI results (ROI)
embedded across the organization
6
 Compliance modernization is no longer optional | How evolved is your approach?

Enhancing the basics •• It generates measurable results—not

A modernized Compliance program takes only avoided fines and penalties but Drivers of change:
the foundational activities and enhances
them:
also possible process efficiencies or new
market opportunities instead of being only
Why invest in a more
•• It builds culture, ethics, and appropriate
a cost center. advanced level of
incentives into compliance, and vice •• It catalyzes growth instead of Compliance risk
versa; because while written rules can gatekeeping the things people can and management?
govern transactions, it takes a deeper cannot do.
understanding to instill a sense of Each organization has an implicit
•• It contributes predictive intelligence
appropriate behavior. challenge: How does your
in addition to backward-looking analysis
organization measure up? The
•• Instead of merely identifying roles, a and reporting.
descriptions that accompany the
modernized program seeks a more
•• It helps shape the strategic future of foundational, modernized, and
insights-focused, process-oriented talent
the enterprise, or at least works in lock- value-creating stages (see Figure 2)
base and cultivates the people across
step with an established future vision, are a useful way to begin answering
the organization who fit the new normal.
instead of merely marking the trail it has that question. It’s also helpful to
•• Oversight and execution processes already followed. examine the factors that are driving
start to be rationalized to drive better compliance in this direction:
•• It cultivates and benefits from an
coverage and reliance across the three
organization-wide ethical culture that
lines of defense and other risk disciplines. Tighter, faster competition
makes compliance more of a built-in
When every tenth of a
•• To the three classical operating model and behavior.
percentage point counts, the
capability areas of “people, process, and
•• It uses leading business practices value that organizations can
technology,” modernized Compliance adds
to improve the compliance derive from the Compliance
a fourth: analytics.
infrastructure and control environment. function is no longer optional.
•• The reach of and reliance on its technology
and analytics capabilities is wider and Everything you’ve heard about the Increased need for coordination
more comprehensive. Compliance function as a fully vested Instead of yesterday’s silos, modern
business partner unfolds when the enterprises need top-of-house
Delivering benefits Compliance program reaches value creation strategies and reliance models,
At the next step, a value-creating segment of this evolutionary continuum. fueled by data that keep their risk
Compliance program stands out by But Deloitte’s Compliance Trends survey management functions on the
delivering a fully mature set of benefits found only about one-third of Compliance same page.
to the organization because: leaders feel their organizations see them as
a business partner, and slightly more than Holistic view of risk and compliance
•• It drives a meaningful reduction in
half feel Compliance is a business partner From predicting and sensing to acting
fines and penalties and compliance
in “some respects.” Only about half of and monitoring, the lines between
issues and findings.
organizations say their CCOs hold a seat on these formerly separate realms are
•• It is viewed as a partner that provides the executive management committee, and disappearing quickly.
meaningful insights to the business at more than one-third say their compliance
the intersection of risk management and risk assessments stand alone, without any Increasing liability
control efficiency. coordination with the enterprise-level or Organizations are subject to more
internal audit risk assessment processes. rigorous examinations and steeper
fines, and corporate officers are
facing individual responsibility and
liability as well.
“Several senior bankers say they believe that the fact
Cost-efficiency
they had spent massively on compliance would serve as Organizations are seeking ways to
a defense if any compliance issues arise—regardless of reduce costs while simultaneously
whether their spending was efficient or effective.” seeking ways to be more effective
with increased capacity.
—Financial Times, Banks face pushback over surging compliance and regulatory costs
7
Compliance modernization is no longer optional | How evolved is your approach?

8
 Compliance modernization is no longer optional | How evolved is your approach?

Opportunities of modernization
A modernized compliance program that combines With new capabilities, the Compliance
function can claim a renewed business
new technologies and new approaches, keeping case [Figure 3]. It can generate a positive
both in alignment with enterprise goals, can generate return on investment (ROI) rather than
merely justify itself as an expense of
a measurable value proposition for the Compliance doing business. But to make this happen,
function and turn the CCO into a strategic partner in Compliance’s strategy should be integrated
and aligned with the overall business
top-level decision-making. It can take Compliance out planning and strategic process. This is a
of a reactive, close-the-barn-door stance and allow it way to make sure that the value Compliance
generates is consistent with the value goals
to predict, and therefore help shape and prepare for, the organization is pursuing.
the future.
What does Compliance ROI look like?
A large part of this move to a more efficient
It emerges from an organization’s newly
and proactive Compliance Risk Management
enhanced ability to predict issues before
Framework will rely on the disruptive power
they become problems, to preserve value
of technology and analytics. Does this mean
from fines and disruption, and to respond
that the road ahead starts with a large-scale
effectively when action is required. For
investment to replace existing platforms? In
example, a Compliance function that once
most cases, no. Most enterprises will find
kept regulators at bay can now proactively
the answer lies in strategic efficiencies
call areas of concern to the board and
that let them do more with less. This
senior management’s attention while
includes making better use of existing data
discussions remain strictly internal, allowing
that many organizations already capture.
the organization to make value-enhancing
course corrections.

Figure 3:
ROI: The evolving value proposition of Compliance

Today Tomorrow

Qualitative •• Steward of reputation •• Investment in the organization’s

reputational capital
•• “Regulator defender”
•• Strategic input to and support of
business strategy to foster innovation

•• Shaping the broad regulatory agenda

Quantitative •• Fines and penalties as •• Fewer fines and penalties and lower
a cost of doing business legal costs (including the cost of
corrective actions)
•• Fewer instances
of consumer harm •• Greater Compliance efficiency

•• Detective compliance •• Enhanced customer experience

mitigation (i.e., noting
issues after the fact) •• Compliance alignment with business
performance objectives

•• Preventative compliance savings

9
Compliance modernization is no longer optional | How evolved is your approach?

“By thinking outside the traditional compliance box, we can

develop a myriad of strategies to demonstrate the value of
compliance to the enterprise and ensure the longevity of
our team and compliance programs.”
—FCPA blog, Compliance as a return on investment, March 20, 2014
http://www.fcpablog.com/blog/2014/3/20/compliance-as-a-return-on-investment-part-2.html

The modernized Compliance function Being proactive and predictive Measuring the value of Compliance by
can predict, prevent, and respond. It can How much of Compliance’s ongoing testing these yardsticks will have to be defensible,
apply analytics to gain valuable insight and monitoring has been automated repeatable, and grounded in clear
and drive better detection. It can use or enabled through analytics? Have the assumptions. The measurement does not
technology innovation like RPA, cognitive numbers of preventative controls or have to be purely scientific, but it should
automation, and natural language related risk mitigation routines increased use points of reference everyone can
processing at critical junctures of the year over year? Has this led to an increase understand. Yet in its 2016 Compliance
Compliance framework to increase quality in compliance adherence or reduced Trends survey, Deloitte found only 27
and create capacity. On this new footing, reputational and regulatory compliance risk? percent of companies have a standalone
Compliance can do more than save money process to measure the effectiveness of
in fines and penalties: it can also use the  taying out of the penalty box
S their compliance programs.
data it collects to drive more effective (Compliance effectiveness)
operations by synching compliance Has Compliance reduced the number While each path to demonstrate
processes with business processes. of internal audit observations and value will be different, no organization
findings, regulatory observations and can treat Compliance modernization
When organizations extract data from issues, or the baseline volume or trend as a purely technical job. Fully
compliance activities, the Key Performance of customer complaints? evolved compliance is based
Indicators or Key Risk Indicators (KPIs/ on all-hands risk intelligence,
KRIs) derived from the data collected can  fficiency of Compliance
E analysis, and more forward-
be used to influence business decisions Do the first and second LoDs coordinate looking insights that expand the
and enhance the customer experience. in testing activities, processes, or controls? modernization mandate into
This starts with articulating the landscape Is the annual Compliance testing plan strategy and culture as well as
Compliance faces, then articulating the completed each year with enough additional daily operations.
expectations and organizational challenges capacity to take on urgent requests?
that come with delivering value. Ways to
quantify compliance ROI: Quantifying Compliance’s value
Does Compliance enable growth or
opportunities for process optimization
and/or control rationalization relative to
risk mitigation and/or regulatory change?

Integration with the business

Is Compliance helping the business use risk
management to drive value by providing
insights that contribute to effectiveness?

10
 Compliance modernization is no longer optional | How evolved is your approach?

Prediction and prevention

What does it look like?

Seeing around the corner through the use of analytics

Where do you want your Compliance With that in mind, imagine the ways
function to shine: on page one of the behavioral analytics could help pinpoint
newspaper, or in the eyes of an approving which types of employees or actions
board of directors? The difference can be a have the latent potential for risky
matter of time. behavior that runs counter to the
organization’s expected norms. Outlined
Compliance teams that react to fire drills, here is an illustrative use case that
mitigate their effects, and clean up messes leverages predictive modeling
may find themselves under the wrong kind methodologies to produce deeper levels
of spotlight. On the other hand, of understanding around complex
Compliance teams that use available data business issues through the use of
and advanced analytics to see where diverse internal and external data
trouble is likely to appear tomorrow can sources and advanced analytic methods:
potentially keep it at bay.
Conduct Risk Management is one
Advanced analytics can drive predictive cross-industry and cross-sector issue that
modeling that helps leaders interpret predictive analytics capabilities can help
organizational data in complex business companies explore—in effect, to look
environments. Using these insights, they ahead to future employee behavior.
can weigh anticipated actions and results Specifically, organizations can leverage
more effectively. Initially, organizations multivariate analyses by determining
can use exploratory data mining, one-way correlated trends and suspicious
variable analysis, and business intelligence activities and their connections to
methodologies to uncover previously potential employee behavior that is
unseen patterns within data. inconsistent with organizational conduct
guidelines or policies. This kind of
However, the complex challenges analysis uses information that is already
organizations face today can require even available: employees’ biographics,
more powerful tools. That’s because demographics, human resources and job
multiple variables emanate from internal performance data, and other internal
and external sources, and the combination factors. Combined with publicly available
of source data in new and creative ways broker and market data, these granules
can generate additional “synthetic of information have tremendous
information” that needs interpretation potential within a scoring model as
of its own. Multivariate modeling and predictors of employee risk propensity.
analysis of the complex ways these
variables relate to one another can be Organizations that are able to proactively
effectively explored, successfully analyzed, identify and mitigate conduct-related risk
and strategically reported and visualized can position themselves ahead of their
as actionable insights, at various levels in peer groups and mitigate or avoid serious
order to help solve present business financial, operational, legal, and
issues, and predict future risk events. reputational harm.

11
Compliance modernization is no longer optional | How evolved is your approach?

What does it take to get

from here to there?
Moving along the compliance evolution continuum and
unlocking the potential to create material and strategic
value is a process. One way to chart, execute, and
measure the action of that process is to define the steps
along the way. To that end, Deloitte has defined an end-
to-end Compliance Risk Management Framework that lays
out the requirements [Figure 4].

For organizations that still need to meet the Prioritize areas that need to be
foundational requirements, the Compliance addressed based on the results of the
Framework provides a roadmap. For assessment, level of risk, and expected
organizations that are determined to be change to the organization.
more advanced and move to the cutting
•• What is centralized vs. not and is there
edge, it can serve as a reinforcement to
an opportunity to optimize what is done?
bolster continued performance. Some of
•• Which areas of compliance risk are highly
the key steps that can help an organization
controllable, and which ones are not?
move its Compliance function forward to
higher levels of maturity and ROI include:
Develop and update the overall vision/
mission for compliance to align with the
Determine the desired “modernized”
desired “modernized” state.
state for the Compliance Risk Management
Program. •• Define more strategically the allocation of
resources/time to higher-value activities.
•• Assess the status quo—how should the
•• Drive a greater level of transparency,
Compliance function align and support
to other key control partners and
the business strategy?
stakeholders, regarding the change and
•• What level of rigor is required to execute
the rationale for the change.
on the organizational mission, regulatory
and board mandates, etc.?
Develop and update the Compliance
strategy (or annual Compliance plan);
Perform an assessment of the existing
ensure it aligns to the organization’s
Compliance Program against the desired
overall strategy; and determine
“modernized” state.
appropriate measures for success.
•• What execution or oversight activities
•• Define Compliance’s value proposition and
should be stopped, started, or continued?
quantify through ROI and related metrics
•• Critically review Compliance capabilities
and measures.
and the talent model that supports them.
•• Determine what “levers” (investments,
initiatives, resources, tools, technology,
process optimization, etc.) are needed to
achieve desired “modernized” state.
–– What redundancies exist? How are
technology and automation utilized to
12
build capacity into the system?
 Compliance modernization is no longer optional | How evolved is your approach?

“Compliance officers have always had to be creative in

terms of their approach, and to try to do more with less.
At some point, however, creativity needs to give way
to innovation, if not revolution, in terms of how limited
compliance resources are deployed.”
—Thomson Reuters, Cost of Compliance 2016, p. 26

Figure 4:
The modernized Compliance Risk Management Framework

The end-to-end Framework sets a standard way to design, assess, implement,

and continuously improve an organization’s compliance function

Culture and strategy

Escalation, Communication, Regulatory

Policies and Risk assesment and Monitoring Data, measurement, investigation, awareness, interaction and
Governance procedures regulatory change and testing and reporting and resolution and training coordination
Framework components

Board of Directors/ Formalized policies (e.g., Defined risk assessment Defined scope and Regular measurement Defined protocols for Timely and proactive Standard protocols in
committee oversight business, Compliance strategy and approach to frequency for monitoring and reporting of risks, issue, remediation, and communication plans place to communicate
of the Compliance and and Ethics program identify, quantify, and testing based on risk leveraging enabling risk/issue escalation based on business with regulators
Ethics program, including policies and codes of prioritize, and respond assessment results technology and/or regulatory
sponsorship of a culture conduct), procedures, to existing risks on a (including emerging Employee reporting and changes “Speaking up” Critical stakeholders
of compliance and ethics and related controls that regular basis risks) Development of case management/ programs for employees identified to liaise and
address the complexity dashboards with easy investigations systems to safely voice questions interact with regulators
Executive leadership of business and risk Integrated regulatory Point-in-time testing display and analysis of that capture, prioritize, and concerns including during
commitment to and appetite in mitigating change management assesses both program concentrations, risk and assign accountability examinations and in
communication of the compliance risk program design and operating appetite breaches, and with regard to questions, A training plan that is communicating exam
value of compliance/ effectiveness other risk/performance issues, disclosures, and risk-based and has a outcomes
ethics Protocols related to (KRIs/KPIs) that, in part, allegations defined scope at the
screening/due diligence Ongoing monitoring demonstrate the value of enterprise and line-of- An enterprise-wide view
Compliance organization on new hires and programs to survey, the Compliance and business/shared of recent and planned
and operational leadership review, and analyze Ethics program services levels, including examination activities
leadership, structures, business performance role-based training and findings
and processes including and risk indicators
roles and responsibilities

Design, access, implement, and continuously improve

People Process Technology Analytics

Professionals with the requisite skills and Risk-based business processes to facilitate the Technology platforms leveraged across multiple risk Data, techniques, and solutions utilized to analyze,
Enablers

experiences to design, implement, maintain, and execution of the Compliance program areas that help prevent, detect, and respond to predict, and create actionable insights that develop
leverage the Compliance program to manage legal, compliance and ethics breaches the future direction of the Compliance program to
compliance, policy, reputational, and ethical risks Effectively designed and integrated processes to help enable strategic, operational, and tactical
create organization synergies and cost savings Tools that enhance and accelerate Compliance decision-making
program components and drive down costs and
increase efficiencies

Smart choices Each organization will find it needs to the traditional focus areas of people,
identify, acquire, contract for, and/or build process, and technology, including
Improving what exists specific capabilities to bring about these tools such as regulatory technology
changes. That said, the expectation is not (e.g., robotics process automation) and
and adding new tools merely to build more or add on, but to analytics. Compliance is too important,

and techniques thoughtfully rationalize what exists and

what will be required in the future. Part of
and operations too fast-moving, for this
job to rely entirely on the insights that
this modernization effort is to trim away appear to the naked eye or the traditional
non-value-add activities and to refocus baseline metrics; utilizing analytics and
precious resources and investment where some of the other rapidly developing
they are needed most. As with most deep regulatory technologies will be critical.
organizational change, the job will span
13
Compliance modernization is no longer optional | How evolved is your approach?

The bottom line:

Benefits of modernizing Compliance
From a cost center to a value driver. How often have
Compliance officers heard that? If it were the only benefit
to emerge from advancing the Compliance program from
the basic blocking and tackling to value creator, many
organizations would find it justifies the effort.

But there’s more. In addition to shifting the the data for which value ends up serving
cost-return balance, true modernization the needs of regulators. Part of achieving
leaves behind re-engineered core processes true value creation is the realization that
that make the Compliance function more this data can also benefit the business and
effective. It makes the function more flexible organization as a whole.
to scale up or down as needs change, and
it creates capacity in the system. It can help In reaching the highest stage of evolution,
not only to reduce the potential cost of a CCO has to embrace a new vision of
regulatory scrutiny but also to reduce the where the Compliance function fits in an
level of scrutiny. And it elevates Compliance organization’s strategic and leadership
professionals to true partnership with picture. In this vision, “fewer negatives”
the businesses. are no longer a sufficient return on the
investment the organization makes
A modernized Compliance function can be in Compliance. Instead, an evolved
an organization’s most finely tuned way Compliance function can help bring
to monitor what’s happening inside its measurable, positive value to decisions
four walls and what’s coming from outside it hasn’t always participated in, such as
them. Some may view it as the addition of a product lineup, market definition, new
“sixth sense” that lets the organization see business pursuits, customer experience,
risks and opportunities in a new and more and operational methods.
precise way.
Every organization and every Compliance
Given its greater ability to analyze data, the function has a starting point somewhere
renewed function can not only detect risks on this compliance maturity continuum.
that may affect organizations in negative Not every enterprise will commit to pushing
ways, but also steer the organization toward this evolution as far is it can go. But for a
new areas of opportunity. It can make discipline on the move, movement can be
operations more efficient and increase in only one direction: forward. Wherever
consumer confidence not in incremental your organization is starting and wherever
ways but in game-changing ones. it is headed, it’s imperative that your
strategy include a plan to build value
In part, this is because Compliance is (or creation into compliance. Once that
can be) one of the most data- and analytics- strategy is in place you can identify
rich parts of the enterprise. Historically, the places where critical investments
organizations have devoted large are required to make progress.
investments to capturing and processing

14
 Compliance modernization is no longer optional | How evolved is your approach?

Contacts
Leadership Contributors
Thomas Nicolosi Thank you to the following Deloitte professionals for their insights,
Compliance Modernization Leader contributions and support to this report:
Principal
Deloitte Advisory Tim Cercelle, Managing Director | Deloitte Advisory, Deloitte & Touche LLP
Deloitte & Touche LLP John Conrad, Principal | Deloitte Advisory, Deloitte & Touche LLP
Email: tnicolosi@deloit te.com Keith Darcy, Senior Advisor | Deloitte & Touche LLP
Thomas Delegram, Managing Director | Deloitte Advisory, Deloitte & Touche LLP
Nicole Sandford Howard Friedman, Managing Director | Deloitte Advisory, Deloitte & Touche LLP
Regulatory & Operational Risk Leader Marc Greathouse, Partner | Deloitte Advisory, Deloitte & Touche LLP
Partner Nolan Haskovec, Senior Manager | Deloitte Advisory, Deloitte & Touche LLP
Deloitte Advisory Marlo Karp, Partner | Deloitte Advisory, Deloitte & Touche LLP
Deloitte & Touche LLP John Lucker, Principal | Deloitte Advisory, Deloitte & Touche LLP
nsandford@deloit te.com Kevin McGovern, Partner | Deloitte Advisory Deloitte & Touche LLP
Maureen Mohlenkamp, Principal | Deloitte Advisory, Deloitte & Touche LLP
Chris Spoth Shaun Nabil, Senior Manager | Deloitte Advisory, Deloitte & Touche LLP
Executive Director Andrew Nippert, Managing Director | Deloitte Advisory, Deloitte & Touche LLP
Center for Regulatory Strategy Americas Gina Primeaux, Principal | Deloitte Advisory, Deloitte & Touche LLP
Managing Director Richard Rosenthal, Senior Manager | Deloitte Advisory, Deloitte & Touche LLP
Deloitte Advisory James Siciliano, Senior Manager | Deloitte Advisory, Deloitte & Touche LLP
Deloitte & Touche LLP Felicia Sokalski, Partner | Deloitte & Touche LLP
Email: cspoth@deloit te.com Karolyn Woo-Miles, Partner | Deloitte Advisory, Deloitte & Touche LLP

15
About Deloitte
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary
of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description
of our legal structure. Certain services may not be available to attest clients
under the rules and regulations of public accounting.

This publication contains general information only and Deloitte is not, by means
of this publication, rendering accounting, business, financial, investment, legal,
tax, or other professional advice or services. This publication is not a substitute
for such professional advice or services, nor should it be used as a basis for any

CENTER for
decision or action that may affect your business. Before making any decision or
taking any action that may affect your business, you should consult a qualified

REGULATORY
professional advisor.

STRATEGY
Deloitte shall not be responsible for any loss sustained by any person who relies
on this publication.

Copyright © 2017 Deloitte Development LLC. All rights reserved. AMERICAS