Is your approach to compliance fit for the future? Kristin Rivera and Andrew McPherson explore how to deliver compliance that supports your mission and values, creates a differentiated experience for your customers and boosts your bottom line.
Is your approach to compliance fit for the future? Kristin Rivera and Andrew McPherson explore how to deliver compliance that supports your mission and values, creates a differentiated experience for your customers and boosts your bottom line.
Kristin Rivera:
Welcome to our podcast series, “Emerge stronger through disruption.” I'm Kristin Rivera and I lead PwC’s global forensics practice as well as our Global Crisis Centre. Today, I'm coming to you from my home office in Larkspur, California, which is just outside San Francisco. In each episode of this series, we'll be talking to global colleagues about the challenges that are facing business leaders as they navigate disruption.
And today we'll focus specifically on compliance, transformed, and how innovative organisations are applying its principles. And I couldn't be more delighted to welcome my friend and colleague Andrew McPherson. Andrew, just tell me a little bit about yourself as well as where you're based.
Andrew McPherson:
Hi, Kristin, great to be chatting with you.
Well, I'm on the other side of the ball and the other side of the day to you, I'm down here in Sydney, Australia. Enjoying the onset of summer. So I'm sorry to break that to you, but it's a beautiful day down here in Sydney, and I'm really enjoying the prospect of summer. I run, in PwC, cross-firm risk and regulatory focus, and that takes me right across all of our capabilities to pull them together, package up what makes sense for different client challenges and issues, and get them to market... and also to think and plan about what we need in future.
And that's great because I've spent my career on risk and compliance, and it's been wonderful to actually sail across all those different capabilities and think about all the great ways we can serve clients using different combinations of them.
Kristin Rivera:
Andrew, it sounds like you were exactly the right person to be talking to today.
There has never been a greater need for organisations to deliver compliance in a fresh way and in a way that really genuinely supports their purpose, mission and values. So, Andrew, as a key architect of compliance transformed, would you give us a bit of an overview of what it is, and also its power for companies?
Andrew McPherson:
My friends find this surprising, but I really love compliance. I've spent 30 years building a career around really helping clients focus and optimise around what they're doing on managing risks to achieve their strategy. And that's working both with executives and boards.
And one of the things I've found really personally interesting, and at times, frankly, upsetting through that, is just the number of times I've observed two themes, two repeating themes that I've seen again and again, and the first is what I'd call a compliance heart attack. And that's where a client or an organisation has a really massive compliance issue that surprises them -- and these sort of issues are organisation-changing -- and life-changing for many individuals.
It might cost the CEO and a number of the board members and executives their job. It can sometimes really trash the brand. Huge anxiety for employees, customers, and so forth. Shareholders can lose a lot of market capitalisation. Compliance heart attacks -- they’re a pretty serious event for organisations, and some don't survive them.
But interestingly, the thing that I find more insidious is what I call compliance heart disease. And that's where compliance and all the processes around it are actually choking the arteries and veins of an organisation. It's a bit more insidious than a big heart attack event. And there it is, eating away at costs -- very expensive, these compliance processes.
Also customer experience -- it gets in the way of what the customers really want. And it impacts the culture and the staff experience. So in the last couple of years in the PwC CEO Survey, I wasn't surprised at all to see the number one thing CEOs were worried about -- their anxiety, the thing they felt threatened by -- was regulation. Not only the volume of it, but the change in it.
And one of the things that I think is interesting is, there's not a lot of organisations who I see really value their compliance teams. And this is where an interesting contrast comes -- when you have these serious health events, when the CEOs are saying they worry about it -- but you know what? The compliance teams are often in the basement or in the office furthest from HQ. And I think there's a piece here we’re forgetting, that in today's world, in a trust-based world where transparency operates pretty quick, without trust you are dust.
And I think the number one way to lose trust is just fail to live up to what's expected, to live up to commitments you've made and so forth. I won’t book my family on an unsafe airline. Compliance is really important and really valuable to organizations.
Kristin Rivera:
I love that perspective, Andrew, and your analogy of likening compliance to a heart attack or heart disease really resonates with me.
I spent the first two decades of my career helping companies with compliance heart attacks -- dealing with the investigations and the regulatory inquiries and all of the fallout that comes from a major compliance failure. And yet, interestingly enough, again, I'm here in San Francisco, so many of the companies I work with are technology companies -- I think they really fear the heart disease more than the heart attack.
Because the idea of clogging up the works, of slowing innovation, is just as terrifying -- if not more terrifying -- for companies that make their living innovating and coming up with new ideas. Tell me a bit about how compliance transformed is different from historic approaches to compliance.
Andrew McPherson:
Yeah, that resonates with me because as a young fit guy, I didn't like going to the doctor. I really didn't like going to the doctor. And then my organisation, PwC, forced me to have an annual medical -- and all of a sudden, in my early 30s, I started to appreciate preventative health for the first time in my life.
I'd never given it any thought at all. And I think that's a concept that's also got some resonance here around -- what actually helps you from heart disease and heart attacks in life, as in business, is a bit of preventative health measures. So we had a bit of a look -- I was curious as we looked at this, and we talked to analysts and we could see this coming through in the CEO Survey, but we asked ourselves, okay, where are these organizations -- where are our clients spending money on compliance?
And what's interesting is that that wasn't really transparent, it wasn't apparent, there wasn't a lot of information on that. So we did quite a bit of work on this. We did some study and we looked right across organisations across the globe, across industries. And we identified where the top 10 areas of compliance spend were, and they’re very common across industries.
There is not a lot of change, one industry to the next. So number one is almost always the specific product and service standards that applies to your organization. So if you're an airline, it's engineering and it's safety, right? And there's a whole bunch of standards and rules and things around that. If you're a hospital, it's clinical compliance and clinical matters.
What was interesting for us as an organisation is some of the things that are perhaps our history and still an important part of our organisation is tax and financial reporting and market compliance -- they were eight and nine on the list. They were well down the list of where organisations are spending big.
So workforce and labor obligations, data protection, and cyber, environment, sustainability, and the compliance regime around that -- they were the big spending areas, and others. I think the other thing that really struck us was just how big the total spend was. It was enormous on compliance, and there's not many CEOs have that number in a dashboard, or are actually aware of that number.
That's because compliance is well spread through an organisation, as it should be. There's different areas of compliance in different pockets, and they're all important in different ways. But very few organisations looked at it holistically. Very few organisations were thinking about: What does this do to our brand?
What does this do to our customers? What does this do to our staff? And the other thing we started to realize was, wow, this is really interesting: Compliance functions -- you don't often hear about a compliance function transformation. You don't often hear about compliance holistically. We started to realize that wow, we think these are like the last major corporate functions to have transformed themselves.
Finance, technology, sales, people functions -- they've all been transformed, some of them multiple times. You don't hear a lot about organisations transforming the way they comply with their expectations on them.
Kristin Rivera:
You know, it's interesting, in the US, the Department of Justice is the sort of regulatory body that defines what good looks like from a compliance perspective across all industries.
And during the pandemic, they came out with some really insightful new guidance. And one of the things that they recommend is that companies really think about why their programs are designed the way they are. And I like to say they need to be purposeful. And it's interesting, because most companies, particularly in less-regulated industries, but I think most companies that I talked to, struggle to answer that question -- because they've grown up organically, because there was a need and it got fixed and it's a bit haphazard.
And I think that goes very much along the lines with what you're describing, that this function has not been transformed as other corporate functions have. So if we think about transforming compliance, what do you suggest companies should be looking for? What is the desired end-state of a compliance transformed?
Andrew McPherson:
I’m glad you asked, Kristin. Look, we were curious about this, because as we said, these hadn't been done much. Even our organisation had done relatively few and we'd done them -- approached them differently in some ways. So we started to look at what was happening in the market, and we did some work around, okay, so what's working, what things are we seeing impactful?
And in our compliance transformed thought leadership and the microsite, we identify five principles. And these are five things we're seeing organisations do that seem to be working quite well in the compliance space. So let me take you through the five. The first is that if your approach to compliance is aligned with your strategy, purpose, and values, not just laws and regulations, that's good.
That then makes it more purposeful, to your point, Kristin. And again, if I pick that example, I said I wouldn't book my family on an unsafe airline. My Australian airline spends quite a bit more than the average airline on engineering, compliance, and safety. They spend above the odds on it and they market the heck out of it. And their processing reflects it -- and I'm really happy to pay.
So there's an example where their approach to compliance is really aligned to their market strategy, their pricing strategy, and so forth. So aligning your compliance strategy to your organisation strategy, its purpose and values, gets you a much better outcome than coming at it through the laws and regulations.
So the second thing is designing compliance processes with the customer in mind. You want your compliance processes to support the customer experience and support what's valued by your customers rather than get in the way of it. And that's really, really important, is using compliance to create a differentiated experience for the customer, particularly when part of what the customer's buying these days is trust in brands, in products, in organizations.
And an example I'd give there is, you know, I've used two financial advisors over recent times to make investments. And one of them sends me a pile of paper that I have to print, I have to sign, all this sort of stuff -- and I feel really irresponsible cause I don't print much these days. The other one's got this really good digital means for me to authorise. And, you know, advisor one has probably delivered me higher returns, but who do I invest more with?
Path of least resistance, right? It's interesting how that plays into customer experience: Advisor two is winning my business because they built a really elegant compliance process that didn't cost them, didn't burden them.
Kristin Rivera:
Just to interrupt you, Andrew, if we think about the current generation of workforce who have grown up with smartphones and having the simple elegance of everything they need at a finger touch away in an app -- well, this is what they expect in the workplace, as well.
And so while you or I might be a bit more tolerant of some of the administration that could go along with compliance, I think that tolerance is really waning as the next generation of workers matures.
Andrew McPherson:
Absolutely. And that takes us straight to the third thing that we noticed that's really working.
So where compliance functions are really using technology and data to power what they're doing, to get cost out, to cause higher reliability compliance, not just leveraging what you might call enterprise GRC systems, but really tactical technologies, automation, language recognition -- all of this sort of stuff that they're doing now, that's taking an awful lot of cost out.
Actually, more importantly, to me, it's brilliant preventative health. It's putting high reliability into compliance. So tech and data -- super important. The fourth one is a bit interesting and a bit different. One of the things that we noticed is that there's a skill in our organisation that we've used in a range of things around human-centered design.
Governments are pretty good at using it, right? Go ask the taxation authority about how they use human-centered design to get people to pay their taxes on time or their rates for their land tax or so forth. They're actually quite into it. Compliance functions in your average organisation are not using that skill.
And we can see something really interesting there, because what human-centered design is about is it makes it easy and it motivates, it incents people to take particular choices. And in compliance, you want them to take compliant choices. So designing your processes for both staff and customers using the human-centered design can be really powerful.
So those four then lead to the fifth, which is really an outcome. Organisations using those four features, we found were taking a far more predictive, preventative and proactive mindset to compliance. They were looking ahead, they were using data to sense and detect early changes in compliance patterns.
And it put them in a space where they weren't just looking back in the revision mirror. They will looking forward out the windscreen, at compliance. And as a result, either would get ahead of issues or respond to them really quickly when they arose. And we think that outcome is a really important fifth feature, and to me, what we're aiming for.
Kristin Rivera:
Those five principles really resonate with me, and I know from my conversations with chief compliance office officers, that they really feel right for them as well. It feels like the right direction for compliance now. And again, with so many companies transforming or rationalising their compliance organisations, sometimes for the first time, these are also very timely.
So I'd like to wrap up with the million-dollar question, Andrew, which is; What about ROI? You mentioned early on that many organisations don't really have a handle on how much they're spending, and arguably are spending far more than they realise on compliance. But what would you say to the chief compliance executive that would like to transform their organisation, but is struggling to get buy-in as to why it's worth investing?
Andrew McPherson:
It's really interesting, because there's a very human response when you say the word compliance. Most people go, “Ugh, compliance.” It's a bit of a downer. There's so much attached to that word for us in our lives -- doing my tax return, you know, all of that sort of stuff. It's compliance.
And the whole point of this work is to lighten that burden. So, to me, I think it's really important that compliance officers and those talk about the outcomes, not the process. Talk about the customers, not the laws. Talk about the impact on culture. Talk about how they can save money, not how they need more money.
So an ROI is a really simple equation. First, you have a look at what's the return you can get from a particular action. And a great way to look at that is to actually take an inventory of your cost. How much cost have we got? And then think about, what are those actions, using those five principles -- and I'm sure there's some other things as well, but they were the five that really stuck out.
And what can you do to get a return? A return to customer, a return to costline, a return to culture and staff, and most importantly, growth. And to me, in a trust-based world, compliance sells. I am not going to send my family on an unsafe airline. I'm only going to sign up to digital products and solutions that I feel treat my data and so forth.
So I think there's money in this. I think there's revenue in this, when done right. So I think we've just got to change our language. And in doing that, we've got to change our mindset, and to do that, we've got to bring some new skills to the table here around compliance. That's what we're trying to do -- is awaken that possibility and show that, and help people other than the chief compliance officers do this.
So if there's one thing I’d say to the chief compliance officer, send them to our microsite, take your CEO to the microsite. Send your CEO, send your head of the audit committee, send some of the line-one execs who are looking at this to the microsite.
We've got a little quiz there that anyone can do. And it's targeted at those senior executives -- not those who live and breathe compliance. It'll take less than two minutes. It's going to ask them five questions about how they're thinking about this against those five principles. And we just think it's really interesting to provide thinking about this.
So I commend that to you to help you manage your stakeholders.
Kristin Rivera:
We'll be sure to include a link both to the microsite you've mentioned, Andrew, as well as that quiz so our listeners can access that easily. But I'd really like to thank you for taking the time to sit with me today and share your perspectives on compliance, transformed.
I look forward to our next discussion when we'll explore transparency and how reporting can drive change within organisations. Please remember to subscribe to our podcast series, “Emerge stronger through disruption,” wherever you get your podcasts so that you don't miss out on future episodes. Thanks so much for joining us. Until next time.