In NAVEX Global’s inaugural Definitive Corporate Compliance Benchmark Report, ethics- and compliance-related representatives from a wide range of industries and more than 1,000 organizations responded to survey questions about their approaches to building, managing and optimizing effective ethics and compliance (E&C) programs.
Although we have been collecting and delivering leading-edge market benchmark reports for almost a decade, we have traditionally produced four separate reports focused on individual compliance program elements. Now, as the market evolves toward comprehensive platform solutions, we have integrated our findings into one report to highlight key correlations and identify systemic performance drivers. (Our Hotline Benchmark Report will still be available separately.)
The Significance of Program Maturity
E&C program maturity – classified in the report as Reactive, Basic, Maturing or Advanced – is a key indicator of current and future program performance based on the answers respondents provided to global survey questions. The definition of full performance is based on indicators such as use of program elements, program effectiveness measures, program performance and accomplishments, and support of senior management.
Along with program maturity, the report identifies leadership buy-in and the use of technology as key performance drivers in successful compliance programs. For instance, approximately half (48%) of all respondents say their senior management view their compliance program as a strategic part of risk management efforts. However, when the data is cut to isolate respondents from Advanced programs, that number rises to 83%. For Reactive programs, the number drops to 13%.
Of this 83% subset of respondents who operate Advanced programs and have senior management who view the program as part of a comprehensive risk management strategy, 97% feel their organization is ethical most, or all, of the time. Analyzing the data one step further, we see that two-thirds of that group (65%) also use five compliance technology solutions.
That is a lot of data to process in a short paragraph, but the key takeaway is this:
Respondents from Advanced compliance programs have senior management who view their efforts as a strategic part of risk management, implement a larger number of technology solutions to automate their compliance operations, and believe that their organization is ethical all or most of the time.
As you can see, the study found that there is a divide between program performance when it comes to maturity level. This divide becomes even more apparent when applied to high profile topics in the industry.
Program Maturity in Relation to Emerging Topics
Current news cycles have made four topics top of mind for compliance professionals: harassment, bribery and corruption, conflicts of interest, and data privacy and security. The Definitive Corporate Compliance Benchmark Report dives deeper into the data for each; however, I will highlight two topics here that I think offer important learnings.
Surprising Response (or Lack of Response) to Preventing Sexual Harassment in the Workplace
Despite the #MeToo movement’s dominance of the headlines over the last two years, our survey (conducted in early 2019) found that only half (48%) of surveyed organizations rated harassment as a top E&C program concern. And when asked, “How has your organization changed because of the #MeToo movement?” again, almost half (48%) said there has been no change.
However, cutting the data by program maturity, we see a somewhat different story. Advanced programs were most likely to have opened a dialog within the organization about harassment and to have increased training courses or frequency. When asked about tactics taken to prevent harassment, 84% of Advanced programs said they have deployed harassment-specific training; 72% have implemented harassment-specific policies; and 66% have incorporated executive support into their anti-harassment approach.
While it may be surprising that almost half of businesses have made no changes in response to #MeToo, it should come as no surprise that those who have made changes will be in a better position to create harassment-free workplaces. And those Advanced compliance programs, with their strong leadership support, are better positioned to quickly respond to future changes in the workplace.
Data Occupies Top Three Compliance Concerns
The top three ethics and compliance program concerns identified in the report all relate to data: data privacy, data security, and data confidentiality. These concerns span all program maturity levels. With data breaches and new data regulations making news every day, business leaders have recognized cybersecurity as a risk they must proactively address. Accordingly, 68% of respondents cite cybersecurity as a top concern, and 69% cite data privacy/protection as a top concern.
But while organizations are implementing sophisticated cybersecurity technology, many of the largest and most damaging data security breaches still result from internal human error. Many compliance officers rightfully rely heavily on their IT and data privacy teams to stay on top of all of the requirements. However, compliance officers are well situated in the organization to partner with these teams using our existing ethics and compliance systems and processes to help the organization address this and any other emerging risks to the organization. As a primary function in the people business, E&C can have considerable influence on reducing human error.
Resources to Match Concerns
Though compliance officers’ concerns often align with the news cycle, the resources their organizations provide don’t always match up, especially when it comes to Reactive organizations. This echoes what my colleague Ingrid Fredeen wrote recently about compliance training: “Training expectations are not always aligned with training investment.” Similarly, third-party risk management solutions don’t always align with an organization’s exposure to risk. And on a more foundational level, the study found that compliance budgets have largely not expanded to meet expanding risks.
We as a compliance function have become adept at delivering effective single program elements. Now, as our industry and programs grow more sophisticated, we are identifying what the next level of program maturity looks like. This includes integrated program strategies that inform, adapt to, and complement one another and holistically contribute to improved ethical cultures and reduced organizational risk.