Compliance Program Maturity is an Indicator of Current & Future Program Performance

In NAVEX Global’s inaugural Definitive Corporate Compliance Benchmark Report, ethics- and compliance-related representatives from a wide range of industries and more than 1,000 organizations responded to survey questions about their approaches to building, managing and optimizing effective ethics and compliance (E&C) programs.


Although we have been collecting and delivering leading-edge market benchmark reports for almost a decade, we have traditionally produced four separate reports focused on individual compliance program elements. Now, as the market evolves toward comprehensive platform solutions, we have integrated our findings into one report to highlight key correlations and identify systemic performance drivers. (Our Hotline Benchmark Report will still be available separately.)


The Significance of Program Maturity

E&C program maturity – classified in the report as Reactive, Basic, Maturing or Advanced – is a key indicator of current and future program performance based on the answers respondents provided to global survey questions. The definition of full performance is based on indicators such as use of program elements, program effectiveness measures, program performance and accomplishments, and support of senior management.

Along with program maturity, the report identifies leadership buy-in and the use of technology as key performance drivers in successful compliance programs. For instance, approximately half (48%) of all respondents say their senior management view their compliance program as a strategic part of risk management efforts. However, when the data is cut to isolate respondents from Advanced programs, that number rises to 83%. For Reactive programs, the number drops to 13%.

Of this 83% subset of respondents who operate Advanced programs and have senior management who view the program as part of a comprehensive risk management strategy, 97% feel their organization is ethical most, or all, of the time. Analyzing the data one step further, we see that two-thirds of that group (65%) also use five compliance technology solutions.

That is a lot of data to process in a short paragraph, but the key takeaway is this:

Respondents from Advanced compliance programs have senior management who view their efforts as a strategic part of risk management, implement a larger number of technology solutions to automate their compliance operations, and believe that their organization is ethical all or most of the time.

As you can see, the study found a divide in program performance across maturity levels. This divide becomes even more apparent when applied to high-profile topics in the industry.

Program Maturity in Relation to Emerging Topics

Current news cycles have made four topics top of mind for compliance professionals: harassment, bribery and corruption, conflicts of interest, and data privacy and security. The Definitive Corporate Compliance Benchmark Report dives deeper into the data for each; however, I will highlight two topics here that I think offer important learnings.  

Surprising Response (or Lack of Response) to Preventing Sexual Harassment in the Workplace

Despite the #MeToo movement’s dominance of the headlines over the last two years, our survey (conducted in early 2019) found that only half (48%) of surveyed organizations rated harassment as a top E&C program concern. And when asked, “How has your organization changed because of the #MeToo movement?” again, almost half (48%) said there has been no change.


However, cutting the data by program maturity, we see a somewhat different story. Advanced programs were most likely to have opened a dialog within the organization about harassment and to have increased training courses or frequency. When asked about tactics taken to prevent harassment, 84% of Advanced programs said they have deployed harassment-specific training; 72% have implemented harassment-specific policies; and 66% have incorporated executive support into their anti-harassment approach.

While it may be surprising that almost half of businesses have made no changes in response to #MeToo, it should come as no surprise that those who have made changes will be in a better position to create harassment-free workplaces. And those Advanced compliance programs, with their strong leadership support, are better positioned to quickly respond to future changes in the workplace.

Data Occupies Top Three Compliance Concerns

The top three ethics and compliance program concerns identified in the report all relate to data: data privacy, data security, and data confidentiality. These concerns span across all program maturity levels. With data breaches and new data regulations making news every day, business leaders have recognized cybersecurity as a risk they must proactively address. Accordingly, 68% of respondents cite cybersecurity as a top concern, and 69% cite data privacy/protection as a top concern.


But while organizations are implementing sophisticated cybersecurity technology, many of the largest and most damaging data security breaches still result from internal human error. Many compliance officers rightfully rely heavily on their IT and data privacy teams to stay on top of all of the requirements. However, compliance officers are well situated in the organization to partner with these teams using our existing ethics and compliance systems and processes to help the organization address this and any other emerging risks to the organization. As a primary function in the people business, E&C can have considerable influence on reducing human error.

Resources to Match Concerns

Though compliance officers’ concerns often align with the news cycle, the resources their organizations provide don’t always match up, especially when it comes to Reactive organizations. This echoes what my colleague Ingrid Fredeen wrote recently about compliance training: “Training expectations are not always aligned with training investment.” Similarly, third-party risk management solutions don’t always align with an organization’s exposure to risk. And on a more foundational level, the study found that compliance budgets have largely not expanded to meet expanding risks.

We as a compliance function have become adept at delivering effective single program elements. Now, as our industry and programs grow more sophisticated, we are identifying what the next level of program maturity looks like. This includes integrated program strategies that inform, adapt to, and complement one another and holistically contribute to improved ethical cultures and reduced organizational risk.
