[co-author: Eric Gneckow]
The resilience of risk and compliance (R&C) leaders over these past couple of years has been remarkable. Our profession adapted amid the massive and sudden workplace shifts brought on by COVID-19, and by most accounts, maintained the efficacy of our programs by focusing on the core areas most important to managing risk. The 2022 edition of The Definitive Risk & Compliance Benchmark Report provides evidence of this resilience and dedication even as the world dealt with a second year of pandemic disruption.
This year’s report is based on survey responses from more than 1,100 compliance professionals around the world. As in years past, it serves as a barometer for R&C programs as a whole and offers data on practices that organizations can use to improve their own performance in the future.
Among the key findings is evidence of greater confidence in how organizations will structure their workforces and locations going forward. Fully 95 percent of respondents indicate their organization has a plan to address post-COVID work, whether it be in-person, hybrid or fully remote. The uncertainties of the pandemic may not be fully behind us, but there is evidence most organizations know how they will move forward.
It is also clear many compliance leaders will face relatively novel workforce dynamics that could present new cultural and compliance challenges. One such consideration: will high-performing remote employees see themselves as passed over for career advancement compared with peers who have more in-person face time? R&C professionals must play an important role in ensuring that these new working models can still enable a culture of ethics, trust and fairness, no matter where an employee is located.
The structure of R&C programs across the board continues to take many forms. Non-compliance duties are still somewhat common for compliance personnel. And for 1 in 5 organizations, the function itself is split across multiple departments. As for executive leadership visibility to the impact of risk and compliance programs, only one-quarter of organizations have an independent compliance function reporting to the board and/or CEO.
This year, NAVEX leveraged both the Department of Justice Guidance for the Evaluation of Corporate Compliance Programs and the High-Quality Ethics & Compliance Program (HQP) Assessment from the Ethics & Compliance Initiative (ECI) to frame the survey and characterize where programs stood on the maturity spectrum. Using the ECI-HQP guidelines, respondents self-reported their level of program maturity, from “underdeveloped” to the most mature tier, “optimizing.” It was encouraging to see that nearly 2 in 5 programs considered themselves in the top two tiers of maturity, indicating that many organizations possess and/or focus on the HQP elements ECI encourages.
Still, 1 in 10 respondents self-reported that their organization was in the “underdeveloped” category. But even this can be interpreted as something of a positive finding – a level of self-awareness around opportunities to improve means the information in this report will present ample ideas and possible tools to help “underdeveloped” programs mature.
Notably, the ECI maturity model does not indicate a completion point or final goal line. Instead, it describes each stage of maturity as a journey of improvement and refinement. Even highly mature programs must be monitored and refined as market conditions, risk profiles, regulations, organizational growth and other factors come into play.
The results of this year’s risk and compliance benchmark report survey highlighted several key areas that present both challenges for practitioners and opportunities to significantly increase the positive impact of their programs, specifically:
Risk assessments are a foundational element and an essential practice for all R&C programs, yet more than one-quarter of respondents (26 percent) did not report that their organization’s risk assessment is either current or subject to periodic review. This alone is concerning. In addition, less than half (47 percent) said their assessments are informed by continuous access to operational data across the organization. A similar proportion said their risk assessment resulted in a risk-tailored resource allocation devoting greater time and scrutiny to higher-risk areas of the business. While this bodes well for roughly 50 percent of organizations who use their risk assessments effectively, it is problematic for the other half. The bottom line is that while many organizations are doing a good job in their risk assessments, a significant portion may be going through the motions but achieving less-than-optimum results.
Roughly half of respondents (48 percent) indicate that their senior leadership and mid-level managers persisted in a commitment to compliance even when faced with competing interests and/or business objectives. This of course may mean that the other half fear this is not the case. Despite a strong majority of respondents who said leaders encourage compliance within their organizations, there is a sense that these same leaders fail to consistently model ethical and compliant behavior, which undermines the extent to which employees embrace those values themselves.
The EU Whistleblower Directive is but one recent example of regulations across the globe that require organizations to enable and protect reporters of misconduct. In multiple areas of this report, respondents indicated a surprising lack of prioritization for this important function. Setting aside the possibility of regulatory response to a weak or ineffective system, a strong internal reporting (whistleblowing) program is a critical risk management function. Risk and compliance practitioners have long recognized it as “the canary in the coal mine” for detecting and addressing risks and patterns of misconduct. But this year’s survey suggests focus on internal reporting – and the predictive value of this information in identifying and mitigating risk – is not as sharp as it could be. Further, organizations are not yet seeing value in proactively addressing the fear of retaliation in their organizations. Until this is addressed, a true speak-up culture is not possible.
When asked to indicate the importance of compliance issues to their organization, 66 percent of respondents rated regulatory compliance as being “absolutely essential.” Only 39 percent said “organizational culture” was “absolutely essential.” This disparity presents an opportunity – organizational culture is, of course, the major driver of ethical behavior. Organizations may want to consider whether they are sufficiently prioritizing culture, both in support of compliance and as the foundation of an overall positive workplace.
More than half (56 percent) of respondents said their organization’s Environmental, Social and Governance (ESG) program has support from the CEO, and about the same share (53 percent) said helping their organization maintain social and environmental accountability was either “very important” or “absolutely essential” in their organization’s decision-making process. While this indicates ESG is poised for growth, nearly half (48 percent) of respondents said their organization does not use any frameworks or standards to measure ESG factors or disclose program performance. But among the other 52 percent of organizations, respondents indicate use of one or more of at least eight different frameworks in their reporting. Time will tell what standards and frameworks will emerge as ESG becomes a greater organizational priority.
This year’s survey should give risk and compliance professionals confidence about the positive impact their programs can and do have on the business. There is significant self-awareness about program maturity – where an organization’s program is today as it aspires to improve – even among those that are early in their development. It is also increasingly clear that helping executive leadership demonstrate support for compliance programs is fundamental to their success.
Finally, there is little doubt that performance against ESG metrics will have greater importance going forward. Intriguingly, many social and governance aspects of an organization’s behavior had been part of the compliance function long before the ESG acronym was coined. In relatively short order, it is quite possible ESG-related metrics and actions will become a natural extension of risk and compliance responsibilities.
The 2022 Risk and Compliance Benchmark Report is now available: