NAVEX continues to be one of the premier sources of essential annual benchmarking studies. Recently, NAVEX issued its 2022 Definitive Risk and Compliance Benchmark Report. The Report was based on over 1100 survey responses from compliance professionals around the world.
From the topline view, NAVEX reported that organizations have successfully addressed post-COVID work environments with a combination of on-site, remote and hybrid arrangements. In this novel situation, companies face challenges when embedding and promoting a company’s culture.
Additionally, ethics and compliance programs continue to face challenges in execution of their programs — only one quarter of companies maintain an independent compliance function reporting to the Board and/or CEO. Almost one third (29 percent) of respondents reported that their compliance department is located in the legal department. Further, only 2 in 5 programs self-described their programs as “mature.” 1 in 10 described their program as “underdeveloped.”
The NAVEX Report contains several key findings:
Underutilization of Risk Assessments: NAVEX reported that risk assessments are being conducted but the results are not always used. As all compliance professionals know, a risk assessment is the foundation of every compliance program. Yet only 26 percent of respondents reported that their risk assessment is current or subject to periodic review. Less than half (47 percent) update their compliance programs with operational data. The other 53 percent of respondents are not fully utilizing and updating their risk assessment results to inform their overall compliance program.
Leadership Commitment to Compliance: Nearly half of respondents (48 percent) reported that senior leadership and mid-level managers were committed to compliance even when faced with competing interests or business objectives. While business leaders encourage compliance, these same leaders fail to model ethical and compliance behavior, which undermines the overall effectiveness of compliance.
Companies Soft Attitude to Whistleblowers: While regulators continue to focus on whistleblowers, companies appear not to be devoted to promoting and protecting internal whistleblowers. A vibrant internal reporting system is critical to a company’s culture and operations. Companies, however, are falling short in this effort and failing to prioritize employee reporting and protection against retaliation.
Emphasizing Regulatory Compliance to the Detriment of Culture: 66 percent of respondents reported regulatory compliance as “absolutely essential;” only 39 percent stated that organizational culture was “absolutely essential.” This misunderstanding represents a gap in understanding that organizational culture is the bedrock of any compliance program.
ESG Metrics and Standards are Rising in Importance: More than half (56 percent) of respondents reported that their organization’s ESG program has support from the CEO, and supporting the company’s ESG initiative. While ESG is poised for growth, nearly 48 percent of respondents stated their organization does not use any frameworks or standards to measure ESG factors or disclose program performance. With respect to the remaining 52 percent of organizations, respondents used one or more of eight existing different frameworks in their reporting.
Board of Directors Disconnect: While most boards receive periodic compliance reports, surprisingly, 3 in 10 respondents reported that their boards do not receive any periodic compliance reports. 48 percent reported examine compliance data as part of their oversight function. Only 36 percent reported that boards hold executive and/or private sessions with the compliance representative. Such a low level of board engagement is not only unwise but dangerous.
Access to Data and Resources: Interestingly, respondents stated that their programs have sufficient access to resources. The vast majority — 83 percent — stated they have sufficient access to sources of data to monitor and/or test policies, controls and transactions. Almost 4 in 5 respondents (79 percent) stated their programs were at least “somewhat sufficiently” funded for auditing, documenting, analyzing and acting on results of compliance efforts. Nearly three quarters (74 percent) stated that staffing was at least “somewhat” sufficient, or better, to meet program objectives.
Training and Updating Policies is a Top Challenge: Nearly one-half of respondents (48 percent) selected “training employees on policies” as one their top-three challenges. Two out of five stated that aligning policies with changing regulations” was a top challenge.