[author: Linda Luty]
NAVEX publishes the Definitive Risk and Compliance Benchmark Report each year, surveying over 1,100 industry professionals. The purpose of this report is to provide insight into the effectiveness of R&C programs and enable leaders to share findings with their boards of directors, c-suite and other stakeholders. Among other things, this information can be used to demonstrate how the program stacks up and where opportunities exist for improvement. This post explores one of the report’s key findings: E&C programs still have opportunities to better utilize program data.
Data lives everywhere in your organization, but if you can’t find the data you need, it might as well live nowhere. Siloed information is essentially useless if the data is not in the correct hands, or if it is simply being collected and shelved. One of the richest sources of data comes from ethics and compliance programs, particularly from the whistleblower hotlines, where inquiries and reports provide invaluable insights into the cultural health of the organization.
There is significant conversation about the importance of building compliance programs on a strong foundation of risk assessment, including guidance from the U.S. Department of Justice. This guidance also expects that compliance officers have access to cross-functional risk data. Yet, in the 2022 Risk and Compliance survey, fewer than half of respondents whose organization uses risk assessment results (47%) indicated they have access to operational data across functions to inform their risk assessments.
If information is everywhere, what information is being used to review, test and improve risk and compliance programs? Survey data from this year’s report indicates:
- More than 60% of organizations said they use lessons learned from misconduct to improve their programs
- Nearly half (45%) use their organization’s culture of compliance to review, test and improve their programs
Organizational culture is likely the strongest driver of behaviors, and this measure, while potentially subjective, is an important risk factor to consider in measuring program effectiveness. However, this data also indicates that nearly 40% of organizations do not use lessons learned from misconduct, and over half do not look to their culture of compliance to review, test and improve programs.
In short, data related to cultural health exists, but is only being leveraged by approximately half of organizations.
Effective program reviews consider multiple sources of data, and our survey found that organizations do use a variety of sources for program audits. Of those who use compliance program audits, more than 4 out of 5 (84%) review their compliance policies, procedures and practices to ensure they are applicable for particular business units.
Most also audit internal investigation reports and incident reports from their hotline/whistleblower programs. It is notable, however, that 30% do not use incident reports from hotline/whistleblower programs as a source of data.
Between leveraging data from multiple sources in a program audit and using lessons learned from misconduct and evaluations of cultural health – such as employee sentiment surveys – E&C leaders have the source material to paint the picture of their organization’s culture.
Earlier we discussed one of the other survey findings, leadership’s opportunity to improve commitment to compliance – this is perhaps one of the most important places to start. By engaging the board of directors, c-suite and other senior leadership, organizations are then able to create a top-down culture of compliance.
One way to do that is with data. Compliance leaders have a wealth of information from their own organization, and also benchmarking data available to demonstrate the importance of a culture of compliance and build the case for prioritizing this as a cultural value.
Another strategy is to lean on the DOJ’s continued emphasis on a culture of compliance. Regulatory enforcement is on the rise and, more and more, organizations and executives are being held accountable for corporate misconduct. Proactively addressing this by focusing on compliance will pay dividends in the long term, and the company will undoubtedly benefit from a consistently ethical culture.
NAVEX is committed to helping organizations of all sizes improve their cultures through ethics and compliance. The Risk and Compliance Survey Benchmark Report consists of the data yielded from over 1,100 risk and compliance professionals surveyed and gives valuable data on the state of risk and compliance programs across the world. For more insights and a deeper understanding of E&C programs