Increasing convergence of risk and compliance priorities
Integrated risk and compliance management software firm NAVEX has announced the publication of its 2023 State of Risk & Compliance Report. More than 1,300 risk and compliance (R&C) professionals from around the world were surveyed.
Among the key findings of this study are a perceived decline in commitment to compliance among management teams, a persistent connection with information security (InfoSec) teams for the compliance function, and an increase in overall program maturity. The study also found notable differences across geographical responses.
"This year's findings demonstrate the importance of collaboration between the chief compliance officer (CCO) and chief information security officer (CISO) as the compliance risk landscape increasingly focuses on data privacy and information security concerns," says Carrie Penman, NAVEX Chief Risk & Compliance Officer.
"Risk and compliance professionals are continuing to work across departments to overcome the hurdles posed by the cyber-threat environment and the future of work."
Leadership's commitment to risk and compliance
The level of commitment demonstrated by management to the company's compliance efforts fell by 8% from 2022 to 2023, while commitment in the face of conflicting interests and/or business objectives dropped by 9%.
Three-quarters of respondents indicated that senior leaders encourage compliance within the organisation, and nearly as many report seeing executives lead by example through commitment to the business' compliance efforts. However, despite 70% saying senior leaders demonstrate adherence to compliance, only 47% said this persisted in the face of competing interests or objectives.
Post-COVID hybrid work model
Last year, 30% of survey respondents indicated their organisations anticipate most employees would return to in-office working conditions with an additional 56% predicting a hybrid scenario; with a fairly even mix of in-office and remote employees. Also last year, 62% of respondents said flexible, work-from-home models had a positive impact on workplace culture. This year, 93% of respondents said their organisation is embracing a hybrid work model, if not fully remote, and nearly three-quarters (73%) say it has a somewhat or very positive effect on company ethos.
It is well known that positive corporate cultures help drive better business outcomes. This dynamic is critically important as it relates to a remote workforce, who are typically under less direct supervision. For example, remote work makes observing policy and code of conduct violations or other undesired behaviours more challenging and it presents more IT security risks.
Interdependence of compliance, data privacy, and IT/information security
Nearly one-third (30% in 2023 vs. 22% in 2022) of respondents said their organisation experienced a data privacy/cybersecurity breach in the past three years. Considering this real-world challenge compliance professionals are facing, cybersecurity (60%) and data privacy (57%) are two of the three most chosen topics respondents said their organisation will train on in the next two-to-three years.
Europe lags the US in focus on non-retaliation
Despite regulatory pressures from the EU Whistleblower Directive, European respondents relegated whistleblowing, non-retaliation and related training as a low priority compared to the US. In the US, 66% of respondents said their organisation planned ethics and code of conduct training in the next two-to-three years. However, only 45% of respondents in Germany and 38% in France said the same. This training is likely to include material to educate recipients about a non-retaliation policy.
Experienced compliance professionals know that a strong non-retaliation policy is necessary for a reporting program to be effective. More than three-fifth of all respondents (68%) indicated that reporting, retaliation, and whistleblowing were either a "very important" or "absolutely essential" compliance issue for their organisation, with the following distribution in select countries: 71% (US), 66% (UK), 60% (France), 59% (Germany). In the US, 61% of respondents indicated that there is a non-retaliation policy in place at their organisation; this drops to 41% in Germany, followed by the UK at 36%, and France with only 27%.
More respondents indicated that their organisations have a data privacy policy included in their ESG program (54%) than a non-retaliation policy as a part of their confidential reporting and investigatory program (51%). Surprisingly, the gap is especially wide in Europe, illustrating an important inconsistency between the intent of the EU Whistleblower Directive and the focus of the responding organisations.
Access to and use of data
A substantial majority of respondents (69%) said their access to sources of data to monitor and/or test policies, controls, and transactions, was either "sufficient" or "very sufficient." Nearly seven out of ten respondents feel they have "sufficient" or "very sufficient" access to the data their programs need. It is notable that far fewer indicate they have a purpose-built solution to administer various program aspects (23-34%) such as incident management or policy management solutions. Depending on the program element, between 12% and 28% are still using a paper-based management method. This approach makes it difficult for programs to efficiently manage, analyze, and leverage the operational data they are bringing in.
Program maturity and reporting structure
Today's stringent regulatory environment, combined with societal expectations for greater transparency, require more compliance rigor than ever before. Compared to 2022, a significantly greater share of respondents (53% in 2023 vs. 38% in 2022) described their programs as managing or optimising (on the Ethics and Compliance Initiative HQP maturity levels of underdeveloped, defining, adapting, managing and optimising). Interestingly, program maturity seems to have little impact on where inside the organisation the compliance function reports. Among all respondents, a similar number of respondents (22%) reported that compliance is independent and reports to executive leadership.
"Effective programs, ones with cross-functional collaboration, executive and manager buy-in, strong policies and training, robust internal whistleblowing/non-retaliation mechanisms and vigilant third-party management, are best poised to navigate the ever-changing regulatory landscape while fostering a culture of ethics and compliance," says Penman.
"Even for the most mature programs, the task of fostering those dynamics will always be one of continuous improvement."