NAVEX’s 2023 State of Risk & Compliance Report: Compliance Steps Up
A significant finding was an increase in respondents who characterized their respective programs as “mature,” applying the ECI’s five-point definition for program maturity. Specifically, more than half (53%) stated their organization was on the mature side of the spectrum, compared to 38% in 2022. At the same time, the number of immature programs declined from 2022 to 2023.
NAVEX also found that mature programs often included strong board and executive level engagement. Of the programs that were mature or better, 67% deliver periodic reports to the board; 55% have compliance experience represented on their board; 52% conduct private sessions with a board committee; and 25% reported that compliance is an independent function reporting directly to the CEO or board.
In recognition of the rising threat level from cybersecurity attacks, ransomware, and data privacy, ethics and compliance programs have forged a new and lasting internal partnership with information security professionals. Three in 10 respondents reported that their organization suffered a data privacy/cybersecurity breach in the last 3 years. Eighty-four percent of respondents indicated that compliance and information security have a strong working relationship.
The top five risks identified by respondents reflected this rapidly evolving risk picture:
- 59% reported data privacy and security as very important/absolutely essential;
- 58% reported regulatory compliance;
- 44% reported harassment and discrimination;
- 43% reported anti-bribery and corruption; and
- 39% reported diversity, equity and inclusion.
In another indication of the singular focus on data privacy and cybersecurity, respondents identified the top five topics for training during the next two to three years: (1) cybersecurity (60%); (2) ethics and code of conduct (58%); (3) data privacy (57%); (4) harassment and discrimination (52%); and (5) diversity, equity and inclusion (48%).
NAVEX reported several interesting findings relating to senior management commitment to compliance. Three-quarters of respondents reported that senior leaders encourage compliance in the organization, and nearly as many report that senior leaders demonstrate their commitment to compliance to employees.
With respect to middle management, NAVEX reported a lower commitment compared to the 2022 report. Specifically, middle management’s reported commitment to compliance fell by 8 percent, and its tolerance for greater compliance risk, unethical behavior and impediments to compliance personnel increased in 2023.
Interestingly, NAVEX noted that compliance programs are increasingly collaborating with other functions in the organization. In particular, 20% reported that compliance was now spread across different functions and working together.
On specific program elements, NAVEX reported some interesting results: 65% reported they had either sufficient or very sufficient funding to audit, document, analyze and act on results of compliance efforts; a similar number reported having adequate staffing levels.
With respect to purpose-built solutions needed to administer program functions, ethics and compliance training and hotline and incident management are the most likely to have a purpose-built solution (34%); third-party risk management ranked the lowest at 25%, and 28% reported that they continue to rely on a paper-based third-party risk management program.
NAVEX’s report noted an interesting difference in perspective between Europe and the United States in implementing anti-retaliation programs. Even in the face of the EU Whistleblower Protection Directive, EU respondents indicated a relatively lower priority for non-retaliation, whistleblowing and related program elements.
More than half of all respondents indicated that whistleblowing, reporting and anti-retaliation were either very important or absolutely essential compliance issues: United States 71%; United Kingdom 66%; France 60%; and Germany 59%.
Only 61% of United States organizations indicated they had a non-retaliation policy; in Germany 41%, the United Kingdom 36%, and in France only 27% maintain an anti-retaliation policy.