NAVEX State of Risk and Compliance Report

Like the annual Presidential State of the Union Address, NAVEX’s yearly State of Risk and Compliance Report provides important insights and benchmarks against which compliance professionals can measure their own accomplishments and upcoming priorities.
This year, NAVEX surveyed nearly 1000 risk and compliance professionals. The headline findings are fascinating and important to consider.
The New Priority of Artificial Intelligence (AI)
We are all aware of the importance of AI, the need to proactively address risks, and to build an AI governance structure. NAVEX’s survey revealed that only 1/3rd of compliance professionals are “very involved” in AI decision-making, only 32 percent are “somewhat involved,” and 35 percent are either “not involved” or “not sure.”
It is imperative that compliance has a seat at the table in AI decision making, oversight and risk management. Because of the importance of AI to various business functions, compliance has to get ahead of the adoption curve to ensure that proper controls are implemented to manage pervasive risks.
In most cases, the AI initiative may be headed by Information Technology. That seems logical, but risk and compliance professionals should sit alongside IT to support adoption, training and use of AI technologies that are incorporated into business processes.
The NAVEX report notes that 67 percent of respondents cited “lack of visibility into risks” or “gaps in implementation of compliance controls” as their top AI concern. Luckily, 65 percent of the respondents reported that compliance is either “very” or “somewhat” involved in decision making regarding use of AI at their organizations.

Internal Investigations Structure
The NAVEX report included a timely and important inquiry on the organization of internal investigation functions. A large majority of respondents (67 percent) noted that their organizations used a centralized structure for conducting internal investigations. Only 23 percent responded that their organization maintained a decentralized approach. Mature compliance programs typically have a centralized internal investigation function (73 percent). Organizations with between 1000 and 9999 employees were the most likely to have a centralized investigation function. 62 percent of organizations with 10,000 or more employees had a centralized investigation program. Approximately 33 percent of respondents who have a centralized program have only 1 to 5 investigators. 16 percent of those with a decentralized program have more than 30 investigators, versus 12 percent of centralized programs.
Compliance and Risk Functions and Overlap
The NAVEX Report confirmed a growing and important trend — the overlap of risk and compliance as natural partners in identifying risk, measuring risk, and implementing risk mitigation strategies. Compliance often wears two hats — a risk mitigator and an ethical organization evangelist.
This was confirmed in the survey where 7- percent of compliance professionals reported they were “highly engaged” in risk assessment and management. However, only 61 percent of respondents stated that their organization used risk assessment results to review and improve their risk and compliance program. Interestingly, only 24 percent of respondents noted that their risk assessment process is effective.
Board and Compliance Engagement and Reporting

Surprisingly, only 64 percent of respondents confirmed that compliance provides periodic reports to the board of directors or committees thereof. The rate increases to 71 percent for organizations with 10,000 or more employees. Only 52 percent of respondents stated that the board of directors exercises oversight of the compliance program.
Third-Party Risk Management
Over 50 percent of respondents conducted screening of third parties for regulatory (58 percent) and cybersecurity and data protection (54 percent) risks. On other issues, screening was below 50 percent: financial health and stability (49 percent); human rights (33 percent); and litigation history (30 percent). A large percentage (84 percent) agreed that their third-party due diligence program reduces their legal, financial and reputational risks.
Leadership Role in Ethics and Compliance Programs
We all agree on the importance of “tone from the top.” The survey reflected this issue, noting that 78 percent cited their senior leaders as encouraging and promoting ethics and compliance in their organization. A small number of executives and mid-level managers — 10 percent — encouraged their employees to act unethically to reach a specific business objective.
Compliance Training Programs
In general, respondents gave positive marks to ethics and compliance training programs. 76 percent reported that their training programs were “good” and tailored to high-risk and control employees. 80 percent reported training programs were delivered in foreign languages when appropriate.
Consistent with the growing trend of delivering shorter, targeted training sessions, NAVEX’s report noted that 43 percent of respondents stated that their training program was “excellent” or “very good.”

Internal Reporting Systems
Given the importance of maintaining an effective employee reporting system, NAVEX reported that 53 percent of respondents stated it was “unlikely” that their organization has a hotline or whistleblower internal reporting channel. Larger organizations (more than 10,000 employees) had a higher rate: 69 percent confirmed they have a hotline or whistleblower internal reporting channel. Fewer than 49 percent of respondents stated their organization had a non-retaliation policy.
Purpose-Built Technology and Compliance
Ethics and compliance professionals have integrated technology to execute compliance functions and provide strategic support to the business. 78 percent used purpose-built technology for training, while between 59 and 73 percent used technology to support other compliance program functions.











