Each year, NAVEX produces the Hotline & Incident Management Benchmark Report – a comprehensive assessment of trends in whistleblowing. This year, our analysis included 1.52 million reports across 3,430 organizations and is in use by many organizations to benchmark their compliance programs against peers and industry standards.
The findings in this report, which cover data from 2022, illuminate trends in hotline reporting and the overall cultural health of thousands of organizations across the globe. This post explores one of the key findings from this year’s benchmark: smaller organizations have different intake and outcome trends than their bigger counterparts, and mid-size companies are experiencing some challenges
Key finding from this year’s report
This year, NAVEX expanded the number of benchmark metrics subject to analysis by organization size. The ability to highlight these findings illustrated what many compliance professionals and regulators have already known – every company, and every program, is different. No one “number” is the “right” number” in an organization’s self-assessment of program efficacy. All findings are in context. However, the analysis by organization size points to some opportunities to consider where processes for a large organization may not be as effective for a smaller one, and vice versa.
Smaller organizations see largest report volumes, and should take those reports very seriously
Findings for smaller organizations suggest a robust incident management program is critical.
By a wide margin, the smallest organizations, those with fewer than 2,500 employees, had the greatest “reports per 100 employees” across the size spectrum in 2022. At 2.99 reports per 100 employees, this number significantly outweighs the 1.37 reports per 100 employees for organizations with between 50,000 and 99,999 employees and 1.20 for organizations with over 100,000 employees.
Similarly, substantiation rates were highest for the smallest organizations, with those under 2,500 employees registering a 47% substantiation rate. No other size cohort saw greater than a 42% substantiation rate.
This comes as smaller organizations also saw the largest levels of anonymous reporting, with those in the 2,500-to-5,999 range seeing 60% anonymity. That compares to under 50% anonymity for organizations over 50,000.
Given the simple fact of a smaller head count, even a single substantiated report can have a major impact on the cultural health of a smaller organization. As smaller organizations generally may have fewer resources for activities such as incident management, the dynamics revealed in this analysis show that this is not an area to underinvest. Larger report volumes, stronger substantiation and greater anonymity all suggest that compliance professionals at smaller organizations have their work cut out for them – and the opportunity to make a substantial impact on their organization’s culture.
Mid-size organizations appear to be the most challenged
Organizations in the middle of NAVEX’s analysis by employee count appear to face the most challenges.
In the range of 2,500 to 50,000 employees, organizations received the fewest reports per 100 employees – under 1.0 reports. These organizations have among the highest anonymity levels as well, and the longest case closure times. Substantiation rates are close to overall medians.
While the smallest organizations in our study of the hotline data face a level of activity suggesting the value of a robust incident management program, it’s possible some might be able to “get by” with less sophisticated practices – at least in the short term. This is decreasingly likely for mid-size organizations, where increasing complexity – locations, head count, regulatory pressure – may rapidly outstrip a less sophisticated approach to incident management. Resource constraints may be most acute for these organizations, both in messaging and in investigations.
Large organizations should ensure report capture from all sources
It’s true that data show large organizations capturing less than half of the reports per 100 employees as smaller organizations. Yet that may not tell the whole story – are all issues being captured and analyzed in a cohesive manner?
It seems plausible that, for the largest organizations, issues are more likely to be resolved at a local location level and never make it to a centralized reporting system. Compliance professionals at larger organizations may have substantial direct optics into the issues reporters are vocalizing and an easier time encouraging use of a centralized system, thus increasing the likelihood those reports are recorded. Contrast that with a large restaurant chain with scores of individual locations, for example, and it’s easy to see how some issues may be addressed on an ad-hoc basis at the individual branch level.
Large organizations can benefit by ensuring reports from all channels, such as “walk-in” reports to a manager, are captured, which can provide important insight into trends and risk areas. Data show that these largest organizations have the shortest median case closure times, at 19 days, which suggests resources for investigation – resources that may also be well suited for intake and data analysis.
Unique challenges, common solutions – learn more
Not surprisingly, a robust hotline and incident management program is an important asset for organizations of any size. Yet compliance professionals face different dynamics in steering their programs toward addressing the unique dynamics seen across the size spectrum, all ultimately in service of capturing data and reports, and responding in a robust manner. These are some of the hallmarks of a compliance program that builds an ethical culture that trusts an organization will “do the right thing.”
The benchmark report is full of data analysis and insight for you to improve your hotline program performance. To gain expert analysis and to access the full report:
