PORTLAND, Ore. — June 20, 2024 – NAVEX, the leader in integrated risk and compliance management software, today announced the publication of its 2024 State of Risk & Compliance Report. This year, more than 1,000 risk and compliance (R&C) professionals were surveyed across the globe. Key findings of this study include the significant influence of leadership on compliance program maturity, the uneven sharing of technology across R&C business units, and persistent challenges associated with third-party oversight.

“The survey results from this year indicate a link between the perceived commitment of leadership to compliance and the perceived maturity of a compliance program,” stated NAVEX Chief Risk and Compliance Officer, Carrie Penman. “Further, stronger board engagement was also linked to more mature programs. Put simply, leaders at all levels significantly impact how the company’s compliance program performs through active involvement and positive actions, leading to greater program maturity.”

Level of maturity holds steady for second year, though lack of important program elements raises concern

Similar to the 2023 State of Risk and Compliance survey results, 50% of respondents said their program was in one of the top-two maturity tiers as defined by the Ethics & Compliance Initiative’s program excellence framework. Only 22% said their program was in one of the two lowest tiers.

Yet, only 61% of respondents said their organization has a hotline or whistleblower internal reporting channel – a critical R&C function – as part of their incident management program. Fewer – 55% – said their organization has a non-retaliation policy. Sixty-four percent said training on ethics and code of conduct was planned in the next two-to-three years, meaning a large share are not planning training in this foundational topic. These are all essential elements of any compliance program, and findings suggest some may be falling short.

Leadership’s compliance commitment associated with program maturity and outcomes

Data suggests a positive leadership commitment to compliance has the power to influence stronger program maturity. Ninety-two percent of respondents who placed their organization in the two highest maturity levels flagged at least one positive behavior among senior executives pertaining to the compliance program – “encouraging compliance and ethics,” “modeling proper behavior” or “persisting in a commitment to ethics in the face of competing interests.” A smaller share – 75% – in the two earliest-maturity bands said the same, a 17-percentage point spread.

Fifty-one percent of respondents who said their program was in earlier-maturity stages indicated at least one negative behavior – “tolerating greater risk,” “impeding compliance personnel” or “encouraging employees to act unethically” – among senior executives. On the other end of the maturity scale, a smaller share – 37% – of later-maturity respondents flagged a negative behavior.

Negative leadership behaviors also appeared associated with a greater organizational likelihood to experience a compliance issue. For example, 51% of respondents who said their organization experienced at least one compliance issue in the past three years also flagged at least one negative behavior among senior executives. Twenty-seven percent of those who said they had not experienced a recent compliance issue flagged a negative behavior.

Finally, respondents who indicated better program maturity were also more likely to confirm their board of directors had various avenues of engagement with the compliance program. Seventy percent of respondents in the later maturity stages said their board received periodic reports about compliance matters, compared to 56% of those in the lower maturity tiers. Thirty-nine percent of those in later maturity said the board was highly engaged in the program, compared to 18% in earlier maturity.

Data sharing is uneven across silos

When asked whether their function shared technology systems and data with other functional areas – not their own – respondents were most likely to say they did so with compliance (81%), risk (76%) and data privacy (73%). The smallest segment said they shared technology with sustainability (53%), but relatively small shares said they shared technology with finance (64%) and human resources (68%) as well. Lower levels of data sharing with human resources are concerning given the volume of human resources-related issues received by compliance programs.

Some survey data provided a brief look into compliance’s engagement with AI. Seventy-five percent of respondents said the compliance function was at least “engaged” or even more deeply involved in AI risk management. Thirty-nine percent said their organization planned training around AI.

Ongoing oversight of third parties appears to present challenges

Only 69% of respondents said their organization was “good” or better at engaging in ongoing monitoring and risk management throughout the course of a relationship with a third party. This suggests three out of 10 organizations are challenged in this area – and 11% of respondents went so far as to say their program was “poor” with respect to ongoing monitoring of third parties.

Regulatory and consumer pressure will continue to increase expectations of ethical business practices across the supply chain globally, requiring due diligence to be more than a “check-the-box” or a “one and done” exercise.

Register for The State of Risk & Compliance in 2024 webinar here.

About 2023 State of Risk & Compliance Report
The benchmark research was conducted online by The Harris Poll on behalf of NAVEX among 1,066 adults, who are non-academic professionals (management/non-management or higher) and knowledgeable about their organization’s risk and compliance program in the United States (n=589), United Kingdom (n=133), France (n=113), Germany (n=113), and other countries (n=118). The survey was conducted between February 12 – March 18, 2024.

About NAVEX

NAVEX is trusted by thousands of customers worldwide to help them achieve the business outcomes that matter most. As the global leader in integrated risk and compliance management software and services, we deliver our solutions through the NAVEX One platform, the industry’s most comprehensive governance, risk, and compliance (GRC) information system.