Compliance Week: Benchmark Report Provides Holistic Look at Compliance Best Practices
Compliance Week: Benchmark Report Provides Holistic Look at Compliance Best PracticesDownload
About this Article
NAVEX’s first-of-its-kind Ethics & Compliance Benchmark Report provides comprehensive research into the multiple disciplines of an ethics and compliance program.
- For anyone responsible for:
- Ethics and compliance program creation or management
- What You'll Learn:
- Common traits shared by robust & effective compliance programs
- How leadership buy-in can impact your program and how to get it
- What metrics should be tracked to measure program effectiveness
- The importance of taking risk areas into account when selecting a training program
- Page length:
- 3 pages
Read the Article
Benchmark report provides holistic look at compliance best practices
COMPLIANCE WEEK MAGAZINE
JUNE 2019 ISSUE
A benchmark report published by NAVEX provides comprehensive research into the multiple disciplines of an ethics and compliance program. Jaclyn Jaeger reports.
NAVEX on Tuesday published a first-of-its-kind ethics and compliance benchmark report that provides in a single, consolidated document comprehensive research into the multiple disciplines of an ethics and compliance program. The findings better enable ethics and compliance officers to holistically assess how their programs stack up against their peers.
The report pulls from 963 survey respondents who influence or manage their organization’s ethics and compliance program and come from diverse industries of varying organizational sizes. The maturity of survey respondents’ ethics and compliance (E&C) programs was than assigned to one of four categories: reactive, basic, maturing, and advanced.
In past reports, NAVEX has defined maturity looking across four disciplines: policy management, training, hotline and incident management, and third-party risk management. This new report, however, broadens that definition to address complete program performance based on a variety of maturity indicators—such as program elements, program effectiveness measures, program performance, and senior leadership support. According to the report, robust and effective E&C programs share the following common traits:
- Adequate funding and staffing
- Risk-based priorities and training
- Agile policy and procedure management that keeps pace with regulatory and industry changes
- A reliable internal reporting and case management system
- A comprehensive approach to third-party risk management
- Continuous improvement based on learnings.
One of the most significant findings to come from the report is the profound impact leadership buy-in has on an E&C program. “What we found was that it’s really the primary driver of program effectiveness,” says Carrie Penman, chief compliance officer at NAVEX.
Specifically, the report states organizations with strong executive backing “show greater success, more maturity, and adoption of E&C technologies that improve program performance.” Moreover, leadership buy-in is a clear driver of an ethical culture, as demonstrated by the 47 percent of respondents in advanced programs who view their organizational cultures as ethical “all of the time.” Conversely, reactive programs with senior leadership who view their E&C programs as a “necessary evil” rated their organizational ethics much lower.
Providing boards with periodic reports on the status of the E&C program is another important element of leadership buy-in, which 47 percent of respondents said they do. Advanced programs (78 percent) are far more likely to engage with their boards, compared to the 34 percent of reactive programs who provide reports to the board only when asked and the other 21 percent who said they don’t report to the board on ethics and compliance matters at all.
That finding is concerning. “Boards have an obligation to have oversight of the [E&C] program, and there is no way they can have oversight if they’re not engaging with the program,” Penman says.
As NAVEX stated in the report, “Boards that know about their E&C responsibilities relative to the program are more supportive and demanding of better measurement, analytics, performance improvement, and reduction of risks, driving their E&C programs to perform at a higher level.”
Another key finding: Technology usage correlates with and success. The top objectives for selecting new E&C technology are “increased analytics and rapid visibility to risk,” as well as “improved performance,” cited by 34 percent of respondents each. Other top objectives, cited by 33 percent of respondents each, were to reduce risk and improve the consistency of information. The report further found that advanced programs and organizations with more than 6,000 employees are more likely to prioritize these program performance criteria than any other maturity level or organizational size.
Having a defined and dedicated budget and full-time employees (FTEs) assigned to ethics and compliance are also important elements of a robust E&C program. Higher budgets tend to correlate with a program’s level of maturity, with 33 percent of respondents of advanced programs working with an annual budget of over $500,000. Additionally, advanced programs and larger organizations are more likely to have a higher number of FTEs assigned to their E&C program, according to the report.
Nearly all organizations have a code of conduct and policies and procedures intended to prohibit and reduce misconduct, but just 49 percent of organizations have a dedicated compliance officer, according to the findings. This percentage increases with program maturity.
While 71 percent of respondents said their organizations have a reporting hotline, just 37 percent said they have an escalation policy for reports requiring the timely attention of the board. “This mismatch of a hotline and escalation policy leads to questions about the appropriate operation of these hotlines,” the report said. “A good escalation policy increases stakeholder trust in the hotline process, adds objectivity to escalation decisions, and negates the need for a separate hotline going directly to the board.”
Another concerning finding is that 20 percent of respondents, across all maturity levels, indicated they have a separate hotline going directly to the board. “That really surprised me, because there are a whole lot of reasons why that’s not a great idea,” Penman says. “It adds a lot of risk to board members to have to investigate these reports that go only to them, and it sends a message that they don’t trust management.”
A better practice, she says, is to have an agreed-upon escalation policy that states what type of issues need to be reported to the board and when. Typically, for example, those would include issues involving senior management or any issue that could cause significant financial or reputational harm.
The report also looked at the variety of metrics that E&C leaders track to measure compliance program effectiveness. Gathering data from employees through surveys and other cultural assessments was the most commonly cited means to gauge program effectiveness. Objective data—such as the analysis of internal audit findings and breaches of the code of conduct—should also be used to measure program effectiveness, according to the report.
One surprising finding: Only 41 percent of respondents indicated their organizations track whistleblowing reports, retaliation, and substantiation rates—all easy metrics to track with a hotline. “We highly encourage all organizations to do this,” NAVEX said in the report.
Overall, most respondents indicated that “providing multiple channels for employees to report” drives hotline report volume. Advanced programs are more likely to recognize the value of multiple channels to drive report volume, however, including training employees on what and how to report, the role of leaders encouraging a speak-up culture, and transparency.
Just 35 percent of respondents believe documenting reports from all sources and other departments drives report volume. This is concerning because documenting reports from all sources and other departments helps organizations “proactively address issues before they become larger problems or employees take their concerns outside the organization, either to a regulator or an attorney,” the report stated.
To improve the effectiveness of an incident management program, NAVEX recommends that E&C leaders consider the following: broadening the scope of reports captured by incident management tools to ensure tracking of all possible reports, not just phone and Web-based reports; re-engaging employees with refreshed training, awareness materials, or intake tools; sharing an honest desire to hear from employees and test the organizational culture for a willingness to speak up; and addressing fear of retaliation.
Another notable finding was the low number of respondents (26 percent) who take risk areas into account when selecting a training program. “Risk-based training from my perspective is the primary driver in selecting any training program,” Penman says. “It’s really important that employees get the role-relevant training that they need and not just rolling out a one-size-fits-all [training program].”
It’s also surprising that just 10 percent of respondents said local language support, learner location, and a diversity of formats was top of mind. “Addressing important E&C issues in multiple languages and taking culturally sensitive approaches to ensure your learners understand is a legitimate challenge among growing global organizations,” Penman said.
When looking at the benchmark report’s results in totality, it’s helpful to focus on the common elements shared by the most advanced E&C programs. As NAVEX summarized, “Advanced programs demonstrate better performance and more accomplishments, both indicators of program effectiveness. They typically have larger budgets, enabling investment in key program elements to prevent violations. The most mature programs typically enjoy senior management buy-in, support, and willingness to invest.” ■
NAVEX’s GRC software and compliance management solutions support the integrated risk, ESG and compliance management programs at more than 13,000 organizations worldwide.