The operations of a modern enterprise generate a dumbfounding amount of data – much of it without really trying. Every third-party piece of software, every transaction, every spreadsheet, every document, every contract, creates a digital record that, when properly managed could conceivably provide business intelligence informing a host of critical decisions. Of course, this introduces the importance of data governance – that “data” must be corralled in a manner that is meaningful and manageable for respective business units.
For risk and compliance (R&C), access to this wellspring of business intelligence data is evidently strong. But is that plentiful access equivalent to what R&C professionals are actually doing with that data? To better understand this dynamic and others, NAVEX surveyed over 1,300 risk and compliance (R&C) professionals across the globe in 2023 in order to better understand their priorities and programs. Among our key findings covered in the resulting NAVEX State of Risk & Compliance Report (formerly known as the Definitive Risk and Compliance Benchmark Report) was, for R&C, the fuel for a data-empowered future might be looking for an engine.
Most R&C programs have plentiful data access
Survey data showed a majority of respondents indicating strong access to data. A combined 69% said they had “sufficient” or “very sufficient” access to data to monitor and/or test policies, controls and transactions; 65% said the same regarding funding to audit, document, analyze and act on the results of compliance efforts; and 62% said the same regarding staffing to audit, document, analyze and act on the results of compliance efforts.
These responses all suggest most R&C programs have good access and resources for supporting the intake of data for their programs across silos. This is an encouraging finding. For some organizations, HR, cyber, legal, procurement and other risk-focused business units are not at the same table in a way that can meaningfully inform a cohesive cross-functional risk strategy. In the best cases, these business units are speaking the same language of risk, sharing data from their respective operations in a way that can inform overall business strategy.
Furthermore, 59% of respondents said their risk assessment is informed by continuous access to operational data across business functions. This is another indication that most practitioners feel they have ample access to data across the organization.
But what are R&C programs actually doing with that data? And could they do more?
Applying data may be a challenge
While nearly 7 out of 10 respondents indicated they have access to the data their programs need, a much smaller share of respondents indicated they have a purpose-built solution to administer aspects of their R&C programs. This means many practitioners are using a potentially cobbled-together approach to support operations such as third-party risk monitoring and disclosure management. Does this mean bandwidth that could otherwise be devoted to empowering business results is allocated to filling out a spreadsheet in a manner that will “play nice” with some other risk management software program, building a chart by hand for a board report, or some other extremely hands-on task?
Survey data showed that the majority of respondents do not have a purpose-built solution. The most common was a solution for training or incident intake and management, at 34%. About a quarter said they have a purpose-built solution for disclosure management or third-party risk monitoring. Between 12% and 28% are using paper-based methods across various program elements.
R&C practitioners appear to have all of the data in the world at their fingertips, but many may lack the tools to put it into action.
While nearly 7 out of 10 respondents indicated they have access to the data their programs need, a much smaller share of respondents indicated they have a purpose-built solution to administer aspects of their R&C programs.
Where the industry is going
Based on countless customer conversations, years of survey data and internal subject matter expertise, NAVEX firmly believes R&C programs will require more sophisticated, integrated, purpose-built software solutions in order to leverage the volume of data that infuses today’s business operations. The contrast between data access and implementation of purpose-built solutions suggests the R&C functions are, frankly, being overwhelmed by the data at their disposal or missing out on opportunities to leverage it for meaningful business results.
Ready to learn more?
Ready to learn more about the State of Risk & Compliance? We have you covered with the complete report, full of other findings and data points to shed light on all aspects of compliance program performance. For the full report:
