NAVEX: Top 10 risk and compliance trends for 2022

GRC software provider NAVEX held a webinar Tuesday discussing not only the top 10 risk and compliance trends for 2022 but also how compliance departments will have to adjust. The webinar featured contributions from various thought leaders in the compliance space.

DEI: Diversity, equity, and inclusion programs must be addressed. Many DEI programs still include vaguely stated goals, without any real specificity. They also tend to fall under human resources.

DEI is so much about culture and values that it only makes sense for ethics and compliance to play a role, said Kristy Grant-Hart, founder and chief executive of Spark Compliance Consulting. Grant-Hart cited a thought leadership piece by Patrice Palmer of the Colorado State University College of Business, who stressed the importance of DEI statement goals and being proactive about communicating them.

“Regular social media posts and persistent messaging on the corporate website are a good place to start,” Palmer wrote in a NAVEX e-Book.

Palmer also recommended analyzing the company’s strengths, weaknesses, opportunities, and threats to determine where to direct compliance efforts and to “help create buy-in and keep the leadership team on an intentional path.” Designate the appropriate resources and staff to this effort and start small—for example, including pronouns in email signatures or using gender neutral language in all policies and procedures, she wrote.

“DEI is not a fading trend; on the contrary, it will become more informed,” Grant-Hart said. In the year ahead, stakeholders will expect from companies more “transparency, honesty, and accountability.”

ESG priorities: ESG risks are financially material to businesses, making compliance a natural fit for playing a role in managing this risk. This trend will come to the forefront in 2022.

“Organizations will continue to see increased public attention to ESG matters and will need to act quickly to get ahead of the disclosure regulation curve,” said Carrie Penman, NAVEX’s chief risk and compliance officer. “Compliance’s role in ESG management will and should continue to grow as organizations prioritize the creation and growth of ESG initiatives.”

A third but related compliance trend will be preparing for ESG reporting requirements in the United States, Europe, the United Kingdom, and other jurisdictions around the world. Grant-Hart cited the European Union’s Corporate Sustainability Reporting Directive (CSRD) adopted in April as an example. The directive will affect 50,000 companies, including any U.S. company—private or public—with an EU subsidiary.

“In 2022, the shift from ESG voluntary guidelines to binding regulations will continue and accelerate, especially with the CSRD,” Grant-Hart said.

The new normal workplace: The current cybersecurity landscape will require continuing to adapt employees to a more security-aware mindset, Penman noted. Secondly, the ability to map company data will remain critical—for example, what is in the cloud and where the company stores its information.

“Third, cultivating an internal speak-up culture will be more challenging in this environment,” Penman added. “The challenge we face is cutting through all this virtual noise and helping employees focus on their opportunities and obligations to speak up.”

Training and policies: “In many ways, this year will be a continuation of the last several, where employers work to continue to evolve and adapt training and policy to a highly polarized environment while also investing in technology and resources to ensure equity in education and enforcement across the workforce,” Penman said. In practice, that means prioritizing access to technology and ensuring policies and training are easily accessible to all employees, including at the factory level.

Ingrid Fredeen, vice president of online learning content at NAVEX, said adapting employee training to address new and evolving risk also has taken on a greater level of importance for all organizations. Such topics include, for example, Covid-19 protocols and compliance requirements; contemporary examples of harassment and discrimination; and purposeful, deliberate approaches to diversity and inclusion.

Business continuity risk: Business continuity continues to creep into the purview of compliance, especially as it concerns supply chain and cyber disruptions. From a holistic standpoint, “We can’t be thinking about organizational and operational risk in a silo,” Penman said. “They’re quite interdependent.”

“Factors within each company’s ecosystem will become more volatile, creating more uncertainty as companies look to the near-term for success,” Penman continued. “The need to transform company operations and supporting technology to become more efficient and cost-effective will skyrocket, leaving companies scrambling to juggle maintaining operations with significant internal change management.”

Holistic TPRM: Companies now have reporting requirements for not just anti-bribery and anti-corruption, but also modern slavery issues, cybersecurity, ESG, and more.

Due diligence will take on greater importance, Grant-Hart said. Holistic third-party risk management (TPRM) needs to be something companies not only do, but something they prioritize, she said, helping stakeholders understand why it’s important from a variety of perspectives—regulatory risk, enterprise risk, and ESG risk.

EU Whistleblowing Directive: Whistleblowing protections in the European Union will take center stage. While EU countries have had two years to implement the Whistleblowing Directive into law, most did not meet the deadline, creating a minefield of challenges for compliance.

Local requirements might pose the biggest risk. Specifically, the directive requires each legal entity with 50 or more workers have its own reporting channel and procedure. What that means in practice, however, is anybody’s guess.

“The biggest challenge is going to be in the area of how organizations will be able to conduct investigations with all these local requirements,” Penman said. The directive will have a lot of organizations trying to figure out how to ensure compliance with whistleblower protection laws while still being able to take appropriate action to properly investigate any potential corporate misconduct, she said.

Data privacy: From a global standpoint, “The coming year will yield increased attention to privacy programs, and current and upcoming legislation will demand dedicated resources and organizational buy-in to maintain that compliance,” Grant-Hart said. For companies, that will require establishing a more cohesive data privacy compliance program that is broader than any single law, she said.

One way to effectively go about that is to adopt a well-known framework and build upon it to create a uniform data privacy policy. Popular choices include the NIST Privacy Framework; OECD Privacy Framework; ISO 27001; Generally Accepted Privacy Principles; or the Fair Information Practice Principles.

Compliance sabermetrics: Big Data will cause management to change their perspectives of compliance for the better. Kyle Welch, assistant professor at George Washington University School of Business, referred to this as “compliance sabermetrics.”

For example, whereas many companies still tend to assume a high volume of employee reports indicates a problem with organizational culture, “The new wave of insights from data will cause a different question to be asked in the future: ‘Do we have the resources to make sure we are effectively investigating our increased information from employees?’” Welch wrote in the NAVEX e-Book.

The compliance message is this: “The increasing collection and analysis of compliance data will further challenge long-held assumptions about which metrics warrant attention and what they indicate about a company’s organizational culture and health,” Welch wrote. “Successful firms will invest in these efforts, deemphasizing intuition in favor of empirical data analysis.”