Prudent risk and compliance officers who want to see how their programs stack up against their peers would be remiss to ignore NAVEX Global’s second annual definitive benchmark report, released July 22.
Different from last year’s report is its new title and overall shift in focus from “ethics and compliance” to “risk and compliance.” NAVEX Global renamed the report, previously called the “Definitive Corporate Compliance Benchmark Report,” to the “Definitive Risk and Compliance Benchmark Report” to reflect the increasingly critical role that risk assessments and risk management play in an effective compliance program.
This trend is further reflected in the Department of Justice’s recently revised “Evaluation of Corporate Compliance Programs,” which explicitly instructs prosecutors to “endeavor to understand why the company has chosen to set up the compliance program the way that it has and why and how the company’s compliance program has evolved over time.”
For the first time in this year’s benchmark report, NAVEX Global explored the topic of risk integration and to what extent respondents’ risk and compliance (R&C) programs manage the following six types of risk: compliance, IT, operational, reputational, third-party, and financial. According to the findings, compliance risk overall remains the central focus for 88 percent of R&C programs, followed by IT risk (57 percent) and operational risk (53 percent). No risk was managed by fewer than 40 percent of R&C programs overall.
The report pulled from more than 1,400 survey respondents globally who influence or manage their organization’s risk and compliance programs and includes detailed responses from those who actively manage or influence their program’s hotline and incident management, policy and procedure management, ethics and compliance training, and/or third-party risk management functions. Building off the 2019 benchmark report, which identified three key factors of program performance—program maturity, leadership support, and technology adoption—this year’s report identified four additional program drivers: a culture of trust, board engagement, program evaluation, and regulation.
Programs were categorized into one of five buckets: reactive, basic, defining, maturing, or advanced. Overall, the report found the most advanced risk and compliance programs share the following key elements:
- Leadership buy-in and oversight;
- An escalation policy requiring direct reporting to the board;
- A risk-based training program to board members, third parties, and employees;
- A hotline and incident management system;
- Processes to prevent retaliation;
- Routine audits to inform decision making; and
- The implementation of purpose-built solutions to automate processes and administer program elements.
NAVEX Global then examined why these maturity drivers impact R&C program performance. With this information, risk and compliance professionals can make better informed program decisions. Key elements of advanced R&C programs are discussed in more detail below.
A culture of trust. According to the findings, “organizations with a strong, positive culture of trust have more developed programs and demonstrate better program performance.” Eighty-nine percent of respondents with advanced programs said improving organizational culture was important in their R&C program’s decision-making process, as opposed to 55 percent of reactive programs.
Advanced programs perform better than reactive programs that do not trust their organizations to behave ethically. “This reinforces a truth risk and compliance professionals have long understood: Culture doesn’t just happen,” Mary Bennett, president of Right Compliance Consulting, said in a July 22 Webinar discussing the results. “Programs with cultures of trust focus on improving their cultures more. It’s a product of conscious effort and delivered intention.”
Leadership support. Overall, 64 percent of respondents said they have program buy-in, oversight, and commitment from their senior leaders. Just 46 percent, however, said they felt their leadership viewed their program as strategic with a return on investment. This indicates that 18 percent of programs have “soft” support, meaning that while leaders buy into the program, they don’t understand its real value. “It appears that risk and compliance professionals can do more to ensure that their program gets the most leadership support possible,” Bennett said.
The report also found a strong correlation between leadership buy-in and support and R&C program performance and maturity. Respondents who said their senior leaders view the R&C program as an investment were far more likely to view the R&C program as ethical, while those who felt their leadership viewed the R&C program as a “necessary evil” were much more likely to see their organization as ethically compromised.
NAVEX Global further examined how the presence of a compliance officer’s role impacts leadership support. According to the findings, programs with full-time compliance officers were 20 percentage points more likely than programs without a compliance officer to have senior leadership that views the R&C program as strategic. Programs with a part-time chief compliance officer were no more likely than other programs to say their leaders shared the same high opinion of the program.
“It is not surprising that having a part-time compliance officer is associated with a less favorable leadership perception and bias because even a high-level, part-time compliance officer—for example, a chief finance officer with compliance as part of their job—has less time dedicated to leading and overseeing an R&C program,” Bennett said. “This lack of committed time from a part-time compliance officer translates to fewer resources, stunted program maturity, and lower priority for further development.”
Board engagement. Board oversight and program reporting are trending strongly in a positive direction, with 56 percent of respondents saying their R&C program periodically reports to a board that also oversees it. Furthermore, the report found that board engagement is tied to maturity—with 91 percent of advanced programs rating their board involvement as “good” or “excellent,” versus 31 percent of reactive programs.
As a sign of increased engagement, more R&C programs now formally require certain matters be reported to the board through escalation policies, and 61 percent also said they provide at least one hour of training to their board of directors on compliance topics.
“Leadership perception and engagement matters,” says Carrie Penman, chief compliance officer at NAVEX Global. “How an organization’s senior leadership views its compliance function really impacts the overall program performance, as does the frequency with which compliance officers interact with the board.”
Adoption of technology. “Automated programs perform significantly better than those that do not leverage technology,” Bennett said. This finding was observed across all program activities surveyed. Additionally, programs that utilize technology are also significantly more likely than non-automated programs to be viewed by senior leaders as strategic investments with ROI (40 percent versus 29 percent).
Virtually all (97 percent) advanced programs use technology solutions, as opposed to 48 percent of reactive programs. Across all program maturity levels, companies report that technology “increases consistency, streamlines workflows, and reduces costs for R&C programs,” and 64 percent of respondents overall said they use technology “to enable consistent policy, training, regulatory alignment and accountability” as the most popular reason for adoption.
Advanced programs are more likely to use R&C technology solutions to integrate program components, with 63 percent saying they were interested in integration, making it a higher priority than formalizing and/or institutionalizing processes (51 percent) and reporting to management, executives, or boards (62 percent).
Regulations. Ninety-one percent of survey respondents rated “meeting legal and regulatory requirements” as “important” or “very important” in their R&C program’s decision-making process. “However, this approach alone is unlikely to enhance the overall program performance much, if at all,” Penman says. “Programs that want to improve should prioritize workplace culture, tone from the top, and program automation as much as, if not more than, regulatory requirements.” According to the report, as programs mature, they rely more on internal reporting measures, such as risk assessments, internal investigation reports, and hotline incident reports to make informed program decisions.