NAVEX’s annual report on the state of risk and compliance is a must read.  Each year NAVEX supplies helpful insights that compliance professionals, corporate managers and board members can use to benchmark their respective risk management and compliance strategies. This year’s survey reflects submissions from over 1300 respondents around the globe.

A significant finding was an increase in respondents who characterized their respective programs as “mature,” applying the ECI’s five-point definition for program maturity. Specifically, more than half (53%) stated their organization was on the mature side of the spectrum, compared to 38% in 2022. At the same time, the number of immature programs declined from 2022 to 2023.

NAVEX also found that mature programs often included strong board and executive level engagement. Of the programs that were mature or better, 67% deliver periodic reports to the board; 55% have compliance experience represented on their board; 52% conduct private sessions with a board committee; and 25 percent reported that compliance is an independent function reporting directly to CEO or board.

In recognition of the rising threat level from cybersecurity attacks, ransomware, and data privacy, ethics and compliance programs have forged a new and lasting internal partnership with Information Security professionals.  Three in 10 respondents reported that their organization suffered a data privacy/cybersecurity breach in the last 3 years.  Eight-four percent of respondents indicated that compliance and information security have a strong working relationship.

The top five risks identified by respondents reflected this rapidly evolving risk picture:

1. Fifty-nine percent reported data privacy and security as very important/absolutely essential;
2. 58% reported regulatory compliance;
3. 44% reported harassment and discrimination;
4. 43% reported anti-bribery and corruption; and
5. 39% reported diversity, equity and inclusion.

In another indication of the singular focus on data privacy and cybersecurity, respondents identified the top five topics for training during the next two to three years: (1) cybersecurity (60%); (2) ethics and code of conduct (58%); (3) data privacy (57%); (4) harassment and discrimination (52%); and (5) diversity, equity and inclusion (48%).

NAVEX reported several interesting findings relating to senior management commitment to compliance. Three-quarters of respondents reported that senior leaders encourage compliance in the organization, and nearly as many report that senior leaders demonstrate their commitment to compliance to employees.

With respect to middle management, NAVEX reported a lower commitment compared to the 2022 report. Specifically, middle management’s reported commitment to compliance fell by 8 percent, and its tolerance for greater compliance risk, unethical behavior and impediments to compliance personnel increased in 2023.

Interestingly, NAVEX noted that compliance programs are increasingly collaborating with other functions in the organization.  In particular, 20% reported that compliance was now spread across different functions and working together.

On specific program elements, NAVEX reported some interesting results: 65 percent reported they had either sufficient or very sufficient funding to audit, document, analyze and act on results of compliance efforts; a similar number reported having adequate staffing levels.

With respect to purpose-bult solutions needed to administer program functions, ethics and compliance training and hotline and incident management are most likely to have a purpose-built solution (34%); and third-party risk management ranked the lowest with 25%, and 28% reported that they continue to rely on a paper-based third-party risk management program.

NAVEX’s report noted an interesting difference in perspective between Europe and the United States in implementing anti-retaliation programs. Even in the face of the EU Whistleblower Protection Directive, EU respondents indicated a relatively lower priority for non-retaliation, whistleblowing and related program elements.

More than half of all respondents indicated that whistleblowing, reporting and anti-retaliation were either very important or absolutely essential compliance issues: United States 71%; United Kingdom 66%; France 60%, and Germany 59%.

Only 61% of United States organizations indicated they had a non-retaliation policy; in Germany 41%, the United Kingdom 36%, and in France only 27% maintain an anti-retaliation policy.