NAVEX uncovers state of risk and compliance in latest report
NAVEX has announced the publication of its 2023 State of Risk & Compliance Report. More than 1,300 risk and compliance (R&C) professionals from around the world were surveyed.
Among the key findings of this study are a perceived decline in commitment to compliance among management teams, a persistent connection with information security (InfoSec) teams for the compliance function, and an increase in overall program maturity.
Carrie Penman, NAVEX Chief Risk & Compliance Officer, comments, “This year’s findings demonstrate the importance of collaboration between the chief compliance officer (CCO) and chief information security officer (CISO) as the compliance risk landscape increasingly focuses on data privacy and information security concerns.
“Risk and compliance professionals are continuing to work across departments to overcome the hurdles posed by the cyber-threat environment and the future of work.”
Leadership’s commitment to risk and compliance
The level of commitment demonstrated by management to the company’s compliance efforts fell by 8% from 2022 to 2023, while commitment in the face of conflicting interests and/or business objectives dropped by 9%.
Three-quarters of respondents indicated that senior leaders encourage compliance within the organisation, and nearly as many report seeing executives lead by example through commitment to the business’ compliance efforts. However, despite 70% saying senior leaders demonstrate adherence to compliance, only 47% said this persisted in the face of competing interests or objectives.
Post-COVID hybrid work model
Last year, 30% of survey respondents indicated their organisations anticipated most employees would return to in-office working conditions, with an additional 56% predicting a hybrid scenario with a fairly even mix of in-office and remote employees. Also last year, 62% of respondents said flexible, work-from-home models had a positive impact on workplace culture.
This year, 93% of respondents said their organisation is embracing a hybrid work model, if not fully remote, and 73% say it has a somewhat or very positive effect on company ethos.
It is well known that positive corporate cultures help drive better business outcomes. This dynamic is critically important as it relates to a remote workforce, who are typically under less direct supervision. For example, remote work makes observing policy and code of conduct violations or other undesired behaviours more challenging, and it presents more IT security risks.
Interdependence of compliance, data privacy and information security
Nearly one-third (30% in 2023 vs. 22% in 2022) of respondents said their organisation experienced a data privacy/cybersecurity breach in the past three years. Considering this real-world challenge compliance professionals are facing, cybersecurity (60%) and data privacy (57%) are two of the three most chosen topics respondents said their organisation will train on in the next two-to-three years.
Access to and use of data
A substantial majority of respondents (69%) said their access to sources of data to monitor and/or test policies, controls, and transactions, was either “sufficient” or “very sufficient.” Nearly seven out of ten respondents feel they have “sufficient” or “very sufficient” access to the data their programs need.
It is notable that far fewer indicate they have a purpose-built solution to administer various program aspects (23-34%) such as incident management or policy management solutions. Depending on the program element, between 12% and 28% are still using a paper-based management method. This approach makes it difficult for programs to efficiently manage, analyse, and leverage the operational data they are bringing in.
Program maturity and reporting structure
Today’s stringent regulatory environment, combined with societal expectations for greater transparency, requires more compliance rigour than ever before, the researchers state.
Compared to 2022, a significantly greater share of respondents (53% in 2023 vs. 38% in 2022) described their programs as managing or optimising (on the Ethics and Compliance Initiative HQP maturity levels of underdeveloped, defining, adapting, managing and optimising).
Interestingly, program maturity seems to have little impact on where inside the organisation the compliance function reports, the survey finds. Across all respondents, a similar proportion (22%) reported that compliance is independent and reports to executive leadership.
Penman says, “Effective programs, ones with cross-functional collaboration, executive and manager buy-in, strong policies and training, robust internal whistleblowing/non-retaliation mechanisms and vigilant third-party management, are best poised to navigate the ever-changing regulatory landscape while fostering a culture of ethics and compliance.
“Even for the most mature programs, the task of fostering those dynamics will always be one of continuous improvement.”