Navex Global has published its latest annual ethics & compliance benchmarking report, a deep dive into all sorts of activities and priorities among corporate compliance programs. It’s a great document to help compliance officers place their own issues in larger context, so let’s take a look at what Navex had to say.
Typically Navex publishes four smaller benchmarking reports throughout the year, focusing on specific issues such as policy management or internal reporting. This year Navex consolidated all four into one longer report (72 pages) with responses from nearly 1,000 ethics and compliance professionals around the world.
First, Navex identified broad “performance drivers” — traits of organizations that value strong compliance functions, which in turn lead to more mature or effective compliance programs.
For example, the most important driver of performance is senior executives’ strong support for ethics and compliance. The flip answer to that might be, “No kidding,” but think about what that statement means for the compliance officer. To win support, you need to frame ethics and compliance as a risk management function that helps the organization build resiliency in a complex, difficult business landscape.
In other words, you need to be clear that the compliance function is not a legal function, and shouldn’t be subordinate to the legal function, because it has a much larger range of concern.
Corporations have plenty of risks today that are far removed from the legal function — risks that stem from a poor corporate culture, where people don’t care to raise concerns about decisions or actions that seem ethically wrong.
That’s how the ethics and compliance function can add real value to the organization: by focusing on issues of process and culture, to make ethical behavior easier throughout the whole business. That, in turn, will make the regulatory compliance part much easier, too.
Consider this: another finding in the Navex report is that the top concerns of ethics and compliance professionals are driven by “business and social trends, scandal headlines, enforcement actions.”
Well, enforcement actions are often driven by social trends and scandal headlines. Compliance officers today are running scared about the GDPR and other data privacy laws — because social trends about privacy shifted in the 2010s, leading to more scandal headlines about data privacy, leading to more enforcement actions. We can say the same about ethical sourcing in the supply chain, or sexual harassment issues in the #MeToo era.
All of those issues are huge concerns for corporations today, where focusing early on ethics and a corporate culture attuned to calling out those problems can save your business enormous grief later.
That’s why ethics and compliance capability is so important. Frame it that way, and you can win over more executive support. Win over executive support, and you can propel your program down the road of success more quickly.
Back to the Stats
Budgets are small but steady. Twenty-five percent of respondents said their budgets are $50,000 or less, and another 15 percent said they have no budget at all — but those figures exclude salaries, which obviously could mean much larger budgets if you did include them. Most respondents also expect their next year’s budget to stay within 10 percent of current amounts.
One interesting point: among companies that describe their function as “reactive” (the lowest level of maturity), 74 percent are in the low-budget or no-budget camps. That compares to only 22 percent among the “advanced” compliance programs.
Recall what we just said above, that the top compliance concerns today are driven by changing social or business trends and scandal headlines. Reactive programs are never going to get ahead of those forces with small budgets. Social and business risks are only going to become more volatile and tempestuous in the future.
So if your firm wants to remain in a reactive crouch — hey, that’s your journey. Just understand it will involve lots more reaction in years to come, which sounds like an incoherent mess of an organization to me.
Mismatch on reporting and escalation? Seventy-one percent of respondents said they have an internal hotline at their organizations. Great news, but only 37 percent have a written escalation policy about what issues need timely attention from the board.
There’s a risk in that gap. Without clear escalation policies and procedures, companies rely more on manager judgment about what issues should go up the chain of command for attention by specialists or senior executives. Frankly, I’d be more comfortable if those numbers were reversed, where more companies had clear escalation policies.
We see examples of “escalation risk” in all sorts of ways. Just the other week, the Treasury Department dinged State Street Corp. on sanctions violations, because State Street didn’t have escalation policies to bring sanctions questions to sanctions compliance specialists. Board directors worry that corporate culture doesn’t bring risks to their attention in a timely manner.
Hotlines are great; but escalation processes are crucial tools for a strong speak-up culture, and that culture is crucial to an effective compliance program that helps the organization address risk. So the 37 percent figure is concerning.
The top concerns for compliance professionals this year are increasing awareness of policies and regulation (cited by 66 percent); and better training and support for managers in their responsibilities (cited by 63 percent).
To my thinking, those two priorities are pretty much the same thing. They both point to engaging business leaders across the enterprise on ethics and compliance matters, so that those managers know how to lead employees in the way that you, the compliance officer, want to see.
Savvy compliance officers could even connect these goals back to our first point: that a strong ethics and compliance function is more about building resilience in the organization so it can survive a complex, competitive business environment.
It’s not about forcing business units to follow certain policies and procedures because the compliance department says so. It’s about helping business units understand why the company adopts smart, ethically rigorous policies in the first place — so the company will be less prone to making mistakes and getting distracted cleaning up those mistakes. The company will be better at anticipating shifting social tastes and enforcement priorities, and can dodge those balls before they whack your firm in the chest.
That’s a mature compliance program.
Disclosure: Navex pays me to write occasional blog posts and other commentary on its website. The company did not pay me to write this post, nor review the copy before I published. I didn’t even tell Navex I was writing this.