NAVEX delivers quality studies and important insights on ethics and compliance topics. In its 2024 State of Risk & Compliance, NAVEX provides a comprehensive report on current trends and practices involving risk and compliance management.
The Report reflects the survey results from over 1,000 respondents global who influence or manage their organization’s risk and compliance programs. Over half of the respondents came from the United States (56%), while others came from the United Kingdom (12%), France (11%), and Germany (11%). The respondents also were from a broad cross-section of companies in size and industry.
Program Maturity: As an initial matter, NAVEX reported that the number of companies with self-reported mature compliance continues to increase. Applying the compliance program measurement scale developed by the Ethics and Compliance Initiative, approximately half of the respondents stated that their compliance program was in one of the top-two maturity tiers for compliance programs (i.e. Managing or Optimizing). Only 22 percent of respondents stated their program was in one of the two lowest tiers (i.e. Underdeveloped or Defining).
In related findings, less mature compliance programs were associated with lower likelihood of employee reporting. The majority of respondents (77%) said their employees would most likely make a report of misconduct internally.
Despite the steady state of compliance program maturity, the NAVEX survey uncovered important gaps in compliance programs. Only 61 percent of the respondents said their organization has a hotline or whistleblower internal reporting channel. Fewer (55%) said their organization has a non-retaliation policy. Only 64 percent said training on ethics and code of conduct was planned in the next two to three years.
Cross-Functional Relationships: Given the importance of cross-functional partnerships, more than half of respondents indicated they have a “Strong” relationship with Compliance (58%), Data Privacy (53%) and Risk (53%). On the negative side, one fifth cited negative relationships with Human Resources (21%) and Finance (20%).
Compliance Incidents: Half of the respondents said their organization experienced at least one compliance issue in the past three years. 31 percent said they experienced more than one issue. The most commonly cited issue was privacy and cybersecurity (28%); the second-most cited issue was regulatory or stakeholder demand for ESG transparency and reporting (17%).
Engagement and Merger & Acquisitions: NAVEX reported that Compliance is highly or moderately engaged across several business processes such as reputational harm, data breach or mergers. Notwithstanding this finding, Compliance is often brought late into the process of a planned merger and acquisition. In this area, NAVEX reported that Compliance was not adequately engaged in a timely manner, and even one-fifth of the respondents noted they are never engaged in company mergers and acquisitions.
Third-Party Risk Management: Only 69 percent of respondents cited their organization’s monitoring and risk management of third parties as “good.” Three out of every ten organizations reported that they found it challenging to maintain continuous monitoring of their third-party population. Approximately 11 percent of respondents noted that their program was “poor” with respect to ongoing monitoring of third parties.
ESG Programs: Roughly half of respondents who are knowledgeable about ESG stated that their organization uses purpose-built technology to administer ESG disclosures (55%), employee equity and inclusion (54%), responsible supply chain (53%) and resource footprints (51%). A third of respondents (33%) stated that their organization conducts a materiality assessment to identify ESG risks.
Board Engagement: NAVEX reported that strong board engagement correlate with positive metrics. Two-third of respondents said their board receives periodic reports on compliance matters — notably, one-third of respondents indicated that the board does not receive periodic compliance reports, a disturbing result.
Artificial Intelligence Training: With the rapid development of artificial intelligence, approximately 40 percent indicated they were planning training on AI issues in the next two to three years.
Supply Chain Management: Respondents generally cited the need for improvements for their organization’s third-party due diligence. For the most part, organizations maintained strong processes for onboarding and initial risk mitigation, while many acknowledged that their monitoring activities were relatively weak to non-existent.
