
2021
The Definitive Risk & Compliance Benchmark Report
Data and Insights to Get More Value from Your Program

NAVEX Global is the worldwide leader in integrated risk and compliance management software and services that help organizations manage risk, address regulatory compliance requirements and foster an ethical workplace culture.

For more information visit www.navexglobal.com.
THE 2021 DEFINITIVE RISK & COMPLIANCE BENCHMARK REPORT

Contents
Introduction 2

Survey Respondent Profile 4

Executive Summary 6

Key Findings 9
1. Program Maturity 10

2. COVID-19 Impact 12

3. Program Priorities 16

4. Risk Assessment & Measures of Effectiveness 26

5. Resources and Empowerment 30

6. Program Elements 38
a. Incident Management 38

b. Policy & Procedure Management 42

c. Third-Party Risk Management 46

d. Ethics & Compliance Training 50

e. ESG Reporting 54

7. Risk Management 58

About the Authors 63

1
NAVEX Global | Protecting Your People, Reputation and Bottom Line
THE 2021 DEFINITIVE RISK & COMPLIANCE BENCHMARK REPORT

Introduction
NAVEX Global has been collecting and delivering leading-edge market benchmark reports to the risk and compliance (R&C) industry since 2012. In 2019, we published our first-ever “Definitive Corporate Compliance Benchmark Report,” a comprehensive review of risk and compliance (R&C) programs that offered key findings, analysis, and insight to help organizations measure, evaluate and advance their programs.

This year, NAVEX Global partnered with an independent research firm to survey R&C professionals from a wide range of industries about the design, priorities and performance of their R&C programs. The results of the survey represent over 1,000 respondents globally who influence or manage their organization’s risk and compliance programs. In addition, this report includes detailed responses from those who actively manage or influence their program’s incident management, policy and procedure management, ethics and compliance training, third-party risk management, integrated risk management, and/or environmental, social and governance (ESG) functions.

Insights and analysis addressed in the new 2021 report include:

• What are the top priorities of R&C decision makers?
• What elements make an effective R&C program, and how are they administered?
• How do programs evaluate their performance?
• How does technology impact program effectiveness and design?
• How does senior management’s view of R&C programs influence program outcomes?
• How do R&C programs integrate risk management functions?
• What role does the regulatory environment play in program performance?
• How can a successful program reduce regulatory risk while measurably improving efficiency, accuracy and consistency?

How to Use This Report
The data and insights in this report help chief compliance officers and other R&C professionals make informed program decisions. The report also outlines practical ways to improve R&C programs of all maturity levels and organizational sizes:

• Benchmark your organization’s program against peers, industry standards and best practices.
• Assess your program maturity.
• Identify specific steps to improve performance.
• Review and compare program priorities and effectiveness measures.
• Determine whether your approach to organizational risk is aligned with market trends and best practices.
• Review how your organization is protected or exposed to risk through your approach to incident management; policy and procedure management; ethics and compliance training; third-party risk management; and environmental, social and governance practices.
• Leverage reports and recommendations to get organizational buy-in, budget and understand the ROI of a comprehensive risk and compliance program.


Key Definitions
POLICY MANAGEMENT includes controlling the organization’s policies and procedures throughout the policy lifecycle: drafting, editing, approving, updating, distributing, storing and documenting attestations. Policy management software (or a policy management system) refers to the technology that enables more efficient management and execution of those practices.

ETHICS AND COMPLIANCE (E&C) TRAINING includes regulatory compliance, conduct, employment law and information security training from a behavioral perspective. This definition includes all forms of training on ethics and compliance topics: online, in-person, virtual and blended training approaches. Educational and awareness approaches are also within this scope of training.

INCIDENT MANAGEMENT typically consists of telephone, web, mobile and other whistleblower channels where employees and other stakeholders can make reports. Incident management systems record and encourage responses to questions, reports and incidents received, and offer executive reporting tools and the ability to track and manage resolution.

THIRD-PARTY RISK MANAGEMENT is an umbrella term that refers to all risk-management activities related to third parties: onboarding, screening, monitoring and in-depth risk analysis; as well as associated processes to identify, stratify, prioritize and mitigate third-party risks. Third-party due diligence refers to the studied assessment of third parties before, during and after an engagement. Internal business justifications, external preliminary risk assessments, establishing business rules and authorizations, processing documentation and policies, database analysis and reputational reporting are all third-party due diligence. It also includes active monitoring of third-party engagements for new “red flags” and real-time changes to the third party’s risk profile.

INTEGRATED RISK MANAGEMENT is a process that improves decision making and enhances business value by integrating risk intelligence into activities across the enterprise, such as strategic planning and strategy execution, investment decision making, project portfolio management, enterprise performance management, third-party performance management, and information governance.

PROGRAM MATURITY is a measure of the size and sophistication of a company’s existing risk and compliance program. For the purposes of the 2020 study, maturity designations were based on the number of program elements employed, the systems used to administer them, and respondents’ assessment of their program’s overall ability to address R&C issues and concerns. The maturity scoring describes five progressive levels of program development: Reactive, Basic, Definitive, Maturing and Advanced. We utilize program maturity as an indicator of current proficiency and performance.

Survey Respondent Profile
N=1,002

Job Function
Ethics / Risk & Compliance: 44%
Legal: 14%
Human Resources / Employee Relations: 10%
Accounting / Auditing: 7%
Information Technology: 6%
Other: 19%

Job Level
C-Level: 14%
Senior Management / Director: 39%
Other Management: 29%
Non-Management: 18%

Company Annual Revenue USD
> $1B: 30%
$50M - $1B: 27%
< $50M: 18%
Nonprofit / Government: 10%
Don’t Know / Won’t Say: 15%

[Charts: Company Size (Large: 10,000+ Employees; Medium: 1,001 - 9,999 Employees; Small: < 1,000 Employees) and Program Maturity (Reactive, Basic, Defining, Maturing, Advanced); the percentages for these two charts cannot be matched to their categories in the extracted layout.]

Geographical Footprint (Headquarters / Other Locations)
AMERICAS: 82% / 79%
  North America: 79% / 29%
  South America: 1% / 23%
  Central America: 1% / 17%
  Caribbean: 1% / 10%
EMEA: 13% / 66%
  Europe: 9% / 30%
  Middle East: 2% / 20%
  Africa: 2% / 16%
APAC: 5% / 34%

Industries (Percentage of Respondents)
Healthcare / Social Assistance: 17%
Manufacturing: 17%
Finance / Insurance: 15%
Professional / Scientific / Technical Services: 9%
Educational Services: 5%
Other: 37%

Knowledgeable About
Policy and Procedure Management: 82%
Ethics and Compliance Training: 81%
Incident Management: 70%
Third-Party Risk Management: 50%
Integrated Risk Management: 43%
Environmental, Social & Governance: 27%

Note: Totals may be over 100% due to multiple selection options.



Executive Summary
As we stated in our 2021 Incident Management Benchmark, to say 2020 was disruptive is an exercise in understatement. And while we may reasonably hope that the worst is behind us, the uncertainty and risk that it introduced is unlikely to recede anytime soon.

Fortunately, there are valuable lessons to be learned from the events of the past year, as well as positive signs for the risk and compliance space in particular. In the face of sudden and massive shifts in how, where and with whom we work, the risk and compliance functions of businesses across the globe responded with strength and resiliency, adapting to new conditions and challenges as they arose.

The crisis also prompted new and renewed interest in going beyond compliance to tackle a host of risks through activities including business continuity planning; enhanced due diligence and continuous monitoring of third parties; advancements in how we update, disseminate, and document the use of policies and procedures; and in better training of employees, third parties and leadership on ethics and compliance issues. Our incident management systems proved consistently robust, taking full advantage of technology and automation solutions.

Similarly, the increasing size and scope of environmental disasters has led to an increased (and welcome) sense of urgency from the broader public, as well as commitments from businesses to make a difference through robust and impactful Environmental, Social and Governance (ESG) programs.

Above all, this year’s benchmark report demonstrates that the quickly maturing risk and compliance sector is taking a broader, more integrated and holistic approach to managing uncertainty. And that’s a good thing, because there is every indication that this will be its defining challenge in the months and years to come.

This rapid pace of change makes benchmarking your program more important than ever. As risk and compliance functions innovate to meet an expanding universe of business needs, it is essential they measure their programs and progress against both their peers and increasingly demanding regulatory guidance.

To that end, this year’s risk and compliance benchmark has drawn on a variety of expert opinion and regulatory guidance, including the U.S. Department of Justice’s “Evaluation of Corporate Compliance Programs,” for its questioning and analysis. We chose this guidance for its current and holistic view of the ethics and compliance function. However, be aware; this tool is just one of many global guidelines for creating and maintaining effective R&C programs. Its purpose is to guide prosecutors in assessing programs that have already committed a compliance failure. As Hui Chen, former compliance counsel for the Justice Department and author of the original DOJ corporate compliance guidance, notes, “If you can give fairly reasonable answers to these questions, congratulations, you are a C student. The A students are not in front of us.”1 In other words, the guidance provides the necessary table stakes to play, but not best practices to win.

1 Chen, Hui, and Carrie Penman. “Decoding the DOJ’s Guidance: An Insider’s Guide.” Webinar, May 2019.


The results of our survey identified several key successes and challenges, specifically:

• The risk and compliance sector is rapidly maturing. This year we witnessed sizeable increases in program maturity and confidence. The number of Mature and Advanced programs grew by 29%, while the number of Reactive and Basic ones declined by 35%. We also saw a significant increase in the adoption of purpose-built systems to manage R&C functions, as well as robust use of program measures, continuous access to data across functions and integration of risk management throughout the enterprise. However, programs should take note: More sophistication can create opportunity for growth, but programs that don’t seize the moment could be left behind.

• The pandemic did not significantly disrupt risk and compliance, but it did impact R&C priorities. Surprisingly (given the size and scope of the pandemic), risk and compliance programs emerged relatively unscathed. None of the R&C functions surveyed were described as “disrupted” or “very disrupted” by more than a fifth of respondents, and over half reported that none of the R&C functions surveyed experienced significant disruption. Workplace culture also remained largely unharmed. Half of those surveyed said they experienced no change in their workplace culture, while the other half was just as likely to say it improved as not. However, R&C priorities did shift. Business continuity ranked as the number two priority for respondents, right behind data privacy, protection and security – a clear sign R&C programs are thinking about operational risk.

• Programs say they are under-resourced. One major point of interest this year is the fact that many programs say they suffer from a lack of adequate funding and staff. Only a third (34%) of respondents rated their access to both these resources as “good” or “very good.” This is especially important since, as the report demonstrates, substantive resourcing is strongly correlated to a host of positive program outcomes. Fortunately, however, respondents are satisfied with the skill and quality of the staff they have. Over two-thirds (69%) say their staff have appropriate experience and qualifications.

• Leadership’s commitment to compliance wavers in challenging circumstances. Three-fourths of respondents said their senior leaders and managers both demonstrate a commitment to compliance. However, when asked if their leadership had persisted in that commitment in the face of competing interests or business objectives, that number shrank by as much as 37 percentage points. This is further validation of last year’s benchmark finding that a substantive portion of leadership support was “soft” or situational.

• Organizations are good at acquiring data – but are not effectively utilizing it. Overall, R&C programs are excelling at collecting information. They relied on multiple sources for their program audits, testing and analysis, and rated their continuous access to data across business functions relatively high. However, programs still lagged when it came to effectively leveraging that access, whether that meant using risk assessment results to make risk-based resource allocation decisions or using metrics to track policy access or to assess reporting effectiveness.

To make the most of this moment, R&C professionals must make culture a must, not a “nice to have.” That means elevating the importance of improving organizational culture in your decision-making processes and holding all employees accountable for their actions. They must also make securing funds and staff a top priority, and jealously pursue leadership support even in the face of competing priorities. They must learn to effectively use the data available to them and integrate their risk management practices throughout the enterprise. Above all, they must seize the opportunity of this moment, uncertainty and all – or risk getting left behind.

Key Findings


1. Program Maturity

Risk & Compliance Program Maturity Is Increasing
Program maturity, which measures the size and sophistication of a company’s existing risk and compliance program, is a key indicator of program performance. It is based on the number of program elements employed, the systems used to administer them, and respondents’ assessment of their program’s overall ability to address R&C concerns. The maturity scoring describes five progressive levels of program development: Reactive, Basic, Defining, Maturing and Advanced. Generally, the more mature an R&C program is, the better its outcomes. Throughout this study, a program’s likelihood to rate its performance as “good” or “excellent” is positively associated with its level of maturity.

Risk and compliance programs have come a long way in a short time. Program maturity has steadily increased, with Mature/Advanced programs growing by 29% over last year, while the number of Reactive/Basic programs declined by 35% (Figure 1.1). This is tremendous progress. Confidence in risk and compliance programs is also high, with over two-thirds (67%) of our survey respondents describing their programs as strong and capable of covering most or all risk and compliance issues (Figure 1.2). Such confidence is greater in highly regulated industries such as healthcare and financial services, likely due to the self-preserving need to comply with myriad government regulations.

However, while more Mature programs perform better than their less-developed peers, they still underperform in several key areas. For example, fewer than half (44%) of Mature and Advanced programs track employee access to policies and procedures, and a similar percentage don’t address employees who fail all or part of their ethics and compliance training – practices specifically outlined in the U.S. Department of Justice’s Evaluation of Corporate Compliance Programs.1

The bottom line: While program maturity and high levels of program confidence are very important, there is still lots of opportunity to improve our R&C programs.

1 “Evaluation of Corporate Compliance Programs.” U.S. Department of Justice, Criminal Division, June 2020, p4-6.


Program Maturity (Continued)

Figure 1.1 Risk & Compliance Program Maturity
Shown: Percent of respondents per maturity level, 2020 vs 2021
[Bar chart with paired 2020 and 2021 bars for Reactive, Basic, Defining, Mature and Advanced; the individual bar values cannot be matched to their levels in the extracted layout.]

Figure 1.2 Risk & Compliance Program Confidence
Shown: Responses to “Which of the following best describes your risk & compliance program?”
We Can Respond to Critical Issues, but Can't Scale or Plan for Additional Needs: 6%
We Have Essential Capabilities, but Are Not Where We Should Be: 27%
We Have a Strong Program, but Have Room for Improvement: 50%
We Fully Cover All Risk & Compliance Issues: 17%
Percent of respondents with strong programs that cover most or all risk & compliance issues: 67%


2. COVID-19 Impact

COVID-19 Did Not Significantly Disrupt Risk & Compliance Functions
It seems safe to say all organizations worldwide have felt the worrying effects of the global pandemic on their internal functions. However, risk and compliance programs fortunately experienced only minor disruption of their core activities. None of the R&C functions surveyed were described as “disrupted” or “very disrupted” by more than a fifth (20%) of respondents (Figure 2.1). Over half (53%) reported that none of the R&C functions surveyed experienced significant disruption.2 COVID-19 was most unsettling for Third-Party Risk Management and Compliance Training. It had less impact on Policy Management and Incident Management – a finding reinforced by our 2021 Incident Management Benchmark Report.3 The minimal impact numbers for these and all other program elements increased even further as maturity increased. Interestingly, many of these core program components (particularly Incident Management) were frequently administered through purpose-built software, which is adopted more often as programs Mature. Automated R&C solutions can be operated remotely by a small staff – great features for minimizing disruption at a time when much of the workforce was reduced or working from home.

The Shift to Remote Work Varied by Industry
Remote working ushered in a sea change in the way people do their jobs, with almost 2 of 3 (61%) employees working from home. The number varied by industry, with desk-based workers heading to home offices most frequently, such as those in professional and financial organizations (81% and 77%, respectively). Employees with jobs requiring their physical presence in the workplace, for example those in healthcare or manufacturing, were about half as likely to work remotely.

Figure 2.1 COVID-19 Impact on Risk & Compliance
Shown: Responses to “How disruptive has the COVID-19 pandemic been?” by program element
Columns: 5 (Very Disruptive) / 4 / 3 / 2 / 1 (Minimally Disruptive)
Third-Party Risk Management: 6% / 14% / 24% / 25% / 31%
Ethics & Compliance Training: 6% / 11% / 20% / 21% / 42%
Data Privacy & Protection: 4% / 12% / 21% / 26% / 37%
Managing Compliance Issues: 4% / 12% / 21% / 28% / 35%
Policy & Procedure Management: 4% / 9% / 19% / 23% / 45%
Incident Management: (value for 5 not labeled) / 8% / 16% / 20% / 53%


2 Don’t Know/Not Applicable responses excluded from base; N=891.
3 Penman, Carrie, and Andrew Burt. “2021 Risk & Compliance Incident Management Benchmark Report.” NAVEX Global, May 2021.


COVID-19 Impact (Continued)

Half of Organizations Experienced No Change in Workplace Culture
With so many people working from home, it seems likely that the change in workplace dynamics would cause significant damage to the culture of many organizations. However, the survey revealed a surprise – half (49%) of cultures saw no change and another one-quarter (26%) even improved (Figure 2.2). But remote work may not be the common practice much longer. Most (57%) surveyed organizations plan to return employees to their pre-COVID work environment (Figure 2.3). The top priority of employers by far (78%) in mobilizing the back-to-work effort is safety first (Figure 2.4). There are no differences based on industry; workforce size; revenue; geographic footprint or headquarters location. The world is one on this prime concern.

Business Continuity Plans Helped Mitigate COVID-19
Safety first may be an obvious top issue in recovering from a pandemic, but this is hindsight. Without the pandemic experience, legal or operational matters may have taken first place. This is where business continuity pre-planning can make a difference in handling a crisis. Almost half (46%) of organizations affirmed they had a business continuity plan and more than 3 out of 4 (80%) of those agreed on its value in mitigating the pandemic’s impact (Figure 2.5).

Figure 2.2 Work-From-Home Impact on Workplace Culture
Shown: Responses to “How has work-from-home affected your workplace culture?”
Negatively Impacted: 25%
No Change: 49%
Improved: 26%

Figure 2.3 Return to Work Planning Post-COVID
Shown: Responses to “Do you plan on returning to Pre-COVID working conditions?”
No: 10%
Not Sure: 33%
Yes: 57%


COVID-19 Impact (Continued)

Figure 2.4 Return to Work Priorities
Shown: Responses to “Which considerations are most important to your organization’s return to work decision making?”
Columns: Third Priority / Second Priority / First Priority
Safety: 7% / 15% / 78%
Operational: 36% / 50% / 14%
Legal: 58% / 34% / 8%

Figure 2.5 Business Continuity Planning Impact
Shown: Responses to “Did you have a business continuity plan in place for a global pandemic prior to COVID-19?”
We Didn’t, And Have No Plans to Develop One: 7%
We Didn’t, But We Are Planning / Developing One Now, and We Didn’t, but We Do Now: 17% and 20% (the chart does not make clear which value belongs to which of these two responses)
We Did, but It Didn't Help Mitigate the Impact of COVID-19: 11%
We Did, and It Helped Mitigate the Impact of COVID-19: 46%
Percent of respondents who had a business continuity plan in place and said it helped mitigate the pandemic’s impact: 80%


3. Program Priorities

Cybersecurity and Business Continuity Top Priorities; Diversity and ESG Concerns Lagging
With finite resources and a limited budget, R&C programs must be judicious each year in their prioritization of focus areas. This is typically driven by level of unmitigated risk for each area. This year, COVID-19 had a dramatic effect on program priorities with pandemic-related issues propelling Business Continuity & Operational Risks from relative obscurity to the second top spot in organizations’ lists of concerns (Figure 3.1).

However, data privacy and cybersecurity issues remain the chief concern, likely due to the ever-increasing number of serious headline-worthy hacks into major organizations. No entity wants to be that headline or pay the financial and reputational penalties. Firsthand experience may have also played a role. One in three programs have experienced a data privacy and/or cybersecurity breach within the past three years, making it the most widely experienced R&C challenge surveyed (Figure 3.2).

Also noteworthy are the two bottom priorities that are far below the pack – Diversity/Inclusion and ESG. The bottom spot winners are surprising given the global social justice movement that ignited in 2020.4 It appears the priority ranking is ordered by level of risk and legal compliance – starting with potentially catastrophic areas of concern that could take down an organization; followed by legal/regulatory matters; ending with the “soft” areas (ESG is admittedly governed by laws, but it also has a significant, emotional component that until recently has caused this risk to be largely treated like other “soft” risk areas such as diversity, inclusion, respect and professionalism). Legal and regulatory requirements also remain the primary decision-making factor for setting R&C program priorities. This risk category is associated with tangible, defined “hard” consequences that can seriously harm an organization – there is nothing soft about it.

4 Silverstein, Jason. “The Global Impact of George Floyd: How Black Lives Matter Protests Shaped Movements around the World.” CBS News, June 4, 2021.


Program Priorities (Continued)

Figure 3.1 Risk & Compliance Program Priorities (Issues)
Shown: Responses to “Are the following issues a priority for your risk & compliance program?”
Data Privacy, Protection & Security: 63%
Business Continuity & Operational Risks: 44%
Bribery, Corruption & Fraud: 40%
Whistleblowing, Reporting & Retaliation: 36%
Harassment & Discrimination: 33%
Other Regulatory Issues: 29%
Conflicts of Interest: 25%
Diversity, Equity & Inclusion: 17%
Environmental, Social & Governance: 13%
(A second, unlabeled series of small values between 3% and 6% appears beside the lower six bars in the chart.)

Figure 3.2 Risk & Compliance Challenges Faced
Shown: Percent of respondents who answered “yes” when asked if they had experienced any of the following in the past 3 years
Data Privacy / Cybersecurity Breach: 33%
Legal / Regulatory Action: 22%
Employee Litigation: 15%
Party Compliance Failure: 14%
Adverse Media Coverage: 13%
Reputational Damage: 12%
Other: 2%
None: 45%



Program Priorities (Continued)

R&C Priorities Differ by Industry
R&C program priorities are ranked differently based on industry. For example, harassment and discrimination is a higher priority than overall for the Education sector (Figure 3.3). In contrast, the financial services industry has given a low priority to harassment and discrimination, despite several recent high-profile incidents in this area. This may be partly due to the fact that many financial firms have required employees to agree to mandatory arbitration for sexual harassment claims – leading some to assert the sector did not have an accounting during the #MeToo movement.5 There continues to be a massive gap in the pay scale between men and women doing the same job in this sector, and top positions in the firms rarely are awarded to women, indicating there may be a cultural component at work that makes this risk area a blind spot.6

Whistleblowing and retaliation is another area where industries have different priorities. The manufacturing sector ranks this risk significantly higher, while the financial services industry again considers it a significantly lower priority. A 2020 survey found more misconduct was observed by employees who experienced several significant workplace changes in a year than by those who endured none.7 The rapid succession of changes pushed on most employers by the pandemic may have fueled the increased focus on whistleblowing and retaliation, with the manufacturing sector being particularly hard-hit by change. Finance, in contrast, may not have undergone as many changes over the last year as manufacturing.

It is also important to note that reports of retaliation have dropped during the COVID-19 pandemic.8 However, a lack of reporting does not mean retaliation isn’t occurring. Financial organizations would be well-advised to make reporting/retaliation a higher R&C program priority.

Bribery, corruption and fraud is also much more of a priority than overall for the Manufacturing industry. This is logical given most manufacturers conduct at least some cross-border commerce and frequently have relationships with many global third parties through their supply chains and distribution networks, increasing their risk. Healthcare and professional services, in contrast, rank this priority much lower. Healthcare organizations typically share limited opportunity for corruption, mostly through their purchasing processes; therefore, this industry prioritizes corruption risk much lower than overall (20% vs. 40%). The Professional Services sector also sees corruption as an almost equally low (24%) R&C priority, though the reasons are not readily apparent.

Curiously, Professional Services was the only industry to prioritize diversity, equity and inclusion at a significantly higher rate than overall (31% vs. 17%). This possibly indicates an inclination within this industry to engage more diverse providers for the wider range of talent and creativity a diverse provider brings to the client’s work.

5 Krawcheck, Sallie. “Why Women Continue to Lose in the Financial Services Industry and How We Can Fix It.” Fortune, October 17, 2019.
6 Antilla, Susan. “25 Years after the ‘Boom Boom Room’ Lawsuit, Wall Street Still Has a Long Way to Go.” CNN, May 27, 2021.
7 “2020 Global Business Ethics Survey Report: Pressure in the Workplace.” ECI, March, 2021.
8 Penman, Carrie, and Andrew Burt. “2021 Risk & Compliance Incident Management Benchmark Report.” NAVEX Global, May 2021, p.48-49.

NAVEX Global | Protecting Your People, Reputation and Bottom Line
THE 2021 DEFINITIVE RISK & COMPLIANCE BENCHMARK REPORT KEY FINDINGS

Program Priorities (Continued)

Figure 3.3 Risk & Compliance Program Priorities (By Industry)
Shown: Percent of respondents who prioritized the following issues by industry

Harassment & Discrimination: Education 65%; Overall 33%; Finance 15%
Whistleblowing, Reporting & Retaliation: Manufacturing 48%; Overall 36%; Finance 18%
Bribery, Corruption & Fraud: Manufacturing 62%; Overall 40%; Professional Services 24%; Healthcare 20%
Diversity, Equity & Inclusion: Professional Services 31%; Overall 17%


Resources, Industry & Independence Affect Importance of Organizational Culture

Several factors influence R&C priorities (Figure 3.4). Unsurprisingly, meeting legal and regulatory compliance was the main consideration with 84% of organizations rating it “very important,” followed by 63% that rated mitigating risk in the same tier. The two remaining surveyed drivers – improving corporate culture and alignment with business strategies – occupied last place (43%) for the highest rating. When expanding the rating scale to “important/very important,” culture improvement ranked as the overall lowest (77%) influence on R&C program decision-making. Nonetheless, organizational culture was rated as “very important” more often by two key industries – Healthcare (51%) and Professional Services (54%), both very client-focused sectors (meaning relationship focused – another “soft” cultural attribute) (Figure 3.5). More than half (51%) of independent R&C programs also gave culture these top two ratings. Additionally, 55% of programs with very sufficient resources – staffing, funding and access to data – rated culture as “very important,” with almost 9 of 10 (86%) placing it in the top two levels of importance.

These data appear to loosely reflect Maslow’s Hierarchy of Needs.9 R&C Programs will prioritize their basic needs first – stay out of jail, minimize litigation costs and reputational damage, mitigate key risks overall, regulatory compliance. When those needs are well-controlled, programs perceive they have the luxury of moving on to tackle more emotional, “softer” cultural needs – workplace civility and respect, diversity and inclusion, social issues, caring for environment. Catastrophic events aside, it is ironic that both “soft” priorities and regulatory concerns are risk areas that are best mitigated broadly with a strong culture of ethics and integrity, and culture is fueled by the factor of emotion. Yet the lowest priority areas are soft – diversity, inclusion, environment, social issues – and are all about respectful conduct and the motivation to do the right thing. If those areas received more fruitful focus from organizations, daily workplace conduct (read as “culture”) would change for the better. Culture is the root cause and main driver of all human behavior. As we likely have heard repeatedly, culture trumps rules every time. Getting the culture right is ultimately the most effective way to successfully meet the basic needs of your R&C program.

9 McLeod, Saul. “Maslow’s Hierarchy of Needs.” Simply Psychology, December 29, 2020.


Figure 3.4 Risk & Compliance Program Decision-Making Considerations
Shown: Responses to “How important are the following considerations in your R&C program’s decision-making process?” (Not Important / Important / Very Important)

Meeting Legal / Regulatory Requirements: 6% / 11% / 83%
Mitigating Risk: 10% / 27% / 63%
Aligning With Business Strategies: 18% / 38% / 44%
Improving Organizational Culture: 23% / 34% / 43%

Figure 3.5 Importance of Organizational Culture in Risk & Compliance Program Decision Making
Shown: Percent of respondents who cited improving organizational culture as “very important” by cross-section

Well-Resourced 55%
Professional & Technical Services 54%
Independent R&C Function 51%
Healthcare 51%
Overall 43%
Finance 32%


A Majority of R&C Programs Use Purpose-Built Solutions to Administer Elements

The use of automated systems to manage R&C program elements is becoming more common. At least a third of respondents who have a given element administer it with a purpose-built solution (Figure 3.6). Sixty-one percent (61%) of surveyed programs use purpose-built systems to administer at least one of the R&C elements surveyed, with a whopping three-quarters (73%) planning to adopt such solutions within the next two years. The shift to automation is highest among Advanced and independent programs (Figure 3.7), which are typically better resourced than their less Mature or non-independent counterparts. Maturing organizations take note – independent programs are not always found in large or high-revenue organizations; risk and compliance programs are more likely to report directly to the CEO and/or board in small organizations (36%) than in large ones (22%) and are just as likely to be independent within small organizations as big ones. This means a strong advocate (CCO) for automation, with an open door to the board and C-suite, frequently can secure the resources necessary to implement.

R&C programs have many reasons for adopting technology. The top two are risk reduction and increasing reporting capabilities (Figure 3.8), both major priorities of all R&C programs. Larger and high-earning organizations, which frequently have Advanced R&C programs, use technology more often than their peers to boost program reporting abilities (Figure 3.9). This is a critical program skill that more programs need to improve as their organizations grow and become more complex.

Figure 3.6 Purpose-Built Solution Use (by Program Element)
Shown: Percent of respondents with a given element who use purpose-built solutions to administer the following R&C elements

61%: Percent of respondents who use purpose-built solutions to administer at least one element of their risk & compliance program

Incident Management 60%
Conflicts of Interest 39%
Policy & Procedure Management 38%
Third-Party Risk Management 38%
Ethics & Compliance Training 37%
Code of Conduct 28%
Awareness Solutions 27%
ESG Reporting 25%

Figure 3.7 Risk & Compliance Program Priorities (Automation)
Shown: Percent of Organizations planning to automate their risk & compliance function in the next 12 months by cross-section

Advanced Programs 48%
Independent R&C Function 43%
Finance 41%
Over 5,000 Employees 39%
Overall 33%


Figure 3.8 Reasons for Risk & Compliance Technology Adoption
Shown: Responses to “What are your organization’s reasons for adopting new R&C automation and technology solutions?”

Reduce Risks 46%
Increase Reporting Capabilities 43%
Streamline Workflows 41%
Automate Practices & Procedures 40%
Meet Regulatory Requirements 37%
Reduce Time & Costs 34%
Integrate Program Components 25%
Don’t Use Technology 7%

Figure 3.9 Organizations Using Risk & Compliance Technology to Increase Reporting Capabilities
Shown: Percent of respondents who adopted technology to increase reporting capabilities, by organization type

1B+ in Revenue 54%
5,000+ Employees 53%
Overall 43%
< 1,000 Employees 33%


4. Risk Assessment & Measures of Effectiveness

Most Programs Lack Fully Informed & Utilized Risk Assessments

Risk assessment is the critical first step in crafting an effective compliance program. As the U.S. Department of Justice’s “Evaluation of Corporate Compliance Programs” states:

“The starting point for a prosecutor’s evaluation of whether a company has a well-designed compliance program is to understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.”10

Note the emphasis on understanding an organization’s business. The expectation is that a risk and compliance program will utilize many sources of information, including operational data, to review, test and improve their programs so that there is sufficient scrutiny and management of their risks. This may surprise some compliance professionals who focus exclusively on “compliance” risks, such as regulatory (e.g., bribery, insider trading); R&C program matters (e.g., training completion rates, hotline reporting numbers); and cultural or human resources concerns (e.g., bullying, inclusion, equal opportunity). Taking a universal look at risk, including operational risk, enables programs to appropriately prioritize resources and focus efforts accordingly.

When asked about their use of risk assessments, almost three quarters (71%) of respondents said they used them to inform the testing, review and improvement of their R&C programs (Figure 4.1). While half of respondents reported their risk assessments were current and periodically reviewed, only 29% said those assessments were informed by continuous access to operational data across business lines. Additionally, only a third used their assessments to make risk-based resource allocations. Overall, only 16% of respondents meet all three criteria outlined by the DOJ for risk assessment design and use – a sobering thought for many organizations regardless of their size, industry or geography.

Figure 4.1 Risk & Compliance Risk Assessments
Shown: Responses to “Which of the following is true about your risk assessment?”

71%: Percent of respondents who use risk assessments to review, test & improve their risk & compliance programs

Is Current & Subject to Periodic Review 50%
Results in Risk-Tailored Resource Allocation 34%
Is Informed by Continuous Access to Data 29%

10 “Evaluation of Corporate Compliance Programs.” U.S. Department of Justice, Criminal Division, June 2020.


Risk Assessment & Measures of Effectiveness (Continued)

Figure 4.2 Information Sources for Testing, Review & Improvement
Shown: Responses to “Which of the following information sources does your organization use to review, test and improve your risk and compliance program?”

77%: Percent of respondents who use 3 or more information sources to review, test & improve their programs

Regulatory Updates 73%
Risk Assessment Results 71%
Compliance Program Audits 68%
Lessons From Prior Misconduct 62%
Lessons From Peers 59%
Measures of Org. Culture 45%
Other 2%
None 3%


Programs Use Multiple Sources to Test, Analyze & Audit Functions

Risk and compliance programs operate in a constant cycle that begins with risk assessment and ends with review of the program to uncover improvement opportunities, then the cycle repeats. Tools that can be used to help improve an R&C program include: changing or updated regulations, risk and program assessment results, program audit results, lessons learned and measures of the compliance culture.

Overall, programs scored well in this area, with over 77% of respondents using 3 or more of these information sources to review, test and improve their programs. Unsurprisingly, the most used is regulatory changes and updates, while evaluation of the culture of compliance remarkably was at the bottom of the list (Figure 4.2). Though a healthy culture of compliance is the ultimate indicator of R&C program effectiveness, it is intangible and requires measurement and triangulation of many cultural factors such as employee fear of retaliation and prevalence of management’s good example. By contrast, changes in the laws and audit results are tangible with straightforward improvement opportunities. The state of the culture of compliance may be the best tool to uncover program opportunities, but it is simply more difficult to quantify and to develop tangible R&C program improvements based on intangible opinions instead of tangible facts.

Figure 4.3 Risk & Compliance Program Audits
Shown: Responses to “Which of the following are part of your compliance program audits?”

59%: Percent of respondents who use 3 or more information sources to conduct program audits

Policy / Practice Review 81%
Internal Investigation Reports 73%
Incident Reports 67%
Testing of Controls 61%
Gap Analysis 59%
Employee Feedback 58%
Program Data 58%



More than 2 of 3 (68%) respondents use data from periodic compliance program assessments to expose gaps in risk controls and reveal ways to enhance their R&C programs. The most common sources of data are reviews of policies, procedures and practices and internal investigation reports (Figure 4.3). In addition, roughly two-thirds use hotline incident reports (67%) and testing of risk controls (61%). Used less often were employee interviews and feedback – again a less tangible measure, but indispensable for understanding the state of the compliance culture.

Data Utilization Lags Behind Collection

Generally, respondents were pleased with their access to data across business functions, giving it an average rating of 3.5 out of 5. However, programs were less satisfied with their efforts to effectively capitalize on that data (Figure 4.4). Fewer than half (47%) of respondents rated their ability to use incident management information to accurately assess reporting effectiveness as “good” or “very good.” Barely a quarter (27%) of respondents gave a similar rating to their use of metrics gained from their compliance training programs to measure training effectiveness and impact. Across a variety of R&C functions – including incident management, third-party risk management, policy and procedure management, and ethics and compliance training – respondents generally reserved their lowest scores for their ability to effectively leverage the data they acquired.

Figure 4.4 Data Access and Use
Shown: Percent of programs utilizing data for the following functions. Responses to “How would you rate your access to data across business functions?”

3.5 out of 5: Respondents gave their access to data across business functions an average rating of 3.5 out of 5

Assess Reporting Effectiveness 47%
Ensure Incident Reporting Responsiveness 40%
Conduct Ongoing 3P Monitoring 35%
Track Policy Access 34%
Measure Training Effectiveness / Impact 27%



5. Resources & Empowerment

Fewer than Half of Programs Are Well-Resourced

One key, tangible and impactful measure of support is funding. This year, we asked respondents to rate the level of funding they receive. The results were disappointing, if unsurprising. Less than half (44%) rated their program funding as sufficient or very sufficient, indicating that about half of compliance functions suffer from less sufficient financial support (Figure 5.1). Of course, Mature and Advanced programs were more likely to say they had sufficient or very sufficient funding and data access. The survey also revealed dissatisfaction with the level of staffing. Overall, 41% of respondents said their R&C programs had sufficient or very sufficient staffing.

It is no surprise that satisfaction with funding and staffing levels increases with program maturity and organization revenue. Also, independent compliance functions reporting directly to the CEO and board are more likely to report having sufficient resources. Conversely, organizations headquartered in the APAC region apparently use different criteria for funding their R&C functions. This region’s rating of staffing and funding was the lowest of any demographic (29% and 25% respectively).

Risk & Compliance Staff Are Qualified & Well-Trained

While a majority of programs report being under-staffed, it is positive to note that the satisfaction with the staff they do have is quite high. More than 2 of 3 respondents (69%) agreed that their R&C team members had appropriate experience and qualifications for their positions (Figure 5.2). Meanwhile, 58% said their personnel received periodic training and development opportunities. A majority held no other non-compliance duties, with small organizations significantly more likely than their peers to split their compliance staff’s duties. Only a fraction of respondents (5%) complained of a high turnover rate.

The same factors that direct money to R&C drive this number higher – more organization revenue; independent function; higher sufficiency of program funding, staffing and program maturity. Again, APAC rated this personnel criterion the lowest of all demographics; just 56% said they have qualified/experienced staff.


Resources & Empowerment (Continued)

Figure 5.1 Access to Resources
Shown: Responses to “How would you rate your program’s access to the following?” (Very Poor / Poor / Fair / Good / Very Good)

3.3 out of 5: Respondents gave their access to resources an average rating of 3.3 out of 5

Funding: 8% / 15% / 33% / 27% / 17%
Staffing: 10% / 17% / 32% / 26% / 15%

Figure 5.2 Risk & Compliance Staff Attributes
Shown: Responses to “Do your risk and compliance personnel have/receive the following?”

Appropriate Experience & Qualifications 69%
Periodic Training / Development 58%
Non-Compliance Responsibilities 47%
Comparatively High Turnover Rate 5%
None of the Above 4%


Leadership’s Commitment to Compliance Weakened by Competing Priorities

In our past definitive benchmark surveys, we have queried organizations about the buy-in, oversight and commitment of their senior leadership to compliance. This year, we attempted to delve deeper by asking a series of questions to help us better assess the depth and nature of that support. This included questions about whether they demonstrated a commitment to compliance through their actions as well as their words, and how strongly they held to their convictions in the face of competing priorities. We also asked about middle managers’ commitment to compliance, including whether they took actions that overtly or implicitly frustrated compliance objectives.

Initially, the results appear to reinforce the confidence respondents have traditionally had in their leadership support. Over three-quarters said that senior leaders have encouraged compliance within their organizations (Figure 5.3). Conversely, only a small number of respondents said their managers had encouraged unethical behavior or actively impeded compliance.

However, while most leaders may be willing to talk up compliance, significantly fewer appear willing to “walk the walk.” Just over half of respondents said their senior leadership actually models proper behavior. And while managers generally don’t actively frustrate compliance efforts, one in four (27%) are willing to tolerate greater compliance risks if it could mean higher revenues. Perhaps most telling is the difference between leaders’ willingness to demonstrate a commitment to compliance versus their persistence in the face of competing factors. Both senior leaders and managers were significantly less likely to maintain their commitment when faced with conflicting objectives (Figure 5.4).

Risk & Compliance Programs Enjoy Good Board Access

The governing board has ultimate responsibility to oversee the performance and effectiveness of its organization’s R&C function. Programs have traditionally fared well in this regard, with 83% of respondents saying they met regularly with their board in 2020. This year, respondents continued to give comparatively high marks to their board’s availability, rating their access to the board at an average of 3.7 out of 5.

However, access is just one dimension of board engagement. This year we examined the board’s level of oversight, expertise and familiarity with reporting data. Overall, the results were encouraging. Three of 5 (60%) said their boards used compliance data in the oversight process (Figure 5.5). Almost half (47%) claim there was compliance expertise on the board and the same number (46%) said the board held executive sessions with compliance. Additionally, more than half of respondents (54%) say their organization engages periodically with the board on risk and compliance matters and the board has oversight.

Larger organizations, more Mature programs, and those with an independent compliance function reporting to the CEO and board understandably do an even better job in these areas. The highly-regulated and data-driven healthcare (69%), manufacturing (65%) and finance (69%) industries also significantly exceed programs overall for boards that use compliance data in their oversight.


Figure 5.3 Senior Leadership & Manager Characteristics
Shown: Responses to “Which of the following statements are true of your senior leadership? Which of the following statements are true of your manager?”

Our senior leadership:
Encourages Compliance 77%
Models Proper Behavior 56%

Our management has:
Tolerated Risk to Pursue New Business / Greater Revenue 27%
Encouraged Unethical Behavior to Achieve Objectives 12%
Impeded Compliance From Implementing Duties 11%

Figure 5.4 Leadership Commitment: Demonstration vs. Persistence
Shown: Responses to “Which of the following statements are true of your senior leadership? Which of the following statements are true of your manager?” (Management / Senior Leadership)

Demonstrates Commitment to Compliance: 71% / 75%
Persists in That Commitment: 46% / 38%


Over Half of Organizations Have Dedicated CCO, CRO or CRCO

The compliance function needs leadership. The management of organizational risk, an equally important function, may or may not be coupled with compliance. Our survey responses illuminate current practice for both risk and compliance leadership. Almost half (42%) of overall respondents said they have a dedicated chief compliance officer (CCO) (Figure 5.6). The number increases with compliance program maturity; organization size and revenue; and the heavily-regulated industries of healthcare and finance. Predictably, there is a dedicated CCO FTE most often (67%) when the R&C program is an independent function reporting directly to the CEO and board. More than 2 of 3 (68%) Advanced programs employ full-time dedicated CCOs.

In contrast with the CCO, just a quarter of organizations (24%) say they have a full-time chief risk officer (CRO). This increases significantly at the two top levels of R&C program maturity (32-41%), likely due to these typically larger and wealthier organizations having the need and finances to consolidate dispersed enterprise risk management activities into a single function led by a dedicated leader. The highly regulated finance industry is particularly fond of using dedicated CROs, with 55% saying their organization has someone in this position. One surprise in the data is no deviation from overall for organizations with international operations, where regulatory and operational risks are elevated and where we may expect more CRO FTEs. Employment of a part-time or split responsibility CRO is 15% overall, with lower maturity R&C programs using this type of position most often.

The dedicated, combined role of a chief risk and compliance officer (CRCO) was far less common, with only 14% saying their organization had such a position. One of 10 said they had a split-responsibility or part-time CRCO. Like the single function CRO, there was no deviation from overall for organizations with international operations. Overall, over half (52%) of respondents said their organization had a CCO, CRO or CRCO. Chief officers charged with managing compliance predominate; 47% say they have a CCO or CRCO, versus 30% who say they have a CRO or CRCO.

Two noteworthy geographic differences bear mentioning. APAC of all the demographics made the most use of part-time or split-responsibility R&C function leaders – CCOs 31%; CROs 29%; CRCOs 21%. On the other hand, the EMEA demographic employed a dedicated CRCO most often, at a rate of 21%.

Perhaps the biggest surprise in this function leadership data is the number of organizations saying they do not have a CCO (35%) or CRO (61%), let alone a CRCO (76%). Regulators and prosecutorial agencies like the DOJ have made it clear that employment of a qualified CCO or equivalent is table stakes for an effective compliance function, whether the position is a dedicated or split responsibility. Small size, low revenue or program immaturity are poor excuses for putting off appropriate function governance. The cost may pay for itself when an investigator knocks on your door.


Figure 5.5 Board Access & Attributes
Shown: Responses to “Which of the following is true of your board of directors? How would you rate your program’s direct access to the board of directors?”

3.7 out of 5: Respondents gave their access to their board of directors an average rating of 3.7 out of 5

Examines Reporting Data 60%
Has Oversight of Compliance 54%
Has Members With Compliance Expertise 47%
Holds Executive / Private Sessions With Compliance 46%

Figure 5.6 Prevalence and Role of Chief Compliance Officers / Chief Risk & Compliance Officers
Shown: Responses to “Does your organization have a Chief Compliance Officer and/or a Chief Risk & Compliance Officer? Are they a full-time or part-time role?” (Do Not Have / Part-Time / Dedicated, Full-Time)

Chief Compliance Officer: 35% / 23% / 42%
Chief Risk Officer: 61% / 15% / 24%
Chief Risk & Compliance Officer: 76% / 10% / 14%


Compliance Independence Correlates With Better Performance

The question of where the compliance function should be housed is somewhat controversial. Our survey results reflect the currently increasing cross-industry trend. One of 3 compliance programs (33%) are located within and report through the legal department (Figure 5.7). This poses a conundrum. In 2003, a U.S. Medicare fraud scandal at a large healthcare company raised conflict of interest allegations related to the top legal officer’s dual roles of General Counsel and Chief Compliance Officer because she had a duty to “ensure both that the company was following federal guidelines and that it also was protected from charges of wrong-doing.”11

Curiously, Advanced maturity programs report through legal at the highest rate – almost half (46%). The reason for the current trend toward this reporting structure may be rooted in a need for a more efficient administrative solution than afforded by reporting to the CEO or the board. But efficiency should not trump independence.

Even if the roles are separate, with the CCO reporting to the GC, the potential for conflict of interest remains. The best alternative arrangement is an independent compliance function reporting to the CEO and/or board of directors. The survey revealed slightly more than 1 of 4 programs (27%) are set up as an independent entity, with 1 of 3 Mature and Advanced programs adopting this structure.

In addition, having an independent compliance function is correlated to a host of positive outcomes. R&C programs whose leadership report directly to the CEO or board are 25% more likely than programs overall to enjoy leadership support. They are also 39% more likely to have sufficient access to resources.

There appears to be a theme here. Independent CCOs that report directly to the CEO are able to secure higher budgets for their programs. The cash infusion enables programs to grow and mature, which in turn results in greater performance outcomes.

11 “Chief Counsel, Compliance Officer at Tenet Healthcare Resigns.” California Healthline Daily Edition, September 23, 2003.


Figure 5.7 Risk & Compliance Reporting Structures
Shown: Responses to “Where is your company’s compliance function housed?”

Within the Legal Department 33%
It Is an Independent Function Reporting To the CEO and / or Board of Directors 27%
It Is Split Across Multiple Departments 14%
Under Another Business Function 7%
Within the Human Resources Department 6%
Within the Internal Audit Department 4%
Within the Finance Department 4%
Within the IT / Data Security / Data Privacy Department 3%
Don’t Know 2%

37
NAVEX Global | Protecting Your People, Reputation and Bottom Line
THE 2021 DEFINITIVE RISK & COMPLIANCE BENCHMARK REPORT KEY FINDINGS

6. Program Elements

Incident Management

Incident Management Is the Most Advanced Component of R&C Programs

Organizations with a well-designed compliance program should have robust reporting and investigation processes. Three of four (73%) programs surveyed have a solution to capture and investigate reports, making it one of the most widely adopted compliance functions. A plurality (44%) use purpose-built software, making this program element the most supported by purpose-specific technology (Figure 6.1).

When respondents who have a reporting and investigation process rate the performance of these systems, more than half described the awareness, operation and data collection of their solution as good or excellent (Figure 6.2). The lowest-ranked aspects of reporting and investigation systems all address retrospective analysis of the collected data – patterns of misconduct (51% good/excellent), reporting process effectiveness (47%) and responsiveness metrics (40%). These are considered part of a minimally effective E&C program for organizations of all sizes, revenues, industries and geographies.

Figure 6.1 Program Elements & Automation

Shown: Responses to “How do you administer the following elements?”

                                 No, We Do Not   Yes, a Paper-    Yes, an Office Productivity /   Yes, a Purpose-
                                 Have This       Based Solution   ERP Solution                    Built Solution
Incident Management              27%             8%               21%                             44%
Ethics & Compliance Training     20%             14%              37%                             30%
Policy & Procedure Management    37%             8%               31%                             24%
Third-Party Risk Management      43%             8%               27%                             22%
ESG Reporting                    63%             6%               22%                             9%

Of all the facets handled by an incident management system, case closure time may be the most challenging, even for excellent E&C programs. The two primary factors that extend the time taken to investigate and close a report are resource constraints and case complexity (Figure 6.3). Over the past three years, the lack of resources has trended steadily downward from 42% to 38%, while complex cases trended upward from 33% to 37%. Perhaps resource constraints are becoming less of an issue due to better funding; however, more may need to be invested in resources to properly handle increasingly complex cases in a timely manner.

A key focus of an incident management process is prevention and detection of retaliation. Our survey revealed overall 85% of R&C programs have a non-retaliation policy; however, just 27% have a process to detect retribution (Figure 6.4). More work needs to be done to implement a detection process, though it continues to be a mid- to low priority for most organizations. Retaliation was the top claim made to the EEOC in 2020 with 55.8% of charges filed.12 If you think retaliation is not happening in your organization, you need a process in place to detect it. Retaliation happens everywhere, and it is better to have the report come to you than to a government agency.

Figure 6.2 Incident Management Performance Rating

Shown: Percent of respondents who rated their program’s incident management performance as “good” to “great” in the following areas

Respondents gave their incident management function an average rating of 3.6 out of 5.

Assessing the Seriousness of Allegations    74%
Conducting Independent Investigations       70%
Properly Scoping Investigations             64%
Monitoring Investigation Outcomes           61%
Tracking & Using Reporting Data             58%
Generating Awareness                        55%
Identifying Patterns of Misconduct          51%
Assessing Reporting Effectiveness           47%
Using Metrics to Ensure Responsiveness      40%

12 Bayt, Katie, and James Plunkett. “EEOC Roundup, Part I: 10 Things to Know About the 2020 Charges and Litigation Statistics.” Ogletree Deakins, March 5, 2021.

Figure 6.3 Factors Impacting Case Closure Times

Shown: Responses to “What has the biggest impact on the time it takes to investigate and close a report in your organization?”

                          2019   2020   2021
Resource Constraints      42%    41%    39%
Case Complexity           33%    32%    37%
Process Inefficiencies     9%    12%    11%
Case Ownership Issues      4%     6%     7%
Legal Team Involvement     6%     6%     5%
Other                      6%     4%     3%

Figure 6.4 Prevalence of Incident Management Components

Shown: Responses to “Which of the following are part of your confidential reporting and investigatory program?”

A Non-Retaliation Policy                  85%
A Hotline / Internal Reporting Channel    85%
Case Management Processes / Protocols     70%
Third Party Reporting Through Hotline     55%
Industry Benchmarking                     35%
KPI Dashboard                             34%
Process to Detect Retaliation             27%

Policy & Procedure Management

Policy & Procedure Management Secure in Development, but Lacks Tracking Capabilities

This year, organizations rated their policy and procedure management systems higher than other program elements. Two out of 3 programs (64%) have a solution to develop, distribute and attest to policies and procedures, which is up from 57% last year. Overall, a quarter (24%) utilize purpose-built software to administer their policy and procedure management.

Two-thirds (64%) of organizations with policy and procedure management functions in place are confident in their ability to do a good or excellent job developing policies that reflect their legal and regulatory risks (Figure 6.5), though it remains a top challenge for more than half (53%) (Figure 6.6). The biggest challenge for 3 of 5 (58%) programs, however, is employee communication/training on the policies. Unsurprisingly, those with insufficient funding in several program areas struggle the most.

Perhaps most concerning are two findings. First, just 1 of 3 (34%) organizations say they are good or very good at tracking access to policies. Even Advanced programs struggle here, with just over half (57%) monitoring access. Second, a third (33%) of organizations said they use no metrics to measure the effectiveness of their policy and procedure management process (Figure 6.7). This is less than last year (41%) but it is still problematic. Proper program assessment includes reviewing the effectiveness of the policy and procedure management solution; therefore, organizations are well advised to start measuring whether this element is in fact effective.

The minimum elements of an effective policy system – development, distribution, attestation, accessibility, training, access tracking – can be managed best with the features in purpose-built software. Our survey indicates an upward trend in adoption of this tool with 38% of respondents stating they use such a solution to automate their policy and procedure management. This overall number is up from 34% last year and 25% in 2019.

However, providing easy access to policies is a challenge for 1 out of 3 (34%) programs, up from 1 in 4 (28%) last year. The manufacturing industry is challenged most with over half (51%) struggling to provide easy access, most likely because many workers are production-based and cannot easily access computers.

Figure 6.5 Policy & Procedure Management Performance Rating

Shown: Percent of respondents who rated their program’s policy & procedure management performance as “good” to “great” in the following areas

Respondents gave their policy & procedure management function an average rating of 3.3 out of 5.

Developing P&P for Legal & Regulatory Risks        64%
Publishing P&P in Easily Searchable Formats        53%
Communicating P&P to Employees & Third Parties     50%
Consulting With Business Units on P&P Design       49%
Providing Guidance to Key Gatekeepers              48%
Addressing Barriers to Employee P&P Access         42%
Tracking Access to P&P                             34%

Figure 6.6 Top Policy & Procedure Management Challenges

Shown: Responses to “What are your top policy management challenges?”

                                                2019   2020   2021
Training Employees on Policies                  48%    47%    58%
Aligning Policies With Changing Regulations     39%    37%    53%
Creating & Documenting Documents Easily         24%    24%    36%
Managing Version Control                        26%    25%    36%
Providing Easy Access to Policies               25%    28%    34%
Connecting Policies to Incident Management      16%    14%    30%
Adapting Policies & Procedures to Remote Work    –      –     29%
Managing Records                                16%    17%    24%

Figure 6.7 Measuring Policy & Procedure Management Effectiveness

Shown: Responses to “Which metrics do you use to measure the effectiveness of your policy management program?”

                                          2020   2021
Attestation Completion Rates              22%    31%
Policy Discoverability / Searchability    23%    30%
Improved Efficiencies                     22%    30%
Reductions in Compliance Failures         24%    28%
Improvements in Organizational Culture    22%    27%
Employee Quiz Results                     20%    24%
Reduction in Legal / Regulatory Fines     17%    21%
We Do Not Use Metrics                     41%    33%

Third-Party Risk Management

Third-Party Risk Management Effective at Enhanced Due Diligence, but Struggles With Resource Allocation & Ongoing Monitoring

A third-party management solution is a must for any R&C program seeking to meet increasingly broad regulatory standards. Our survey revealed 57% of R&C programs are using such a mechanism, a significant increase over the 44% and 46% of the last two years. Purpose-built software is often used to administer third-party management processes. While automation is low in comparison to the other elements surveyed, it is an increase over prior years – a good sign that organizations understand the scope and commitment involved in doing this work and the value of technology in making the tasks more efficient.

Regarding performance, the overall top two tasks in a third-party solution rated good or very good by R&C programs were ensuring appropriate contract terms (53%) and performing enhanced due diligence based on defined risk levels (48%) (Figure 6.8). Advanced programs and well-resourced programs unsurprisingly rated performance of these tasks at the highest levels more frequently. By contrast, just 1 out of 4 organizations headquartered in APAC rated their performance high on these tasks.

The two duties most commonly rated as fair or poor were ongoing monitoring of relationships (39%) and requiring third-party training and certifications (43%). R&C programs that were under-resourced rated performance of these two tasks at the low end more often. Apparently, sufficient resources make a big difference in boosting performance of third-party management systems.

When it comes to applying a risk-based approach to third-party risk management solutions, the data from R&C programs show little change in their approaches from last year (Figure 6.9). One-quarter tailor risk management to the business partner’s unique risks at onboarding (27%); another quarter (25%) stratify risk first and apply different levels of risk management throughout the term of engagement based on risk ranking. One of five (22%) manage only high-risk business partners, with organizations headquartered outside North America using this approach more often. Those who do nothing have decreased slightly from the prior year to 10%.

Performance is one measure of effectiveness, but the ultimate measurement is whether a third-party management system significantly reduces an organization’s legal, financial and reputational risks. Most respondents to our survey (61%) agreed, both strongly and somewhat, that such a system does indeed have a positive impact on these risks (Figure 6.10). Agreement increased with R&C program maturity, which is understandable due to the higher amount of funding and resources enjoyed by more Mature programs; they simply can do more to manage business partner risk. However, the regulators do not exempt less Mature programs from managing their third parties in a way that is commensurate with the size and scope of their business. This area of risk is becoming such a big regulatory focus that all R&C programs should consider devoting appropriate resources to its management.

Figure 6.8 Third-Party Risk Management Performance Rating

Shown: Percent of respondents who rated their program’s third-party risk management performance as “good” to “great” in the following areas

Respondents gave their third-party risk management function an average rating of 3.1 out of 5.

Setting Specific & Accurate Contract Terms    53%
Risk-Based Enhanced Due Diligence             48%
Tracking & Addressing Red Flags               46%
Establishing Relationship Rationales          43%
Collecting Third-Party Records                41%
Risk-Based Resource Allocation                37%
Ongoing Monitoring of Third Parties           35%
Requiring Third-Party Training                32%

Figure 6.9 Application of Third-Party Risk Management

Shown: Responses to “How do you apply risk-based management?”

                                                               2020   2021
To All Parties Based on Risk Level (Continuously Assessed)     26%    25%
To All Parties Based on Risk Level (Determined at Onboarding)  26%    27%
To All Parties Regardless of Risk Level                        23%    22%
To High-Risk Parties Only                                      13%    16%
We Do Nothing Currently                                        12%    10%

Figure 6.10 Assessment of Third-Party Risk Management

Shown: Responses to “Rate your agreement with the following statement: Our third-party due diligence program significantly reduces our legal, financial and reputational risks.”

                     2020   2021
Strongly Agree       17%    24%
Agree                37%    37%
Neutral              24%    22%
Disagree             13%    13%
Strongly Disagree     8%     4%

Ethics & Compliance Training

E&C Training in Harassment & Discrimination Prevention, Data Privacy & Cybersecurity Predominate; Diversity & Inclusion Lagging

The use of training plans to lay out the topics, audiences, formats, lengths of time, responsible parties, launch dates and effectiveness measures for all compliance training courses and communications is an essential part of any R&C program. The use of these plans has been steadily on the rise and the 2021 survey data indicates 80% of R&C programs are now using an E&C training plan. Moreover, 30% said they were using purpose-built software to administer these plans, making it one of the most automated elements surveyed.

In rating the performance of their R&C training programs, organizations struggle most with measuring training effectiveness and the impact of training on employee behavior. Three out of 4 rate these areas as average to poor (Figure 6.11). Another concern is how programs deal with employees who fail testing. Our survey revealed two-thirds of programs rate this area average to poor. It appears that many R&C programs need to focus more attention on these areas, which applies to organizations of all industries, sizes and geographies. Anecdotal information suggests government surveyors and investigators are taking the latest DOJ guidance to heart. They are asking for evidence of further remediation, other than re-training, for employees who fail testing, especially multiple times. It is time to address this gap in your program if it exists.

The most popular training topics in 2021 mirror the top organizational risks: ethics and code of conduct, which includes many risk areas (81%); harassment and discrimination (78%); data privacy and cybersecurity (66%); and conflicts of interest (65%) (Figure 6.12). Ethics/code were not included in last year’s survey; however, the other three top courses in 2021 were in the same prime position in 2020. This year, there was a noteworthy 10% jump in the number of organizations that are planning to train on harassment, discrimination and retaliation. This may be in response to new sexual harassment prevention training legislation such as California’s SB 778, which went into effect in January of this year.13

While new legislative and regulatory changes may have impacted training topics, other recent events – such as the racial justice and social equity movements – appear less impactful. Little more than half (56%) of respondents said they plan to offer D&I training in the next 3 years – essentially the same percentage as 2020. Though initially surprising, this result may make more sense when placed in the context of our 2021 Incident Management Benchmark, which found a decline in discrimination reports as a percentage of total reporting over the past year, as well as a decrease in the relative percentage of “HR, Diversity & Workplace Respect” reports more broadly.14 These internal signals may have influenced training priorities more than external events. However, as we stressed in our earlier benchmark, a lack of reporting does not necessarily indicate the absence of a problem. Other factors – such as economic anxiety and widespread remote-work environments – may be suppressing reports or temporarily lowering incidents. Organizations would be well-advised to monitor this issue as economic and public health conditions improve.

13 TBJ Content Studio. “Where to Start When It Comes to Stopping Sexual Harassment in the Workplace” (Podcast), July 1, 2021.
14 Penman, Carrie, and Andrew Burt. “2021 Risk & Compliance Incident Management Benchmark Report.” NAVEX Global, May 2021.

Seat time for training has not changed appreciably since the 2020 survey. Hours trained are important, as they are an indicator of an organization’s commitment to managing key areas of risk. So it is surprising that just 1 out of 4 managers and leaders continue to receive 4+ hours of R&C training each year and 1 out of 5 board members continue to receive no R&C training at all (Figure 6.13). This data suggests an ongoing weakness in organizational commitment to managing top compliance risks. Board members and company leaders are typically not inherently aware of what they must know and do to shape the cultural tone that supports ethical conduct or even why it is important. They need sufficient training to create and sustain an ethical culture; it is the biggest mitigator of R&C risk.

Figure 6.11 Ethics & Compliance Performance Rating

Shown: Percent of respondents who rated their program’s ethics & compliance training performance as “good” to “great” in the following areas

Respondents gave their ethics & compliance training function an average rating of 3.1 out of 5.

Multi-Format Training               53%
Process to Ask Questions            47%
Training for Supervisors            43%
Training for High-Risk Employees    42%
Employee Testing                    42%
Micro Learning                      40%
Addressing Test Failure             34%
Measuring Effectiveness             27%
Measuring Impact                    27%

Figure 6.12 Top Ethics & Compliance Training Topics

Shown: Responses to “On which of the following ethics and compliance topics will your organization provide training in the next 3 years?”

Ethics & Code of Conduct          81%
Harassment & Discrimination       78%
Data Privacy / Cybersecurity      67%
Conflicts of Interest             65%
Whistleblowing & Retaliation      60%
Diversity & Inclusion             56%
Antibribery & Corruption          52%
Use of Social Media               48%
Abusive Conduct & Bullying        41%
Environment, Health & Safety      40%
Third-Party Risk Management       33%
Active Shooter                    25%

Figure 6.13 Hours of Training by Audience

Shown: Responses to “How many total hours do the following audiences receive in R&C training each year?”

                         None   <1     1 to <2   2 to <3   3+
Third Parties            22%    19%    25%       13%       21%
Non-Managers              4%     8%    27%       23%       38%
Board of Directors       42%    24%    17%        8%        9%
Managers & Leadership    12%, 30%, 23%, 32% (only four of the five segments are legible in the source)

ESG Reporting

ESG Sophistication & Support Varies by Region & Industry

Environmental, Social, and Governance (ESG) data has become a key topic during board room discussions, elevating Corporate Social Responsibility (CSR) and Sustainability to a business strategy with quantifiable objectives. It represents a variety of traditional corporate compliance areas in addition to those of business operations and corporate responsibility. ESG awareness and reporting has vastly increased over the past decade, resulting in growing pressure on organizations to adopt ESG initiatives from all quarters. According to the latest Edelman Trust Barometer Special Report, consumers are 70% more likely to be attracted to brands that focus on making the world a better place than those that focus on making them a better person. They are also more willing to act on this preference; nearly 2 out of 3 consumers said they believed they could get a brand to change almost anything about themselves through their buying decisions.15 This is not lost on investors, who are applying a premium valuation to companies with strong ESG initiatives.16

In February of 2021, NAVEX Global conducted a survey of managers and senior executives on ESG practices across the U.S., U.K., France and Germany. The results found while over 4 out of 5 (81%) of companies surveyed had a formal ESG program in place, there was not a high level of confidence that companies were effectively performing against all their stated ESG metrics. That said, spending on ESG initiatives was on the rise, with 63% of companies planning to increase spending on ESG in 2021. The report also found the United States lagging behind its European counterparts with respect to its ESG program maturity.17

The current results differ in some significant respects. Nearly two thirds (63%) of respondents to our benchmark survey said they did not include ESG reporting as part of their risk and compliance program, which we attribute to ESG principles being a proactive approach to how a company does business, not a traditional risk mitigation activity. This may also be why ESG ranked last on the list of R&C priorities (Figure 3.1). However, 64% of respondents who described themselves as knowledgeable about their organization’s ESG program listed ESG as a priority. In other words, the more a respondent knew about ESG, the more likely they were to prioritize it.

As with the earlier survey, we did find that region played a notable role. Companies operating outside of North America were significantly more likely than their peers to have ESG reporting. Nearly half (48%) of organizations that operated internationally had ESG reporting, versus less than a quarter (23%) of their domestic-only counterparts. This is likely due to the European Commission’s early adoption of ESG and alignment to the United Nations Sustainable Development goals over a decade ago. European companies have been embedding sustainability into their organizations for years, and now the EU has actually regulated the reporting of ESG under SFDR and NFRD guidelines. The U.S. is lagging in these requirements.

15 “Trust: The New Brand Equity.” Edelman Trust Barometer Special Report. Edelman, June 2021.
16 “Institutional Investors (U.S. Results).” Edelman Trust Barometer Special Report. Edelman, November 2020.
17 “Measuring Environmental Social and Governance (ESG) Program Commitment in the US and Europe.” NAVEX Global, February 2021.

Amongst respondents who were knowledgeable of their organization’s ESG efforts, leadership support for ESG reporting was remarkably high, with nearly two-thirds (62%) of respondents saying they enjoyed the support of their CEO (Figure 6.14). Integration with the organization was also high. Resourcing for ESG efforts, however, was significantly lower, with a distinct minority of respondents affirming they had dedicated staff (33%) or budget (32%). CEO support, dedicated budgets, and integration (both within the organization and with financial reporting) were strongly associated with overall program maturity. Dedicated budgets were also (unsurprisingly) tied to company size and revenue, as well as the level of R&C program resourcing. Programs headquartered in the EMEA region were notably more sophisticated. They were significantly more likely to have a dedicated budget (54% of EMEA vs. 27% non-EMEA) and staff (54% vs. 28%). Consequently, they were also more easily able to generate sustainability reports (35% vs. 15%).

When it came to ESG concerns, employee wellness programs, community volunteer programs and diversity metrics tracking topped the list (Figure 6.15). This makes sense, as not all businesses have a large environmental footprint; thus HR-centric ESG measures like wellness rank higher because they are within the control of a greater number of companies. As expected, there are significant differences by industry based on what is material. Greenhouse gas (GHG) emissions tracking and reduction goals are much lower in the healthcare industry (12% and 15% respectively). Conversely, respondents in manufacturing were significantly more likely to engage in GHG calculations (51%). The professional services sector, meanwhile, was far more likely than their peers to focus on incentives for career advancement (69%).

Figure 6.14 ESG Resources

Shown: Responses to “Which of the following is true for your ESG program?”

Enjoys CEO Support                         62%
Is Integrated Within Our Organization      47%
Has Dedicated Personnel                    33%
Has a Dedicated Budget                     32%
Can Easily Generate Reports                19%
Can Integrate ESG & Financial Reporting    18%
Utilizes an External Auditor               18%
We Have None of These                      19%

International operations also had a measurable impact on GHG tracking and reduction efforts. Forty-one percent (41%) of companies operating internationally made GHG calculations, as opposed to just 16% of domestic businesses. An organization’s international profile also affected its diversity efforts. Over half (54%) of companies operating internationally engaged in diversity metrics tracking, as opposed to just 39% of domestic businesses.

Frameworks were initially developed to help companies report on their ESG performance. However, their one-size-fits-all approach means many of them cover sections that aren’t materially relevant to the respondent, while simultaneously not going deep enough into areas that are. Despite these limitations, frameworks fill an important gap currently left by the lack of industry-specific regulatory standards, and allow organizations to broadly compare themselves to industry peers.

Regarding frameworks, the most notable result (at least initially) is the lack of consensus. Nearly half (47%) of respondents reported operating under no framework (Figure 6.16). However, these numbers mask some regional consensus. Use of the United Nations Sustainable Development Goals differed dramatically by region. Forty-three percent (43%) of companies headquartered in the EMEA region and 35% of APAC-headquartered organizations have adopted this framework, as opposed to a mere 12% of U.S. organizations. EMEA-led organizations were also much more likely to utilize the Carbon Disclosure Project (22% EMEA vs. 9% non-EMEA). More than half of North American (NAM) companies, in contrast, have yet to adopt a framework. Fifty-four percent (54%) of NAM-headquartered organizations had no frameworks, versus 29% of companies incorporated outside of the North American Region.


Figure 6.15 ESG Measures

Shown: Responses to “Which of the following are included in your environmental, social and governance (ESG) program?”

Employee Wellness Programs      72%
Community Volunteer Programs    57%
Diversity Metrics Tracking      49%
Employee Incentives             39%
GHG Emission Calculations       32%
Supplier Diversity Program      28%
GHG Reduction Goals             28%
None                            13%

Figure 6.16 ESG Frameworks

Shown: Responses to “Which frameworks do you use to measure/contextualize your ESG performance?”

GRI (Global Reporting Initiative)                       25%
SASB (Sustainability Accounting Standards Board)        20%
SDG (United Nations Sustainable Development Goals)      20%
CDP (Carbon Disclosure Project)                         12%
TCFD (Task Force Climate Financial Disclosures)          9%
Sustainalytics (Formerly Morningstar)                    5%
WFE (World Federation of Exchanges)                      4%
Other                                                    8%
None                                                    47%

7. Risk Management

2020 was a threshold year for the field of risk management. A seemingly interminable series of low-probability, high-risk events introduced an unprecedented level of uncertainty into organizational operations. Paramount among these was the COVID-19 pandemic, which forced massive, sudden shifts to work-from-home environments; extensive supply chain disruptions; surging unemployment and market contractions. However, the pandemic is far from the only crisis; a series of social, technological, economic, environmental, and political upheavals continue to strike populations and institutions across the globe, creating novel, complex and interconnected risks. For businesses, this has resulted in a new and renewed focus on the need to identify, measure, respond to and monitor risks across the enterprise in a consistent and cohesive manner.

Risk Ownership Increases With Program Sophistication

While recognition of the need for an integrated approach to risk management is on the rise, our survey results demonstrate a lack of consensus around who should manage the task (Figure 7.1). Respondents identified a plethora of officers charged with managing risk in their organization, including the chief risk officer (17%), chief compliance officer (14%), chief executive officer (13%), general counsel (12%) and chief risk and compliance officer (9%). However, there are some trends by industry and region. Nearly half of respondents in the finance sector (47%) and 29% of those whose organizations are headquartered in the APAC region are likely to say this is the duty of the CRO. A quarter (24%) of respondents in healthcare place it with the CCO.

When we look at well-resourced programs, a clear trio and hierarchy emerges – CRO, CCO and CRCOs, in that order. Advanced programs, meanwhile, are twice as likely to place this duty with a CRCO as programs overall (18% vs. 9%). This makes sense, as Advanced programs are much more likely to have a dedicated CRCO than their peers (26% vs. 14% overall). As R&C programs become more sophisticated and grow in size, the risk and compliance functions become more likely to integrate, and in some cases merge, with a CRCO as oversight. However, it is important to note that, even within Advanced programs, everyone owns risk. As the Institute of Internal Auditors reinforced in the recent update to their storied “Three Lines of Defense Model,” collaboration, alignment and accountability across the organization at every level is essential for effective risk management.18

18 “IIA Issues Important Update to Three Lines Model.” Institute of Internal Auditors (IIA), July 20, 2020.


Risk Management (Continued)

Figure 7.1 Risk Management Responsibilities & Oversight

Shown: Responses to “Who in your organization is responsible for managing your risk strategy? Does your organization have a committee to address risk and risk strategy enterprise-wide?”

77% of respondents have a committee to address risk strategy enterprise-wide.

Chief Risk Officer: 17%
Chief Compliance Officer: 14%
Chief Executive Officer: 13%
General Counsel: 12%
Chief Risk & Compliance Officer: 9%
Management-Level: 9%
Chief Finance Officer: 8%
Chief Audit Executive: 3%
Chief Information Security Officer: 3%
Other: 6%
No One: 6%

Risk Management (Continued)

Programs Have Reached the “Optimization Midpoint”

Strong policy and procedure management (P&P) is another key element to well-disciplined risk management. The Capability Maturity Model Integration, developed at Carnegie Mellon University and administered through ISACA, offers a reliable measure of P&P optimization. Its levels include:

• Reactive: Our P&P are mostly ad hoc and undocumented
• Managed: Our P&P are repeatable and consistent
• Defined: Our P&P are well-defined and documented
• Measured: Our P&P are tested, measured and refined
• Optimized: Our P&P are flexible, continually monitored and improved

On average, respondents assessed their P&P optimization at 3.0 out of 5 on the CMMI scale – an exact midpoint (Figure 7.2). As with risk ownership, there were some trends within subgroups. Respondents from government entities were overwhelmingly likely to rate their program as Reactive (33%), while those representing nonprofits and healthcare organizations were more likely to rate their programs as Optimized (37% and 24% respectively). Advanced programs were more likely to be Optimized (38%). A program’s access to resources was also positively correlated to P&P optimization. In other words, the better a program’s access to funding and staff, the better its policy and procedure management. Interestingly, there were no significant trends correlating to company size or revenue, indicating that any organization can achieve P&P optimization – if it provides its R&C program with sufficient resources.

Figure 7.2 Risk & Compliance Policy & Procedure Optimization

Shown: Responses to “How would you describe your program’s processes and procedures?”

3.0 out of 5: Respondents gave their level of policy & process optimization an average rating of 3.0 out of 5.

Optimized: 18%
Measured: 12%
Defined: 31%
Managed: 29%
Reactive: 12%

Risk Management (Continued)

Compliance, Data Privacy Top Risk Areas

Overall, compliance risk remained the risk area of greatest importance to respondents, with 79% stating their program was responsible for this type of risk (Figure 7.3). That was followed by data privacy, third-party, and operational risk, at 58%, 52% and 50%, respectively. Conversely, business continuity, health and safety, and ESG risks were covered by only a third or less of the programs surveyed.

Survey results also showed the respondent’s industry strongly influenced what types of risk their program managed. Those in finance were much more likely to cover business continuity risk (51% vs. 36%), manufacturing to manage third-party risk (63% vs. 52%), and healthcare to manage audit (57% vs. 42%). This demonstrates an organic response to risk, with programs responding to their organizations’ individual risk profile and needs. Programs in high-revenue organizations were much more concerned about reputational risk (62% vs. 42%). Interestingly, the likelihood of a respondent’s program covering operational, business continuity, health and safety, and IT/Infosec risk decreased as an organization’s size and revenue increased. This is likely because responsibility for these risks is shared with other functions as organizations grow.

Figure 7.3 Risk Areas Managed

Shown: Responses to “Which of the following risk areas are currently managed by your R&C program?”

Compliance Risk: 79%
Data Privacy: 58%
Third-Party Risk: 52%
Operational Risk: 50%
IT / Infosec Risk: 43%
Reputational Risk: 42%
Audit: 42%
Business Continuity: 36%
Health & Safety: 34%
ESG: 24%
Don’t Know: 7%

Risk Management (Continued)

Most R&C Programs Have Begun Integrating

Risk integration is integral to proper risk management. Programs that silo risk management activities across their organization are less able to identify, define and effectively mitigate risk, as it prohibits risk intelligence from informing important business activities such as strategic planning, strategy execution, enterprise performance management, investment decision making and more. To assess respondents’ level of integration, we asked them to select one of the following to describe their organization’s governance, risk and compliance (GRC) capabilities:

• Siloed throughout our organization
• Currently siloed, but we are planning to integrate
• We have integrated some of our risk management capabilities, but not all
• We have a centralized integrated risk management program run by senior management
• We have a federated integrated risk management program run by the business that reports to senior management

Importantly, over three-quarters of those surveyed described their risk management as at least partially integrated (Figure 7.4). Unsurprisingly, these results are correlated with program maturity and resources, demonstrating that the more developed and better supported a program is, the more it will seek to integrate risk management practices throughout the enterprise. However, as with P&P optimization, there is no correlation between an organization’s size or revenue and its level of integration. This should send a clear message to R&C programs – no matter what the shape, size or profitability of your organization, if you have not begun to integrate your risk management activities across your enterprise, then you are decidedly behind the curve.

Figure 7.4 Risk & Compliance Integration

Shown: Responses to “How integrated are your organization’s governance, risk and compliance capabilities?”

Siloed: 16%
Planning to Integrate: 9%
Partially Integrated: 46%
Centralized IRM Program: 23%
Federated IRM Program: 7%

About the Authors

Carrie Penman
Executive Editor
Chief Risk and Compliance Officer, NAVEX Global

As one of the earliest ethics officers, Carrie Penman has been with NAVEX
Global since 2003 after serving four years as deputy director of the Ethics and
Compliance Officer Association (ECOA), now ECI. A scientist by training, she
developed and directed the first corporate-wide global ethics program at
Westinghouse Electric Corporation from 1994 – 1999. As Chief Compliance
Officer for NAVEX Global, she oversees the company’s internal ethics and
compliance activities employing many of the best practices that NAVEX Global
recommends to its customers.

Carrie has conducted numerous training programs for client Boards of Directors
and executive teams, as well as culture, program and risk assessment projects
globally. She has also served as a corporate monitor and independent consultant
for companies with government settlement agreements.

Carrie is the author of numerous compliance-related articles and commentary
and is regularly featured or quoted as a compliance expert in the press. Carrie
was featured in the Wall Street Journal’s Risk and Compliance Journal and on the
cover of Compliance Week magazine. Carrie is a recognized expert in the area of
hotline reporting and is the author of NAVEX Global’s annual Hotline Benchmark
Report which evaluates data from over one million hotline reports annually.

Carrie is currently an Executive Fellow at the Bentley University Center for
Business Ethics. She previously served on the ECOA Board of Directors and
its Executive Committee and served on the Advisory Board for the Duquesne
University, Beard Center for Leadership in Ethics.

Carrie is a regular speaker at leading ethics and compliance conferences
and events. She is a 19-year member of the faculty of the Managing Ethics in
Organizations course that is co-sponsored by ECI and the Center for Business
Ethics at Bentley University.

In 2017, Carrie received the Ethics & Compliance Initiative (ECI) Carol R. Marshall
Award for Innovation in Corporate Ethics for an extensive career contributing to
the advancement of the ethics and compliance field worldwide and was a finalist
in the Women in Compliance Lifetime Achievement Award for 2018.


Mary Bennett
Research Analyst and Content Manager, NAVEX Global

Mary Bennett is a former Vice President of Advisory Services, NAVEX Global. She
joined the company in 1999 when it was a one-consultant company and helped
to grow its advisory practice into a group that has served 25% of the Fortune 200
in 40 countries worldwide.

She left NAVEX Global and created her own firm, Right Compliance Consulting
LLC, in 2017. As President of her own company, Mary works across all industries
and all sizes of organizations to create and facilitate award-winning training
programs; conduct culture and program assessments; develop compliance
communications and education plans; and help clients develop best practice
programs from the ground up.

Throughout her career, Mary has been invited to share her expertise at many
conferences including The Conference Board, Health Care Compliance Association,
Society of Corporate Compliance and Ethics, Ethics and Compliance Initiative, and
Consero Forums for both legal and compliance professionals on topics such as
basic business ethics management, taking compliance education to the next level,
ethics risk assessment, compliance program and culture evaluation.

During her tenure at NAVEX Global, Bennett pioneered innovative ethics
training and assessment methods. She has many recognized communications,
customized video work and training programs to her credit.

Prior to working as a consultant, Mary served as Vice President of the Compliance
and Integrity Group at Caremark. In that role, she implemented the requirements
of one of the first healthcare CIAs, grew the helpline function and developed
a helpline computer management system. She created and implemented best
practice training programs for over 800 healthcare facilities across the country,
wrote compliance and communication plans and implemented human resource
tools to embed ethics into the reward systems.

Mary is a registered pharmacist by training and has over thirty years of
management, education and clinical experience. She has published and
consulted nationally and internationally in the areas of compliance,
medications and disease states.

When not consulting, Mary has participated in a community organization
which is devoted to bringing character education into area schools.


Andrew Burt
Research Analyst and Content Manager, NAVEX Global

Andrew Burt is a writer and researcher for NAVEX Global, where he collaborates
with risk and compliance experts to develop content offering information,
education, and best practices on industry issues and trends. After obtaining
his MPA from Indiana University, Andrew managed communications for the
University of Oregon’s Global Education Oregon initiative, where he directed
messaging for over 20 educational programs worldwide. More recently, he served
as a writer and research historian for the Reuben G. Soderstrom Foundation for
Organized Labor Studies, and was co-author of the award-winning biographical
series Forty Gavels.

AMERICAS
5500 Meadows Road, Suite 500
Lake Oswego, OR 97035
United States of America
[email protected]
www.navexglobal.com
+1 (866) 297 0224

EMEA + APAC
4th Floor, Vantage London
Great West Road
Brentford, TW8 9AG
United Kingdom
[email protected]
www.navexglobal.co.uk
+44 (0) 20 8939 1650

Copyright © 2021 NAVEX Global Inc. All Rights Reserved.
