2023 Global compliance risk benchmarking survey

In collaboration with

KPMG

 

Industry perspectives on the state of compliance today and effective strategies for managing compliance risk within the changing regulatory landscape

 

Introduction

Darryl Lew
Partner
White & Case LLP
T: +1 202 626 3674

Matthew McFillin
Partner, Forensic Services
KPMG LLP
T: +1 267-256-2647

In today's fast-paced and interconnected world of global business, a robust and comprehensive compliance program is not merely a choice, but a critical imperative for any organization.

Drawing on the opinions of 201 senior decision-makers from more than 30 countries, White & Case LLP and KPMG LLP's "2023 Global compliance risk benchmarking survey" offers powerful insights into compliance practices across industries worldwide and strategies employed by companies to manage their compliance risks—from anti-corruption risk assessments, third-party management and employee risk awareness to environmental, social and governance (ESG) practices and cybersecurity.

Among the key findings are the importance of regular anti-corruption risk assessments and robust third-party management practices—essential components for creating a culture of compliance and transparency.

Use of data analytics is gaining momentum in compliance programs, though many companies are still in the developmental stage. Testing anti-corruption programs for effectiveness is crucial, as is consistent measurement of hotline awareness and effectiveness, along with addressing employee concerns about hotline integrity.

ESG has increasingly become an area of focus, but our respondents reveal a lack of consistency in addressing ESG risks. This inconsistency in approach can hinder the effective implementation of organization-wide policies and procedures and lead to uncertainty among employees. Clearer guidance and communication are essential in navigating the complexities of ESG and ensuring successful integration into business practices.

Looking ahead, cybersecurity takes center stage as the top compliance priority for the next 12 months, as safeguarding sensitive data and proactively addressing digital threats become more important than ever.

By proactively addressing these compliance challenges, organizations can ensure ethical business practices, mitigate risks and safeguard their reputation in an increasingly complex regulatory environment. We hope you will find our "2023 Global compliance risk benchmarking survey" an insightful read.

Key insights at-a-glance

Drawing on the opinions of 201 senior decision-makers from more than 30 countries, White & Case LLP and KPMG LLP's "2023 Global compliance risk benchmarking survey" offers insights into compliance practices across industries worldwide and strategies employed by companies to manage their compliance risks—from anti-corruption risk assessments, third-party management and employee risk awareness to ESG practices and cybersecurity.

Global compliance risk benchmarking survey: ABC risk assessments

Global compliance risk benchmarking survey: Third-party management

Use of data analytics in compliance programs

Global compliance risk benchmarking survey: Monitoring and review

Global compliance risk benchmarking survey: Compliance escalations

Global compliance risk benchmarking survey: ESG

Impact of remote working on compliance and investigations

Looking to the future: Cybersecurity tops the list of compliance priorities for the next 12 months

Survey methodology and demographics


Global compliance risk benchmarking survey: Compliance escalations

Key Takeaways

01. Companies publicize reporting mechanisms in various ways

02. Companies are not consistently measuring hotline awareness and effectiveness

03. Employee comfort level with escalation and reporting mechanisms measured less than overall employee awareness

04. Employees' concerns focus on hotline integrity, not technical implementation

Only 2% of organizations report having no formal compliance escalation mechanism

Most organizations have some form of procedure in place for reporting and escalating compliance issues, whether due to guidance from enforcement authorities or legal requirements. These procedures can range from informal chats with management to anonymous external hotlines.

The effectiveness of these mechanisms can be limited, however, if employees are not aware they exist or are hesitant to use them. Fear of retaliation and a lack of trust in the outcome of an investigation are often cited as common reasons for such reluctance.

The practice of reporting and escalation must be effectively embedded in the organization's culture, with a particular focus on the level of employee awareness and comfort in using these mechanisms. Identifying and addressing any deficiencies is also crucial.

Companies are publicizing reporting mechanisms in various ways

The responses show that resources matter. Organizations with revenues in excess of US$1 billion are more likely to promote reporting mechanisms than those below this threshold. Better resourced organizations tend to have more employees, and the responses show that those with more than 10,000 employees do more to ensure the effectiveness of their reporting mechanisms. Similarly, publicly listed companies do more to raise awareness of escalation and reporting mechanisms than do private companies.

Training is seen as the most effective way to raise awareness of reporting mechanisms: 84% of respondents said they achieve awareness of their reporting mechanisms through training.

Internal communications and reminders also featured prominently. Comparatively few organizations (30%) said that they use compliance champions or ambassadors.

A small number of organizations (2%) revealed that they do not have a formal compliance escalation mechanism.

Companies are not consistently measuring hotline awareness and effectiveness

The practice of reporting must be effectively embedded in the organization's culture

Despite the importance of employee awareness of reporting mechanisms, only half of respondents (51%) stated that their company measures employee awareness of those mechanisms. Conversely, 35% of the respondents stated that they do not track employee awareness. And a significant minority (14%) did not know whether any such testing occurred.

Large companies are significantly more likely to test employee awareness of hotline mechanisms than small companies. Approximately one-third (34%) of companies with less than US$250 million in revenues reported testing employee awareness of reporting mechanisms, compared to more than two-thirds (68%) of companies with more than US$10 billion per year.

Uncertainty about reporting mechanism testing also appears higher, however, in larger companies (17%) than in small companies (3%).

Of further interest is the number of frontline compliance personnel who did not know how or whether their organization monitors employee awareness of how to report concerns: 25% of investigation directors; 19% of Compliance and Ethics officers; and 33% of legal teams.

The levels of uncertainty about these fundamental compliance functions seem surprisingly high and concerning given the surveyed population: the very personnel tasked with compliance and legal risk assessment. These responses suggest that a significant minority of respondents would have a limited ability to address questions from enforcement authorities about the effectiveness of their reporting procedures.

Companies that measure hotline awareness report greater confidence in whistleblower protections

Ensuring that employees are aware of reporting mechanisms in the first place is fundamental, but measuring employee comfort and experience with using hotlines is equally important in ensuring that such mechanisms are effective. While fewer companies reported measuring employee comfort with reporting mechanisms than with awareness, companies that measured employee comfort showed higher levels of confidence in the effectiveness of their anti-retaliation policies and procedures.

Companies that measured employee comfort with reporting mechanisms were much more likely to believe their anti-retaliation policies and procedures are effective (83%) than are companies that did not measure employee comfort (65%).

Employees' concerns focus on hotline integrity, not technical implementation

Survey responses indicate that employee confidence in the processes in place following submission of a report is lacking, which, in turn, creates a potential barrier to compliance escalations being made. The survey results suggest there is more to be done across all industries to give employees comfort that reports made in good faith will be taken seriously and acted upon, and that reporting parties will be adequately protected against retaliation.

The persistence of familiar deterrents to reporting—fear of retaliation, futility and anonymity concerns—suggests that many organizations struggle to constructively make use of this frontline, internal information resource.

Roughly half of respondents identified the same three reasons why employees are reluctant to report potential compliance issues: fear of retaliation (55%); concern that nothing will be done (50%); and concern that reporting is not anonymous (47%).

These concerns were more pronounced among the largest companies, where three-quarters (75%) of respondents cited employee fear of retaliation, and approximately two-thirds were concerned that reporting would not be anonymous (67%) or effective (63%).

Compliance escalations volumes: Benchmarking trends

Given that the number of escalations is likely to be a key metric for understanding how effectively reporting mechanisms are operating in practice, organizations may wish to track periodically the number and type of escalations as part of their monitoring processes.

Almost one-quarter of respondents (23%) stated that they did not know the volume of escalations in their organization.

Approximately two-thirds (67%) of respondents had fewer than 499 compliance escalations per year, with the largest percentage indicating that they typically received between one and 99 escalations (43%).

Escalations seem to increase roughly in proportion to the organization's size. More than half of companies with 499 or fewer compliance escalations a year had fewer than 20 Compliance and Ethics team members. Meanwhile, 72% of companies with 1,000 or more compliance escalations per year had more than 50 Compliance and Ethics team members.

This result is not necessarily cause for concern, as more escalations are reasonably to be expected in bigger companies and may, in fact, be indicative of a healthy reporting culture. Larger organizations also may have additional resources deployed to address the escalation of compliance concerns, resulting in greater familiarity across the business with reporting mechanisms.

Overall, companies with larger Compliance and Ethics teams reported higher levels of confidence that hotline policies and procedures are working effectively.

While the financial services industry has historically faced significant scrutiny of its compliance performance, it may not be leading the way in promoting awareness of escalation mechanisms, according to the survey results. Instead, the pharmaceuticals/healthcare and energy & natural resources industries appear to surpass the financial services industry in this regard.

Typical hotline volumes vary dramatically by company size and industry. One-quarter of respondents reporting more than 1,000 escalations per year were from companies with more than 50,000 employees. No companies with fewer than 10,000 employees received escalations at this level. From an industry perspective, technology, media & telecommunications (14%), industrial manufacturing (8%) and pharmaceuticals/healthcare (7%) were most likely to report more than 1,000 escalations per year.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2023 White & Case LLP