Industry perspectives on the state of compliance today and effective strategies for managing compliance risk within the changing regulatory landscape
Introduction
Darryl Lew
Partner
White & Case LLP
T: +1 202 626 3674
Matthew McFillin
Partner, Forensic Services
KPMG LLP
T: +1 267-256-2647
In today's fast-paced and interconnected world of global business, a robust and comprehensive compliance program is not merely a choice, but a critical imperative for any organization.
Drawing on the opinions of 201 senior decision-makers from more than 30 countries, White & Case LLP and KPMG LLP's "2023 Global compliance risk benchmarking survey" offers powerful insights into compliance practices across industries worldwide and strategies employed by companies to manage their compliance risks—from anti-corruption risk assessments, third-party management and employee risk awareness to environmental, social and governance (ESG) practices and cybersecurity.
Among the key findings are the importance of regular anti-corruption risk assessments and robust third-party management practices—essential components for creating a culture of compliance and transparency.
Use of data analytics is gaining momentum in compliance programs, though many companies are still in the developmental stage. Testing anti-corruption programs for effectiveness is crucial, as is consistent measurement of hotline awareness and effectiveness, along with addressing employee concerns about hotline integrity.
ESG has increasingly become an area of focus, but our respondents reveal a lack of consistency in addressing ESG risks. This inconsistency in approach can hinder the effective implementation of organization-wide policies and procedures and lead to uncertainty among employees. Clearer guidance and communication are essential in navigating the complexities of ESG and ensuring successful integration into business practices.
Looking ahead, cybersecurity takes center stage as the top compliance priority for the next 12 months, as safeguarding sensitive data and proactively addressing digital threats become more important than ever.
By proactively addressing these compliance challenges, organizations can ensure ethical business practices, mitigate risks and safeguard their reputation in an increasingly complex regulatory environment. We hope you will find our "2023 Global compliance risk benchmarking survey" an insightful read.
Key insights at-a-glance
Drawing on the opinions of 201 senior decision-makers from more than 30 countries, White & Case LLP and KPMG LLP's "2023 Global compliance risk benchmarking survey" offers insights into compliance practices across industries worldwide and strategies employed by companies to manage their compliance risks—from anti-corruption risk assessments, third-party management and employee risk awareness to ESG practices and cybersecurity.
Defining environmental, social and governance (ESG) remains a hurdle for more than one-third of companies
Larger companies are more likely to have ESG policies and procedures in place
Implementation of ESG policies varies significantly among companies
Companies also diverge widely in their ESG priorities for the next 12 months
Companies are assessing their ESG risks, but consensus is still developing on how
Compliance and Ethics teams play an increasing role in ESG programs, but not ESG strategy
ESG has increasingly become an area of focus, but responses indicate inconsistency in approaches to address ESG risks. In general, public companies and those with dedicated ESG resources appear to have a better understanding and implementation of ESG measures.
Defining "ESG" remains a challenge for more than one-third of companies
Almost four in ten respondents (38%) have not clearly defined "ESG."
Approximately half of the respondents (53%) said that their organization had clearly defined "ESG."
Companies in the energy & natural resources and technology, media & telecommunication sectors were most advanced in defining "ESG," with 67% and 61%, respectively, reporting that they have clearly defined it.
Larger companies are more likely to have clearly defined "ESG." This may be due to bigger companies being better able to afford dedicated ESG officers/teams. There is a decline in definitional confidence, however, among the largest companies (>US$50 billion), suggesting challenges in maintaining a clear understanding of ESG as companies grow.
Given the emerging nature of ESG issues for many companies, almost one-fifth of respondents (17%) did not know who has primary responsibility for ESG within their organization.
Perhaps due to the multi- or inter-disciplinary nature of the issues falling under the ESG banner, respondents who did identify an officer with primary responsibility for ESG gave a range of answers as to who holds it. 37% reported having a Chief ESG Officer, committee or equivalent, while others placed responsibility for ESG with one or more other senior company leaders, such as the General Counsel (16%) and Chief Compliance Officer (10%).
Whereas a company's status as public or private was significantly correlated with whether the company had clearly defined "ESG," that characteristic does not appear relevant to who oversees ESG. Indeed, the survey indicated that private companies were as likely as public companies to have an ESG officer.
Larger companies (those with revenues exceeding US$1 billion) are more likely to have a dedicated Chief ESG Officer or equivalent instead of relying on the General Counsel or Chief Compliance Officer (which smaller companies tend to do).
Energy & natural resources is the sector most likely to have a Chief ESG Officer or equivalent (50%).
Larger companies are more likely to have ESG policies and procedures in place
As with responses to the question of who within the organization had primary responsibility for ESG oversight, almost one in five respondents (18%) did not know if their company had ESG policies and procedures. This response is consistent with the emerging nature of ESG issues at many companies, and indicates there is significant room in those organizations to increase clarity and understanding surrounding ESG and its implications.
Larger companies are more likely to have ESG policies, with 58% of companies with revenues exceeding US$50 billion reporting that they have ESG policies, compared to 40% of companies with revenues below US$250 million. Even so, approximately 42% of larger companies have no ESG policies, or do not know if there are ESG policies in place.
Notably, uncertainty about whether a company has policies and procedures to address ESG risks increased as revenue increased, suggesting opportunities for greater awareness-building in those companies.
From an industry perspective, companies in the energy & natural resources industry and industrial manufacturing industry were most likely to have policies and procedures to address ESG risks (with 78% and 66% of respondents, respectively, answering positively), whereas companies in the financial services sector were least likely to have such policies and procedures (45% of respondents answered positively).
Implementation of ESG policies varies significantly among companies
ESG covers a wide range of policies affecting all companies. We asked respondents to clarify which policies they have implemented that relate to their ESG risks.
No one ESG topic clearly stands out above the rest as being a current area of focus for a majority of respondents. The top-three choices were: health and safety (44%); diversity and inclusion (42%); and privacy and data protection (42%).
Two industries in which health and safety issues are particularly important—energy & natural resources and industrial manufacturing—appear to account for the prominence of health and safety in the responses.
48% of respondents did not identify a specific ESG policy, which may indicate that ESG goals and particular policies are not aligned.
Companies also diverge widely in their ESG priorities for the next 12 months
While not selected by a majority of respondents, diversity and inclusion is nonetheless the highest-priority ESG topic for organizations generally over the next 12 months, although there was some divergence among industries.
When asked about the top ESG priorities for the following 12 months, no one topic was selected by a majority of respondents.
The top-five ESG priorities that companies reported were: diversity and inclusion (46%); climate change and pollution mitigation (38%); privacy and data protection (27%); strategic sustainability oversight and compliance (22%); and health and safety (19%).
More than one-third of respondents (36%) from consumer & retail identified waste management as the highest-priority topic for their organization over the next 12 months, which is more than three times higher than any other industry group, whereas almost half (44%) of respondents in technology, media & telecommunications identified privacy and data protection as their highest priority.
More than half of companies with revenues of US$1 billion or more (53%) cited diversity and inclusion as a top priority.
Meanwhile, 16% of companies with less than US$1 billion in revenues did not know their ESG priorities for the next 12 months.
Only one in three companies (35%) provide ESG training to employees; the majority of companies (56%) do not train employees on ESG matters. Once a company surpasses US$250 million in revenues, however, the likelihood increases of it training employees on ESG matters.
Among industries, companies in the energy & natural resources sector were the most likely to provide training on ESG matters, with 50% of respondents answering in the affirmative. The lowest rate of ESG training across industries was pharma/healthcare, with less than three in ten (29%) stating they conduct ESG training.
Companies are assessing their ESG risks, but consensus is still developing on how
The most popular method of identifying ESG risks among respondents (45%) was through the performance of risk and/or impact assessments.
ESG gap analyses (33%) and internal audits (27%) were the other top choices.
More than one-third (34%) of respondents either stated that ESG risks were not assessed or did not know how they were assessed.
Smaller companies were significantly less likely to take steps to identify ESG risks.
27% of companies with less than US$250 million in revenues did not assess ESG risks, compared to 9% of companies with more than US$1 billion in revenues.
Compliance and Ethics teams play an increasing role in ESG programs, but not ESG strategy
61% of respondents stated that their Compliance and Ethics function played a role in managing ESG risks. Almost one-quarter (23%) of respondents stated that their Compliance and Ethics function played no role in managing ESG issues. It remains to be seen whether the Compliance and Ethics function will assume greater responsibility for ESG issues as jurisdictions impose or increase ESG-related reporting responsibilities and enforcement, or as litigation risk correspondingly increases.
Among industries, the Compliance and Ethics function appears to be most active in managing ESG issues at consumer & retail companies, and least active at pharma/healthcare companies.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.