
A definitive risk and compliance benchmark report

Navex bills itself, in all modesty (!), as “the worldwide leader in integrated risk and compliance management software and services that help organizations manage risk, address regulatory compliance requirements and foster an ethical workplace culture”. I am sure that every other software vendor and consultancy firm agrees that Navex is #1!

They have just released their Definitive Risk and Compliance Benchmark Report, a publication with a modest name to match their modest branding.

Does it live up to that billing?

One of the things that always bothers me about surveys and the resulting reports is that they ask the providers of information about its value rather than the consumers. They ask the risk, audit, compliance, and other practitioners rather than the business leaders.

Value is only assessed through the eyes of the buyer. The seller can say whatever they like, but it’s all about what the buyer is willing to pay.

Let’s face it: most buyers of risk, audit, and compliance services shell out the money reluctantly.

But, back to their report. Here are some excerpts and I will follow them with comments:

  • Ninety-two percent (92%) of respondents said their organization behaved ethically all or most of the time. Over a third (36%) described their organizations as ethical all the time. This positive view is not shared by the public. In a recent Gallup poll, business executives were considered high or very high in honesty and ethics by only 20% of respondents. In a Deloitte global survey of professional millennials, business fared a bit better, with 49% saying that business leaders operate ethically.
  • Corporate responsibility is not a corporate priority. In the Deloitte global survey of professional millennials, a majority were critical of businesses for focusing primarily on maximizing profits instead of giving a higher priority to pursuing “socially useful” objectives. Although millennials are not alone in their growing concern for more corporate social responsibility, it ranked last amongst R&C concerns.
  • Compliance professionals prioritize workplace culture, but don’t act.
  • Overall, fewer than a third (32%) of R&C programs prioritize preventing and detecting harassment and discrimination, while just one in ten (10%) of respondents said detecting and preventing retaliation was a high priority.
  • Programs in highly regulated industries are more likely to deprioritize activities aimed at reducing harassment and discrimination.
  • Over two-thirds (68%) of respondents identified data privacy and cybersecurity as a top R&C concern, consistent across all maturities. Respondents also listed enhancing data privacy, cybersecurity, and the protection of personal identifiable information (PII) as top priorities. Nearly two-thirds (64%) listed this issue as one of their top two priorities; over a third (35%) ranked it as their number one priority. This was consistent across all maturities.
  • Nearly a third (31%) of respondents experienced a data privacy or cybersecurity breach in the past three years.
  • Nearly half (47%) of respondents describe financial integrity and fraud as a “top concern,” up 11% from 2019. Bribery & corruption concerns also rose to 39%.
  • For the first time, this year’s benchmark survey explored the topic of risk integration. Identifying six key types of risk – compliance, IT, operational, reputational, third-party, and financial – we asked respondents how their R&C programs did (or didn’t) manage these concerns. Overall, compliance risk remains the central focus of the vast majority (88%) of R&C programs. This is followed by IT and operational risks at 57% and 53% respectively. No form of risk is managed by fewer than 40% of R&C programs.
  • Overall, a plurality (23%) of programs cite their CCO as primarily responsible for integration strategy.
  • The CRO role is still an emerging one. More than half (53%) of programs do not have a CRO. Of those that do, half (47%) have constructed this role as a dedicated FTE.
  • Overall, respondents believe their risk and compliance programs are well-supported by leadership, with nearly two-thirds (64%) saying they have program buy-in, oversight and commitment from senior management.
  • Over half (56%) of respondents say their R&C program periodically reports to a board that also oversees it.
  • Organizational risk assessments are a core evaluative R&C program tool. The practice of regular assessments is now widespread, with two-thirds (66%) of programs conducting periodic assessments of their organization’s risk profile.
  • A little over half (56%) of programs have audits to measure compliance program effectiveness.


  1. This is not a risk and compliance report. It pretty much ignores any form of risk management.
  2. It does have some decent data on compliance programs.
  3. It is unfortunate that the respondents work at organizations that do not recognize the importance of social responsibility, the harm that can arise if it is ignored and the benefits that can accrue when it is given a priority.
  4. It is even more unfortunate that so little is being done about sexual harassment and assault in the workplace.
  5. Action is not being taken to address culture, even when it is recognized as a problem.
  6. These guys have no clue but are happy to profess expertise in “risk integration”.
  7. Even though the regulators call for compliance to be risk-based, these experts don’t seem to understand or adhere to those practices.

I will let you decide whether the authors are working for the leader.

However, as I said, there is some interesting material and data on ethics and compliance programs.

I welcome your comments.

  1. August 1, 2020 at 10:35 AM

    Interesting that social responsibility ranked last among R&C concerns, while over two thirds of respondents were concerned with cybersecurity and over one half were concerned with fraud. Since one of the biggest weaknesses in any security system is disgruntled employees, I can’t help feeling there’s a disconnect here.

    • Norman Marks
      August 1, 2020 at 10:42 AM

      Huge disconnect!
