Risk and compliance (R&C) leaders have long understood that a well-functioning R&C program is an engine that drives strong corporate cultures and a range of positive business outcomes. Yet, NAVEX survey data indicates that regulatory compliance – “checking the box” – remains a comparatively stronger priority, suggesting many R&C professionals have an opportunity to improve their focus on R&C as a driver of culture-related goals.
Asked to rate the individual importance of multiple separate compliance issues to their organization, 66% of respondents said “regulatory compliance” was “absolutely essential” – the greatest level of importance possible among six response options, according to data in NAVEX’s 2022 Definitive Risk & Compliance Benchmark Report. That compares to the 39% that chose the same high priority level for the issue of “organizational culture.”
This divergence at the highest level of prioritization suggests that some R&C leaders should question whether they are doing enough to leverage the cultural outcomes made possible through their program.
The business value of compliance
While the distinction at the highest level of priority is clear, overall, it also seems apparent that the issues of regulatory compliance and organizational culture are both important to the vast majority of respondent organizations. A full 97% ranked regulatory compliance as at least “important,” with 91% indicating at least the same levels of importance for organizational culture.
Clearly, regulatory compliance is not optional. Organizations must comply with the requirements relevant to the jurisdictions in which they do business or face the risk of punitive enforcement and reputational harm. Given this black-and-white dynamic, it’s perhaps not surprising that respondents ranked regulatory compliance as such a high priority.
In many jurisdictions, those regulations include a requirement to offer an internal whistleblowing program through which employees or others can communicate reports of misconduct without fear of reprisal. This is a core function for many R&C programs, ideally allowing users to confidently make reports and inquiries in whatever manner presents the lowest barrier for engagement.
Yet a trusted mechanism to report alleged misconduct and make inquiries does much more than check a box – research shows that it is simply good business.
A landmark 2020 study showed that compliance generates business value by offsetting costs of litigation and regulatory penalty. The study looked at anonymized NAVEX incident reporting data for approximately two million organizations, demonstrating in numbers what many R&C professionals would readily assert about their program’s value.
The study’s findings were a profound validation that the business value of R&C work goes beyond simple satisfaction of regulatory requirements. They reflect something many R&C professionals would likely consider truth – that risk and compliance programs do more than meet the important goal of satisfying regulatory requirements.
Strong R&C programs support ethical cultures by providing the connective tissue – the GRC information system (GRCIS) and practices – that empowers employees, the organization and others to act ethically. Put simply, organizations with a strong reputation for prioritizing ethics send a signal that misconduct is not tolerated.
Strong R&C programs generate a number of familiar business outcomes. Consider:
- Prospective and current employees value an ethical workplace where they can feel safe, respected and heard, translating to stronger recruitment, retention and productivity.
- Unethical employees, prospective applicants or third parties whose actions could put the organization at risk are more likely to avoid organizations with a strong reputation for prioritizing ethics.
- Consumers are more likely to do business with ethical organizations. That extends to the sharing of sensitive data in certain industries and relationships, where ethical organizations are more likely to take the protection of customer and partner data seriously.
- Shareholders are increasingly pressuring organizations to demonstrate a commitment to ethics, and those with ethical cultures are more likely to be able to defend that they have made an ethical choice at every level of scrutiny.
- With strong R&C assessment and monitoring, an ethics, regulatory, data protection or other failure involving a third-party vendor is not only less likely to occur in the first place, but also less likely to create reputational or other risk for the client organization.
For the 39% of NAVEX survey respondents who ranked “culture” with the greatest possible importance as a compliance issue, the payoff of an ethical and compliant culture is likely playing out for their organization. With pride in their employer, internal workers are referring top talent. Consumers are more loyal, more interested in trying the product or service, and are spending more. Investors are paying attention, wanting to put their dollars behind something more than a simple return. Employees trust the incident response program, and they use it. Litigation costs are lower. The list goes on.
What if my organization is in the other 61%?
Again, it is important to note that more than 9 out of 10 respondents chose subjectively positive rankings for the importance of culture as a compliance issue at their organization – either “important,” “very important” or “absolutely essential.” Rounded up to the nearest percent, only 6% chose “somewhat important,” and a measly 2% chose “not important.” The options are naturally up to interpretation, but the numbers still appear to paint an encouraging picture that most organizations grasp and value the role R&C plays in culture.
Still, in light of the 61% who did not choose the highest level of “absolutely essential” for culture, a set of questions emerges that R&C professionals may ask in an effort to increase the impact their program has at their organization.
Is HR communicating the organization’s risk and compliance efforts as a tool to recruit and retain ethical workers? Are consumers aware of how vigorously suppliers are vetted to ensure workers are treated fairly? Do employees know that their company’s values are not simply lip service, but part of a robust channel through which they can feel safe and heard when raising a red flag?
It is likely for many of those 61% of respondents that the program elements already exist to support, and realize the benefits of, an ethical and compliant culture. Almost certainly, “by accident,” many programs are already achieving some of those cultural outcomes. Yet many R&C professionals likely face a strong opportunity to further support their organizations by putting a greater emphasis on the importance of organizational culture as a compliance issue.