
State of Risk & Compliance Report

2024

Introduction

NAVEX has been collecting and delivering leading-edge market benchmark reports to the risk and compliance (R&C) industry since 2010. In 2019, we published our first-ever “Definitive Compliance Benchmark Report,” a comprehensive review of R&C programs that offered key findings, analysis and insight to help organizations measure, evaluate and advance their programs. This 2024 State of Risk & Compliance Report represents our latest efforts to provide this research freely to practitioners in a range of R&C disciplines. 

NAVEX partnered again with independent research firm The Harris Poll to survey over 1,000 R&C professionals from a wide range of industries about the design, priorities and performance of their programs. Read on to learn what our analysis reveals about your own organization and R&C program.

Survey Participants

The 2024 research was conducted online by The Harris Poll on behalf of NAVEX among 1,066 nonacademic professionals knowledgeable about risk and compliance. The survey was conducted between February 12 and March 18, 2024.

Job functions of survey participants in NAVEX’s 2024 State of Risk & Compliance Report. 40% are in risk & compliance specifically, followed by finance, infosec and HR.

Countries of survey participants in NAVEX’s 2024 State of Risk & Compliance Report. Most (55%) are from the US followed by UK (12%), Germany (11%) and France (11%).

Job levels of survey participants in NAVEX’s 2024 State of Risk & Compliance Report. Most (39%) are director/senior management level, followed by other management (30%) and C-level (21%).

Number of employees in companies surveyed for NAVEX’s 2024 State of Risk & Compliance Report. Companies span the SMB and enterprise space. Most companies (36%) are under 1,000 employees, followed by 1,000-2,499 (16%), 2,500-5,999 (15%) and 10,000-49,999 (15%).

Executive Summary

NAVEX’s annual State of Risk & Compliance Report provides a bevy of findings with which readers can benchmark their programs and compare their operations against global trends. As always, we ensure responses shed light on some of the foundational elements of effective programs. We also invited respondents to help us explore some of the important forces shaping our professions and organizations.

Below are some of the notable storylines our teams identified from this year’s survey data.

Findings

  • Stronger maturity holds for a second year, yet some risk and compliance program elements still lacking

    How mature are corporate risk and compliance programs? NAVEX’s 2024 State of Risk & Compliance Report shares how maturity has changed over the last three years, with most surveyed organizations at the adapting (27%) or managing (28%) phase in 2024. The scale goes from underdeveloped (6%) to optimizing (22%).

    Using the five-level Framework for E&C Program Excellence from the nonprofit Ethics & Compliance Initiative, responses for this year’s survey suggested stability in the drift toward greater indicated levels of maturity first seen in 2023. While year-over-year comparisons are inherently imprecise due to annual changes in our question set and respondent base, this appears to signal continued confidence in many risk and compliance programs. Fifty percent of respondents said their program was in one of the top-two maturity tiers of either Managing or Optimizing. Only 22% said their program was in one of the two lower tiers of Underdeveloped or Defining. 

    While most respondents appeared to express confidence in their program maturity, it’s worth noting that several areas of our survey revealed a surprising lack of some critical R&C program elements. Only 61% of respondents said their organization has a hotline or whistleblower internal reporting channel, for example. Fewer – 55% – said their organization has a non-retaliation policy. Sixty-four percent said training on ethics and code of conduct was planned in the next two-to-three years.

    It is encouraging to see many respondents to this year’s survey expressing positive confidence in their R&C program maturity for a second year. Yet the indicated lack of some important program elements such as those outlined above suggests some organizations may not be as mature as they think they are. Throughout this report, we indicate several areas where readers should pause to ensure they are including the presence of important program elements in their self-assessment going forward.

  • Nearly one-quarter of Compliance programs split across departments

    Where do compliance programs sit within organizations? NAVEX 2024 State of Risk & Compliance Report survey respondents said their compliance program was split across multiple departments.

    Nearly one-quarter of respondents who are knowledgeable about ethics & compliance (23%) said their compliance program was split across multiple departments. This was the most common response, yet our analysts would have expected this share to be even higher. It is quite common for compliance obligations to be shared across HR, IT, Risk, Finance and potentially other functions. This highlights the importance of close relationships between these functional areas. 

    Twenty-one percent said their organization’s compliance program rested within Legal, and 20% said it was an independent function reporting to the CEO and/or board of directors.  

    Three percent said their program is within Finance – a potential red flag as these functions may be better able to facilitate effective governance when operating independently.

  • Most say employees would report misconduct internally

    How likely are employees to report misconduct? 77% of NAVEX 2024 State of Risk & Compliance Report survey respondents said their employees would most likely make a report of misconduct internally.

    The majority of respondents – 77% – said their employees would most likely make a report of misconduct internally. Fourteen percent said employees would most likely turn to an external entity such as a regulator or the media to make a report. Only 9% said employees were unlikely to make a report at all.

  • Lack of whistleblowing hotline or internal reporting channel, non-retaliation policy comes as surprise 

    What are the most common components of a successful whistleblowing and incident management program? Case management and investigation processes top the list at 62%, followed by a hotline or reporting channel (61%) and non-retaliation policy (55%). (NAVEX 2024 State of Risk & Compliance Report)

    As in years past, a concerningly low share (61%) of respondents who are knowledgeable about ethics and compliance said their organization has a hotline or whistleblower internal reporting channel. Only 55% said their organization has a non-retaliation policy.

    With the caution that direct year-over-year comparisons are imprecise due to changes to survey structure and differing respondent bases, these numbers do represent an improvement over 2023. At that time, only 51% of respondents said they had a hotline or whistleblower internal reporting channel, and 51% said they had a non-retaliation policy.

    Internal reporting is a central pillar for any effective compliance program. Those reports can bring misconduct to light that would otherwise be free to damage the organization and its culture. The ability to speak up without fear of reprisal also helps broadcast to employees and others that the organization takes ethics seriously. While it is possible more organizations are implementing internal reporting programs compared to last year, the numbers indicated in this survey are still concerningly low.

  • Leadership encouragement of ethics is strongest at the top – yet some troubling behaviors persist

    Do senior executives encourage ethical behavior? According to NAVEX 2024 State of Risk & Compliance Report survey respondents, 68% do. However, only about half model proper ethical behavior (52%) or persist in their compliance commitment when faced with competing interests (50%).

    Generally, the share of respondents that are knowledgeable about ethics & compliance who indicated positive behaviors was greatest regarding senior executives. Over two-thirds of respondents (68%) said senior executives have encouraged compliance and ethics within their organization. Sixty-one percent said the same about middle management, and 56% said so about first-line managers and supervisors. Half (50%) of respondents said senior executives have persisted in a commitment to ethics in the face of competing objectives, a share that declines to 44% for the front line. 

    The picture is not entirely straightforward – senior executives were said to tolerate greater compliance risks in pursuit of new business objectives and/or greater revenues (30%) slightly more commonly than other levels of leadership (29% of middle management and 27% of first-line managers and supervisors). They were also slightly more commonly said to have impeded compliance personnel from effectively implementing their duties (15% of senior executives, 14% of middle management, and 11% of first-line managers and supervisors).

  • Two-thirds of boards receive periodic updates on compliance matters

    How much do Corporate Boards of Directors want to know about risk and compliance initiatives? A lot. According to NAVEX 2024 State of Risk & Compliance Report survey respondents, 66% of Boards receive periodic updates on compliance matters while 58% of Boards oversee the compliance program.

    Two-thirds of respondents who are knowledgeable about ethics & compliance (66%) said their board receives periodic reports on compliance matters. Of concern is that one-third did not say the same – 100% of boards should receive periodic reports on compliance matters. 

    Fifty-eight percent said the board has oversight of the compliance program. Fewer than half of respondents (30%-42%) affirmed any of the other board compliance activities on the list, and near the bottom, only 30% said the board was highly engaged in the compliance program. 

    While changes to this year’s survey and respondent base complicate a simple year-over-year comparison, the share of respondents who said their board receives periodic reports on compliance matters was slightly greater in 2024 than in 2023 – 66% versus 62%. A somewhat greater share of respondents said the board has oversight of the compliance program – 58% versus 52%. Not all comparisons were positive – for example, the share of respondents who said members of their board have compliance experience and/or expertise was a bit lower, 41% versus 48%. These comparisons may reflect any number of drivers, but may provide readers fodder for internal conversations as to how the relationship between Compliance and their boards of directors is trending.

  • Most say Compliance has influence on business decisions

    What influence do corporate compliance programs have on business decisions? At top-performing companies – a lot. According to NAVEX 2024 State of Risk & Compliance Report survey respondents, 81% say compliance has a moderate or strong influence on business decisions.

    More than four out of five respondents who are knowledgeable about ethics and compliance (81%) said their organization’s compliance program is either “strong” or “moderate” in its influence on business decisions. Only 17% said the program has limited influence.

  • Most have strategy for third-party due diligence, though some use the same approach in every case

    How do organizations approach third-party risk? According to NAVEX 2024 State of Risk & Compliance Report survey respondents, 36% take a risk-based approach to third parties, followed by 25% that conduct the same due diligence across all third parties regardless of risk level.

    A large majority of respondents who are knowledgeable about Ethics & Compliance – 91% – said their organization has some kind of strategy for third-party due diligence. Most common (36%) was to use a risk-based approach to apply different levels of due diligence based on risk throughout the engagement.

    Concerningly, a quarter of respondents (25%) said their organization conducts the same due diligence across all third parties regardless of risk level. This is certainly less effective than a risk-based approach – for example, it may place undue burden on third parties with a low risk level.

Readers of this report are likely to walk away feeling hopeful for the reach and influence of risk and compliance.  

  • Many respondents indicated their program has a strong level of maturity. 
  • Leaders are generally embracing ethical behaviors and a commitment to compliance.  
  • Employees are said to be likely to report misconduct, most often internally.
  • Most say compliance has an influence on business decisions.

Yet there are always areas to improve. One resounding signal is the apparent lack of respondents who indicated their organization has an internal reporting program or non-retaliation policy. These are some of the foundational elements of a strong R&C program, providing signals about risk while demonstrating to employees and others that the organization takes ethics seriously. Some also have room to mature in applying differing levels of third-party risk management depending on the corresponding level of risk.

We hope readers leverage these findings and others in our full report to better understand how their programs compare to peers, as well as to meaningfully engage with other business units that play a role in success for risk and compliance. In the end, the benefit is likely to be reduced risks, better business results, more efficient processes and, ultimately, a stronger, more ethical organizational culture.
