What’s new in the compliance industry and how can compliance leaders keep up with their peers? Sabrina Serafin interviews Carrie Penman, Chief Risk & Compliance Officer at NAVEX Global, a worldwide leader in integrated risk and compliance management software and services. Carrie presents the most interesting findings from NAVEX Global’s annual risk & compliance benchmark report as well as additional advice for compliance leaders.
Culture of Compliance | Keeping Up with Compliance Trends
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina Serafin: Welcome to Frazier & Deeter Culture of Compliance podcast series where we discuss compliance as a competitive advantage in today’s marketplace. I’m Sabrina Serafin, Partner with Frazier & Deeter’s Process, Risk & Governance Practice.
Today, we’re excited to be talking to Carrie Penman, Chief Risk & Compliance Officer at NAVEX Global, a worldwide leader in integrated risk and compliance management software and services. As Chief Risk & Compliance Officer, Carrie leads the company’s formal risk management processes.
In 2020, Carrie was awarded the inaugural Lifetime Achievement Award for Excellence in Compliance by Compliance Week Magazine. Carrie also received the ECI’s Carol R. Marshall Award for Innovation and Corporate Ethics for an extensive career contributing to the advancement of the ethics and compliance field worldwide. Carrie, welcome to the podcast.
Carrie Penman: Hi Sabrina, thank you so much for inviting me to participate.
Sabrina Serafin: We’re excited to have you here today because we specifically want to talk about compliance trends.
And I’d like to start by talking a bit about NAVEX Global’s risk and compliance benchmarking report. In case some of our listeners are not familiar with it, can you tell us about the survey and the purpose of the report?
Carrie Penman: Absolutely. So, NAVEX actually publishes two major benchmarking reports a year. One is on hotline benchmarking, which actually analyzes the data that we take in from close to probably a million and a half reports from organizations’ hotlines annually.
But the report that you’re asking specifically about, our second major report, is our annual risk and compliance benchmark report. That’s where we partner with an independent research firm, and we survey risk and compliance professionals. To some extent at a global capacity, but the majority of the respondents were from North America. We had over 1,000 respondents to the most recent survey that we conducted.
The survey report itself is pretty detailed. There’s a lot of data to assist compliance officers and benchmarking. But, some of the specific insights that I think will be of most interest to the audience today, I think, are around the areas of some of the top priorities of risk and compliance decision makers.
How organizations evaluate the effectiveness or the performance of their programs. Also, the use of technology, which is expanding greatly to impact program design and effectiveness. And then also, I think some interesting findings around senior management’s view of programs and their influence on program outcomes.
So, that’s just a little bit of background about the survey itself.
Sabrina Serafin: You mentioned interesting findings, so thank you for the background. What were the most surprising trends from the most recent benchmark report? Especially anything that resulted from the pandemic. Can you tell us about anything that didn’t surprise you?
Carrie Penman: That’s a great question. For the most part, we do tend to see fairly consistent findings year over year, but there were definitely some key takeaways, and a couple of surprising ones, that we had from the survey. First and foremost, we’re seeing a significant maturity of the risk and compliance sector that’s occurring.
This year we actually do a calculation, if you will, of program maturity. The number of mature and advanced programs grew by 29% while the number of those programs that we would have defined as reactive or basic declined by 35%. That’s really great news. I mean, risk and compliance is a fairly young profession, relatively speaking, and so, to see the rapid maturity really coming to fruition is great.
I would say the most surprising finding was that the pandemic did not significantly disrupt risk and compliance. But it did impact the risk and compliance program priorities. So, that’s probably not a surprise, but I think it was really an opportunity in terms of the pandemic for compliance to really step up and demonstrate the value of the data that we hold, the connection that we have with employees, particularly around the way they report, or what are some of the issues that employees report and what they were reporting on.
There were many compliance officers that I spoke with during the pandemic, who were probably several times a week, giving real time updates to leadership on where some of the hot spots were, where were they having difficulties in the organization, where perhaps were folks lacking PPE. It actually almost became a lifeline between employees and their organizations and it happened, through their compliance program and specifically around their hotline.
That was probably I would say, among the most surprising, but what we did see, however, was a shift in some of the focus. And again, that part probably is not surprising, but business continuity ranked as the number two priority for risk and compliance professionals. And that was right behind, no surprise here, data privacy, data protection, data security.
So, it certainly was an issue for all organizations as employees move to remote work was focusing on “Let’s make sure we can continue operations” and “Let’s make sure that we don’t have a data breach or a hack.”
Perhaps, a little disappointing is it was to the detriment of priorities, such as diversity and ESG. Those concerns took a little bit of a backseat. In fact, ESG was very much last. I know one of your prior podcasts was specifically around ESG, and the importance that organizations are placing on that, so I think compliance officers have an opportunity to catch up here.
Sabrina Serafin: You mentioned hotline benchmarking, you mentioned that you report on it. How do you explain the value and importance of internal reporting and whistleblowing to those who may overlook it? Because it does sound like it’s become more of, like you said, a lifeline for employees.
Carrie Penman: Absolutely. You know I cringe whenever I hear leaders say that they’re proud that they received no reports on their hotline, right? That is not good news.
Organizations should expect to receive a pretty consistent level of reporting and I would say that the data that risk and compliance teams have from their hotlines and then correlated with other data points, maybe things like audit findings or other types of data points that will allow you to make correlations, really is some of the most predictive opportunities that organizations have to provide an early warning of potential problems, particularly in large organizations, in organizations that might have broad geographic diversity.
And you know, certainly my experience is that the further an operation is away from the mothership you know, potentially, the more challenges they may have with regard to culture, so I think that explaining the value is to help leaders understand that it really is the canary in the coal mine.
And I mentioned to you when we first spoke, how important it is, I think that your focus on this podcast is around culture, because the culture messages you know it’s just a great opportunity for organizations to be able to catch cultural problems and to be aware of what’s happening in real time.
And I think as well, you know, probably some of the most interesting data actually comes out of some of the more mundane reports. If you will, the “my boss is mean to me” reports. When you start to see some of the spiking of “my boss is mean to me,” and some of the HR related reports, that’s a real red flag to a potential culture issue in a department or in a particular geography, and it often leads to finding of more serious issues for organizations.
So, maybe one final point on the data, just to put an exclamation point on it, some ongoing research from George Washington University, Professor Kyle Welch has shown that organizations that receive more reports have a higher return on assets. They have lower settlement costs on litigation and experience less negative media. And, there really wasn’t a point where it would drop back off.
So, organizations that receive more reports that have a culture where employees are comfortable speaking up is actually a good thing.
Sabrina Serafin: That’s a great example, thank you for sharing that. We always like to include pragmatic advice for organizations that are trying to adapt to the trends, particularly in compliance, so what advice do you have for those risk and compliance teams who are trying to build a strong speak up culture?
Carrie Penman: Yup, that is just so important, because if employees are fearful to speak up, you know, I always tell folks when I’m speaking with them “bad news doesn’t age well.”
When it comes to some pragmatic advice, I guess, I would say two things, there are two primary reasons why employees don’t report to their organization. The top reason is the belief that nothing will be done about their report, so “why should I stick my neck out if they’re not going to do anything with the information anyway,” and the second is fear of retaliation. These are the two areas, I think, are most important for organizations to address.
With regard to the belief that nothing will be done, I think it’s really important to talk about the reporting system. What happens when an employee files a report, how you’ll communicate with them, how much information you’ll be able to share back with them.
Many organizations actually publish either data or sanitized cases to demonstrate that employees have indeed used the system, have made the report and the organization has taken it seriously and taken appropriate action.
And then the second issue, around fear of retaliation, and, I think, this is one organizations have a lot of work to do in the area of addressing fear of retaliation.
You know, I think it’s something that we think about what we tell employees to do, right. “If you have a question or concern talk to your manager.” That’s always the first line of defense. “Talk to your manager.” But, so few organizations actually train their managers and first line supervisors on how to respond to receiving a report and how to manage receiving a report and also how to recognize and stop potential retaliation.
So, I think that educating on retaliation, educating on what it looks like and, of course, you know, taking disciplinary action for those who may conduct retaliation in the workplace. It’s just, there has to be a no tolerance for that. But it’s, I think, that is the one issue that is holding back risk and compliance officers from being successful, and that is managing your retaliation.
Sabrina Serafin: Thank you for that advice and given your many career achievements, I wanted to close with a question about leadership.
Earlier, you’d mentioned the results of the survey demonstrated the maturity of risk and compliance programs, but you did point out that it’s still an early stage career opportunity for many people. What advice do you have for risk and compliance professionals who are in the early stages of their careers?
Carrie Penman: So, good question. I think, probably the most important advice is to know the business and know the business leaders. Really spend time talking with them about their risk areas and don’t talk about “check the box” exercises. Talk about risk management, talk about strategy, talk about the role of compliance in, you know, in helping the organization and the business be successful and help leaders see compliance as a strategic investment, rather than a necessary evil.
Maybe the second piece of advice I would give is to be open to new ideas and responsibilities, because… For example, there’s a great discussion happening right now as to whether or not ESG should fall under the oversight purview of compliance, and I think that it’s a great opportunity, but the profession isn’t sure about this yet. And one of the reasons is probably one of the findings that I didn’t mention in the earlier discussion about the survey, is that, you know, resources are tight.
And a lot of compliance officers are seeing ESG as “Oh my gosh. Another responsibility that I need to take on without appropriate resources” and “It’s another high-risk area for our organization” and “how can I manage it all.”
Obviously, it needs to come with the appropriate resources, but I think ESG is a natural fit for compliance, and I think compliance officers really need to be open to these new ideas.
And then my final piece of advice is to focus on people and culture. Back to where you started with this podcast, that culture matters and that we’re working with people and, that’s in the end, where we need to have our most influence, on people and on the culture of the organization.
So, I would say, those are probably my top three pieces of advice. I hope that’s helpful.
Sabrina Serafin: That’s great Carrie, and thank you so much for being with us today to share your perspective with our listeners.
Carrie Penman: Thank you so much Sabrina for inviting me, really nice to be here, and thanks again for having me on.
Sabrina Serafin: To our audience, thank you for listening to Frazier & Deeter’s Culture of Compliance podcast. And this episode rounds out this season of the Culture of Compliance. It will be taking a short hiatus; please be on the lookout for more information on our next season.