Professional Documents
Culture Documents
Global Compliance Risk Benchmarking - 2023
Global Compliance Risk Benchmarking - 2023
compliance risk
benchmarking survey
Industry perspectives on the state of compliance today
and effective strategies for managing compliance risk
within the changing regulatory landscape
Contents
Third-party management
Page 7
Compliance escalations
Page 16
Survey methodology
and demographics
Page 32
Insights from the
2023 Global compliance
risk benchmarking survey
I
n today’s fast-paced and interconnected world of global business, a robust and comprehensive
compliance program is not merely a choice, but a critical imperative for any organization.
Drawing on the opinions of 201 senior decision-makers from more than 30 countries,
White & Case LLP and KPMG LLP’s “2023 Global compliance risk benchmarking survey” offers powerful
insights into compliance practices across industries worldwide and strategies employed by companies
to manage their compliance risks — from anti-corruption risk assessments, third-party management and
employee risk awareness to environmental, social and governance (ESG) practices and cybersecurity.
Among the key findings are the importance of regular anti-corruption risk assessments and robust
third-party management practices — essential components for creating a culture of compliance
and transparency.
Use of data analytics is gaining momentum in compliance programs, though many companies are still
in the developmental stage. Testing anti-corruption programs for effectiveness is crucial, as is consistent
measurement of hotline awareness and effectiveness, along with addressing employee concerns about
hotline integrity.
ESG has increasingly become an area of focus, but our respondents reveal a lack of consistency
in addressing ESG risks. This inconsistency in approach can hinder the effective implementation of
organization-wide policies and procedures and lead to uncertainty among employees. Clearer guidance
and communication are essential in navigating the complexities of ESG and ensuring successful
integration into business practices.
Looking ahead, cybersecurity takes center stage as the top compliance priority for the next 12 months,
as safeguarding sensitive data and proactively addressing digital threats become more important
than ever.
By proactively addressing these compliance challenges, organizations can ensure ethical business
practices, mitigate risks and safeguard their reputation in an increasingly complex regulatory environment.
We hope you will find our “2023 Global compliance risk benchmarking survey” an insightful read.
Don’t know 3%
Use of data analytics is becoming more
0% 20% 40% 60% 80% commonplace, but most companies are
still developing their approach
Compliance teams under pressure to approve heightened
risk third parties How developed is your organization’s use of Result
data analytics for compliance risks?
Has your organization’s Compliance and Ethics function ever been
pressured to approve the engagement of a third party you believe
presented an unacceptable corruption risk profile?
Developing (e.g., patchwork of scalable system
processes and manual processes) 45%
20%
Yes, on more than one occasion
or more than one third party
Yes, once
Rudimentary (e.g., non-scaling, manual
processes and workbooks) 24%
15%
10%
13%
Advanced (e.g., integrated monitoring, reporting
and automation across systems) 9%
12%
10% 8%
11% Planned or aspirational (e.g., not implemented)
5%
8%
5% 0% 0%
9%
3% 3%
0% N/A – do not utilize data analytics for compliance
Financial Pharma/ Technology, Energy Industrial Consumer Other
services healthcare media & & natural manufacturing & retail
telecom resources
Three in ten respondents state that their anti-corruption programs are not regularly tested for effectiveness
How often does your organization…
Annually Periodically, but less frequent than annually As and when a specific risk is identified Never Don’t know
Roughly half of respondents identified the same three reasons why employees are
reluctant to report potential compliance issues: fear of retaliation (55%); concern that
Yes Don’t know No
nothing will be done (50%); and concern that reporting is not anonymous (47%).
For which topics does your organization have policies and procedures to address ESG risks?
Deforestation/biodiversity 8% 23%
Don’t
Modern slavery/human trafficking Pay equity No ESG policy specified know
35% 22% 48% 4%
Cybersecurity tops the list of compliance priorities for the next 12 months
What is the biggest compliance issue facing your organization in the following 12 months?
35%
17%
10% 10% 8% 6% 5% 5% 4%
Cybersecurity Privacy/ Sanctions ESG Don’t know Fraud Corruption Competition/ Other
data protection antitrust
T
he risk assessment process
is important to establishing a
well-designed and effective How often does your organization conduct a
compliance program tailored to the 79% documented anti-corruption risk assessment?
unique risks a particular company
faces. The risk assessment achieves
a number of important compliance
objectives for a company, including:
More than
three-quarters of
Annually 47%
respondents (79%)
report conducting
Fostering discovery of relevant
risks, processes and controls
documented
anti-corruption
On an ad hoc or irregular basis 17%
risk assessments
Educating leadership about
compliance concerns
At regular intervals, but less frequent
than annual 14%
Promoting preventive and
1%
More frequent than annually
early detection strategies over
reactive strategies
Identifying business strengths N/A – no risk assessment planned or performed 11%
and stakeholders
Facilitating satisfaction of Don’t know 9%
corporate director obligations
Source: 2023 Global compliance risk benchmarking survey
MOST COMPANIES CONDUCT
REGULAR ANTI-CORRUPTION
RISK ASSESSMENTS
More than three-quarters of
respondents (79%) conduct
documented anti-corruption risk
assessments, and almost half (48%) COMPANIES CONDUCTING
conduct these assessments annually ANTI-CORRUPTION RISK
or more frequently. ASSESSMENTS REPORT MORE
Almost one in five companies ENGAGED BOARDS
(18%) with fewer than 10,000 Anti-corruption risk assessments
employees did not conduct an are a foundational element of an The risk assessment
anti-corruption risk assessment and
do not plan to conduct one.
effective compliance program.
They help companies identify
process is important
Companies in the energy & natural and prioritize risk and provide an to establishing a well-
resources and pharma/healthcare
industries are most likely to conduct
important means of communicating
internally, including with senior
designed and effective
risk assessments, with 94% and management and the board, about compliance program
93% of respondents in these the anti-corruption compliance
industries, respectively, conducting program and how best to deploy
risk assessments. resources to manage and mitigate
Companies in the financial services risk. Having senior management and
and technology, media & telecom the board appropriately informed
industries were comparatively less about and engaged on compliance
likely to report that they conducted issues is important in establishing
(15%) or planned to conduct (17%) and maintaining the company’s
risk assessments. overall culture of compliance and
“tone at the top.”
100% 7% 100% 6%
27% 20% 27%
80% 24% 80%
60% 60%
41% 36%
40% 40%
69% 73%
20% 32% 20% 36%
0% 0%
Respondents performing N/A – no assessment Respondents performing N/A – no assessment
risk assessments planned or performed risk assessments planned or performed
A
pproximately 90% of
Foreign Corrupt Practices
Act (FCPA) enforcement Has your organization’s Compliance and Ethics function ever been
matters between 1978 and 2023 pressured to approve the engagement of a third party you believe
identified a third-party intermediary, presented an unacceptable corruption risk profile?
such as a sales agent, consultant 2%
or distributor, as part of the
bribery scheme.1
9%
Under the FCPA, willful blindness Yes, on more than one occasion
or awareness of a high probability or more than one third party
that improper payments are being
Yes, once
made by a third party may be 28%
interpreted as knowledge of a corrupt No
60%
payment and provide the basis for
Don’t know
liability for companies and individuals.
The behavior of third parties is
also highly relevant under the laws
of other countries. For example,
20%
under UK law, companies are liable
for bribery offenses committed by 15%
their “associated persons.” These are 13%
people who in any capacity provide 10%
10% 8%
services on a company’s behalf. 5% 11%
Liability is strict, and a company’s 8%
5% 3% 3% 0% 0%
only defense is to show that it 0%
had in place adequate procedures Financial Pharma/ Technology, Energy Industrial Consumer Other
to prevent the commission of services healthcare media & & natural manufacturing & retail
telecom resources
the bribery offense. The role of
compliance in third-party risk Source: 2023 Global compliance risk benchmarking survey
management is therefore critically
important to the overall effectiveness
of a company’s anti-corruption
compliance program. companies (14%) included provisions
Respondents indicate that to shift the cost of failed compliance
companies employ a variety audits to the third party.
of contractual anti-corruption
protections and strategies. The most COMPLIANCE TEAMS REPORT
commonly used anti-corruption FEELING PRESSURE TO Third-party risk management is
compliance provisions in third-party
agreements are anti-corruption
APPROVE HEIGHTENED RISK
THIRD PARTIES
critically important to the
compliance representations and 11% of respondents reported they overall effectiveness of an anti-
warranties (64%) and related audit
(61%) and termination (66%) rights.
have been pressured to approve
the engagement of a third party
corruption compliance program
More than half of respondents presenting an unacceptable
(56%) also contractually require third corruption risk, with 9% reporting Source: Third-Party Intermediaries Disclosed in FCPA-Related
1
parties to cooperate with compliance that it happened more than once or Enforcement Actions, Foreign Corrupt Practices Act Clearing-
inquiries. But only a small minority of with more than one third party. house, Stanford Law School
diligence. While 42% of companies Source: 2023 Global compliance risk benchmarking survey
involve the relevant business unit
in conducting compliance due
diligence, 14% said that they only
use the relevant business unit for
compliance diligence. A further 15%
of respondents did not know who
performs compliance diligence at
their company.
Just under one-quarter of Enforcement authorities pay close attention to the methods
respondents (24%) outsource
third-party compliance diligence to
companies use in performing compliance due diligence—
an external vendor. and the personnel responsible for performing it
Does the Compliance and Ethics function Don’t Yes, for all Yes, only for certain third parties
No
within your organization have a defined know third parties using risk-based criteria
28%
role in approving potential third parties? 7% 18% 47%
Don’t
Can your organization’s Compliance No Yes
know
and Ethics function prevent the 15% 75%
11%
engagement of a third party?
Does your organization require third parties to Which type of anti-corruption training does
complete anti-corruption training? your organization require third parties
to complete?
Anti-corruption
21% Yes, but only for certain
training of
their own
third parties using risk-
based criteria 28%
Our organization’s Third-party
anti-corruption anti-corruption
53% 9% Yes, for all third parties training web-based training
No
75% 7%
16%
Don’t know Not sure
7%
21%
B
eing informed is the first
step to being prepared. For
decades, corporate counsel How developed is your organization’s use of data
and compliance professionals 78% analytics for compliance risks?
have developed tools, systems
and analytical approaches to
improve the efficacy and scale of
compliance oversight and controls.
of respondents
report using
Developing (e.g., patchwork of scalable system
processes and manual processes) 45%
data analytics for
Technology has allowed companies compliance risks
to integrate compliance concepts
Rudimentary (e.g., non-scaling, manual
processes and workbooks) 24%
and requirements into core business
operations like never before. The
“compliance by design” revolution has
Advanced (e.g., integrated monitoring, reporting
and automation across systems) 9%
resulted in the growth of data analytics
tools, key performance indicators and
dashboards to help compliance teams
Planned or aspirational (e.g., not implemented) 12%
monitor day-to-day business activities
for risk and identify potential issues N/A – do not utilize data analytics for compliance 9%
before they arise. These innovations
have also resulted in significant cost
Source: 2023 Global compliance risk benchmarking survey
savings for companies and more
precision in targeting risk-based
anti-corruption activities.
In a nod to the increasingly clear
value of data analytics, in 2020 the
US Department of Justice’s Criminal Data maturity ranking by company size
Division updated its “Evaluation of (revenues (US$))
Corporate Compliance Programs” to
direct prosecutors to consider how
companies collect and analyze data as
part of their compliance programs. The Less than $10 billion 13% 17% 27% 36% 7%
US Department of Justice’s Criminal
Division encouraged prosecutors to 2%
assess how compliance teams use $10 billion to less
data analysis techniques to review 26% 57% 14%
than $50 billion
business data and identify potential
compliance concerns. One can expect 4%
an increased focus by enforcement
$50 billion or more 8% 75% 13%
authorities on whether and to
what extent corporate counsel and
0% 20% 40% 60% 80% 100%
compliance professionals are engaged
with and deriving data from real-time
business operations.
N/A – Planned or Rudimentary Developing Advanced
Our survey asked companies to not used aspirational
describe the current state of their
data analytics programs, and where Source: 2023 Global compliance risk benchmarking survey
they are headed.
SLIGHTLY MORE THAN HALF OF respondents unsure of the frequency A MINORITY OF COMPANIES USE
COMPANIES REPORT TESTING of anti-corruption program reviews, SOPHISTICATED TECHNIQUES
THE EFFECTIVENESS OF THEIR and 15% of respondents unsure TO TEST ANTI-CORRUPTION
ANTI-CORRUPTION PROGRAMS of the frequency of compliance PROGRAM EFFECTIVENESS
ON A REGULAR BASIS program testing. Companies are more likely to use
Important elements of an effective traditional anti-corruption program
compliance program are periodically ANTI-CORRUPTION PROGRAM testing techniques including the use
reviewing the contents of the TESTING: TRENDS BY of internal audits (60%); review of
program against evolving risks COMPANY SIZE compliance training and certifications
and regulatory requirements, and The largest companies prefer to test (50%); and review of hotline
monitoring/testing the program to on a periodic or annual basis. usage (40%).
identify and improve deficiencies. Three in four companies with Conversely, less than one-third
While a significant majority of revenues exceeding US$50 billion of respondents reported using
companies (74%) reported regularly (75%) conduct periodic or annual more sophisticated techniques for
reviewing the content of their testing, with 50% preferring periodic evaluating compliance program
anti-corruption programs, only 55% testing. No company in this size effectiveness with respect to day-to-
regularly tested their programs class reported “never” testing its day operations, such as transaction
for effectiveness. anti-corruption program. testing (32%) and third-party
Notably, 9% of companies In comparison, smaller companies audits (24%).
stated that they have never were more likely to test on an ad hoc Only one in five (20%) said that
tested the effectiveness of their basis, if at all. 16% of companies they evaluate employee requests to
anti-corruption program. with less than US$1 billion in annual Compliance and Ethics teams for
Responses also show uncertainty revenues reported “never” testing consultation or approval.
among companies regarding the their anti-corruption program. Less
frequency of anti-corruption program than half (45%) of these companies
reviews and testing, with 12% of perform periodic or annual reviews.
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Annually Periodically, but less frequent than annually As and when a specific risk is identified Never Don’t know
100%
9% 13%
19%
21%
60% 30%
50%
40% 26%
17%
20%
28% 28% 25%
0%
Less than $1 billion to $50 billion
$1 billion $50 billion or more
Screening/review of employee
electronic communications and/ 11%
or calendars
M
ost organizations have
some form of procedure
in place for reporting How are staff, contractors and other responsible
and escalating compliance issues, 2% individuals made aware of your organization’s
compliance escalation/reporting mechanisms?
whether due to guidance from
enforcement authorities or legal
requirements. These procedures Only 2% of
organizations 77%
can range from informal chats report having no
with management to anonymous formal compliance Training 84%
external hotlines. escalation
mechanism 90%
The effectiveness of these
mechanisms can be limited,
however, if employees are not 76%
aware they exist or are hesitant Anti-corruption
policy and/or 83%
to use them. Fear of retaliation code of ethics
and a lack of trust in the outcome 89%
of an investigation are often
cited as common reasons for
68%
such reluctance. Internal
The practice of reporting and communications 76%
and reminders
escalation must be effectively 83%
embedded in the organization’s
culture, with a particular focus on the
level of employee awareness and 58%
comfort in using these mechanisms. Internal
69%
website
Identifying and addressing any
80%
deficiencies is also crucial.
EMPLOYEES’ CONCERNS FOCUS What are the top reasons cited by employees, if any, for concerns
ON HOTLINE INTEGRITY, NOT with using escalation/reporting mechanisms?
TECHNICAL IMPLEMENTATION
Survey responses indicate that
employee confidence in the 55%
Fear of retaliation
processes in place following 75%
submission of a report is lacking,
which, in turn, creates a potential
barrier to compliance escalations Concern that nothing 50%
being made. The survey results will be done 63%
suggest there is more to be
done across all industries to give
Concern reporting 47%
employees comfort that reports is not anonymous 67%
made in good faith will be taken
seriously and acted upon, and that
reporting parties will be adequately Lack of familiarity
29%
protected against retaliation. with reporting
channels/processes 25%
The persistence of familiar
deterrents to reporting — fear of
retaliation, futility and anonymity Do not know how to access 13%
concerns—suggests that reporting mechanisms 13%
many organizations struggle
to constructively make use
of this frontline, internal 8%
Do not know
information resource. 0%
Roughly half of respondents All respondents
identified the same three reasons
2% Respondents with >US$50 billion in revenues
why employees are reluctant to No answer
0%
report potential compliance issues:
fear of retaliation (55%); concern
that nothing will be done (50%);
and concern that reporting is not 0% 20% 40% 60% 80%
anonymous (47%).
Source: 2023 Global compliance risk benchmarking survey
0 20% 11% 3% 0% 0% 6%
Don’t know 0 1 to 99 100 to 499 500 to 999 1,000 or more
E
SG has increasingly
become an area of focus,
but responses indicate
Does your organization...
inconsistency in approaches to 38% ...clearly define “ESG”?
address ESG risks. In general,
public companies and those with
dedicated ESG resources appear Almost four in
ten respondents
to have a better understanding and (38%) have not 38% Yes
implementation of ESG measures. clearly defined
ESG 53% Don’t know
DEFINING “ESG” REMAINS A No
CHALLENGE FOR MORE THAN 9%
ONE-THIRD OF COMPANIES
Almost four in ten respondents
(38%) have not clearly
defined “ESG.” “Yes” response by industry
Approximately half of the
respondents (53%) said that Energy & natural resources 67%
their organization had clearly
defined “ESG.” Technology, media & telecom 61%
Companies in the energy & natural
resources and technology, media Consumer & retail 55%
& telecommunication sectors were
most advanced in defining “ESG,” Financial services 52%
with 67% and 61%, respectively,
reporting that they have clearly Industrial manufacturing 50%
defined it.
Larger companies are more likely Pharma/healthcare 45%
to have clearly defined “ESG.” This
may be due to bigger companies Other 33%
being able to better afford
0% 10% 20% 30% 40% 50% 60% 70%
dedicated ESG officers/teams.
There is a decline in definitional
confidence, however, with the “Yes” response by company size (US$)
largest companies (>US$50 billion),
$1 billion to >$50 billion
suggesting challenges maintaining
a clear understanding of ESG as
$10 billion
54%
companies grow.
57% $250 million
to $1 billion
41%
$10 billion to
$50 billion
67% <$250 million
37%
LARGER COMPANIES ARE MORE Source: 2023 Global compliance risk benchmarking survey
LIKELY TO HAVE ESG POLICIES
AND PROCEDURES IN PLACE
As with responses to the question
of who within the organization Does your organization…
had primary responsibility for
…have policies and procedures to address ESG risks?
ESG oversight, almost one in
five respondents (18%) did not
know if their company had ESG
policies and procedures. This
response is consistent with the 29%
No
emerging nature of ESG issues at
many companies, and indicates Don’t know
there is significant room in those 53%
organizations to increase clarity and Yes
understanding surrounding ESG and 18%
its implications.
Larger companies are more likely
to have ESG policies, with 58% of
companies with revenues exceeding Source: 2023 Global compliance risk benchmarking survey
US$50 billion reporting that they
60%
60% 54%
54%
50% 48% 50%
50%
43% 46%
41% 47%
45% 45% 42%
40% 40% 43%
37% 41% 41% 42%
30%
20%
8%
10% 7%
3% 4%
0%
0%
Less than $250 million to $1 billion to less $10 billion to less $50 billion or more
$250 million less than $1 billion than $10 billion than $50 billion
MODEST INCREASES IN
COMPLIANCE INVESTMENTS
AND EFFORTS DURING COVID-19
In your opinion, how has remote working during the COVID-19
Responses show that, overall,
pandemic affected...
compliance teams experienced a
slight uptick in budgets, headcount
and compliance activities during the ...compliance budgets
13% 36% 20% 31%
COVID-19 pandemic. (last 12 months)
Respondents were more than
twice as likely to report an increase in
compliance budgets than a decrease ...number of escalations 15% 53% 6% 25%
(31% versus 13%).
Companies were more likely to
report an increase in compliance
...compliance headcount 11% 63% 4% 22%
escalations (25%) than a
decrease (15%).
Respondents were twice as likely ...compliance
to increase compliance headcount communications 15% 42% 3% 40%
(22%) as decrease it (11%) during and training
this period.
Consistent with these findings, Decrease No change Don’t know Increase
four in ten respondents stated
that they increased compliance
Source: 2023 Global compliance risk benchmarking survey
communications and training
during COVID-19.
COMPLIANCE ESCALATIONS
INCREASED FOR SMALL AND Similarly, more than 50% of
MEDIUM-SIZED COMPANIES companies that regularly receive
DURING COVID-19— high escalation volumes (i.e.,
AND DECLINED FOR THE 500+ escalations per year) stated
LARGEST COMPANIES that they experienced a decline in
The greatest decline in escalations
occurred at companies with more
compliance escalations. COVID-19 normalized remote
Compliance teams at these
than 50,000 employees. While companies may wish to explore interview/meeting practices
respondents were more likely to
report an increase in compliance
whether these declines were
related to a general decrease
that were episodic before
escalations than a decrease, in high-risk activities during the the pandemic
the trend was reversed for the COVID-19 pandemic and/or whether
largest companies. One in four remote working may have caused
respondents with more than 50,000 an underreporting of compliance
employees reported a moderate issues, which, in turn, could inform
or significant decrease (26%) in thinking about remote work policies
compliance escalations during the going forward.
COVID-19 pandemic.
DEDICATED COMPLIANCE
HEADCOUNT REMAINS LEAN
AT SMALL AND MID-SIZED
Excluding internal audit, how many people in your company are
COMPANIES
responsible for carrying out the Compliance and Ethics function?
A majority of respondents (58%)
Fewer than 10,000 Between 10,000 and More than 50,000
reported having fewer than 20
employees 50,000 employees employees
dedicated Compliance and Ethics staff.
55% of companies with between 2%
10,000 and 50,000 employees 18% 21%
22%
reported having fewer than 20
dedicated compliance personnel. 47%
More than two in ten (21%)
27% 53%
companies with more than 50,000 76% 33%
employees reported having fewer than
20 dedicated compliance personnel.
This would suggest a maximum
ratio of 2,500 employees per single Fewer than 20 51 to 100 More than 100
member of the Compliance and
Ethics function. Source: 2023 Global compliance risk benchmarking survey
COMPANIES ANTICIPATE
EXPANDING THE USE OF REMOTE
TECHNOLOGIES FOR INTERNAL
INVESTIGATIONS OVER THE NEXT In internal investigations, what percentage of the following activities
12 MONTHS were/will be conducted remotely in the following time periods?
COVID-19 normalized remote
Remote interviews
interview/meeting practices that Before Feb. 2020 6% 24% 39% 12% 19%
were episodic before the pandemic.
Before February 2020, only 30%
Feb. 2022 to Aug. 2022 36% 38% 8% 15% 2%
of respondents conducted most or
all interviews remotely, and 13%
of respondents conducted most The next 12 months 48% 14% 16% 20% 2%
or all meetings with government
authorities remotely.
February 2020 – August 2022:
government authorities
74% of respondents conducted most Before Feb. 2020 9% 4% 38% 27% 21%
Meetings with
6% 5% 5% 4%
Fraud Corruption Competition/ Other
antitrust
Less than $250 million $1 billion to $10 billion to less $50 billion or General Counsel and/or 42%
$250 million to $1 billion $10 billion than $50 billion more Chief Compliance Officer
Member of Legal 9%
Company size by headcount
Member of other 3%
functions
20% 30% 29% 21%
Other senior executive 3%
Fewer than 1,001 to 10,000 10,001 to 50,000 More than 50,000
1,000 employees employees employees employees
Other 4%
0% 10% 20% 30%
LON0422026_24