Cybersecurity and data privacy captured the two top spots in respondents’ list of E&C concerns, according to the 2019 Definitive Corporate Compliance Benchmark Report.
Data security and privacy breaches have become a daily worry for most organizations and research shows that most organizations have poor cybersecurity defenses and abundant amounts of unprotected data, making them easy targets for attacks and data loss.
But, only two thirds of organizations are managing policies and conducting training in cyber security, data privacy and confidential information, likely due to flat budgets. Additionally, many organizations believe their board members are not a source of risk for cybersecurity issues and that they understand the problem well enough to avoid missteps.
Other key findings include:
- Less than half of respondents (46 percent) have implemented third party due diligence programs.
- Organizations are struggling to address issues that have dominated news cycles in recent years, including: harassment, bribery/corruption, data privacy/security and conflicts of interest. Though #MeToo is arguably the most forceful movement to hit the workforce in recent history, 48 percent of respondents said their organization has made no changes as a result.
- Only 71 percent of respondents overall and 91 percent of advanced programs offered an anonymous reporting channel – something every organization should have at this point in the evolution of E&C programs.
- Technology use is less common in small organizations’ programs and those at the low end of program maturity. However, it is one of the key drivers of a successful program. Overall, 85 percent of respondents currently use one or more automated solutions in their programs. Those that use up to five of these solutions demonstrate better prevention of violations and more program accomplishments as they add each automated solution.
- Regarding policy and procedure management, 85 percent of respondents said a “centralized repository with easy access to the most current versions” was valuable or very valuable. More than three out of four (78 percent) rated “improved version control, reduced redundancy or increased accuracy of policies” just as valuable.
- Budget and allocated resources are largely flat for most E&C programs, though one in five expects some modest budget increases. A third of organizations have a budget less than $50,000, and half have four or fewer FTEs dedicated to E&C.
- Third-party risk management solutions lag in perceived value and implementation. E&C programs are depending mostly on proven, core program elements policies, codes of conduct, training and internal reporting systems – to help manage these risks.