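"White & Case: 2023 Global Compliance Risk Benchmarking Survey (English edition) (36 pages).pdf" was shared by a member and can be read online. For more content related to "White & Case: 2023 Global Compliance Risk Benchmarking Survey (English edition) (36 pages).pdf (36-page collector's edition)", search on 三个皮匠报告.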
2023 Global compliance risk benchmarking survey
Industry perspectives on the state of compliance today and effective strategies for managing compliance risk within the changing regulatory landscape

Contents
Insights from the “2023 Global compliance risk benchmarking survey”
2023 Global compliance risk benchmarking survey: Key insights at-a-glance
ABC risk assessments
Third-party management
Use of data analytics in compliance programs
Monitoring and review
Compliance escalations
Environmental, social and governance (ESG)
Impact of remote working on compliance and investigations
Looking to the future: Cybersecurity tops the list of compliance priorities for the next 12 months
Survey methodology and demographics

Insights from the 2023 Global compliance risk benchmarking survey

In today's fast-paced and interconnected world of global business, a robust and comprehensive compliance program is not merely a choice, but a critical imperative for any organization.

Drawing on the opinions of 201 senior decision-makers from more than 30 countries, White & Case LLP and KPMG LLP's “2023 Global compliance risk benchmarking survey” offers powerful insights into compliance practices across industries worldwide and strategies employed by companies to manage their compliance risks, from anti-corruption risk assessments, third-party management and employee risk awareness to environmental, social and governance (ESG) practices and cybersecurity.

Among the key findings are the importance of regular anti-corruption risk assessments and robust third-party management practices, essential components for creating a culture of compliance and transparency. Use of data analytics is gaining momentum in compliance programs, though many companies are still in the developmental stage. Testing anti-corruption programs for effectiveness is crucial, as is consistent measurement of hotline awareness and effectiveness, along with addressing employee concerns about hotline integrity.

ESG has increasingly become an area of focus, but our respondents reveal a lack of consistency in addressing ESG risks. This inconsistency in approach can hinder the effective implementation of organization-wide policies and procedures and lead to uncertainty among employees. Clearer guidance and communication are essential in navigating the complexities of ESG and ensuring successful integration into business practices.

Looking ahead, cybersecurity takes center stage as the top compliance priority for the next 12 months, as safeguarding sensitive data and proactively addressing digital threats become more important than ever.

By proactively addressing these compliance challenges, organizations can ensure ethical business practices, mitigate risks and safeguard their reputation in an increasingly complex regulatory environment.

We hope you will find our “2023 Global compliance risk benchmarking survey” an insightful read.

Darryl Lew, Partner, White & Case LLP
Matthew McFillin, Partner, Forensic Services, KPMG LLP

2023 Global compliance risk benchmarking survey: Key insights at-a-glance

Drawing on the opinions of 201 senior decision-makers from more than 30 countries, White & Case LLP and KPMG LLP's “2023 Global compliance risk benchmarking survey” offers insights into compliance practices across industries worldwide and strategies employed by companies to manage their compliance risks, from anti-corruption risk assessments, third-party management and employee risk awareness to ESG practices and cybersecurity.

Use of data analytics is becoming more commonplace, but most companies are still developing their approach
How developed is your organization's use of data analytics for compliance risks?
Developing (e.g., patchwork of scalable system processes and manual processes): 45%
Rudimentary (e.g., non-scaling, manual processes and workbooks): 24%
Advanced (e.g., integrated monitoring, reporting and automation across systems): 9%
Planned or aspirational (e.g., not implemented): 12%
N/A, do not utilize data analytics for compliance: 9%

Compliance teams under pressure to approve heightened risk third parties
Has your organization's Compliance and Ethics function ever been pressured to approve the engagement of a third party you believe presented an unacceptable corruption risk profile?
[Bar chart by industry: Financial services; Pharma/healthcare; Technology, media & telecom; Energy & natural resources; Industrial manufacturing; Consumer & retail; Other. Series: Yes, on more than one occasion or more than one third party; Yes, once.]

Three in ten respondents state that their anti-corruption programs are not regularly tested for effectiveness
How often does your organization review the content of its anti-corruption compliance program? How often does your organization test the effectiveness of its anti-corruption compliance program?
[Stacked bar chart. Response options: Periodically, but less frequent than annually; Annually; As and when a specific risk is identified; Never; Don't know. Values shown for reviewing content: 43%, 31%, 13%, 12%, 1%. Values shown for testing effectiveness: 28%, 27%, 22%, 9%, 15%.]

Use of third parties cited as the biggest corruption risk companies face
What do you view as the greatest anti-corruption risk facing your company?
Securing government permits or other approvals: 13%
Import/export of goods: 14%
Lack of employee awareness about anti-corruption risks: 29%
Interactions with government customers/investors: 24%
Lobbying and advocacy activities: 10%
Charitable and political contributions: 9%
Don't know: 3%
Responding to government inquiries, inspections, audits: 13%
Gifts and entertainment: 35%
Pressure to meet sales targets: 36%
Use of third parties: 59%

Almost four in ten of respondents have not clearly defined ESG
Does your organization clearly define “ESG”?
[Chart. Response options: Don't know; No; Yes. Values shown: 53%, 38%, 9%.]

Fear of retaliation tops the list of reasons for employee reluctance to use reporting mechanisms
What are the top reasons cited by employees, if any, for concerns with using escalation/reporting mechanisms?
Roughly half of respondents identified the same three reasons why employees are reluctant to report potential compliance issues: fear of retaliation (55%); concern that nothing will be done (50%); and concern that reporting is not anonymous (47%).
Series: All respondents; Respondents with US$50 billion in revenue. Values as listed:
Fear of retaliation: 55%, 75%
Concern that nothing will be done: 50%, 63%
Concern reporting is not anonymous: 47%, 67%
Lack of familiarity with reporting channels/processes: 29%, 25%
Do not know how to access reporting mechanisms: 13%, 13%
Don't know: 0%, 8%
No answer: 0%, 2%

Cybersecurity tops the list of compliance priorities for the next 12 months
What is the biggest compliance issue facing your organization in the following 12 months?
[Chart. Categories as listed: Cybersecurity; Privacy/data protection; Sanctions; ESG; Don't know; Fraud; Corruption; Competition/antitrust; Other. Values as listed: 35%, 17%, 10%, 10%, 8%, 6%, 5%, 5%, 4%.]

ESG covers a wide range of policies
For which topics does your organization have policies and procedures to address ESG risks?
Categories: Social; Environmental; Governance
Health and safety: 44%
Diversity and inclusion: 42%
Human rights: 37%
Labor standards: 37%
Modern slavery/human trafficking: 35%
Pay equity: 22%
Natural resource management/efficiency: 34%
Climate change and pollution mitigation: 31%
Waste management: 31%
Strategic sustainability oversight and compliance; Deforestation/biodiversity: 29%, 48% (as listed)
Political contributions and lobbying: 34%
Board composition and structure: 33%
Executive compensation: 23%
Privacy and data protection: 42%
Don't know: 4%
No ESG policy specified: 8%

ABC risk assessments

KEY FINDINGS
- Most companies conduct regular anti-bribery and corruption (ABC) risk assessments
- Companies conducting anti-corruption risk assessments report more engaged boards
- Use of third parties cited as the biggest corruption risk

The risk assessment process is important to establishing a well-designed and effective compliance program tailored to the unique risks a particular company faces. The risk assessment achieves a number of important compliance objectives for a company, including:
- Fostering discovery of relevant risks, processes and controls
- Educating leadership about compliance concerns
- Promoting preventive and early detection strategies over reactive strategies
- Identifying business strengths and stakeholders
- Facilitating satisfaction of corporate director obligations

MOST COMPANIES CONDUCT REGULAR ANTI-CORRUPTION RISK ASSESSMENTS
More than three-quarters of respondents (79%) conduct documented anti-corruption risk assessments, and almost half (48%) conduct these assessments annually or more frequently. Almost one in five companies (18%) with fewer than 10,000 employees did not conduct an anti-corruption risk assessment and do not plan to conduct one.

Companies in the energy & natural resources and pharma/healthcare industries are most likely to conduct risk assessments, with 94% and 93% of respondents in these industries, respectively, conducting risk assessments. Companies in the financial services and technology, media & telecom industries were comparatively less likely to report that they conducted (15%) or planned to conduct (17%) risk assessments.
How often does your organization conduct a documented anti-corruption risk assessment?
Annually: 47%
On an ad hoc or irregular basis: 17%
At regular intervals, but less frequent than annual: 14%
More frequent than annually: 1%
N/A, no risk assessment planned or performed: 11%
Don't know: 9%
Source: 2023 Global compliance risk benchmarking survey

COMPANIES CONDUCTING ANTI-CORRUPTION RISK ASSESSMENTS REPORT MORE ENGAGED BOARDS
Anti-corruption risk assessments are a foundational element of an effective compliance program. They help companies identify and prioritize risk and provide an important means of communicating internally, including with senior management and the board, about the anti-corruption compliance program and how best to deploy resources to manage and mitigate risk. Having senior management and the board appropriately informed about and engaged on compliance issues is important in establishing and maintaining the company's overall culture of compliance and “tone at the top.”

More than three-quarters of respondents (79%) report conducting documented anti-corruption risk assessments

Our organization's board is adequately engaged in discussions about our anti-corruption compliance program and resources / our anti-corruption risks
[Two stacked bar charts. Responses: Neutral; Disagree; Agree. Groups: Respondents performing risk assessments; N/A, no assessment planned or performed. Values shown on the first chart: 69%, 7%, 24%, 27%, 41%, 32%. Values shown on the second chart: 73%, 6%, 20%, 27%, 36%, 36%.]
Source: 2023 Global compliance risk benchmarking survey

What do you view as the greatest anti-corruption risk facing your company?
Securing government permits or other approvals: 13%
Import/export of goods: 14%
Lack of employee awareness about anti-corruption risks: 29%
Interactions with government customers/investors: 24%
Lobbying and advocacy activities: 10%
Charitable and political contributions: 9%
Don't know: 3%
Responding to government inquiries, inspections, audits: 13%
Gifts and entertainment: 35%
Pressure to meet sales targets: 36%
Use of third parties: 59%
Source: 2023 Global compliance risk benchmarking survey

Our results show that respondents that perform risk assessments were more than twice as likely to agree with the proposition that their boards are adequately engaged with respect to their anti-corruption compliance programs, resources and risks. Conversely, respondents not conducting anti-corruption risk assessments were approximately four times more likely to disagree with the proposition that their boards are adequately engaged with these topics.

USE OF THIRD PARTIES CITED AS THE BIGGEST CORRUPTION RISK COMPANIES FACE
Use of third parties is seen as the most significant corruption risk (59%) among respondents. For all industries other than financial services, use of third parties is seen as the biggest risk. Companies from the pharmaceuticals/healthcare industry and the technology, media & telecommunications industry consider this risk to be particularly significant, scoring 83% and 72%, respectively.

As the size of the organization increases (both by revenue and number of employees), it is more likely to consider the use of third parties as the biggest corruption risk. This may be because larger entities engage with a wider range of third parties.

Third-party management

Has your organization's Compliance and Ethics function ever been pressured to approve the engagement of a third party you believe presented an unacceptable corruption risk profile?
[Bar chart by industry: Financial services; Pharma/healthcare; Technology, media & telecom; Energy & natural resources; Industrial manufacturing; Consumer & retail; Other. Response options: Yes, on more than one occasion or more than one third party; Yes, once; No; Don't know.]
Source: 2023 Global compliance risk benchmarking survey
KEY FINDINGS
- Compliance teams under pressure to approve heightened risk third parties
- Compliance policies and procedures related to third-party risk management gain traction
- Most companies perform risk-based diligence on third parties both at the beginning of the relationship and periodically thereafter
- Most companies have Compliance and Ethics teams involved in reviewing and approving potential third parties
- Only a minority of companies require anti-corruption training for third parties
- Opportunities exist to tighten contractual anti-corruption protections and strategies

Approximately 90% of Foreign Corrupt Practices Act (FCPA) enforcement matters between 1978 and 2023 identified a third-party intermediary, such as a sales agent, consultant or distributor, as part of the bribery scheme. [1] Under the FCPA, willful blindness or awareness of a high probability that improper payments are being made by a third party may be interpreted as knowledge of a corrupt payment and provide the basis for liability for companies and individuals.

The behavior of third parties is also highly relevant under the laws of other countries. For example, under UK law, companies are liable for bribery offenses committed by their “associated persons.” These are people who in any capacity provide services on a company's behalf. Liability is strict, and a company's only defense is to show that it had in place adequate procedures to prevent the commission of the bribery offense.

The role of compliance in third-party risk management is therefore critically important to the overall effectiveness of a company's anti-corruption compliance program.

Respondents indicate that companies employ a variety of contractual anti-corruption protections and strategies. The most commonly used anti-corruption compliance provisions in third-party agreements are anti-corruption compliance representations and warranties (64%) and related audit (61%) and termination (66%) rights. More than half of respondents (56%) also contractually require third parties to cooperate with compliance inquiries. But only a small minority of companies (14%) included provisions to shift the cost of failed compliance audits to the third party.

Third-party risk management is critically important to the overall effectiveness of an anti-corruption compliance program

COMPLIANCE TEAMS REPORT FEELING PRESSURE TO APPROVE HEIGHTENED RISK THIRD PARTIES
11% of respondents reported they have been pressured to approve the engagement of a third party presenting an unacceptable corruption risk, with 9% reporting that it happened more than once or with more than one third party.

[1] Source: Third-Party Intermediaries Disclosed in FCPA-Related Enforcement Actions, Foreign Corrupt Practices Act Clearinghouse, Stanford Law School

Does your organization:
- have a written policy regarding employee engagement with and interaction with third parties?
- require third parties to complete anti-corruption training?
- require third parties to attest that they are in compliance with your third-party code of conduct or similar policy?
- perform risk-based compliance diligence on third parties?
- include compliance-related audit clauses in written agreements with third parties as appropriate?
- have a code of conduct for third parties?
- conduct audits on third parties to assess compliance with anti-corruption requirements?
[Stacked bar chart. Response options: Don't know; No; Yes.]
Source: 2023 Global compliance risk benchmarking survey

COMPLIANCE POLICIES AND PROCEDURES RELATED TO THIRD-PARTY RISK MANAGEMENT ARE GAINING TRACTION
Most respondents (87%) have written policies regarding employee engagement/interaction with third parties. Almost three-quarters of respondents (74%) have a code of conduct for third parties, and two-thirds (66%) of those respondents require third parties to attest to their compliance with the code of conduct or similar policy. More than half of respondents (53%) do not require third parties to complete anti-corruption training.

The majority of respondents (85%) perform risk-based compliance diligence on third parties. While 91% of respondents include some form of anti-corruption provision in their agreements with third
parties, 39% of respondents do not use audit clauses in written agreements with third parties with a heightened risk profile, and 20% do not conduct compliance audits on third parties.

When does your organization perform risk-based compliance diligence on third parties?
[Bar chart. Labels: Before contracting; Before contracting, and periodically thereafter. Values shown: 85%, 55%.]
Source: 2023 Global compliance risk benchmarking survey

Who performs risk based third-party compliance due diligence for your organization?
[Bar chart. Categories: Compliance and Ethics team; Relevant business unit; External diligence vendor; Procurement/third-party risk management team; Outside counsel; Legal; IT/cyber; Other; Don't know/no answer.]
Source: 2023 Global compliance risk benchmarking survey

Does your organization perform risk-based compliance diligence on third parties? Response by industry
Consumer & retail: 45%
Financial services: 85%
Energy & natural resources: 95%
Pharma/healthcare: 100%
Industrial manufacturing: 84%
Technology, media & telecom: 84%
Source: 2023 Global compliance risk benchmarking survey

MOST COMPANIES ARE PERFORMING RISK-BASED DILIGENCE ON THIRD PARTIES BOTH AT THE BEGINNING OF THE RELATIONSHIP AND PERIODICALLY THEREAFTER
On average, most respondents (85%) report that their organizations perform risk-based compliance diligence on third parties. Of these, more than half (55%) said that they perform risk-based diligence on third parties before contracting with them and also periodically thereafter, whereas the remaining 30% stated that risk-based diligence only takes place before contracting with third parties.

While 85% or more of companies across most industries reported performing risk-based compliance due diligence on third parties, the consumer & retail industry was an outlier, with only 45% of respondents reporting doing so.

AT MOST COMPANIES, COMPLIANCE AND ETHICS TEAMS PERFORM COMPLIANCE DILIGENCE
Enforcement authorities pay attention to the methods companies use in performing compliance due diligence, as well as the personnel who are responsible for performing it. Authorities generally expect to see involvement from the second line of defense in performing diligence, as business units may not have the expertise to assess third parties or the independence to reject them on compliance grounds. Authorities also consider whether information received from third parties and business teams on questionnaires is corroborated using independent sources, such as public records searches.

Most respondents (57%) reported that their Compliance and Ethics teams perform third-party compliance diligence. While 42% of companies involve the relevant business unit in conducting compliance due diligence, 14% said that they only use the relevant business unit for compliance diligence. A further 15% of respondents did not know who performs compliance diligence at their company. Just under one-quarter of respondents (24%) outsource third-party compliance diligence to an external vendor.

Enforcement authorities pay close attention to the methods companies use in performing compliance due diligence and the personnel responsible for performing it

What methods does your organization use to perform risk-based compliance diligence on third parties?
Series: All respondents; Respondents with US$50 billion in revenues. Values as listed:
Search of public records and media: 83%, 63%
Questionnaire completed by the third parties: 79%, 62%
Questionnaire completed by someone within the organization: 58%, 40%
Interviews of third-party representatives: 25%, 25%
Enhanced diligence/investigations: 4%, 3%
Other: 8%, 2%
Audits: 0%, 1%
Don't know/no answer: 13%, 16%
Source: 2023 Global compliance risk benchmarking survey

Responses show that a majority of companies consider multiple sources of information as part of compliance diligence. Leading methods for screening potential vendors include using questionnaires completed either by the third parties (62%) or in-house (40%), as well as public records/media searches (63%).

MOST COMPANIES HAVE ETHICS AND COMPLIANCE TEAMS INVOLVED IN REVIEWING AND APPROVING POTENTIAL THIRD PARTIES
While nearly two-thirds of respondents (65%) reported that their Compliance and Ethics function has a defined role in reviewing and approving potential third parties, more than one in five (28%) respondents stated that their Compliance and Ethics function does not have one. Among companies that define a role for Compliance and Ethics teams in approving third parties, 47% do so based on the third party's risk profile, while 18% indicated that this function reviews all potential third parties irrespective of risk.

While the vast majority (75%) of respondents reported that their Compliance and Ethics function is authorized to prevent the engagement of a third party, a minority (15%) said this function lacks that authority.

A MINORITY OF COMPANIES REQUIRE ANTI-CORRUPTION TRAINING FOR THIRD PARTIES
Anti-corruption training is generally viewed as an important tool to ensure third parties understand their obligations under applicable laws and relevant contract clauses, and to reinforce the consequences of non-compliance. These findings indicate room for growth for companies to enhance their approach to third-party risk management.

Less than one-third of respondents (30%) require third parties to complete anti-corruption training, while more than half of respondents (53%) do not require such training. Among the 30% of respondents that require third-party anti-corruption training, 75% require third parties to complete their own organization's anti-corruption training.

LESS THAN ONE-QUARTER OF COMPANIES PERFORM REGULAR COMPLIANCE AUDITS ON THIRD PARTIES
Third-party compliance audits are an emerging area of focus for compliance leaders and enforcement authorities. They can have particular importance in jurisdictions such as the UK, where a company can face criminal liability for failing to prevent bribery by third parties performing services for or on its behalf.

When performed proactively, compliance audits can help companies increase awareness of compliance requirements and deficiencies among third parties and help prevent serious incidents of non-compliance before they arise. When performed reactively in response to a triggering event, these audits can help company counsel gather evidence and evaluate potential resolution strategies,
including litigation and disclosure. In both cases, the compliance audit is an important tool in giving teeth to a company's contractual anti-corruption compliance requirements.

While more than half of respondents (62%) audit third parties to assess compliance with anti-corruption requirements, only 22% of respondents audit third parties regularly, whether annually (11%) or less frequently (11%). 40% of respondents report auditing third parties only based on triggering events.

How frequently does your organization conduct audits on third parties to assess compliance with anti-corruption requirements?
Regularly, but not annually: 11%
Regularly, on an annual basis: 11%
[Other labels: Irregularly, based on triggering events; Don't know; N/A, do not perform audits; Regularly. Values shown: 17%, 21%, 22%, 40%.]
Source: 2023 Global compliance risk benchmarking survey

Does your organization require third parties to complete anti-corruption training?
[Chart. Response options: Yes, but only for certain third parties using risk-based criteria; Yes, for all third parties; No; Don't know. Values shown: 53%, 21%, 9%, 16%.]
Source: 2023 Global compliance risk benchmarking survey

Which type of anti-corruption training does your organization require third parties to complete?
[Chart. Categories: Anti-corruption training of their own; Third-party anti-corruption web-based training; Not sure; Our organization's anti-corruption training.]

Risk-based compliance diligence on third parties
Source: 2023 Global compliance risk benchmarking survey

Does the Compliance and Ethics function within your organization have a defined role in approving potential third parties?
Yes, only for certain third parties using risk-based criteria: 47%
Yes, for all third parties: 18%
No: 28%
Don't know: 7%

Have you ever been pressured to approve a third-party engagement presenting an unacceptable corruption risk profile?
Don't know: 28%
No: 60%
Yes, once: 9%
Yes, once: 2%

Can your organization's Compliance and Ethics function prevent the engagement of a third party?
Don't know: 11%
No: 15%
Yes: 75%

COMPANIES PREDOMINANTLY USE ANTI-CORRUPTION PROVISIONS IN THIRD-PARTY AGREEMENTS, BUT OPPORTUNITIES EXIST TO TIGHTEN AGREEMENTS
A company's ability to gather information and hold third parties accountable with respect to potential anti-corruption concerns can often hinge on the contractual protections that a company's legal team initially incorporated into its agreements with third parties. While in general most companies (91%) reported using some anti-corruption clauses in third-party agreements, certain contractual provisions that typically support and encourage enforcement of those clauses are not being used by companies. 39% did not include compliance audit clauses, and
89、86%did not include provisions to shift the cost of failed compliance audits to the third party.32%did not include provisions to allow termination of a third party in the event of non-compliance.11 2023 Global compliance risk benchmarking surveyData maturity ranking by company size (revenues(US$)Sour
90、ce:2023 Global compliance risk benchmarking survey Developing Rudimentary Advanced Planned or aspirational N/A not usedLess than$10billion$50billion or more13%17%$10billion to less than$50billion 7%27%36%100%80%60%40%20%0%2%57%14%13%75%8%4%26%How developed is your organizations use of data analytics
91、 for compliance risks?Developing(e.g.,patchwork of scalable system processes and manual processes)45%Rudimentary(e.g.,non-scaling,manual processes andworkbooks)24%Advanced(e.g.,integrated monitoring,reporting and automation across systems)9%Planned or aspirational(e.g.,not implemented)12%N/A do not
92、utilize data analytics for compliance9%Source:2023 Global compliance risk benchmarking surveyUse of data analytics incompliance programsBeing informed is the first step to being prepared.For decades,corporate counsel and compliance professionals have developed tools,systems and analytical approaches
93、 to improve the efficacy and scale of compliance oversight and controls.Technology has allowed companies to integrate compliance concepts and requirements into core business operations like never before.The“compliance by design”revolution has resulted in the growth of data analytics tools,key perfor
94、mance indicators and dashboards to help compliance teams monitor day-to-day business activities for risk and identify potential issues before they arise.These innovations have also resulted in significant cost savings for companies and more precision in targeting risk-based anti-corruption activitie
95、s.In a nod to the increasingly clear value of data analytics,in 2020 the US Department of Justices Criminal Division updated its“Evaluation of Corporate Compliance Programs”to direct prosecutors to consider how companies collect and analyze data as part of their compliance programs.The US Department
96、 of Justices Criminal Division encouraged prosecutors to assess how compliance teams use data analysis techniques to review business data and identify potential compliance concerns.One can expect an increased focus by enforcement authorities on whether and to what extent corporate counsel and compli
97、ance professionals are engaged with and deriving data from real-time business operations.Our survey asked companies to describe the current state of their data analytics programs,and where they are headed.KEY FINDINGSn Use of data analytics is becoming more commonplace,but most companies are still d
98、eveloping their approach n Growing convergence in how data analytics is deployed in compliance programs of respondents report using data analytics for compliance risks 78%12KPMG White&CaseHow does your organization currently use data analytics in its complianceprogram?Self-identified as“advanced”All
99、 respondentsSource:2023 Global compliance risk benchmarking survey60%20%80%40%100%0%Reporting,visualizations and/or dashboarding58%56%Managing training and certification requirements55%72%Identifying third parties for heightened screening and diligence48%72%Performing risk-based transaction monitori
100、ng and testing47%89%Tracking and managing compliance requests and approvals39%72%Enhancing risk assessments89%58%APPROXIMATELY ONE IN FIVE COMPANIES DO NOT CURRENTLY USE DATA ANALYTICS FOR COMPLIANCE AND ETHICS Few companies(9%)viewed themselves as being advanced in using data analytics for their co
101、mpliance programs.Most companies(69%)reported having a rudimentary or developing data analytics strategy.By comparison,approximately one-fifth(21%)of respondents do not currently use data analytics for their compliance programs.Adoption of data analytics was lowest among smaller companies,with appro
102、ximately 30%of companies earning less than US$10billion in revenues annually not using data analytics for compliance,compared to less than 5%of companies earning more than US$10billion per year.AMONG COMPANIES USING DATA ANALYTICS,THERE IS GROWING CONVERGENCE IN HOW THEY DEPLOY DATA ANALYTICS IN COM
103、PLIANCEPROGRAMSOverall,our survey shows that most companies are using data analytics to support core compliance program activities.Over half of respondents reported using data analytics to enhance risk assessments(58%);develop reports,visualizations and/or dashboards(58%);and manage training and cer
104、tification requirements(55%).Notably,the 9%of companies that self-identified as having“advanced”data analytics programs were more likely to use data analytics in areas that relate to management of real-time business risk.For instance,these respondents were almost twice as likely to report using data
105、 analytics to perform risk-based transaction monitoring and testing(89%)than the average(47%).They also were more likely to use data analytics to identify third parties for heightened screening and diligence(72%)than the average(48%);and to track and manage compliance requests and approvals(72%)than
the average (39%).

[Figure: How often does your organization review the content of its anti-corruption compliance program? How often does your organization test the effectiveness of its anti-corruption compliance program? Response options: Periodically, but less frequent than annually; Annually; As and when a specific risk is identified; Never; Don't know. Source: 2023 Global compliance risk benchmarking survey]

Monitoring and review

KEY FINDINGS
- Most companies review the content of their anti-corruption programs, but do not test the programs regularly for effectiveness
- Larger companies prefer to test on a periodic or annual basis, with periodic testing being more popular overall
- Smaller companies tend to test on an ad hoc basis, if at all
- A minority of companies use sophisticated techniques to test anti-corruption program effectiveness

SLIGHTLY MORE THAN HALF OF COMPANIES REPORT TESTING THE EFFECTIVENESS OF THEIR ANTI-CORRUPTION PROGRAMS ON A REGULAR BASIS

Important elements of an effective compliance program are periodically reviewing the contents of the program against evolving risks and regulatory requirements, and monitoring/testing the program to identify and improve deficiencies. While a significant majority of companies (74%) reported regularly reviewing the content of their anti-corruption programs, only 55% regularly tested their programs for effectiveness. Notably, 9% of companies stated that they have never tested the effectiveness of their anti-corruption program. Responses also show uncertainty among companies regarding the frequency of anti-corruption program reviews and testing, with 12% of respondents unsure of the frequency of anti-corruption program reviews, and 15% of respondents unsure of the frequency of compliance program testing.

ANTI-CORRUPTION PROGRAM TESTING: TRENDS BY COMPANY SIZE

The largest companies prefer to test on a periodic or annual basis. Three in four companies with revenues exceeding US$50 billion (75%) conduct periodic or annual testing, with 50% preferring periodic testing. No company in this size class reported “never” testing its anti-corruption program. In comparison, smaller companies were more likely to test on an ad hoc basis, if at all. 16% of companies with less than US$1 billion in annual revenues reported “never” testing their anti-corruption program. Less than half (45%) of these companies perform periodic or annual reviews.

A MINORITY OF COMPANIES USE SOPHISTICATED TECHNIQUES TO TEST ANTI-CORRUPTION PROGRAM EFFECTIVENESS

Companies are more likely to use traditional anti-corruption program testing techniques including the use of internal audits (60%); review of compliance training and certifications (50%); and review of hotline usage (40%). Conversely, less than one-third of respondents reported using more sophisticated techniques for evaluating compliance program effectiveness with respect to day-to-day operations, such as transaction testing (32%) and third-party audits (24%). Only one in five (20%) said that
they evaluate employee requests to Compliance and Ethics teams for consultation or approval.

How does your organization test the effectiveness of its anti-corruption program?
Source: 2023 Global compliance risk benchmarking survey
- Internal audits: 60%
- Review of training attendance and certifications: 50%
- Hotline usage: 40%
- Transaction testing: 32%
- Third-party audits: 24%
- Employee sentiment surveys: 22%
- Monitoring employee requests for consultation and/or approvals: 20%
- Screening/review of employee electronic communications and/or calendars: 11%
- Don't know/N/A: 26%

[Figure: How often does your organization test the effectiveness of its anti-corruption program? Respondent size by annual revenues (US$): Less than $1 billion; $1 billion to $50 billion; $50 billion or more. Response options: Periodically, but less frequent than annually; Annually; As and when a specific risk is identified; Never; Don't know. Source: 2023 Global compliance risk benchmarking survey]

How are staff, contractors and other responsible individuals made aware of your organization's compliance escalation/reporting mechanisms?
Source: 2023 Global compliance risk benchmarking survey
Values are shown for three respondent groups (legend: Companies with 10K employees).
- Training: 77% / 84% / 90%
- Anti-corruption policy and/or code of ethics: 76% / 83% / 89%
- Internal communications and reminders: 68% / 76% / 83%
- Internal website: 58% / 69% / 80%
- Awareness events: 33% / 41% / 49%
- Compliance champions/ambassadors: 19% / 30% / 42%
- Other: 3% / 3% / 2%

Compliance escalations

Most organizations have some form of procedure in place for reporting and escalating compliance issues, whether due to guidance from enforcement authorities or legal requirements. These procedures can range from informal chats with management to anonymous external hotlines. The effectiveness of these mechanisms can be limited, however, if employees are not aware they exist or are hesitant to use them. Fear of retaliation and a lack of trust in the outcome of an investigation are often cited as common reasons for such reluctance. The practice of reporting and escalation must be effectively embedded in the organization's culture, with a particular focus on the level of employee awareness and comfort in using these mechanisms. Identifying and addressing any deficiencies is also crucial.

COMPANIES ARE PUBLICIZING REPORTING MECHANISMS IN VARIOUS WAYS

The responses show that resources matter. Organizations with revenues in
excess of US$1 billion are more likely to promote reporting mechanisms than those below this threshold. Better resourced organizations tend to have more employees, and the responses show that those with more than 10,000 employees do more to ensure the effectiveness of their reporting mechanisms. Similarly, publicly listed companies do more to raise awareness of escalation and reporting mechanisms than do private companies.

Only 2% of organizations report having no formal compliance escalation mechanism

KEY FINDINGS
- Companies publicize reporting mechanisms in various ways
- Companies are not consistently measuring hotline awareness and effectiveness
- Employee comfort level with escalation and reporting mechanisms measured less than overall employee awareness
- Employees' concerns focus on hotline integrity, not technical implementation

Does your organization measure employee awareness of the escalation/reporting mechanism? Company size by revenues (US$)
Source: 2023 Global compliance risk benchmarking survey
- Less than $250 million: Yes 34%, No 62%, Don't know 3%
- $250 million to $1 billion: Yes 43%, No 49%, Don't know 9%
- $1 billion to $10 billion: Yes 47%, No 35%, Don't know 18%
- More than $10 billion: Yes 68%, No 15%, Don't know 17%

[Figure: Does your organization measure employee awareness of the escalation/reporting mechanism (e.g., hotline)? Does your organization measure employee level of comfort with using the escalation/reporting mechanism (e.g., hotline)? Response options: No; Don't know; Yes. Source: 2023 Global compliance risk benchmarking survey]

Training is seen as the most effective way to raise awareness of reporting mechanisms: 84% of respondents said they achieve awareness of their reporting mechanisms through training. Internal communications and reminders also featured prominently. Comparatively few organizations (30%) said that they use compliance champions or ambassadors. A small number of organizations (2%) revealed that they do not have a formal compliance escalation mechanism.

COMPANIES ARE NOT CONSISTENTLY MEASURING HOTLINE AWARENESS AND EFFECTIVENESS

Despite the importance of employee awareness of reporting mechanisms, only half of respondents (51%) stated that their company measures employee awareness of those mechanisms. Conversely, 35% of the respondents stated that they do not track employee awareness. And a significant minority (14%) did not know whether any such testing occurred. Large companies are significantly more likely to test employee awareness of hotline mechanisms than small companies. Approximately one-third (34%) of companies with less than US$250 million in revenues reported testing employee awareness of reporting mechanisms, compared to more than two-thirds (68%) of companies with more than US$10 billion per year. Uncertainty about reporting mechanism testing also appears higher, however, in larger companies (17%) than in small companies (3%). Of further interest is the number of frontline compliance personnel who did not know how or whether their organization monitors employee awareness of how to report concerns: 25% investigation directors; 19% Compliance
and Ethics officers; and 33% legal teams. The levels of uncertainty about these fundamental compliance functions seem surprisingly high and concerning given the surveyed population: the very personnel tasked with compliance and legal risk assessment. These responses suggest that a significant minority of respondents would have a limited ability to address questions from enforcement authorities about the effectiveness of their reporting procedures.

The practice of reporting must be effectively embedded in the organization's culture

[Figure: Our organization's policies and procedures to protect employees who report suspected misconduct are working effectively. Response options: Agree; Neutral; Disagree. Groups: No; Yes. Source: 2023 Global compliance risk benchmarking survey]

What are the top reasons cited by employees, if any, for concerns with using escalation/reporting mechanisms?
Source: 2023 Global compliance risk benchmarking survey
Values: All respondents / Respondents with US$50 billion in revenues
- Fear of retaliation: 55% / 75%
- Concern that nothing will be done: 50% / 63%
- Concern reporting is not anonymous: 47% / 67%
- Lack of familiarity with reporting channels/processes: 29% / 25%
- Do not know how to access reporting mechanisms: 13% / 13%
Other response options: No answer; Do not know.

COMPANIES THAT MEASURE HOTLINE AWARENESS REPORT GREATER CONFIDENCE IN WHISTLEBLOWER PROTECTIONS

Ensuring that employees are aware of reporting mechanisms in the first place is fundamental, but measuring employee comfort and experience with using
hotlines is equally important in ensuring that such mechanisms are effective. While fewer companies reported measuring employee comfort with reporting mechanisms than with awareness, companies that measured employee comfort showed higher levels of confidence in the effectiveness of their anti-retaliation policies and procedures. Companies that measured employee comfort with reporting mechanisms were much more likely to believe their anti-retaliation policies and procedures are effective (83%) than are companies that did not measure employee comfort (65%).

EMPLOYEES' CONCERNS FOCUS ON HOTLINE INTEGRITY, NOT TECHNICAL IMPLEMENTATION

Survey responses indicate that employee confidence in the processes in place following submission of a report is lacking, which, in turn, creates a potential barrier to compliance escalations being made. The survey results suggest there is more to be done across all industries to give employees comfort that reports made in good faith will be taken seriously and acted upon, and that reporting parties will be adequately protected against retaliation. The persistence of familiar deterrents to reporting (fear of retaliation, futility and anonymity concerns) suggests that many organizations struggle to constructively make use of this frontline, internal information resource. Roughly half of respondents identified the same three reasons why employees are reluctant to report potential compliance issues: fear of retaliation (55%); concern that nothing will be done (50%); and concern that reporting is not anonymous (47%). These concerns were more pronounced among the largest companies, where three-quarters (75%) of respondents cited employee fear of retaliation, and approximately two-thirds were concerned that reporting would not be anonymous (67%) or effective (63%).

How many compliance escalations does your organization typically receive in a 12-month period through the escalation/reporting mechanism or other channels?
Source: 2023 Global compliance risk benchmarking survey
Number of annual escalations | Less than $250 million | $250 million to $1 billion | $1 billion to $10 billion | $10 billion to $50 billion | $50 billion or more | All respondents
0 | 20% | 11% | 3% | 0% | 0% | 6%
1 to 99 | 57% | 57% | 56% | 24% | 4% | 43%
100 to 499 | 10% | 5% | 18% | 26% | 38% | 18%
500 to 999 | 0% | 0% | 3% | 10% | 4% | 3%
1,000 or more | 0% | 0% | 1% | 12% | 21% | 5%
Don't know | 13% | 27% | 19% | 29% | 33% | 23%
(Columns: size of company, revenues in US$)

COMPLIANCE ESCALATIONS VOLUMES: BENCHMARKING TRENDS

Given that the number of escalations is likely to be a key metric for understanding how effectively reporting mechanisms are operating in practice, organizations may wish to track periodically the number and type of escalations as part of their monitoring processes. Almost one-quarter of respondents (23%) stated that they did not know the volume of escalations in their organization. Approximately two-thirds (67%) of respondents had fewer than 499 compliance escalations per year, with the largest percentage indicating that they typically received between one and 99 escalations (43%). Escalations seem to increase roughly in proportion to the organization's size. More than half of companies with 499 or fewer compliance escalations a year had fewer than 20 Compliance and Ethics team members. Meanwhile, 72% of companies with 1,000 or more compliance escalations per year had more than 50 Compliance and Ethics team members. This result is not necessarily cause for concern, as more escalations are reasonably to be expected in bigger companies and may, in fact, be indicative of a healthy reporting culture. Larger organizations also may have additional resources deployed to address the escalation of compliance concerns, resulting in greater familiarity across the business with reporting mechanisms.

More needs to be done across all industries to give employees comfort that reports made in good faith will be taken seriously and acted upon, and that reporting parties will be adequately protected against retaliation

[Figure: Compliance escalations volume compared with Compliance and Ethics team size. Escalation bands: 0; 1 to 99; 100 to 499; 500 to 999; 1,000 or more. Team sizes: 1-10 people; 11-20 people; 21-50 people; 51-100 people; More than 100 people. Source: 2023 Global compliance risk benchmarking survey]

[Figure: Excluding HR/employment-related escalations, how many compliance escalations does your organization typically receive in a 12-month period through the escalation/reporting mechanism or other channels? Industries: Technology, media & telecom; Industrial manufacturing; Pharma/healthcare; Financial services; Energy & natural resources; Consumer & retail; Other. Response options: Don't know; 0; 1 to 99; 100 to 499; 500 to 999; 1,000 or more. Source: 2023 Global compliance risk benchmarking survey]

[Figure: Our organization's policies and procedures to protect employees who report suspected misconduct are working effectively, by Compliance and Ethics team size. Team sizes: 1-10 people; 11-20 people; 21-50 people; 51-100 people; More than 100 people. Response options: Disagree; Neutral; Agree. Source: 2023 Global compliance risk benchmarking survey]

Overall, companies with larger Compliance and Ethics teams reported higher levels of confidence that hotline policies and procedures are working effectively.

While the financial services industry has historically faced significant scrutiny of its compliance performance, it may not be leading the way in promoting awareness of escalation mechanisms, according to the survey results. Instead, the pharmaceuticals/healthcare and energy & natural resources industries appear to surpass the financial services industry in this regard. Typical hotline volumes vary dramatically by company size and industry. One-quarter of respondents reporting more than 1,000 escalations per year were from companies with more than 50,000 employees. No companies with fewer than 10,000 employees received escalations at this level. From an industry perspective, technology, media & telecommunications (14%), industrial manufacturing (8%) and pharmaceuticals/healthcare (7%) were most likely to report more than 1,000 escalations per year.

ESG

ESG has increasingly become an area of focus, but responses indicate inconsistency in approaches to address ESG risks. In general, public companies and those with dedicated ESG resources appear to have a better understanding and implementation of ESG measures.

DEFINING “ESG” REMAINS A CHALLENGE FOR MORE THAN ONE-THIRD OF COMPANIES

Almost four in ten respondents (38%) have not
clearly defined “ESG.” Approximately half of the respondents (53%) said that their organization had clearly defined “ESG.” Companies in the energy & natural resources and technology, media & telecommunication sectors were most advanced in defining “ESG,” with 67% and 61%, respectively, reporting that they have clearly defined it. Larger companies are more likely to have clearly defined “ESG.” This may be due to bigger companies being able to better afford dedicated ESG officers/teams. There is a decline in definitional confidence, however, with the largest companies (US$50 billion), suggesting challenges maintaining a clear understanding of ESG as companies grow.

KEY FINDINGS
- Defining environmental, social and governance (ESG) remains a hurdle for more than one-third of companies
- Larger companies are more likely to have ESG policies and procedures in place
- Implementation of ESG policies varies significantly among companies
- Companies also diverge widely in their ESG priorities for the next 12 months
- Companies are assessing their ESG risks, but consensus is still developing on how
- Compliance and Ethics teams play an increasing role in ESG programs, but not ESG strategy

Almost four in ten respondents (38%) have not clearly defined ESG

Does your organization clearly define “ESG”?
Source: 2023 Global compliance risk benchmarking survey
- Yes: 53%
- No: 38%
- Don't know: 9%

[Figure: “Yes” response by company size (US$)]

“Yes” response by industry
- Energy & natural resources: 67%
- Technology, media & telecom: 61%
- Consumer & retail: 55%
- Financial services: 52%
- Industrial manufacturing: 50%
- Pharma/healthcare: 45%
- Other: 33%

Does your organization have policies and procedures to address ESG risks?
Source: 2023 Global compliance risk benchmarking survey
- Yes: 53%
- No: 29%
- Don't know: 18%

Does your organization have a dedicated ESG officer, committee or equivalent? “Yes” response by industry
Source: 2023 Global compliance risk benchmarking survey
- Energy & natural resources: 50%
- Consumer & retail: 45%
- Financial services: 40%
- Technology, media & telecom: 39%
- Industrial manufacturing: 32%
- Pharma/healthcare: 31%
- Other: 22%

OWNERSHIP OF ESG VARIES WIDELY BY COMPANY

Given the emerging nature of ESG issues for many companies, almost one-fifth of respondents (17%) did not know who has primary responsibility for ESG within their organization. Perhaps due to the multi- or inter-disciplinary nature of the issues falling under the ESG banner, survey responses from those who did identify an officer with primary responsibility for ESG yielded a range of responses for who has such responsibility. 37% reported having a Chief ESG Officer, committee or equivalent, while others placed responsibility for ESG with one or more other senior company leaders, such as the General Counsel (16%) and Chief Compliance Officer (10%). Whereas a company's status as public or private was significantly correlated with whether the company had clearly defined “ESG,” that characteristic does not appear relevant to who oversees
ESG. Indeed, the survey indicated that private companies were as likely as public companies to have an ESG officer. Larger companies (those with revenues exceeding US$1 billion) are more likely to have a dedicated Chief ESG Officer or equivalent instead of relying on the General Counsel or Chief Compliance Officer (which smaller companies tend to do). Energy & natural resources is the sector most likely to have a Chief ESG Officer or equivalent (50%).

Who in your organization has primary responsibility/oversight for ESG matters?
Source: 2023 Global compliance risk benchmarking survey
- Chief ESG Officer, committee or equivalent: 37%
- General Counsel: 14%
- Other executive lead/group: 12%
- Chief Compliance Officer: 10%
- Shared executive responsibility: 4%
- Business unit leaders: 2%
- Not designated: 2%
- Don't know: 17%

LARGER COMPANIES ARE MORE LIKELY TO HAVE ESG POLICIES AND PROCEDURES IN PLACE

As with responses to the question of who within the organization had primary responsibility for ESG oversight, almost one in five respondents (18%) did not know if their company had ESG policies and procedures. This response is consistent with the emerging nature of ESG issues at many companies, and indicates there is significant room in those organizations to increase clarity and understanding surrounding ESG and its implications. Larger companies are more likely to have ESG policies, with 58% of companies with revenues exceeding US$50 billion reporting that they have ESG policies, compared to 40% of companies with revenues below US$250 million. Even so, approximately 42% of larger companies have no ESG policies, or do not know if there are ESG policies in place. Notably, uncertainty about whether a company has policies and procedures to address ESG risks increased as revenue increased, suggesting opportunities for greater awareness-building in those companies. From an industry perspective, companies in the energy & natural resources industry and industrial manufacturing industry were most likely to have policies and procedures to address ESG risks (with 78% and 66% of respondents, respectively, answering positively), whereas companies in the financial services sector were least likely to have such policies and procedures (45% of respondents answered positively).

For which topics does your organization have policies and procedures to address ESG risks? (Topic groups: Social; Governance; Environmental)
Source: 2023 Global compliance risk benchmarking survey
- Health and safety: 44%
- Privacy and data protection: 42%
- Diversity and inclusion: 42%
- Human rights: 37%
- Labor standards: 37%
- Modern slavery/human trafficking: 35%
- Natural resource management/efficiency: 34%
- Political contributions and lobbying: 34%
- Board composition and structure: 33%
- Waste management: 31%
- Climate change and pollution mitigation: 31%
- Strategic sustainability oversight and compliance: 29%
- Executive compensation: 23%
- Pay equity: 22%
- Deforestation/biodiversity: 8%
- Don't know: 4%
- No ESG policy specified: 48%

IMPLEMENTATION OF ESG POLICIES VARIES SIGNIFICANTLY AMONG COMPANIES

ESG covers a wide range of policies affecting all
companies. We asked respondents to clarify which policies they have implemented that relate to their ESG risks. No one ESG topic clearly stands out above the rest as being a current area of focus for a majority of respondents. The top-three choices were: health and safety (44%); diversity and inclusion (42%); and privacy and data protection (42%). Two industries in which health and safety issues are particularly important (energy & natural resources and industrial manufacturing) appear to account for the prominence of health and safety in the responses. 48% of respondents did not identify a specific ESG policy, which may indicate that ESG goals and particular policies are not aligned.

[Figure: Does your organization have policies and procedures to address ESG risks? Results by company size by revenues (US$) and ESG policy. Company sizes: Less than $250 million; $250 million to less than $1 billion; $1 billion to less than $10 billion; $10 billion to less than $50 billion; $50 billion or more. Series: No ESG policy specified; Don't know; Environmental; Governance; Social. Source: 2023 Global compliance risk benchmarking survey]

Does your organization provide ESG training to employees?
Source: 2023 Global compliance risk benchmarking survey
- Yes: 35%
- No: 56%
- Don't know: 9%

[Figure: Of the following ESG topics, which are the highest priority for your organization in the next 12 months? Series: All respondents; Companies with over US$1 billion. Topics: Modern slavery/human trafficking; Human rights; Privacy and data protection; Climate change and pollution mitigation; Diversity and inclusion; Health and safety; Waste management; Strategic sustainability oversight and compliance; Natural resource management/efficiency; Board composition and structure; Pay equity; Executive compensation; Political contributions and lobbying; Deforestation/biodiversity; Labor standards; Other; Don't know. Source: 2023 Global compliance risk benchmarking survey]

COMPANIES ALSO DIVERGE WIDELY IN THEIR ESG PRIORITIES FOR THE NEXT 12 MONTHS

While not selected by a majority of respondents, diversity and inclusion is nonetheless the highest-priority ESG topic for organizations generally over the next 12 months, although there was some divergence among industries. When asked about the top ESG priorities for the following 12 months, no one topic was selected by a majority of respondents. The top-five ESG priorities that companies reported were: diversity and inclusion (46%); climate change and pollution mitigation (38%); privacy and data protection (27%); strategic sustainability oversight and compliance (22%); and health and safety (19%). More than one-third of respondents (36%) from consumer & retail identified waste management as the highest-priority topic for their organization over the next 12 months, which is more than three times higher than any other industry group, whereas almost half (44%) of respondents in technology, media & telecommunications identified privacy and data protection as their highest priorities. More than half of companies with revenues of US$1 billion or more (53%) cited diversity and inclusion as a top priority. Meanwhile, 16% of companies with less than US$1 billion in revenues did not know
their ESG priorities for the next 12 months.

Respondents not identifying ESG risks, by size (ESG risks not assessed; company size by revenues, US$)
Source: 2023 Global compliance risk benchmarking survey
- Less than $250 million: 27%
- $250 million to $1 billion: 14%
- $1 billion to $10 billion: 9%
- $10 billion or more: 9%

[Figure: How does your organization identify key ESG risks? Methods: Risk and/or impact assessments; ESG gap analysis; Internal audits; Supplier declarations; Third-party diligence; Site visits; Third-party audits; Investigations; Industry audits; Other; Don't know; ESG risks are not assessed. Source: 2023 Global compliance risk benchmarking survey]

ESG TRAINING

Only one in three companies (35%) provide ESG training to employees; the majority of companies (56%) do not train employees on ESG matters. Once a company surpasses US$250 million in revenues, however, the likelihood increases of it training employees on ESG matters. Among industries, companies in the energy & natural resources sector were the most likely to provide training on ESG matters, with 50% of respondents answering in the affirmative. The lowest rate of ESG training across industries was pharma/healthcare, with less than three in ten (29%) stating they conduct ESG training.

COMPANIES ARE ASSESSING THEIR ESG RISKS, BUT CONSENSUS IS STILL DEVELOPING ON HOW

The most popular method of identifying ESG risks among respondents (45%) was through the performance of risk and/or impact assessments. ESG gap analyses (33%) and internal audits (27%) were the other top choices. More than one-third (34%) of respondents either stated that ESG risks were not assessed or did not know how they were assessed. Smaller companies were significantly less likely to take steps to identify ESG risks. 27% of companies with less than US$250 million in
revenues did not assess ESG risks, compared to 9% of companies with more than US$1 billion in revenues.

COMPLIANCE AND ETHICS TEAMS PLAY AN INCREASING ROLE IN ESG PROGRAMS, BUT NOT ESG STRATEGY

61% of respondents stated that their Compliance and Ethics function played a role in managing ESG risks. Almost one-quarter (23%) of respondents stated that their Compliance and Ethics function played no role in managing ESG issues. It remains to be seen if the Compliance and Ethics function assumes greater responsibility for ESG issues as jurisdictions impose or increase ESG-related reporting responsibilities and enforcement, or as litigation risk correspondingly increases as well. Among industries, the Compliance and Ethics function appears to be most active in managing ESG issues at consumer & retail companies, and least active at pharma/healthcare companies.

What role does your organization's Compliance and Ethics function play in managing ESG issues?
Source: 2023 Global compliance risk benchmarking survey
- Plays a role: 61%
- Does not play a role: 23%
- Don't know: 16%

Impact of remote working on compliance and investigations

KEY FINDINGS
- Modest increases in compliance investments and efforts during COVID-19
- Compliance escalations increased for small and medium-sized companies during COVID-19 and declined for the largest companies
- Compliance and Ethics headcount stayed even during COVID-19, with pronounced growth in financial institutions, consumer & retail and technology, media & telecommunications
- Dedicated compliance headcount remains lean at small and mid-sized companies
- Companies anticipate expanding the use of remote technologies for internal investigations during the next 12 months

[Figure: In your opinion, how has remote working during the COVID-19 pandemic ... compliance budgets (last 12 months); number of ...; ... compliance communications and training. Response options: Decrease; No change; Don't know; Increase. Source: 2023 Global compliance risk benchmarking survey]

MODEST INCREASES IN COMPLIANCE INVESTMENTS AND EFFORTS DURING COVID-19

Responses show that, overall, compliance teams experienced a slight uptick in budgets, headcount and compliance activities during the COVID-19 pandemic. Respondents were more than twice as likely to report an increase in compliance budgets than a decrease (31% versus 13%). Companies were more likely to report an increase in compliance escalations (25%) than a decrease (15%). Respondents were twice as likely to increase compliance headcount (22%) as decrease it (11%) during this period. Consistent with these findings, four in ten respondents stated that they increased compliance communications and training during COVID-19.

COMPLIANCE ESCALATIONS INCREASED FOR SMALL AND MEDIUM-SIZED COMPANIES DURING COVID-19 AND DECLINED FOR THE LARGEST COMPANIES

The greatest decline in escalations occurred at companies with more than 50,000 employees. While respondents were more likely to report an increase in compliance escalations than a decrease, the trend was reversed for the largest companies. One in four respondents with more than 50,000 employees reported a moderate or significant decrease (26%) in compliance escalations during the COVID-19 pandemic. Similarly, more than 50% of companies that regularly receive high escalation volumes (i.e., 500+ escalations per year) stated that they experienced a decline in compliance escalations. Compliance teams at these companies may wish to explore whether these declines were related to a general decrease in high-risk activities during the COVID-19 pandemic and/or whether remote working may have
caused an underreporting of compliance issues, which, in turn, could inform thinking about remote work policies going forward.

[Chart: Excluding internal audit, how many people in your company are responsible for carrying out the Compliance and Ethics function? Responses (Fewer than 20; 51 to 100; More than 100) by company size (Fewer than 10,000 employees; Between 10,000 and 50,000 employees; More than 50,000 employees). Source: 2023 Global compliance risk benchmarking survey]

[Chart: In internal investigations, what percentage of the following activities were/will be conducted remotely in the following time periods? Panels: Remote interviews; Meetings with government authorities. Periods: Before Feb. 2020; Feb. 2022 to Aug. 2022; The next 12 months. Responses: All (100%); 50% or more; Less than half; None (0%); Don't know. Source: 2023 Global compliance risk benchmarking survey]

[Chart: How has remote working during the COVID-19 pandemic affected compliance escalations volume? Responses (Decrease; No change; Don't know; Increase) by company size (headcount): Fewer than 10,000 employees; 10,001 to 50,000 employees; More than 50,000 employees. Second panel: Percentage citing decrease in escalations, by 0 to 99, 100 to 499 and 500+ escalations per year.]

DEDICATED COMPLIANCE HEADCOUNT REMAINS LEAN AT SMALL AND MID-SIZED COMPANIES

A majority of respondents (58%) reported having fewer than 20 dedicated Compliance and Ethics staff. 55% of companies with between 10,000 and 50,000 employees reported having fewer than 20 dedicated compliance personnel. More than two in ten (21%) companies with more than 50,000 employees reported having fewer than 20 dedicated compliance personnel. This would suggest a maximum ratio of 2,500 employees per single member of the Compliance and Ethics function.

COMPANIES ANTICIPATE EXPANDING THE USE OF REMOTE TECHNOLOGIES FOR INTERNAL INVESTIGATIONS OVER THE NEXT 12 MONTHS

COVID-19 normalized remote interview/meeting practices that were episodic before the pandemic.
- Before February 2020, only 30% of respondents conducted most or all interviews remotely, and 13% of respondents conducted most or all meetings with government authorities remotely.
- February 2020 to August 2022: 74% of respondents conducted most or all interviews remotely, and 48% of respondents conducted most or all meetings with government authorities remotely.
- Next 12 months: 62% of respondents anticipate conducting most or all interviews remotely, and 38% of respondents anticipate conducting most or all meetings with government authorities remotely.

Looking to the future: Cybersecurity tops the list of compliance priorities for the next 12 months

Cybersecurity is seen as the biggest compliance issue across the board (scoring 35%) for both public and private companies, and for companies of all sizes. It was also the focus for all industries, other than technology, media & telecom, which considers privacy and data protection as its main priority.

[Chart: What is the biggest compliance issue facing your organization in the following 12 months? Categories: Cybersecurity; Corruption; Privacy/data protection; Don't know; Competition/antitrust; Sanctions; Fraud; Other; ESG. Source: 2023 Global compliance risk benchmarking survey]

Survey methodology and demographics

Survey methodology

White & Case LLP and KPMG LLP developed a survey questionnaire consisting of 65 questions. Questionnaires were made available using several different methods, including social media and direct email contact. Potential participants received a link to an online survey platform, which allowed completion on both desktop and mobile formats. Participants could save their progress in the survey, but were encouraged to complete it in one sitting. Data was collected without identifying the respondent over a period of four months, from June to September of 2022. A total of 201 respondents from companies with headquarters across 34 countries and six continents completed the survey, and 40% of respondents were headquartered outside of the United States.

*Percentages in graphs may not sum to 100% due to rounding

Annual revenue (US$): Less than $250 million; $250 million to $1 billion; $1 billion to $10 billion; $10 billion to less than $50 billion; $50 billion or more (15%, 18%, 34%, 21%, 12%)
Listing status: Public 60%; Private 40%
Company industry: Financial services 30%; Industrial manufacturing 19%; Technology, media & telecom 18%; Pharma/healthcare 14%; Energy & natural resources 9%; Consumer & retail 5%; Other 4%
Company size by headcount: Fewer than 1,000 employees; 1,001 to 10,000 employees; 10,001 to 50,000 employees; More than 50,000 employees (20%, 29%, 30%, 21%)
Respondents' role: Other senior executive 3%; Member of other functions 3%; Member of Legal 9%; Member of Compliance and Ethics 43%; General Counsel and/or Chief Compliance Officer 42%

Demographics
- 201 respondents
- Headquarters in 34 countries across six continents
- 40% headquartered outside of the United States
- 60% publicly listed companies (50% US-listed and 10% non-US-listed)
- 28% with business operations on one continent; 40% reported operations on six continents

Respondents occupied various positions within their respective organizations and represented companies from more than six distinct
industries that ranged in size from fewer than 1,000 employees to more than 50,000 employees, and in revenues from less than US$250 million to more than US$50 billion.

Matthew McFillin, Partner, Forensic Services, KPMG LLP, T +1 267 256 2647
Joshua Rusenko, Director, Forensic Services, KPMG LLP, T +1 408 367 5744
Darryl Lew, Partner, White & Case LLP, T +1 202 626 3674
Courtney Hague Andrews, Partner, White & Case LLP, T +1 213 620 7721
Anneka Randhawa, Partner, White & Case LLP, T +44 20 7532 1521

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. KPMG LLP does not provide legal services.

© 2023 KPMG LLP, a Delaware limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved. The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organization.

In this publication, White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities. This publication is prepared for the general information of our clients and other interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice. ATTORNEY ADVERTISING. Prior results do not guarantee a similar outcome.

© 2023 White & Case LLP