This blog post is an excerpt from Hyperproof’s 2020 IT Compliance Benchmark Report. The 2020 IT Compliance Survey gathered 526 responses during November 2019. All respondents are directly involved in organizational decisions regarding cybersecurity, data privacy and compliance.
At this time when data breaches, user privacy violations, and misinformation have become pervasive in our society, organizations must be proactive in building credibility and maintaining trust with their stakeholders (e.g., customers, employees, partners, suppliers, investors, etc.). In this coming decade, winning organizations will be ones that stand out as beacons of ethical behavior. To achieve such ambitious goals, compliance has to move beyond the realm of specialists and become a part of everybody’s job.
At the end of the day, a compliance program is only effective when it impacts the way leaders and employees make decisions large and small. Moving forward, information security, privacy, and compliance professionals must learn how to solicit cooperation from all employees.
So, how can organizations foster an ethical culture? What tools are they using to encourage leaders and employees to comply with internal policies and established standards?
In this survey, we evaluated the use of four tools: 1) training, 2) published guidelines on the consequences of non-compliance, 3) disciplinary action against those who have violated policies, standards and laws, and 4) incentive compensation tied to compliance results.
In order to improve compliance, organizations must offer compliance training that helps employees understand the applicable rules and regulations, what their company's standards are, and what they can do to maintain a strong culture. Furthermore, when employees understand why certain things are done a certain way and why that matters, they are more likely to become allies of the compliance team and to notify it when something goes wrong.
So, what topics are organizations currently offering in their training programs?
Data privacy, data protection, and security awareness training were offered by at least three-quarters of all respondents. Further, over half of all respondents reported that they offer ethics/anti-corruption/conflict of interest training. Financial regulation, discrimination, and sexual harassment training were offered by just under half of all organizations. Forty-one percent of all respondents said they also offer training on specific requirements for their industry.
Guidelines and Disciplinary Actions
Eighty-six percent of surveyed organizations say their company has published clear guidelines on the consequences of non-compliance. Nine percent of respondents said their company has not yet published any information on the consequences of non-compliance. Meanwhile, 5 percent of all respondents said they are not sure.
Compliance policies only have teeth when they are enforced consistently and when those who don’t follow the policy are appropriately disciplined.
In our survey, the majority of respondents (77 percent) agreed or strongly agreed that their organization consistently takes disciplinary action against employees who break the rules. However, small organizations (50 to 249 employees) were somewhat less likely than larger organizations to agree that they take consistent disciplinary action against rule-breakers.
Interestingly, over a quarter of all respondents from small organizations (50 to 249 employees) selected "neither agree nor disagree" for this prompt, a higher rate than respondents from other segments. It is likely that small organizations do not have established processes around discipline to the same degree as larger organizations.
We’ve all heard of organizations that turn a blind eye to bad behavior from certain individuals because they are considered too valuable to be replaced. In developing this survey we wanted to understand whether there is a difference in the enforcement of disciplinary actions by job level. So, we also asked respondents whether their organization consistently takes disciplinary action against leaders (VP level and above) who break the rules.
We did not find significant differences in how often organizations take disciplinary measures against leaders (VP level and above) versus rank-and-file employees.
Compensation Tied to Compliance Results
Variable pay (i.e., incentives), when done right, can steer people towards certain positive behaviors and outcomes and away from negative ones. In our survey, we asked respondents whether any portion of the compliance team’s total compensation is tied to compliance results.
We found that over half of all respondents (52 percent) said a portion of their compliance team’s total compensation is tied to results. However, small firms (50 to 249 employees) responded “yes” at a much lower rate as compared to mid-size (250 to 999 employees) and large firms (1000 to 2499 employees).
The proportion that answered affirmatively to this question is high, based on what Hyperproof has seen in the market. While activity metrics are easy to come by (e.g., number of audits completed this quarter), actual compliance results and outcomes (e.g., "How did compliance activities reduce specific identified risks?") are fairly difficult to measure. Given that we did not ask additional questions to understand how the respondents defined "compliance results", we are careful about making inferences. However, at the very least, this finding directionally supports the idea that many organizations view compliance as a serious business function.
We also asked the question "For employees outside of the compliance team, is there any portion of their total compensation that's tied to compliance results?" For this question, the proportion that said "Yes" is lower than for the previous question. Additionally, about 11 percent of respondents said they don't know.
To get more benchmarks on how organizations are keeping up with the ever-evolving risk landscape through compliance efforts, download our 2020 IT Compliance Benchmark Report.
The post Survey Results: How Organizations Can Foster a Culture of Ethics and Compliance appeared first on Hyperproof.
This is a Security Bloggers Network syndicated blog from Hyperproof authored by Jingcong Zhao. Read the original post at: https://hyperproof.io/resource/compliance-culture-survey-results/