Compliance management software, also known as governance, risk and compliance (GRC) software, may still seem like a luxury to businesses that track compliance using spreadsheets, paper and other basic methods.
However, if these businesses knew how their employees view compliance requirements, they might think twice about the necessity of a comprehensive, software-based approach to compliance management.
Thus we surveyed 110 employees across a variety of industries to better understand the (in many cases) daily violations of company policy they commit.
What we found is widespread consensus among employees that software is necessary to address the complexity and variety of regulations affecting the post-recession workplace.
- Software implementation of controls is far and away the most popular compliance management method among employees, favored by 73 percent of our sample.
- Twenty-one percent of employees without software-guided compliance training report being unclear on company policy. This drops to 5 percent for employees with annual training.
- Less than half of our sample (49 percent) report never having violated company policy, while 21 percent report daily to weekly violations.
- An unmanageable number of applicable regulations is the most common reason for compliance violations, cited by 38 percent of our sample.
- Out of the top industries in our sample, employee compliance violations are most common in banking/finance, and least common in manufacturing.
Let’s now take a look at the results of our survey in detail to understand how compliance management systems can ease some of the burdens that keep employees from complying with company policies.
Employees Want Controls Embedded in Workflows via Software
One of the most striking findings our survey uncovered is the significant preference for automating workflows with software:
Compliance processes for preventive action, accident reporting, etc. can be tracked in a variety of tediously manual ways, particularly at smaller organizations. GRC platforms that offer workflow modules, templates and governance features can streamline such inefficient, paper-based processes.
This functionality proves to be massively popular among the employees in our sample. Support for traditional compliance methods is practically nonexistent in 2017.
Of course, not all compliance processes can be automated via GRC software. Some compliance workflows will need to be automated in other systems (e.g., manufacturing processes that require a quality management system).
That said, automating policy management workflows (for policy creation, revision, approval, etc.) can still help to ease the burden on employees by ensuring that policies are consistently documented and implemented.
Software-Guided Training Significantly Impacts Employee Awareness of Policies
We’ve already seen that employees cite the number of applicable policies as the top compliance challenge they face. The compliance training modules included in GRC platforms help to diminish this challenge via online, software-guided courses on compliance issues with both out-of-the-box and custom content.
We asked the employees in our sample how clear they are on their company’s policies across a number of compliance areas, and we also asked them how frequently they receive software-guided training on compliance.
When we cross-reference responses to these two questions, a striking pattern emerges:
The only employees in our sample who report being totally unclear on company policy are those employees who don’t get any software-guided training on compliance, period.
Moreover, the number of employees who report being “somewhat unclear” on company policy drops significantly with semi-annual or annual training on compliance.
While we didn’t ask about other forms of compliance training in comparison to software, the above chart is a good indicator of the impact that training modules can have on employees’ awareness of applicable policies.
1 in 5 Employees Admits to Daily or Weekly Policy Infractions
If you’ve got kids, you probably know that even when rules get broken, the party breaking them doesn’t always fess up.
With this caveat in mind, fewer than half of the respondents in our fully anonymous survey think we’ll believe them when they say they never violate company policy:
There are two conclusions we should immediately draw about the above graph:
- If this is the frequency of conscious violations, then total violations are even higher, since employees can’t very well report the violations they’re not aware of.
- Given human nature, some of the respondents in our sample are knowingly violating company policy more often than they report.
Even after drawing these conclusions, 21 percent of respondents admitting to daily or weekly policy violations is still very high.
Compliance management software can reduce both conscious and unconscious violations via training modules, automated workflows and compliance surveys.
Compliance Requirements Too Numerous for Employees to Manage
Of course, the chart we just examined raises the question of why employees are violating company policy so frequently. When we asked this question of the employees who admit to violations, we discovered that some respondents in our sample have good excuses for lapsing in compliance efforts:
Perhaps the most striking finding in this chart is that more than a third of our sample is having difficulty in coping with the number of applicable regulations.
When we add in the 16 percent of the sample that have issues with the complexity of applicable regulations, we can see that overall, the diversity and complexity of compliance requirements create the potential for violations for over half of our respondents.
Compliance management software assists here in a variety of ways, such as:
- Policy normalization features reduce the number of policies employees have to contend with by mapping emerging requirements to existing policies, aggregating similar policies etc.
- Policies can be mapped to controls to enhance visibility into the implementation of policies.
Compliance Violations More Common in Banking and Finance Than Other Industries
We’ve seen that the quantity of regulations is a major problem for employees. This problem may be behind a rather disturbing trend evident in our findings.
Despite the recent, heavily publicized scandal at Wells Fargo, banking remains the least compliant industry among the top industries (i.e., those with nine or more respondents) in our sample:
We can quickly see that the only employees in our top industries that report violating company policy multiple times a day are in banking and finance.
Moreover, despite the huge number of regulations affecting this industry, fewer than one in five employees in banking/finance report never violating company policy. This is the smallest percentage of any of our top industries by a dramatic margin.
Employees in health care and education are more than two times as likely as banking employees to report never violating organizational policies. This jumps to three times for retail and manufacturing employees.
The high percentage of respondents in this group reporting daily violations (one-third overall) testifies to the continuing prevalence of noncompliant processes in the industry and the necessity for automated controls embedded in workflows.
We can also see that health care remains plagued by compliance issues, despite the massive potential for litigation in the industry.
Employees Most Frequently Violate Policies Relating to Online and Workplace Conduct
We did ask employees in our sample about the specific policies that they violate at work. Unsurprisingly, no respondents fessed up to violations of financial policies, despite our reassurances that our survey was anonymous. However, we see a large percentage reporting violations of policies relating to workplace conduct:
While IT needs to get involved in preventing online security violations, compliance management software can still help with managing company policy on this point.
Far more disturbing is the high percentage of employees reporting violations of workplace conduct policies, given the hefty settlements often paid out in cases of workplace harassment and discrimination.
Data privacy violations are also disturbingly high. As we’ve seen in cases such as the Target hack, such violations can have devastating consequences.
Risk-averse companies should explore software-guided training courses in these areas, in light of the impact on employee awareness we already discussed. Automated workflows can also help to streamline processes such as incident reporting, thereby increasing employee compliance.
If you have any questions about our survey methodology or findings, you can email me at firstname.lastname@example.org.