Gartner: Compliance reporting needs new value proposition

Image by eamesbot via Freepik

August 2, 2022

Employees are likely to report misconduct — but only if they believe it will work out well for them, according to a survey by Gartner, Inc.

The Gartner survey of 901 employees in April showed that in a new normal of lower misconduct reporting since the pandemic, compliance leaders need to understand what drives employees to report misconduct.

Recent NAVEX research, 2022 Incident Management Benchmark Study, supports those findings — reporting volume remains lower than pre-pandemic levels, with reporting levels tracking to COVID cases. In 2021, fewer people submitted anonymous reports internally — choosing instead to provide their name — than in any prior year. This decline is accelerating, as the median anonymous reporting rate fell to an all-time low of 50% in 2021 from 56% in 2020 and 62% a decade ago indicating less fear of retaliation, according to NAVEX.

Chris Audet, senior director, research in the Gartner Legal, Risk & Compliance practice, says, “Employees understand it is what they are supposed to do but, in many cases, they aren’t sure that doing so will work out well for them or their teams, so they choose to keep quiet.”

Often, compliance assumes that employees will report misconduct as it’s “simply the right thing to do.” Leaders tend to play this by emphasizing how misconduct reporting helps the company, Gartner says.

It turns out, however, that approximately 50% of employees take a pragmatic approach to reporting and only report misconduct if there is a low risk of retaliation or benefits added to themselves. “Compliance leaders typically focus on driving trust in reporting and emphasizing anti-retaliation policies,” says Audet. “But often highlighting the ways that a speak up culture can benefit individual employees or their teams is overlooked.” and this is the most important factor driving a decision to report.”

What will drive an employee’s personal responsibility to report, Gartner says, is a new value proposition that has three core components to it: trust, safety and benefit.

While trust and safety in reporting are routinely addressed by compliance through such things as anti-retaliation policies, compliance teams rarely create or emphasize a personal benefit for the individual reporting or their teams.

“Addressing the benefit of reporting is a big untapped opportunity for compliance leaders,” says Audet. “It is the biggest single factor driving a sense of personal responsibility to report, yet employee perceptions in this area are typically negative. It is rarely a prominent component of speak up messaging from compliance teams.”

Risk, security and compliance leaders should further encourage a speak up culture and grow trust to continue to improve internal reporting processes and awareness.

For more information, visit gartner.com.

Maria Henriquez joined Security Magazine in 2019 as its Associate Editor. Since then, she has been covering the security industry and reporting on issues affecting enterprise security leaders, to include cybersecurity, leadership and management, risk and resilience and pressing security challenges facing the industry.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.