Abstract
Corporations must comply with various laws and regulations, subject to their markets and industry. To manage their compliance risks, corporations are expected to design and implement compliance programs based on risk assessments. This study investigates the impact of risk assessments on the implementation of recommended practices in Corporations’ Compliance Programs (CCPs). Through survey interviews with compliance officers from 93 Forbes 2000 companies, the research examines the relationship between risk levels and 33 recommended practices across Anti-Bribery & Corruption, Data Privacy, and Third-Party compliance risks. Contrary to the initial hypothesis, findings reveal that only nine practices significantly relate to risk levels, including rule-based policies and compliance training testing. Unexpectedly, several practices showed negative relations, particularly in the Third-Party compliance domain, suggesting that higher risk levels do not always lead to broader implementation of recommended practices. The study uncovers mixed results in the Anti-Bribery & Corruption CCP, limited risk-based alignment in the Third-Party CCP, and better alignment in the Data-Privacy CCP. These findings suggest that the relationship between risk and compliance implementation is domain-specific and may be influenced by whether the risk is perceived as core (e.g., Data Privacy) or non-core (e.g., Third-Party). They highlight the need for improved regulatory alignment with corporate practices and further exploration of CCP impacts on risk management. This study offers a novel empirical contribution by systematically examining the link between risk levels and the implementation of specific compliance practices across three compliance areas, providing a granular benchmark for future research.
Theoretical Background
Introduction
Corporations face diverse legal requirements based on their location, market, and industry. Non-compliance risks include financial penalties, legal consequences, and reputational damage. Prosecutors consider a company's preventive efforts, known as Corporations’ Compliance Programs (CCPs), when deciding on charges. Effective CCPs help identify and mitigate risks, potentially saving organizations from costly legal battles and fines.
While regulatory guidelines emphasize the importance of risk assessments in shaping CCPs, there is limited empirical evidence on their actual influence on compliance practices (Benedek & Bognár, 2024). This study examines the relationship between risk levels and the implementation of recommended practices in Anti-Bribery & Corruption, Data Privacy, and Third-Party risks. The research aims to investigate whether corporate risk assessments significantly influence CCP implementation, addressing the question: To what extent does risk assessment impact the effectiveness of corporate compliance programs?
This study contributes to the literature by offering a granular, empirical analysis of 33 specific compliance practices across three risk domains, using data from 93 multinational corporations. Unlike prior studies that have focused broadly on compliance frameworks or enterprise risk management (ERM), this research directly tests the linkage between assessed risk levels and the actual implementation of compliance practices. In doing so, it builds upon and extends recent work by providing a detailed, practice-level benchmark that highlights where regulatory expectations align or diverge from corporate behavior.
Regulators’ Guidelines on Risk Assessment in Compliance Programs
In recent years, several regulatory guidelines in the U.S. have been issued to outline how corporations’ Compliance Programs (CCPs) should be evaluated during prosecutorial considerations. A fundamental indication of regulators’ expectations regarding CCPs can be found in Section 8B2.1 of the United States Sentencing Guidelines (USSG), which describes the minimum actions corporations must take to establish an effective compliance program. Key pillars covered by these guidelines emphasize the importance of conducting risk assessments, establishing adequate standards and policies, and implementing effective training programs and other assurance activities (e.g., reporting and monitoring).
To elaborate on the U.S. Sentencing Guidelines (USSG) requirements, the Criminal Division in the U.S. Department of Justice (DoJ) issued the Evaluation of Corporate Compliance Program guidelines, widely regarded as the most comprehensive statement on compliance program evaluation (Armour et al., 2019). These guidelines specify factors that prosecutors should consider when investigating a corporation and determining whether to bring charges or negotiate pleas. Organizations are advised to begin by conducting risk assessments to identify, assess, and define their risk profile. Based on these assessments, they should develop tailored policies, procedures, and training programs. The guidelines emphasize the importance of a robust risk management process, including risk-tailored resource allocation, periodic updates, and a ‘Lessons Learned’ process that incorporates insights from within the company and industry. Additionally, the DoJ expects corporations to manage emerging risks and adopt practices that leverage technology to enhance employees’ engagement with compliance materials, through training systems that support visualization techniques such as animations and videos. Furthermore, the guidelines provide specific examples of how the risk assessment process should inform the design of CCPs. For instance, they highlight the use of policies to mitigate identified risks by tailoring the policies’ content (rule-based vs. principle-based) to affect the norm (Kahneman et al., 2021), and the importance of risk-based training, such as defining the training population (functions and seniority).
Additionally, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has established a comprehensive Sanctions Compliance Program (SCP) framework that provides robust guidance for organizations under U.S. jurisdiction and foreign entities engaged in U.S.-related business. This framework emphasizes a risk-based approach, requiring organizations to develop tailored compliance strategies that address their unique risk profiles across their business (subsidiaries). Central to the framework are five essential components: management commitment, risk assessment, internal controls, testing and auditing, and training. The approach mandates organizations to form targeted policies, engage in strategic third-party risk management, implement rigorous control mechanisms, and design adaptive training programs. By focusing on comprehensive risk assessment and continuous monitoring, the framework enables organizations to develop dynamic compliance strategies that can effectively mitigate sanctions-related risks, while ensuring regulatory alignment and operational resilience in an increasingly complex global business environment. For example, the framework emphasizes tailored training programs, especially for high-risk employees. It recommends adapting content to geographic scope (i.e., subsidiaries), aligning frequency with risk assessments, and taking prompt action based on monitoring results, including additional training or corrective measures for relevant personnel.
An example of industry-specific implementation can be found in the U.S. Department of Health and Human Services Office of Inspector General (OIG), which has issued tailored guidance for the healthcare sector, including the General Compliance Program Guidance (GCPG) and Measuring Compliance Program Effectiveness resource guides. These documents outline the best practices and key elements for healthcare organizations to enhance their compliance programs and meet regulatory standards. The OIG guidance aligns with the DoJ's approach, emphasizing seven key components: clear policies, compliance leadership, training, communication, enforcement, risk assessment, and issue response. This guidance stresses leadership accountability, regular risk assessments, role-specific training, audits, compliance incentives, and structured responses to non-compliance.
Furthermore, various G20 countries have adopted similar guidelines. The UK Bribery Act 2010 outlines six anti-bribery principles, including risk assessments, senior-level commitment, and compliance monitoring. Germany's Corporate Governance Code recommends ethical governance, internal risk management, and supervisory board oversight. Japan's Financial Services Agency issued a Corporate Governance Code promoting sustainable growth through compliance and risk management principles.
Classification of Recommended Practices According to Regulatory or Standards.
Control Variables.
Nuanced Risk Assessment View: Comparative Mean Scores.
Notes: Scale of Likelihood: Very Low (1), Low (2), Medium (3), and High (4). Scale of Impact: Low (1), Medium (2), High (3), and Very High (4). Scale of overall assessment: 1–4: low risk (group 1), 6–9: medium risk (group 2), 10–12: high risk (group 3), and over 12: very high risk (group 4).
Prewett and Terry (2018) highlight the importance and challenges of implementing risk management in corporations. Without detailed regulations, market players often set internal standards (Halliday & Scott, 2010). Prewett and Terry (2018) found that about 60% of surveyed organizations implemented Enterprise Risk Management (ERM) using the COSO framework. The literature emphasizes that integrating ERM into corporate practice not only mitigates risks but also aligns with strategic goals and drives innovation and growth. Regulators also emphasize the importance of a holistic approach like ERM. This process of creating benchmarks in the absence of regulated standards has led to the development of internal corporate norms for risk assessment within compliance programs.
The COSO ERM framework emphasizes the critical role of risk assessments in shaping corporate policies, training, and compliance monitoring. It defines risk as ‘the possibility that events will occur and affect the achievement of strategy and business objectives’. For example, the framework highlights compliance training as a key element for managing risks, recommending root-cause analysis when appropriate training is lacking, considering training volume as a performance indicator, and emphasizing employee engagement in formal and informal training (COSO ERM Framework). The Society of Corporate Compliance and Ethics & Health Care Compliance Association (SCCE & HCCA) published a dedicated COSO ERM framework for compliance risk management, detailing how risk management should guide CCP implementation. This includes using risk assessment results to inform policy creation, tailoring training programs to identify risks, and designing compliance monitoring systems around key risks. This structured approach ensures alignment of compliance efforts with the organization's most significant risks, promoting effective risk management across the enterprise. The COSO ERM framework distinguishes between inherent risk (defined as the level of risk prior to the implementation of mitigation measures) and residual risk, which reflects the remaining exposure after such measures are applied. In the context of this study, mitigation measures are represented by the design and implementation of corporate compliance programs.
The ISO 31000 standard (Anton & Nucu, 2020) also outlines principles and guidelines for risk management, emphasizing that risk assessments should inform policies, training, and monitoring systems. It defines risk level using likelihood and consequences. The standard states that risk assessments should guide policy creation, address identified risks, and align with organizational risk appetite (the amount and type of risk an organization is willing to accept in pursuit of its objectives). Training is highlighted as a key element in managing risk, with knowledge assessment being crucial. The standard mandates legal and regulatory compliance and emphasizes ongoing monitoring and review, focusing on high-priority risks identified through assessments. By integrating risk assessment into these areas, organizations can align risk management with strategic goals and maintain resilience in a dynamic environment.
An additional ISO standard (ISO 37301) focuses on Compliance Management Systems (CMS) and provides a comprehensive framework for organizations to establish, implement, maintain, and improve their CMS. The standard employs a risk-based approach and follows the Plan-Do-Check-Act cycle, emphasizing continuous improvement. Key components include leadership commitment, compliance policy, risk assessment, and performance evaluation. ISO 37301 is applicable across various industries and organization sizes, integrating seamlessly with other ISO management systems. By implementing this standard, organizations can effectively mitigate compliance risks, enhance reputation, and demonstrate commitment to ethical business practices (Benedek & Bognár, 2024). The standard's global recognition and certifiable nature offer potential competitive advantages in today's complex regulatory environment.
To conclude, regulatory guidelines and standards stress the importance of risk assessments in compliance programs, expecting their outcomes to inform policies, training, and monitoring. While guidelines provide the ‘what’ and standards the ‘how’, corporate implementation remains understudied. Prior studies have explored general compliance frameworks; this study uniquely examines the empirical linkage between risk assessment levels and the implementation of specific practices across three compliance areas. Table 1 describes the classification of recommended practices according to regulatory guidelines or standards.
Emerging Compliance Risks
As detailed, the regulators’ guidelines and standards emphasize the importance of considering emerging risks (rather than only known risks) in the risk assessment process to address upcoming challenges. Past studies (Apooyin, 2025; Haelterman, 2022; Soane, 2025) also highlight the significance of aligning risk management practices with an organization's broader objectives, especially as businesses navigate a complex and evolving legal and regulatory landscape.
Complying with anti-corruption and anti-bribery regulations has been a challenge for corporations, especially in multinational businesses. These regulations require organizations not to offer benefits to public officials to secure any improper advantage over their competitors. Since 2000, enforcement actions have increased significantly in this area. The volume of prosecutions under the U.S. Foreign Corrupt Practices Act (FCPA) has been greater than that of any other type of prosecution in the U.S. (Vento, 2020). During 2000–2020, the DoJ enforced sanctions totaling 19B USD. Most of these sanctions (66%) involved criminal charges. During 2016–2020, the total value of FCPA sanctions was 10B USD (accounting for 52% of FCPA sanctions since 2000), which signals that this legal field is evolving. Additionally, some G20 countries (e.g., Japan) have various laws relating to anti-corruption in their corpus juris; nevertheless, they do not have anti-corruption laws covering all types of corruption, such as the UK Bribery Act 2010 (Shimomura, 2020). The evolving landscape of sanctions and regulations has amplified bribery risk over the years, presenting a growing challenge for corporations, particularly multinational entities.
Another evolving risk for corporations is related to interactions with third parties. In today's complex global business environment, organizations increasingly rely on third parties for various services, driven by the need to reduce costs and access specialized skills (Rodman, 2001). This trend introduces third-party risks, including data breaches, operational failures, financial malfeasance, and regulatory non-compliance. Implementing a robust Third-Party Risk Management (TPRM) program is crucial for corporations to effectively identify, assess, and mitigate these risks. The importance of compliance programs in this area is underscored by the fact that approximately 90% of FCPA fines in the past decade were related to violations conducted through third parties. The DoJ guidelines emphasize the need to evaluate compliance program effectiveness regarding third parties and conduct ongoing monitoring through due diligence, training, and audits. However, these guidelines primarily focus on internal mitigation rather than external risk transfer methods such as insurance and indemnification agreements.
Furthermore, regulations regarding Data Privacy (DP) have also increased significantly in the U.S. and Europe over the past few years, mainly as a result of the development of technologies that enable easier collection and processing of personal data. These regulations may focus on customers, patients, vendors, employees, or other third parties whose information is held by the organization. This includes the General Data Protection Regulation 2016/679 (GDPR) regulation within the EU, the General Data Protection Law (GDPL) in Brazil in 2020, the California Consumer Privacy Act (CCPA), and the 2020 version of the California Privacy Rights Act (CPRA).
The diverse regulations surrounding Anti-Bribery & Corruption, Data Privacy, third-party actions, and emerging risks underline the need for robust compliance practices in corporations, particularly in a multinational environment. These requirements, however, vary by industry. For example, pharmaceutical companies prioritize safeguarding patient data and preventing bribery & corruption, while the banking sector focuses on client data protection and anti-money laundering measures. These industry-specific needs must be addressed through risk-based compliance programs.
Theory Development
Many studies emphasize the critical role of risk management in modern businesses, arguing that organizations with robust risk management practices are better positioned to achieve higher levels of performance, competitiveness (Khan & Rehman, 2018), and strategy (Viscelli et al., 2017). The literature specifically highlights that strong corporate governance is essential for managing risks, particularly in complex and dynamic business environments (McCrae & Balthazor, 2000). It argues that integrating risk management into corporate governance frameworks ensures accountability, transparency, and sustainability in decision-making processes. Beasley et al. (2015) argue that while ERM has become more recognized across industries, there is still a gap between having ERM frameworks in place and embedding ERM into the organization's decision-making processes. They conclude that embedding ERM into the corporate governance framework can enhance long-term organizational resilience and help businesses better navigate uncertainties. Other studies (Frigo & Anderson, 2011) echo that corporations face increasingly complex global risks, due to the large geographical landscape and the dynamics of markets.
The ISACA framework (2021) echoes the importance of having synergies between risk management and corporate compliance. It highlights that the CCP acts as a mitigation action to reduce corporate risks. Compliance officers are responsible for managing and performing the CCP. Thus, they should be able to appropriately identify and assess non-compliance risks. These officers are usually in charge of or greatly involved in the execution of the compliance program, including the design of policies, managing training programs, and executing monitoring activities. They may not have the expertise or the knowledge on how to enhance CCP to address the risks (Trevino et al., 2014; Weber & Fortun, 2005). However, they are responsible for identifying the challenges and the gaps through risk assessment.
Past studies have raised concerns about corporate compliance activities, suggesting that they are more ‘cosmetic’ than effective (Warren et al., 2014). Other professional literature has pointed out that corporations may conceptualize compliance activities as ‘check-the-box’ exercises, widely considered to be a waste of resources (Armour et al., 2019). These studies may not only indicate the level of the management's engagement in aligning with the regulations, but also the perception of management concerning legal norms. Furthermore, corporations believing they comply in good faith may face regulatory enforcement. This can lead to less collaboration and adoption of only minimum compliance requirements (Gunningham, 2017). Moreover, the fact that there are limited legal requirements for risk assessment to be implemented in compliance programs may lead to the de-prioritization of developing a self-approach to address it, even if the organization was sanctioned.
The literature finds that there is no ‘one size fits all’ approach to implementing the risk management process, i.e., corporations may mitigate risks differently depending on the relevant risk area.
Different approaches to mitigating risks depend on the level of risk a corporation is willing to take to achieve its objectives. According to Alix et al. (2015), the level of risk that a corporation is willing to take is called ‘risk appetite’; different approaches represent different risk appetites. They explain the importance of defining risk appetite as a key element in strategic decision-making and enterprise risk management (ERM). They also describe the challenges of setting and managing risk appetite, e.g., communicating the risk appetite clearly and balancing it against the dynamic nature of the environment. As de Zwart (2021) emphasizes, the development of a clear risk appetite statement is a core responsibility of corporate boards and a foundational element of effective risk governance. This perspective supports the notion that variations in risk appetite may explain differences in the implementation of compliance practices across organizations. Berner and Campbell (2021) found that the approach to addressing risks depends on the resources that the corporation invests to mitigate them. As a result, different resource allocations may produce different approaches to managing risks of a similar level. Therefore, it is vital for corporations to detect gaps between the risk level and the actual implementation of the CCP that addresses these risks.
Even though there is a significant risk of non-compliant action in corporations, only a few studies have been conducted on implementing CCP elements. As a result, knowledge about the practical implementation of CCP elements (e.g., compliance training) is limited (Minbaeva, 2005). This study asks whether risk assessment affects corporations’ compliance program practices and, if so, in which direction. That is, do we expect to see practices that are more aligned with regulators’ guidelines and standards in corporations facing higher risk levels? In other words, does risk assessment matter in corporate compliance programs?
While regulatory guidelines emphasize the importance of conducting risk assessments as a foundation for designing effective compliance programs, they do not explicitly specify whether such assessments should refer to inherent risk (prior to mitigation) or residual risk (after mitigation measures are applied). However, given that these guidelines consistently instruct corporations to tailor their compliance programs based on the assessed level of risk, it is reasonable to interpret this as a reference to inherent risk. In this context, the assumption guiding this study is that the higher the inherent risk level identified by the corporation, the greater the expected implementation of mitigation measures, namely, the adoption of recommended practices that characterize an effective compliance program.
This study expects to find a direct relationship between the inherent risk level and the extent to which CCP elements are implemented in accordance with the recommended practices by regulators and standards. This assumption refers to the specific risk and CCP areas, e.g., Data Privacy, Anti-Bribery & Corruption, Third-Party. This means that corporations adopt a similar risk appetite for compliance risks.
Hypothesis: There is a positive relationship between risk assessment (including risk impact and risk likelihood) and the implementation of recommended compliance practices. The higher the risk level is, the more recommended compliance practices are implemented.
Method
To assess the hypothesis, this study employs an empirical quantitative approach to investigate the relationship between risk assessment (level of risk) and the implementation of recommended CCP practices by corporations, i.e., whether the practice implemented, and if yes, the extent to which it is conducted (e.g., frequency, volume). Information was collected through survey interviews with compliance officers. Statistical analysis was employed to examine the potential connections and underlying patterns between these variables.
Participants
The study population comprises compliance officers from 93 corporations on the Forbes 2000 list, referencing a previous study by Weber & Wasieleski (2013) that examined CCP implementation in 61 Fortune 500 companies. Both lists include corporations based on their sales, market value, assets, and profits, helping to control the sample's diversity.
Measures
To empirically assess the hypothesized connections between the level of risk (independent variable) and the implementation of compliance practices (dependent variable), a series of quantitative measures were employed. This section details the operationalization of the dependent and independent variables used in the analysis, which were subsequently tested using Pearson correlation, t-tests, and regression models, including ANOVA. While Pearson correlations were used to assess bivariate associations, regression models were employed to estimate conditional relationships between variables, controlling for other factors. Accordingly, regression results are interpreted as estimated relations (rather than simple correlations), as they are derived from models that incorporate error terms and satisfy assumptions such as orthogonality between predictors and residuals.
Independent Variables (Risk Assessment)
The independent variable in this study is the level of inherent risk assessed by compliance officers, focusing on specific compliance risks measured according to the COSO standard. Feedback from compliance officers during survey interviews determined the likelihood and impact of these risks, based on the most recent compliance training topics (out of the three selected areas). The assessment considered various impact parameters, including financial loss and employee turnover, rated on a scale from Low (1) to Very High (4). Likelihood was similarly rated, with overall risk levels categorized into four groups: low (1–4), medium (6–9), high (10–12), and very high (over 12). This structured approach enables organizations to evaluate and manage compliance risks effectively. Appendix 2 details the answer options for the risk assessment.
Dependent Variables (Compliance Practice)
The answer options for each practice were defined in accordance with the possible feedback. For questions based on a fact, the possible answers were either yes or no, or details of the practice. For questions based on an evaluation by a compliance officer, the possible answers were based on a scale. Trevino et al. (1999) used a five-item scale (1–5) to assess feedback from compliance officers concerning compliance programs; therefore, I used the same method to collect feedback and analyze the data. The scores of each practice, each group of practices, and the overall score were calculated per corporation and per CCP area. The higher the score in each practice, the more extensively the corporation implemented it.
The Cronbach's Alpha of the questionnaire within the measurement method is 0.7520 (n = 93). The results of Cronbach's Alpha tests support the reliability of this measurement method.
The dependent variable in this study is the extent to which corporations adopt recommended practices, assessed through survey interviews with compliance officers. These practices, derived from regulators’ guidelines, were categorized using the AD&DIE model (Assessment Needs, Design & Develop, Implement, and Evaluate) to enhance compliance training effectiveness (Jamali, 2010). The Assessment Needs phase includes practices such as conducting compliance risk assessments, tailoring training content by role or seniority, and the existence of formal compliance policies. These policies were considered as part of the needs assessment phase, as they reflect the organization's initial response to identified risks and form the foundation for subsequent compliance activities. The Design & Development phase covers the use of real-life case studies, translation of training materials into local languages, and the ability of subsidiaries to adapt content to local needs. The Implementation phase includes practices such as senior management involvement in training delivery, the use of animations or professional actors, and the deployment of ad-hoc training in response to critical incidents. In this context, “implementation” refers to the operationalization of compliance practices, including the actual rollout of training programs and the extent to which they are actively delivered and supported within the organization. Finally, the Evaluation phase encompasses testing practices (e.g., mandatory tests, minimum scores, manager visibility), escalation procedures for non-participation, employee surveys, and monitoring of training effectiveness. This categorization enables a systematic examination of how each practice aligns with the respective phase of the compliance training lifecycle and supports a more nuanced understanding of the depth and maturity of compliance program adoption. 
It facilitates a holistic view of practices, identifying gaps and improving alignment with organizational objectives. The study employed a five-item scale for feedback collection based on Trevino & Weaver's (1999) method. Each practice's score reflects its implementation level within the corporation. The reliability of the measurement method is supported by a Cronbach's Alpha of 0.7520 (n = 93). Appendix 1 details the practices, answer options, and the group classifications. This structured approach allows for a comprehensive evaluation of compliance practices across various corporations and provides insights into their effectiveness in managing compliance risks.
Control Variables
To ensure the sample accurately represents the population, several control variables were considered, including the location of headquarters, corporate resources (sales, assets, value), compliance officers’ experience (minimum one year), industry, and the officer's position (headquarters or subsidiary). This data was collected from public information i.e., F2000, and corporations’ website. The implementation of different Compliance Control Programs (CCPs) may depend on the legal domain's risk level for each corporation, thus affecting CCPs in specific risk areas. Three compliance areas were predefined: Anti-Bribery & Corruption, Data Privacy, and Third-Party Risk, with approximately 30 samples from each area. A coefficient relation test was conducted to explore potential associations between control variables (e.g., assets, revenue, market value) and the independent variables. These tests were intended to examine general patterns and ensure sample representativeness. No formal moderation or mediation analysis was performed.
All questions focused on corporate-level practices unless specified for subsidiaries. For example, policies pertain to corporate documentation, while training refers to materials distributed from headquarters (Weber & Wasieleski, 2013). Table 2 describes each control variable, its source, and its value type.
Procedure
To collect the data, I contacted compliance officers via LinkedIn to coordinate a video conference or telephone survey interview in English during 2021–2022. The average duration of the interviews was 45 min. To ensure that the sample properly represents the population, I approached compliance officers from the Forbes 2000 list in order of ranking (top-down), based on the industry of the corporation that employed them. The interviews were held via Zoom, MS Teams, or by phone. Overall, during the sampling process, compliance officers from 426 corporations were approached. Of these, 93 agreed to participate and were interviewed (a 22% response rate), above the 10% that Watson & Weaver (2003) consider acceptable. To ensure that feedback was relevant, accurate, and valuable for the study's purpose, the survey interview referred to the last training that the compliance officer had attended. This training was always directly related to the compliance area selected for the interview (i.e., Anti-Bribery & Corruption, Third-Party, or Data Privacy), ensuring alignment between the officer's responses and the specific risk assessment and practice implementation discussed.
Results
Descriptive Statistics
Frequencies of the Sample (Control Variables)
The study's sample (n = 93) reflects 5% of the Forbes 2000 population. It encompasses compliance officers from corporations in seven industries, which together cover 87.6% of the corporations in the population. The sample also represents 14% of the population's sales, 9% of its assets, 13% of its market value, and 11% of its profit. Of the 93 compliance officers, 32 (34.4%) provided feedback regarding the Anti-Bribery & Corruption CCP; 29 (31.2%) regarding the Third-Party (i.e., trade compliance and anti-money laundering) CCP; and 32 (34.4%) regarding the Data Privacy CCP. The frequencies of the data on the Forbes 2000 and the sample regarding industry, location of corporate headquarters, and location of the compliance officers (per continent) are presented in Appendices 3 and 4.
Frequencies of the Risk Assessment (Independent Variables)
The study analyzed the risk assessments provided by compliance officers across the three compliance areas: Anti-Bribery & Corruption, Third-Party, and Data Privacy. Risk likelihood and impact were each rated on a four-point scale (as per COSO), and the overall risk level is their product (likelihood * impact). Detailed frequency distributions of the risk assessments are presented in Appendix 2. The analysis revealed consistent patterns across all risk types. The median values were 3 for both likelihood and impact, giving a median overall risk level of 9, which falls in the medium range. In contrast, the most frequently reported overall risk level was 12 (high), reflecting that a notable share of respondents rated both likelihood and impact at high levels. This gap between median and mode highlights the variability in risk perceptions across corporations. The mean scores translate to medium-high likelihood and impact levels across all risk types, and the mean overall risk assessment (likelihood * impact) indicates a medium risk level for all categories. Table 3 presents a more nuanced view of the risk assessments by comparing mean scores.
Frequencies of the Recommended Compliance Practices
The frequencies of the recommended compliance practices, detailing the frequencies by practice group, across three compliance areas: Anti-Bribery & Corruption (AB), Third-Party (TP), and Data Privacy (DP), are presented in Appendix 1.
Frequencies of the Needs Assessment Practice Group
Of the corporations surveyed, 84% (n = 78) conduct risk assessments for their CCPs; 11% (n = 10) conduct risk assessments but do not apply them to their CCPs; and 5% (n = 5) do not conduct risk assessments. No significant differences in risk assessment practices were observed across the specific CCPs. The study assessed the extent to which compliance training is consistent with overall policy and values (on a scale of 1–5). Based on the compliance officers’ feedback, the mean and median answers for the overall sample and per compliance area were 4 and above. Overall, 71% of the corporations require all employees to participate in compliance training (81% of corporations in the AB CCP, 62% in the TP CCP, and 69% in the DP CCP); the rest require only specific employees to attend, subject to their role or position. The compliance officers also assessed, on a scale of 1–5, the extent to which their policies/guidelines are principle-based (1) rather than rule-based, i.e., very detailed (5). The mean and median answers for the overall sample and for each compliance area were 3 and above.
The study assessed how often the compliance training material is updated (1 = never updated, 5 = always updated). The mean answer for the overall sample is 2.83 (median 3); for the AB CCP it is 2.63 (median 3), for the TP CCP 2.93 (median 3), and for the DP CCP 2.94 (median 3). The study also assessed how often compliance training is conducted, on a scale of 1–5 (e.g., 1 = less than once a year, 2 = every year, 3 = twice a year, and 5 = more than four times a year). The mean and median answers for the overall sample, the TP CCP, and the DP CCP were 2 and above. The mean answer for the AB CCP is 1.94 (median 3).
On a scale of 1–5, the mean and median results for the overall sample and per compliance area regarding the extent to which employees (including managers) contact the compliance department after attending the training, for clarifications or further guidance, fall between ‘rarely’ and ‘from time to time’.
Based on the compliance officers’ feedback (on a scale of 1–5), the extent to which changes in the training materials are in line with actual needs/practice (e.g., real oversights or case studies) ranged from 3.62 to 3.94 for the overall sample and per compliance area (3 = ‘sometimes’, 4 = ‘to a great extent’). The median was 4. Overall, in 52% of corporations (n = 48) the compliance training is adjusted to the role; in the AB CCP it is 47%, in the TP CCP 55%, and in the DP CCP 53%. Also, in 28% of corporations in the sample the training is adjusted to seniority: 34% in the AB CCP, 31% in the TP CCP, and only 19% in the DP CCP.
Frequencies of the Design & Development Practice Group
The compliance officers were asked to share the extent to which the corporation's subsidiaries are authorized to make local adjustments/changes to the training program defined by headquarters (based on local regulation, local practice, task analysis, risk assessment, etc.). Of 93 corporations, in 39 (42%) the subsidiaries can only provide feedback to headquarters on local needs. In 32 corporations (34%), the subsidiaries are authorized to make local adjustments/changes. However, in 22 corporations (24%), the subsidiaries have no involvement at all in the design and development of the training program: 25% in the AB CCP, 14% in the TP CCP, and 31% in the DP CCP. For those that are involved, the compliance officers were asked to assess the level of involvement. The mean answer across the sample and programs ranged between ‘a very small extent’ and ‘somewhat’.
The study assessed the extent to which the training content includes examples based on real-life cases, case studies, or dilemmas that employees actually face. Of 93 corporations, 89 (96%) use such examples in the training content; in four corporations (4%), examples are not used. A similar ratio was observed in the three CCP areas. The compliance officers were also asked to evaluate, on a scale of 1–5, the extent to which their training content is principle-based (1) rather than rule-based (very specific guidance; 5). The mean answer (2.97) reflects a mixture of principle-based and rule-based content; in the AB CCP the mean is 2.63, in the TP CCP 3, and in the DP CCP 3.28. In 48% (n = 45) of corporations, the compliance training content is translated into the local languages of the subsidiaries; in 27% (n = 25) the content is translated but not into all of the subsidiaries’ languages; and in 25% (n = 23) the content is not translated at all (it is presented in English). The content is not translated at all in 31% of corporations in the AB CCP, 24% in the TP CCP, and 19% in the DP CCP.
In 87 corporations (94%), the purpose of the compliance training is explained to employees prior to participation, while in six corporations (6%) it is not. In the AB CCP and the DP CCP the ratio was 91%/9%, while in the TP CCP all corporations in the sample (100%) explain the purpose to employees. Overall, in 56 corporations (60%), senior management informally motivates employees to attend the compliance training, mostly by sending emails on the importance of the training, initiating campaigns, and issuing specific communications regarding the training. In the other 40%, employees are informed of the need to attend only through an automatic email issued by the eTraining system; in other words, no motivational actions are conducted. In the AB CCP the ratio is 44% (no motivational actions) vs. 56% (motivational actions conducted), in the TP CCP it is 34%/66%, and in the DP CCP 41%/59%. Moreover, in 60 corporations (65%), formal motivational activities are performed to support employees’ attendance in the eTraining program, e.g., training is taken into consideration in the annual performance review/appraisal process, may affect the employee's bonus, and may lead to enforcement actions against employees who did not attend or pass the training. A similar ratio was found in all CCP areas.
Frequencies of the Implementation Group
In 52 (56%) corporations, the senior management is involved in the implementation of the training (participating in the training videos, providing aspirational quotes, etc.). In both AB CCP and TP CCP, the ratio of involvement/no involvement is 62%/38%, while in DP CCP, the ratio is 44%/56%.
In 20 (22%) corporations, employees are involved in the implementation of the training (sharing challenges, examples, real-life cases, etc.). In both the AB CCP and the DP CCP the rate of involvement is 19%, while in the TP CCP it is 28%. Moreover, of 93 corporations, in 57 (61%) the training includes non-textual visuals (e.g., animations, videos of actors or professionals): 53% of corporations in the AB CCP, 62% in the TP CCP, and 69% in the DP CCP. In 55 (59%) corporations, the training program is used for ad-hoc needs arising from a critical incident (within the corporation, in the market, in the industry, etc.): 50% in the AB CCP, 62% in the TP CCP, and 66% in the DP CCP.
Frequencies of the Evaluation Phase Group
The testing-related practices comprise five practices: (1) In 96% (n = 89) of corporations, the compliance training includes testing of employees’ learning during or at the end of the training. In the AB CCP and the TP CCP the ratio is 97% (testing in place) vs. 3% (no testing), and in the DP CCP it is 94% vs. 6%. (2) Of these 89 corporations, 81 (87%) require a minimum score to pass the test, while the other 8 require only participation in the test (the training program discloses the correct answers to employees after participation, regardless of the answers given). In the AB CCP the ratio is 91% (minimum score in place) vs. 9% (no minimum score), in the TP CCP 90%/10%, and in the DP CCP 81%/19%. (3) Of the 89 corporations, 81 (87%) offer multiple attempts to pass the test; in the other 8, the employee can attempt the test only once and, if the employee does not pass, the system discloses the answers. A similar ratio is found in the AB CCP, while in the TP CCP the ratio is 90%/10% and in the DP CCP 84%/16%. (4) In only 15% of corporations (n = 14) is the direct manager made aware of the employee's test results; in the other corporations the manager is not aware of the employee's performance. In the AB CCP the ratio is 12% (managers informed) vs. 88% (managers not informed), in the TP CCP 17%/83%, and in the DP CCP 16%/84%. (5) In 92% of corporations, passing the test is mandatory, while in the other corporations testing performance is neither monitored nor enforced. In the AB CCP the ratio is 94% (mandatory testing), in the TP CCP 93%, and in the DP CCP 91%. Analyzing these five practices, the study finds that the median approach, per CCP and overall, was to implement four of the five. (6) In 83% of corporations (n = 77), an escalation process is conducted when employees do not attend the training.
In the AB CCP the ratio is 81% (escalation in place) vs. 19% (no escalation); in the TP CCP it is 83% vs. 17%; and in the DP CCP 84% vs. 16%. Among the corporations with an escalation process, senior management is involved in 49 (53%), a disciplinary committee in 19 (20%), and a hiring committee in 6 (7%), while only 3 (3%) involve the Human Resources department. The median practice, for the overall sample and per CCP, is involvement of senior management. The study found that 39 (42%) corporations perform no compliance surveys to evaluate employees’ feedback regarding compliance program activities (i.e., training), while 42 (45%) perform surveys for every activity, 8 (9%) use surveys ‘sometimes’, and only 3 (3%) use them ‘often’. The median practice for the overall sample, as well as for the AB and DP CCPs, was ‘sometimes’, while for the TP CCP it was ‘often’.
Of the corporations that perform surveys (54 corporations), only 30 (32% of the sample) use the survey results for future training purposes. Of these, 24 (26%) always perform surveys and always use the results for future training. The median practice for the overall sample and per CCP is not to use the survey results at all. The study also assessed the extent to which corporations monitor metrics of compliance program activities to ensure they are addressing their objectives, e.g., evaluating the effectiveness of testing through analysis of questions and answers, per topic, per subsidiary, or per function. In 69 corporations (74%), there is no monitoring of effectiveness. The mean answer is that monitoring is performed rarely, while the median answer, for the overall sample and per CCP, is that monitoring is not performed at all.
Relation Coefficient Between the Control Variables and the Independent Variables
The study did not find significant relations between the corporation's asset value or market value and the risk assessment score (impact*likelihood). It found a significant positive relation (r(93) = .211, p = .043) between the corporation's sales value and the cumulative risk assessment score. When comparing the feedback (risk assessment and practices) provided by compliance officers at headquarters with that provided by officers at subsidiaries, no significant differences were found by role. In addition, no significant relation was found between the compliance officers’ experience (in the role or in the company) and their feedback regarding the practices or the risk assessment.
Statistical Inference
Hypotheses Validation - Overall Sample
The study hypothesis proposed a positive relationship between the risk variables (likelihood, impact, and overall assessment) and the implementation of recommended compliance practices. In this study, 33 practices were considered recommended. Assessing the hypothesis on the overall sample (including all CCP types), the study found several significant relations, some of them positive, as hypothesized. The study found a significant positive relation between the risk assessment ranking (impact*likelihood) and the rule-based approach of the corporation's policies (r(93) = .217, p = .036). In other words, the higher the reported risk ranking, the more the policies’ content consisted of specific rules, while the lower the reported risk ranking, the more the policies’ content consisted of principles and general guidance. In addition, the study found significant positive relations between the risk assessment ranking and the extent to which corporations perform surveys (r(93) = .236, p = .022) and use survey outcomes (r(93) = .219, p = .035) to evaluate employees’ feedback regarding the compliance program's training activities. The study also found a significant positive relation between risk impact and the frequency of compliance training (r(93) = .225, p = .030): the higher the risk impact, the more frequently compliance training is conducted. On the other hand, the study found a significant negative relation between the risk assessment ranking and the extent of escalation activities when an employee does not attend compliance training (r(93) = −.216, p = .037). Assessing the hypothesis per CCP type, the study found the following significant relations.
Hypotheses Validation - Anti-Bribery & Corruption Compliance Program
As hypothesized, several positive relations between the risk variables and the practices implemented by corporations were found. The study found significant positive relations between both risk impact (r(32) = .442, p = .011) and the risk assessment ranking (impact*likelihood) (r(32) = .410, p = .020) and the extent to which corporations’ subsidiaries are authorized to make local adjustments/changes to the training program defined by headquarters. The study also found a significant positive relation (r(32) = .382, p = .031) between the risk assessment ranking and the extent to which senior management informally motivates employees to attend compliance training (e.g., sending emails, initiating campaigns).
On the other hand, several negative relations were found between risk impact and the implemented practices. The study found a significant negative relation (r(32) = −.387, p = .029) between risk impact and required participation in the training: the higher the impact, the fewer employees are required to participate (i.e., the training is directed at specific roles or functions rather than at all employees). In addition, the study found a significant negative relation (r(32) = −.387, p = .029) between risk impact and the conduct of escalation actions when employees do not attend compliance training, meaning that the higher the risk impact, the less likely the corporation is to conduct escalation activities. The study also found a significant negative relation (r(32) = −.421, p = .016) between risk impact and the severity of escalation activities. Additionally, the study found a significant negative relation between the risk assessment ranking and the extent to which corporations use survey outcomes (r(32) = −.411, p = .019) to evaluate employees’ feedback regarding the compliance program's training activities.
In sum, the study revealed positive relations between the risk variables and practices in the Anti-Bribery & Corruption compliance program, particularly regarding subsidiary adjustments and senior management's informal motivation for training. Conversely, higher risk impact is related to narrower mandatory training participation and fewer escalation actions when employees do not attend.
Hypotheses Validation - Third-Party Compliance Program
Contrary to the hypothesis, several negative relations between the risk variables and the implemented practices were found. The study found a significant negative relation (r(29) = −.675, p < .001) between risk likelihood and the frequency of updating compliance materials (i.e., training), and a significant negative relation (r(29) = −.639, p < .001) between risk likelihood and the frequency of conducting compliance training. The study also found a significant negative relation (r(29) = −.408, p = .028) between risk likelihood and the extent to which corporations adjust the content of compliance training to the role: the higher the likelihood that the risk occurs, the less likely corporations are to adjust the training content to specific roles (e.g., finance, procurement, marketing, and sales). In addition, the study found a significant negative relation (r(29) = −.424, p = .022) between risk likelihood and the severity of escalation activities when employees do not participate in compliance training.
In sum, the study found negative relations between the risk variables and implemented practices in the Third-Party compliance program, indicating that as the likelihood of the risk increases, corporations are less likely to adjust training content to specific roles and to update compliance materials. Higher risk likelihood was also associated with less severe escalation activities when employees do not participate in compliance training.
Hypotheses Validation - Data Privacy Compliance Program
As hypothesized, only positive relations between the risk variables and the implemented practices were found. The study found significant positive relations between both risk likelihood (r(32) = .443, p = .011) and the risk assessment ranking (r(32) = .422, p = .016) and the frequency of updating compliance materials (i.e., training). The study also found significant positive relations between both risk likelihood (r(32) = .473, p = .006) and the risk assessment ranking (r(32) = .377, p = .033) and the frequency of conducting compliance training. It also found a significant positive relation (r(32) = .350, p = .050) between risk likelihood and the extent to which corporations adjust the content of compliance training to the role. In addition, the study found significant positive relations between risk likelihood and the extent to which corporations perform surveys (r(32) = .473, p = .006) and use survey outcomes (r(32) = .454, p = .009) to evaluate employees’ feedback regarding the compliance program's training activities. Similar significant positive relations were found between the risk assessment ranking and the extent to which corporations perform surveys (r(32) = .399, p = .024) and use survey outcomes (r(32) = .361, p = .042). Finally, the study found a significant positive relation between risk likelihood and the extent to which corporations monitor metrics of compliance program activities (r(32) = .411, p = .019). Details of the statistical test results are presented in Appendix 5a and Appendix 5b.
In sum, the study found significant positive relations between the risk variables and implemented practices in the Data Privacy compliance program, particularly regarding the frequency of updating compliance materials, conducting training, and performing surveys.
Discussion
This study examined the relationship between risk levels and the implementation of recommended practices in Corporations’ Compliance Programs (CCPs) across three compliance areas (Anti-Bribery & Corruption, Third-Party, and Data Privacy). Contrary to the study hypothesis, which predicted a positive relation between risk level and the extent of CCP implementation, significant positive relations were found for only nine of the 33 practices examined. Surprisingly, several significant negative relations were also observed. This discussion explores possible explanations for these unexpected results, analyzing the findings in detail for each compliance area.
Does Risk Assessment Matter in Corporate Compliance Programs?
The fact that the study found positive relations for only nine practices raises the question of why no significant relations were found for the other practices. In general, the recommended practices included in the study method differ in their maturity, i.e., in how widely they are implemented. Some practices are evidently implemented by most corporations, while others are adopted by relatively few. For example, risk assessments are conducted, policies are consistent with training, compliance materials are aligned with actual needs, training includes real-life examples or cases, and the purpose is explained in each training. The study assumes that these practices are implemented regardless of the risk level due to a mature ‘legalization of organization’, meaning that the recommended practice has become common practice across industries and corporations following the regulatory guidelines or standards. Corporations perceive these practices as valuable for improving the effectiveness of the CCP.
Conversely, other recommended practices are less commonly implemented; e.g., employees are rarely involved in the training presentation. Under the same assumption, these practices are less likely to be implemented regardless of the risk level, probably because corporations perceive them as less valuable for CCP effectiveness and for mitigating the risk. The decision to adopt a practice may also be influenced by a trend or by the fact that the practice is considered common. In other words, corporations may behave as ‘conditional cooperators’, similar to individuals (Falk & Fischbacher, 2006), and cooperate based on the behavior of others.
The study found that most measured compliance practices exhibited weak or non-significant correlations with assessed risk levels, raising important questions about their implementation and effectiveness. While this might initially suggest that these practices are not influenced by risk assessments, a deeper analysis reveals two main scenarios: practices that are widely implemented and those that are less commonly applied. When a practice is widely implemented, its uniform application can mask any variation that might be attributed to differing risk levels. Often, such practices become standardized due to regulatory requirements, internal policies, or industry norms, resulting in consistent application regardless of specific risk profiles. This uniformity creates a statistical flattening effect, where the lack of variation across risk levels leads to non-significant correlations. In these cases, the absence of a strong relationship does not imply irrelevance or ineffectiveness but rather reflects the practice's status as a foundational element of the compliance framework.
Conversely, when a practice is less commonly implemented, particularly in smaller units or regions with limited compliance resources, the weak correlation may stem from inconsistent application, lack of awareness of the practice's importance, insufficient training, or resource constraints. Limited use reduces the statistical power to detect meaningful associations with risk levels and may indicate a missed opportunity to leverage an effective risk management tool. Distinguishing between these two scenarios is essential for interpreting the findings and designing effective compliance programs. For widely adopted practices, organizations may consider tailoring them to better reflect specific risk profiles. For less common practices, it is important to identify and address barriers such as lack of awareness, inadequate training, or limited resources, and to promote broader implementation, especially in high-risk areas.
Furthermore, the observed variations in the practices adopted by different corporations suggest underlying differences in both their corporate governance approaches and the maturity levels of their Enterprise Risk Management (ERM) frameworks, particularly in the context of compliance risk management. These findings reinforce the notion that there is no standardized approach to ERM corporate governance across corporations. Instead, each organization appears to tailor its governance structures and ERM processes according to its unique context, leading to diverse strategies and levels of sophistication in addressing compliance risks. This diversity highlights the importance of considering organizational context when evaluating ERM effectiveness and underscores the need for further research into the factors influencing ERM governance standardization.
Contrary to the hypothesis, the study found a significant negative relation between the risk assessment ranking and the extent of escalation activities when an employee does not attend compliance training (r(93) = −.216, p = .037). This finding can be explained by corporations’ perception that escalation activities demotivate employees and may even increase the risk of non-compliance. Whether this perception stems from bias or from supporting evidence, this study recommends further examination of the relationship between escalation actions and compliance risk reduction.
Further to the hypothesis validation based on the overall sample, the study method included analysis of relations based on three different compliance risks. This analysis revealed various significant relations between risk assessments and the recommended practices. Looking into the results per risk area, the statistical analysis revealed deeper insights.
The Impact of Risk Assessment on Anti-Bribery & Corruption Compliance Program
The response to Anti-Bribery & Corruption (AB) compliance risk is multifaceted. The study identified significant relations in only two practices. In one practice, ‘authorizing sites to make amendments in compliance materials’, positive relations were found with both risk impact (r(32) = .442, p = .011) and risk assessment level (r(32) = .410, p = .020). On one hand, allowing subsidiaries to make local amendments based on regional regulations and cultural contexts may reduce compliance risks at the local level. However, this autonomy could also increase compliance risks due to potential misalignment with headquarters’ directives.
The study assumes that corporations recognize differences in anti-bribery & Corruption laws and regulations across countries, particularly concerning the definition of bribery & corruption and enforcement actions. This understanding may lead corporations to authorize subsidiaries to amend content to comply with local requirements.
In another practice (informal motivational actions by management), a significant positive relation was found (r(32) = .382, p = .031) with the risk assessment ranking. This aligns with the corporation's inclination to invest in a ‘positive’ approach rather than a ‘negative’ one such as escalation actions (Edwards & Gallagher, 2018). However, the study also identified several significant negative relations that complicate this picture. A significant negative relation (r(32) = −.387, p = .029) was observed between risk impact and required participation in training: higher risk impact corresponded to narrower participation requirements, suggesting that training is tailored to specific roles (e.g., public affairs, procurement, sales).
Furthermore, the study found a significant negative relation (r(32) = −.387, p = .029) between risk impact and escalation actions taken when employees do not attend compliance training. This indicates that as risk impact increases, corporations are less likely to conduct escalation activities. Additionally, a significant negative relation (r(32) = −.421, p = .016) was identified between risk impact and the severity of escalation activities. This finding supports the trend toward a “positive” approach previously discussed.
Another significant negative relation was found between risk assessment ranking and the extent to which corporations utilize survey outcomes (r(93) = −.411, p = .019) to evaluate employee feedback regarding compliance program activities. This result contrasts with findings related to the overall sample and suggests that higher risks may lead corporations to overlook employee feedback when enhancing compliance materials. These corporations may adopt a stricter enforcement approach aligned with headquarters’ requirements rather than considering employee input.
To interpret these findings, the study proposes that corporations with high perceived risk may rely on internal hedging mechanisms that reduce actual exposure. For example, limiting contract negotiations to top management or implementing strict internal controls may mitigate the need for broader training or escalation. This aligns with risk management theory, which distinguishes between ex ante perceived risk (Inherent Risk) and ex post realized risk (Residual Risk) (Fama, 1991; Monahan, 2008). Thus, the observed negative relations may reflect strategic choices to contain risk through targeted mechanisms rather than broad compliance practices.
Examining practices without significant relations reveals that some have higher frequencies compared to other CCP practices. For instance, within Needs Assessment practices, high frequencies were noted for compliance policies being consistent with training and for amending training based on employee seniority. These results are aligned with the two significant positive relations found in this group.
In Design & Development practices, a higher frequency was observed for translating compliance materials into local languages for training purposes. This finding relates to the significant positive relation regarding authorizing subsidiaries to amend compliance materials according to local needs.
In conclusion, analysis of the AB CCP results indicates that as corporations’ headquarters grant more autonomy to subsidiaries for amending compliance content, they assess higher risk levels. However, these corporations tend to adopt a ‘softer’ approach concerning escalation activities and employee feedback through surveys as risk levels rise. The study suggests that this may reflect a deliberate strategic response, where corporations mitigate risk through internal controls and targeted actions rather than broad enforcement. The diversity of results can be attributed to the fact that the sampled corporations, primarily large multinational entities, operate in diverse regulatory environments with varying enforcement levels for anti-bribery & corruption laws. Consequently, this may lead to inconsistencies in alignment as corporations prioritize compliance in regions with stricter enforcement (e.g., the U.S. under the FCPA) while deprioritizing areas where enforcement is weaker or less clear.
The Impact of Risk Assessment on Third-Party Compliance Program
The analysis of Third-Party (TP) compliance risk reveals findings contrary to the study's hypothesis, with various negative relations observed between risk assessment and implemented practices. These results, while initially unexpected, may reflect strategic decisions by corporations to manage third-party risks through mechanisms not captured in the study. Corporations with high TP risk might invest resources in mitigation actions not included in the study, such as insurance or indemnification clauses in contracts with third parties. As risk levels increase, corporations may implement fewer recommended practices included in the study, instead focusing on preventive controls to interact with low-risk profile third parties. Additionally, corporations may overestimate the effectiveness of current mitigation actions considered more ‘common’, such as due diligence and blacklist monitoring, rather than implementing recommended practices like policy development and training.
This interpretation aligns with the concept of risk transfer, whereby corporations shift the financial and operational burden of compliance failures to third parties. For example, a company may rely on contractual protections to absorb potential losses, reducing the perceived need for internal compliance efforts such as frequent training or escalation procedures. In this context, the observed negative relations, such as reduced training frequency or lower severity of escalation, may not indicate neglect but rather a calculated reliance on external safeguards. This strategic approach suggests that corporations with high TP risk may feel sufficiently protected by these mechanisms and therefore deprioritize certain internal compliance practices.
While examining practices without significant relations, the study found that survey usage occurred more frequently compared to other CCP practices, aligning with the overall sample results regarding the hypothesis.
In conclusion, the TP CCP results indicate that corporations are less likely to adopt some recommended practices, and in some cases, implementation decreases as risk levels increase. This pattern may reflect a deliberate shift from internal compliance efforts to external risk management strategies. Several factors may explain these results: First, large corporations often have vast, complex supply chains and partnerships, making consistent third-party governance challenging across regions and subsidiaries. Second, these corporations might prefer transferring risks through insurance or indemnification clauses rather than implementing additional practices. Finally, the extensive scale of third-party interactions might make comprehensive oversight seem infeasible, leading to a focus on core risks rather than expanding practices.
These findings suggest that the relationship between risk level and compliance practice implementation in the third-party domain is mediated by the presence of risk transfer mechanisms.
They highlight the need for further research into effective TP compliance risk management strategies for large corporations with complex third-party relationships. Management should consider taking a more holistic approach to risk assessment, as emphasized in the study results, to ensure that all relevant risks, including those related to third-party interactions, are adequately addressed and disclosed to investors.
The Impact of Risk Assessment on Data Privacy Compliance Program
The analysis of Data Privacy (DP) compliance risk supports the study hypothesis, demonstrating positive relations between risk variances and the implementation of various compliance practices. Notably, significant positive relations were identified between both risk possibility and risk assessment ranking in relation to the frequency of updating compliance materials and conducting compliance training. Furthermore, risk possibility showed significant positive relations with several other factors: the degree to which corporations tailored compliance training content to specific roles, the extent of survey usage, the utilization of survey outcomes to evaluate employee feedback on compliance program activities, and the comprehensiveness of monitoring metrics for compliance program activities. Similar relations were observed between risk assessment ranking and the extent of survey usage and utilization of survey outcomes. These findings suggest a robust relationship between perceived risk levels and the implementation of more comprehensive and tailored compliance practices, indicating that organizations with higher risk assessments tend to adopt more frequent and sophisticated compliance measures.
These results provide strong evidence that recommended practices are well-implemented in DP CCP, aligning with risk levels. The study suggests that for DP, the CCP primarily serves as a mitigation action to reduce risk possibility and overall risk assessment levels. The relative newness of DP CCP practices, developed over the past 20 years due to technological advancements, may contribute to compliance officers being more open to adopting new recommended practices compared to those managing AB or TP CCPs. The study argues that corporate risk appetite in each risk area may impact the results. With DP regulations evolving more dynamically than AB and TP regulations, corporations may have a lower risk appetite for DP, leading to CCPs more aligned with regulators’ recommended practices.
Another possible interpretation of the study's findings relates to the nature of the risks examined. Specifically, the observed negative relations between risk levels and the implementation of certain compliance practices may reflect a strategic distinction between core asset risks and non-core asset risks. Core risks, such as data privacy, are often perceived as integral to the organization's value and operations and thus receive more direct investment in compliance practices. In contrast, non-core risks, such as third-party or anti-bribery & corruption risks, may be managed through external mechanisms like contractual safeguards, insurance, or centralized controls. This distinction could explain why organizations facing higher levels of non-core risk may appear to implement fewer recommended practices: they may rely on risk transfer or hedging strategies that reduce the need for broader compliance interventions. Future research could explore this dichotomy more explicitly, examining how the classification of risk as core or non-core influences compliance program design and resource allocation.
In conclusion, the study found positive relations between Data Privacy compliance risk and the implementation of various recommended practices, suggesting strong alignment with risk levels in corporate compliance programs. The adaptability of Data Privacy compliance programs to new practices, compared to Anti-Bribery & Corruption and Third-Party programs, is highlighted. These results may be explained by the evolving nature of data privacy regulations and corporations’ lower risk appetite in this area. Considering the sample of large-sized, multinational corporations, their operations across multiple jurisdictions with stringent data privacy laws like GDPR, coupled with their size and resources, enable them to implement comprehensive privacy practices to mitigate significant financial and reputational risks, explaining the strong alignment observed in the study.
These findings, when considered alongside the proposed distinction between core and non-core risks discussed earlier, suggest that compliance program implementation may be shaped not only by risk level but also by the strategic nature of the risk itself.
Limitations and Directions for Future Research
The study acknowledges that the sample comprised large corporations with a multinational orientation (large geographical scope). Future research could explore smaller and domestic corporations, potentially revealing differing results due to resource constraints. Replication of the study with a larger, more diverse sample could offer broader insights.
Additionally, while the response rate of 22% is considered acceptable (Watson & Weaver, 2003), the possibility of non-response bias should be acknowledged. It is possible that corporations that chose not to participate differ systematically from those that did, whether in terms of geographic distribution, compliance culture, or risk exposure. For example, as noted in Appendix 2, Asian companies were underrepresented in the final sample. Although this limitation could not be fully addressed within the scope of this study, recognizing it enhances the transparency of the findings and highlights the need for broader sampling in future research.
The risk assessment provided by the compliance officer aims to represent the corporation's risk level, since the compliance function is responsible for the overall compliance risk assessment. Nevertheless, risk assessment may be subjective and hence may contain some biases. The study relied on one compliance officer per corporation, while, in practice, risk assessments are often the result of collaborative input from multiple compliance stakeholders in the corporation. Furthermore, one limitation of this study relates to the operationalization of the term “implementation.” While the survey instrument captured the extent to which recommended compliance practices were adopted using a 1–5 scale or binary responses, it did not distinguish between different levels of implementation maturity, such as the mere existence of a policy versus its active enforcement, employee understanding, or behavioral outcomes. As such, the findings reflect compliance officers’ perceptions of implementation rather than direct evidence of employee behavior or measurable impact. Additionally, the risk assessment methodology, which relied on multiplying perceived likelihood and impact, is inherently subjective and based on qualitative scales (e.g., “high,” “medium”). This approach, while aligned with COSO and ISO standards, may limit precision due to variability in individual judgment and threshold interpretation.
Although compliance officers were instructed to assess inherent risk, defined as the level of risk prior to the implementation of mitigation measures such as compliance programs, it is possible that some respondents did not clearly differentiate between inherent and residual risk in their evaluations. However, given the clarification provided in the survey interview and the contextual framing of the questions, the study assumes that any such discrepancy was limited and did not materially affect the overall findings.
Future research could address these limitations by conducting multi-respondent studies within the same corporation, engaging both compliance and risk managers, and by analyzing organizations subject to regulatory requirements mandating public disclosure of risk assessments, such as companies regulated by the Israel Securities Authority. Triangulating subjective assessments with objective incident data, where available, may also enhance the robustness of future findings. Also, future research could further explore the distinction between inherent and residual risk by comparing both assessments within the same organization, thereby enabling a more nuanced evaluation of compliance program effectiveness.
Another limitation of this study is that it did not examine the relationship between the corporation's risk appetite statement and the actual implementation of risk mitigation activities, including the practices included in the compliance program. While the study focused on inherent risk assessments and their relationship with practice adoption, it did not assess whether the corporation's stated risk appetite serves as a guiding principle or merely a formal declaration, with respect to compliance decision-making. Future research could explore how declared risk appetite statements influence the prioritization and execution of compliance practices, helping to determine whether such statements function as strategic compasses or symbolic artifacts in managing compliance risks.
The study assumes that the recommended practices (by regulators or standards) reflect what an ‘effective’ CCP looks like. The proposed measurement method did not validate whether implementing these practices would reduce non-compliance actions in the future. To explore whether effective compliance programs reduce the risk of enforcement, a future study is recommended to compare current practice with future enforcement. The study also acknowledges that using other measurement methods may change the score. Nevertheless, this study aims to provide a first benchmark, which can be further explored in future studies.
Despite these limitations, this study has made significant strides in addressing its primary objectives and has laid a foundation for future research in this field. The findings, while acknowledging their constraints, provide valuable insights and open avenues for further investigation and methodological refinement.
Managerial Implications
This study highlights that while guidelines provide a framework for compliance, they lack detailed instructions on practical implementation. This leaves corporations to interpret and apply these standards based on their unique circumstances, often leading to informal benchmarks in practice. Based on these findings, this study proposes the following implications for academic, regulatory, and business conduct aspects.
First, it suggests an empirical normative methodology to evaluate the effectiveness of CCP, divided into four groups of practices, based on regulatory guidelines, standards, and other recommended practices. The findings of this study indicate that while most corporations conduct risk assessments to evaluate compliance risks, the results of these assessments do not consistently lead to the implementation of many recommended practices. To address this gap, compliance officers are encouraged to adopt a structured prioritization approach based on the AD&DIE model. By aligning the implementation of compliance practices with the assessed risk level, organizations can ensure that higher-risk areas receive more robust and tailored compliance interventions. For example, in high-risk domains, priority should be given to practices such as role-specific training, escalation procedures, and the use of real-life case studies. This structured approach not only enhances the effectiveness of compliance programs but also supports better alignment with regulatory expectations and corporate risk appetite. The study findings also open the door for future research to further explore corporations’ approaches to effectively implementing compliance programs, particularly when they are more exposed to higher risk.
Second, the study findings emphasize the need to align existing regulatory guidelines (e.g., DoJ, OFAC, USSG) with the practices of corporations. Establishing regulatory guidelines that are aligned with corporations’ common practices can assist them in managing effective compliance programs. For instance, this could involve adding recommended practices that are more commonly implemented and re-evaluating the necessity or specific form of less common practices. It is important to note that less common practices are not necessarily ineffective; rather, their practical implementation may require different regulatory guidance or tailored incentives. This alignment may help regulators adopt a more productive approach when assessing the effectiveness of specific CCPs. It could also inform their considerations of enforcement actions regarding relevant investigated violations. In addition, regulators may consider publicly recognizing corporations that voluntarily implement risk-based compliance practices beyond minimum legal requirements (Derchi et al., 2020), for example through official listings or certifications. Such recognition could serve as a positive incentive, encouraging broader adoption of advanced compliance measures.
Third, this study proposes a set of compliance practices designed to assess the maturity of enterprise risk management (ERM) specifically in the context of compliance risks. Building on the findings of Beasley et al. (2015), which highlight the impact of corporate governance on organizational resilience, the adoption of these practices may serve as benchmarks for achieving an advanced level of ERM maturity. Organizations seeking to strengthen their resilience are encouraged to implement these recommended practices if they have not already done so.
Finally, future research could explore whether certain contextual variables, such as the legal domain's risk level, moderate the relationship between assessed risk and the implementation of compliance practices. Investigating such moderation effects through dedicated analytical models (Hayes, 2015; Hayes, 2017; Hayes & Montoya, 2017) may provide deeper insights into how corporations tailor their compliance programs in response to both internal and external pressures.
Summary and Conclusions
This study contributes novel empirical insights by systematically examining the relationship between risk assessment and the implementation of specific compliance practices across three distinct risk domains: Anti-Bribery & Corruption, Third-Party, and Data Privacy. While prior literature has emphasized the importance of risk assessments in compliance programs (e.g., Armour et al., 2019; Benedek & Bognár, 2024), few studies have empirically tested how variations in risk levels influence the actual adoption of recommended practices. By analyzing 33 practices across 93 multinational corporations, this study offers a granular, data-driven perspective that bridges the gap between regulatory expectations and corporate behavior. The findings, particularly the differentiated patterns across compliance domains, highlight the complexity of operationalizing risk-based compliance and provide a benchmark for future research and policy refinement.
The theoretical background of this study emphasizes the importance of conducting risk assessments as part of Corporate Compliance Programs (CCPs). It provides various recommended practices highlighted in regulatory guidelines primarily in the U.S. These guidelines outline the need for risk assessments to inform other compliance components like policies, training, and monitoring. Also, it discusses recommended practices based on risk management standards, i.e., COSO ERM and ISO 31000, the challenges in the practical implementation of these practices, and the need for more specific practical guidance from regulators.
Based on the theoretical background, the study hypothesizes that there is a positive relationship between risk assessment (including risk impact and risk possibility) and the implementation of recommended compliance practices. Specifically, it suggests that the higher the risk level, the more recommended compliance practices are implemented.
To validate the hypothesis, the study method involved an empirical quantitative approach to investigate the relationship between risk assessment and the adaptation of recommended Corporate Compliance Program (CCP) practices. Data was collected through survey interviews with compliance officers from 93 corporations listed on Forbes 2000. The study focused on three compliance domains: Anti-Bribery & Corruption, Data Privacy, and Third-Party operations. Statistical analysis was employed to examine the connections between the level of risk and the extent to which CCP elements were implemented according to recommended practices.
Contrary to the hypothesis, the study revealed that only nine out of 33 practices had significant positive relations, including rule-based policies, compliance training testing, and surveys for employee feedback. Surprisingly, several significant negative relations were also observed, particularly in the Third-Party area. These findings challenge the assumption of a consistent positive relation between risk level and practice implementation, suggesting that many compliance activities are either standardized across companies due to regulatory maturity or deprioritized, regardless of risk.
In exploring Anti-Bribery & Corruption (AB), Third-Party (TP), and Data Privacy (DP) compliance programs, findings varied. For AB, the results showed some positive relations but also reluctance to use escalation for non-attendance, perhaps due to concerns about causing negative motivation in employees. The diversity of the results can be attributed to the multinational nature of the sampled corporations, which operate in varied regulatory environments with differing enforcement levels, leading to prioritization of compliance in stricter regions and deprioritization in domains with weaker enforcement.
In TP, higher risk levels are related to less frequent updates and role-specific training, indicating limited alignment with risk-based approaches. This may reflect a strategic shift toward external risk transfer mechanisms (e.g., insurance, indemnification), rather than internal compliance practices. The study results can be attributed to the complexity of third-party risk management in large multinational corporations, challenges in maintaining consistent governance across regions, a preference for risk transfer through insurance or contracts, and the impracticality of comprehensive oversight due to the scale of third-party interactions.
For DP, strong positive relations supported the hypothesis, reflecting newer, evolving compliance requirements. This alignment may stem from the perception of Data Privacy as a core organizational risk, leading to greater investment in tailored compliance practices. The study results can be attributed to the evolving nature of data privacy regulations, corporations’ lower risk appetite, and their ability to comply with stringent laws like GDPR across multiple jurisdictions, mitigating financial and reputational risks.
These findings suggest that the relationship between risk level and compliance practice implementation is not only domain-specific but also influenced by whether the risk is perceived as core or non-core to the organization's strategic objectives. Core risks (e.g., Data Privacy) tend to receive more direct investment in compliance practices, while non-core risks (e.g., Third-Party) may be managed through external mechanisms.
The study highlights that smaller or domestic companies may yield different results due to resource constraints. In addition, the study suggested conducting a similar analysis by industry, to examine the impact of industry-specific regulations and trends. It also suggests aligning regulatory guidelines more closely with corporate practices to support effective CCP implementation and recommends future studies to assess the impact of CCPs on actual risk reduction.
Finally, the study recommends that regulators consider refining their guidelines to reflect both commonly adopted and underutilized practices, offering clearer implementation pathways and incentives for voluntary adoption beyond legal minimums. This could include public recognition for corporations that implement advanced, risk-based compliance practices.
Supplemental Material
sj-docx-1-rda-10.1177_15697371251375287 and sj-docx-2-rda-10.1177_15697371251375287: Supplemental material for “Does Risk Assessment Matter in Corporate Compliance Programs? An Empirical Study Examining the Impact of Risk Assessment on Corporations’ Compliance Programs” by Kfir Manor, in Risk and Decision Analysis.
Footnotes
Funding
The author received no financial support for the research, authorship, and/or publication of this article.
Declaration of Conflicting Interests
The author declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Notes
Statistical regressions between risk assessment and CCP implementation*
| Independent | Dependent | AB CCP r | AB CCP p value | DP CCP r | DP CCP p value | TP CCP r | TP CCP p value | All Sample r | All Sample p value |
|---|---|---|---|---|---|---|---|---|---|
| 3f_risk possibility | 5A_Update Frequency | | | 0.443 | 0.011 | −0.675 | 0.000 | | |
| | 5b_Training Frequency | | | 0.473 | 0.006 | −0.639 | 0.000 | | |
| | 7 Adjust per role | | | 0.350 | 0.050 | −0.408 | 0.028 | | |
| | 25a How Escalation is conducted | | | | | −0.424 | 0.022 | | |
| | 26bi Survey Performed | | | 0.473 | 0.006 | | | | |
| | 26bii Survey Used | −0.411 | 0.019 | 0.454 | 0.009 | | | | |
| | 26d Monitor matrix | | | 0.411 | 0.019 | | | | |
| 3g_risk impact | 4a_Who Attend | −0.387 | 0.029 | | | | | | |
| | 5b_Training Frequency | | | | | | | 0.225 | 0.030 |
| | 8 Site Authorized to amend | 0.442 | 0.011 | | | | | | |
| | 25 Escalation Actions | −0.387 | 0.029 | | | | | | |
| | 25a How Escalation is conducted | −0.421 | 0.016 | | | | | | |
| Risk Assessment Overall Rating | 4b Policy PB_RB | | | | | | | 0.217 | 0.036 |
| | 5A_Update Frequency | | | 0.422 | 0.016 | | | | |
| | 5b_Training Frequency | | | 0.377 | 0.033 | | | | |
| | 8 Site Authorized to amend | 0.410 | 0.020 | | | | | | |
| | 13 Senior Motivate | 0.382 | 0.031 | | | | | | |
| | 24a Total test items | | | | | | | | |
| | 25 Escalation Actions | | | | | | | −0.216 | 0.037 |
| | 26bi Survey Performed | | | 0.399 | 0.024 | | | 0.236 | 0.022 |
| | 26bii Survey Used | | | 0.361 | 0.042 | | | 0.219 | 0.035 |
* Only significant relations are presented (*p < .05, **p < .01).