70 Compliance Statistics to Know in 2022

70 Compliance Statistics to Know in 2022

  • December 02, 2021

If there’s one constant within the compliance industry, it’s this: 

The state of risk and compliance is ever-changing. 

As cybersecurity concerns continue to grow, the cost associated with not having a well-thought-out risk and compliance program is sky-high. 

We’ve compiled 70 compliance statistics for 2022 that cover the cost of non-compliance, compliance management, internal audit numbers, vendor risk management data, and industry trends. 

We hope these statistics will help educate teams about the importance of compliance, build a solid compliance program, and get executive buy-in to address the changing nature of compliance risks. 

The current state of compliance

As the compliance industry evolves, new technologies and tools are being introduced to streamline and improve processes. When companies take a proactive approach to creating and solidifying their compliance strategy, they find it saves them money and improves their overall security posture. 

Find out how the industry has changed in recent years. 

1. 86% of companies surveyed agreed that innovative digital technologies have helped identify financial crime. (Refinitiv's Global Risk and Compliance Report 2021)

2. The leading risk among organizations for 2021 was business interruption (41%), including supply chain disruptions. This was followed closely by cyber incidents such as cybercrime, data breaches, and fines and penalties at 40%. (Statista)

3. 70% of risk and compliance experts said the pandemic has increased their reliance on technology to improve decision making, performance monitoring, and risk management. (Thomson Reuter’s Fintech, Regtech and the Role of Compliance Report 2021

4. Firms have identified the top five risk and compliance functions that can benefit from technology as the following: 

5. Cybersecurity practices among vendors are becoming an expectation, as 44% of firms say they are being asked for proof of cybersecurity as part of a request for proposal (RFP). (ACA Key Trends and Forces Shaping Risk and Compliance Management in 2021

6. Risk and compliance programs are maturing. Navex Global found that the number of "mature and advanced" risk and compliance programs grew by 29%, while the number of "reactive and basic" ones declined by 35%. (Navex Global's 2021 Definitive Risk & Compliance Benchmark Report

7. 34% of organizations outsource some or all of their compliance functionality. (Thomson Reuter's Cost of Compliance Report 2021)

8. If it were a country, U.S. regulation would be the world’s eighth-largest economy. (CEI Ten Thousand Commandments 2021

9. When security professionals are asked how to improve their company’s security posture, the top answer is upgrading tools (67%). This is an effort which they also report is being thwarted by integration difficulties, lack of expertise, and the sheer number of tools to manage. (Netenrich's Global 2021 Survey of IT and Security Professionals)

10. 80% of respondents say they had a business continuity plan in place and that it helped them navigate the pandemic’s impact. (Navex Global's 2021 Definitive Risk & Compliance Benchmark Report)

The cost of non-compliance

Turning your compliance program into a well-oiled machine can be a daunting task. But the cost of not having such a program in place far outweighs any hesitations you may have. If you need a reminder of just how high the costs associated with poor compliance management practices can be, look no further than the data points below. 

11. Organizations lose an average of $4 million in revenue due to a single non-compliance event. (GlobalScape's The True Cost of Compliance with Data Protection Regulations

12. There has been a 45% increase in the cost of non-compliance since 2011. (GlobalScape's The True Cost of Compliance with Data Protection Regulations

13. 50% of organizations said they spend 6-10% of their revenue on compliance costs. (Bloomberg

14. 31% of respondents predict their compliance teams will grow in the next 12 months, down from 43% in 2018. (Thomson Reuter's Cost of Compliance Report 2021)

15. The projected total cost of financial crime compliance across financial institutions worldwide is $213.9 billion. (LexisNexis Global True Cost of Compliance 2020 Report)

16. U.S. businesses spend an average of $10,000 per employee on regulatory costs. (CEI Ten Thousand Commandments 2021

17. In the U.S., PCI compliance fines aren’t published, but they can range from $5,000 to $100,000 per month until the issue is dealt with. (PCI Compliance Guide FAQs)

18. Regulatory monitoring can save businesses $1.03 million on average. (GlobalScape's The True Cost of Compliance with Data Protection Regulations

19. Globally, fraud causes total losses upwards of $3.6 billion. (Association of Fraud Examiners’ 2020 Global Study on Occupational Fraud and Abuse)

20. Regulators fined banks $10 billion in a 15-month period through 2019, with most of those fines caused by cyber attacks (60%).  (Fenergo

21. Organizations spend $5.47 million on compliance compared to an average of $14.82 million for non-compliance. (GlobalScape The Total Cost of Compliance with Data Protection Regulations)  

22. The General Data Protection Regulation (GDPR) offers some of the strictest penalties among data protection regulations and standards. Under the GDPR, EU authorities can fine organizations up to €20 million, or 4% of worldwide turnover for the preceding financial year, whichever is higher. (Tessian Biggest GDPR Fines of 2019, 2020, and 2021 (So Far))

Compliance management statistics

Many organizations have begun to automate aspects of their compliance strategy. Find out what practices are becoming the norm within the risk and compliance industry below. 

23. 44% of organizations say their top compliance management challenges are handling compliance assessments, undergoing control testing, and implementing policy and process updates. (MetricStream State of Compliance Survey Report 2021

24. 76% of compliance managers say they manually scan regulatory websites to track changes and assess the impact on their organization. (MetricStream State of Compliance Survey Report 2021)

25. 40% of organizations say they use office productivity software, such as documents and spreadsheets, for compliance management. (MetricStream State of Compliance Survey Report 2021)

26. The top three skills for compliance officers are: subject matter expertise, communication skills, and anticipating future regulatory trends. (Thomson Reuter's Cost of Compliance Report 2021

27. Stagnant budgets and a shifting workforce have left many compliance teams feeling stretched, with 87% of organizations reporting they have no additional capacity due to being understaffed or only adequately staffed. (Deloitte State of Compliance 2020 Report)

28. ISO is the largest international standards organization in the world, with 24,130 international standards covering nearly every aspect of technology and manufacturing. In the year 2020 alone, ISO published 1,627 new standards. (ISO

29. 55% of organizations say their compliance culture is based around a “Can we?” rather than “Should we?” attitude, indicating a focus on building a more proactive and positive compliance culture. (Deloitte State of Compliance 2020 Report)

30. 43% of those under extreme pressure to increase revenue due to the pandemic said they would like to deploy (AI) and ML to combat financial crime in the future. (Refinitiv's Global Risk and Compliance Report 2021)

​​31. 68% of companies prioritize threats according to the potential cost to the business. The impact they fear most is loss of data and negatively affecting customer relationships. (Netenrich's Global 2021 Survey of IT and Security Professionals)

32. In the wake of the pandemic, compliance training has shifted to e-learning, with 62% of organizations reporting using that method rather than blended learning (30%) and instruction-led (9%). (Deloitte State of Compliance 2020 Report)

The importance of vendor and third-party risk management 

As many organizations opt to outsource various tasks to third-party vendors, the risks associated with sharing sensitive information jump sharply. Look at how other organizations are handling their vendor risk management practices with the statistics below. 

33. 44% of organizations have experienced a breach within the last 12 months, with 74% saying it was the result of giving too much privileged access to third parties. (Ponemon Institute’s A Crisis in Third-Party Remote Access Security report

34. 47% of firms predict they will spend more on third-party risk management resources in 2021. (ACA Key Trends and Forces Shaping Risk and Compliance Management in 2021

35. 58% of organizations say that the top challenge they face when it comes to third-party risk management is vendor responsiveness in the due diligence phase. (ACA Key Trends and Forces Shaping Risk and Compliance Management in 2021)

36. 48% of organizations find it challenging to track third-party compliance. (MetricStream State of Compliance Survey Report 2021)

37. Organizations spend more than 15,000 hours completing risk assessments each year. (Ponemon Institute and CyberGRX’s The Cost of Third-Party Cybersecurity Risk Management 2019

38. The average annual spend on vetting third parties is $2.1 million. (Ponemon Institute and CyberGRX’s The Cost of Third-Party Cybersecurity Risk Management 2019)

39. 63% of organizations say that reliance on a vendor’s reputation is the most common reason they are not thoroughly evaluating their privacy and security practices. (Ponemon Institute’s A Crisis in Third-Party Remote Access Security Report

40. 61% of respondents say their third-party management program does not define or rank risk levels. (Ponemon Institute’s A Crisis in Third-Party Remote Access Security report

41. 73% of organizations find managing third-party permissions and remote access to be a drain on internal resources and an overwhelming undertaking for their team. (Ponemon Institute’s A Crisis in Third-Party Remote Access Security report

42. Many organizations are not thoroughly vetting a vendor’s security and privacy practices. Only 49% say their organizations are doing this due diligence with all third parties before allowing them access to sensitive and confidential information. (Ponemon Institute’s A Crisis in Third-Party Remote Access Security report)

Data breaches by the numbers

Data breaches continue to be a costly risk for businesses, highlighting the need for preventative measures to monitor and flag any potential weaknesses in a company’s data protection. We’ve compiled a list of stats that underscore the costs associated with data breaches and common causes. 

43. 65% of organizations say they predict spending more on cybersecurity and privacy resources in 2021. (ACA Key Trends and Forces Shaping Risk and Compliance Management in 2021

44. Identity-based attacks are on the rise. Almost 90% of web application breaches were caused by credential abuse, and phishing was present in more than a third of all breaches. (Verizon's Data Breach Investigations Report 2021)

45. 78% of companies worldwide say zero trust has increased in priority, and nearly 90% are currently working on a zero trust initiative. (Okta's State of Zero Trust Security 2021 Report

46. More than 60% of all data breaches involve stolen or weak credentials. (Verizon's Data Breach Investigations Report 2021)

47. From February to April 2020, attacks targeting the financial sector grew by 238%. (VMWare Modern Bank Heists Threat Report

48. The average cost of a data breach among companies surveyed reached $4.24 million per incident in 2021, the highest in 17 years. (IBM)

49. Remote work poses a new threat for data breaches. Breaches cost over $1 million more on average when remote work was indicated as a factor in the event. (IBM

50. Customer personal data (such as name, email, and password) is included in 44% of data breaches. (IBM)

51. The total number of cyber attack-related data compromises year-to-date is up 27% compared to the fiscal year 2020, with phishing and ransomware seen as the top attack methods. (Identity Theft Resource Center Q3 2021 findings)

52. 67% of organizations with 5,001–10,000 employees plan to invest in employee security awareness, which is twice the number reported in 2019 (33%). (Netwrix 2020 IT Trends Report)

53. About 60% of companies have over 500 accounts with non-expiring passwords, highlighting just one of the inadequate security practices that leave companies open for data breaches. (Varonis)

54. By 2023, Gartner predicts that 65% of the world’s population will have its personal data covered under modern privacy regulations. (Gartner’s State of Privacy and Personal Data Protection report)

Internal audit insights

A key component of an organization’s governance, risk, and compliance program is regular internal audits. 

Internal audits help companies find weak spots in internal processes before an external source does. We’ve compiled the following insights surrounding internal audits, highlighting their importance and how they’re conducted. 

55. Only two in 10 chief audit executives said internal audits have experienced “extensive impact” from COVID-19. (The Institute of Internal Auditors 2021 North American Pulse of Internal Audit Report

56. The top five highest risk areas as defined by chief audit executives are: 

57. 66% of audit departments communicate with other risk and control groups within their organizations on how they can better share resources, particularly risk assessment and data analytics. (Gartner 2020 State of the Internal Audit Function Report)

58. Pre-pandemic, internal audit budgets grew 5% per year between 2017 and 2019. However, in 2020, that figure saw a 1.5% decrease. Gartner expects that number to remain flat in 2021. (Gartner 2020 State of the Internal Audit Function Report)

59. The Institute of Internal Auditors (IIA) suggests that over 75% of audit teams lack a modern audit technology solution. (IIA)

60. 62% of survey respondents said that moving from traditional, manual processes to a data-driven audit is a top challenge. (CaseWare IDEA State of Internal Audit 2020 survey)

61. Only 29.8% of respondents say that they regularly use data analytics in their audits. (CaseWare IDEA State of Internal Audit 2020 survey)

62. Holding regular compliance audits can save organizations up to $2.86 million. (GlobalScape's The True Cost of Compliance with Data Protection Regulations)

63. 37% of companies perform one or more internal audits annually. (GlobalScape's The True Cost of Compliance with Data Protection Regulations)

We hope these statistics help provide an overview of the current state of compliance. Below is a visual guide of some of the most important facts and figures we covered.

Regardless of industry, there’s no question that risk and compliance practices are crucial to running a company in our current environment. Assessing and monitoring your business’s ongoing compliance strategy can help save thousands of dollars and improve your security posture