Update solution on October 10, 2024

NAVEX One
Mutable Award: Gold 2024

NAVEX One integrates technology, industry-relevant content, expertise, and data integration/insight capabilities within processes that fulfil many general GRC requirements, as well as some that are less common (arising from NAVEX Global’s heritage focus on HR-related compliance).

Informed by practitioner experience across a broad range of GRC domains, a primary objective is to integrate many types of data from the realms of risk and compliance, to enable better risk/compliance analysis. Examples include incident case data, ESG metrics, compliance data sourced from business units, external content on regulatory events and compliance benchmarks, operational risk/security data, and data on supply chain operations (e.g. risk, security, and contractual details).

Analytics and benchmarking pervade all the individual areas of GRC processing, enabling assessment of how the organisation is performing in each specialist domain. The solution provides a data warehouse, enabling it to support query and reporting of the organisation’s risk and compliance status, and to produce board and regulatory reports. A ‘GRC Insights’ subscription option is available for customers requiring custom, board-ready data delivered in NAVEX One, with PowerPoint and Excel download options, plus supporting services including benchmark comparisons (e.g. peer organisations’ employee compliance metrics).

Customer Quotes

The NAVEX One suite of ethics and compliance software solutions help us manage our risks, protect our business reputation, and create a better workplace.
Craig Hall, Senior Compliance Monitoring Manager at Currys

Easy to implement and use, we are eager to begin correlating and unlocking the value of our business risk data in new and more impactful ways. We see the potential for significant downstream operational savings with this automation.
Melissa Soiefer, Director, Data, Governance, Risk & Compliance at Shearman & Sterling

NAVEX’s long heritage in employee-related compliance leads to support for a broad range of this area’s specialist requirements. Examples of capabilities include: whistleblowing support (including NAVEX providing specialist personnel via telephone) with incident management processes; ethics and compliance training; management of policies and procedures, and codes of conduct; support of ethics disclosures; advice for customers on changing regulations and compliance requirements; and country-specific compliance support. Employees can use its Compliance Hub to report their concerns as incidents or disclosures, as well as access their training records and attestations, plus related statements of policy or codes of conduct. An AI-driven query facility supports the use of natural language to answer bespoke questions.

Fig 1 – A lifecycle approach to third-party risk management

A second group of specialist GRC requirements supported by NAVEX One is third-party risk management. The solution can provide risk analysis for potential vendor partners, in advance of onboarding and throughout the lifecycle of a contractual relationship. NAVEX’s own solution (RiskRate) can provide a spectrum of detailed risk insight into vendors, and ready-made integration is supported with external providers of risk and security metrics (e.g. BitSight, SecurityScorecard, RiskRecon, and others). Continuous monitoring can be implemented to reduce risks from third-party vulnerabilities, and to provide awareness of risks around data breaches. Changed risk levels can trigger repeat assessments outside the standard cycle, and the solution provides automation to assess the accuracy of vendor responses and adjust risk levels if warranted. Figure 1 depicts a broad range of capabilities in this area, supporting a lifecycle approach to managing multiple types of third-party risk.

The solution also supports a range of the more general GRC requirements addressed by competitors, including enterprise-wide risk management (ERM), operational risk management (ORM), and IT risk management (ITRM).

A notable design principle is NAVEX One’s strong collaboration and linkage between risk management requirements and compliance processes. Organisations can control automated risk management by specifying risk tolerances, which are implemented throughout automated processes. These include mapping of obligations from changed regulations, and the necessary changes to policies. Content provided with NAVEX One includes over 400 leading compliance frameworks and regulations, including industry-recognised templates available out-of-the-box such as the Secure Controls Framework (SCF) and a Standardized Information Gathering (SIG) Questionnaire.

Via one of the most extensive acquisition programs in the GRC market, NAVEX has gathered together a broad range of capabilities. The majority of its thousands of customers are focused on its HR-oriented specialist capabilities (e.g. enabling whistleblowers), and they represent a significant opportunity to expand the company’s presence into other user bases.

Comparing NAVEX One with full-scope alternatives from GRC solution providers, there is space to expand its support for governance requirements. Currently this support is evident in the form of reporting on compliance and risk management, but without integrating the information and analysis with the organisation’s key objectives. We would also like to see more prominence for the business continuity (BC) capability that was part of the range acquired along with Lockpath – particularly due to possible synergy as employee awareness and engagement is such a key objective in implementing a BC program.

All the constituent legacy parts were mature, well-established offerings, and integrating these via the objective-led development of NAVEX One makes it an option that many organisations should consider to support at least a range of their GRC requirements.
