Compliance and Risk: Clearing the Org Chart Hurdle


By Alison Taylor

There seems little doubt that the external risk and compliance environment faced by multinational companies is becoming more complex by the day. The headlines are full of potentially catastrophic geopolitical developments: the rise of ISIS in Iraq, the Ebola epidemic in West Africa, the deteriorating relationship between Russia and the West over Ukraine, and the horrors of events in Gaza.

Even without such drivers, the global compliance environment is evolving rapidly. New anti-corruption enforcement realities have taken root in China, Brazil, India and Canada, and the rise of the empowered whistleblower is making it ever harder for companies to control their reputational and regulatory risk.

Some multinationals have already placed risk management at the center of their strategic agenda, appointed a Chief Risk Officer, and focused on creating a coordinated approach to risk that encompasses quantitative and qualitative dimensions and applies a thorough, top-down lens to the risk landscape and the corporate response. However, coordinating and understanding risk management from an organizational perspective remains highly challenging. Anecdotally, confusion over communication, responsibility and authority abounds.

Here is a sample of comments I’ve heard from clients in the last month alone:

From a general counsel: “We have tried our best to implement a robust third party due diligence framework, but we still get a ton of pushback from the business about the cost. No, we don’t share the reports with the business, we just keep them on file in the legal department in case we run into trouble.”

From a Shanghai-based head of business development: “The anti-corruption crackdown here is truly a game changer and like nothing we have seen in China before. But head office keeps on pushing us to grow just as fast as before. The compliance people seem to think that all they need to do is hire an FCPA lawyer and they can limit their risks. But business practices from 10 years ago are coming back to haunt our competitors. I’m really concerned, but I am not sure that the US headquarters really gets it.”

From the chief risk officer of a major multinational law firm: “Our people seem to think they can jump on a plane and go wherever they like, when they like. We have no idea where half of them are half the time. The same applies to client acceptance – there are processes in place, but no one pays any attention to them.”

From a chief compliance officer: “My areas of responsibility are growing every month, but my budget isn’t. I only get oversight of new deals and ventures at the last minute, because the sales people don’t want me to have enough information to block their deals.”

From a head of strategy: “We just completed a major acquisition and now have on-the-ground presence in a number of high-risk new markets from Pakistan to Guatemala. We need to roll out a comprehensive approach to risk, and have arranged online training on our compliance processes, but the old management team is still in place, and they seem to do things differently from us.”

All the above problems could be addressed with a more robust risk management framework, but this is difficult in practice. The traditional preventative approach to risk management is proving inadequate in the face of regulatory complexity, volatility and an environment of constant change, but what should replace it is not yet clear. It is notable that many of the companies currently under DOJ investigation had extremely expensive, state-of-the-art risk management and compliance programs. This suggests that companies need to take the next step and embed risk considerations into strategic decision making. In turn, this means adopting a holistic perspective that embeds consciousness of risk into every part of the business, not just in the departments that play a regulatory or policing role. Otherwise, the risks tend to stay within a silo, and the parable of the blind men and the elephant applies: each function sees only the part of the risk it touches.

However, in order for this concept of risk to move beyond an idealistic aspiration, companies need to look closely at their organizational structures. The starting point remains the evolution of the external environment in real time, and an external risk assessment is best conducted by a cross-functional, senior team, perhaps with facilitation to ensure that there is appropriate prioritization. This can cover the entire risk universe faced by a company, or focus on a discrete issue, such as corruption risk.

Once individual risks have been identified, a responsibility assignment (RACI) matrix can be used to establish which teams and individuals are responsible, accountable, consulted, and informed for each risk. Ultimate responsibility may continue to sit in the standard risk ownership departments, but those who actually experience the risk need to be assigned a role in this matrix. Cross-functional accountability is also important, particularly for more nebulous areas such as political risk. Then, the organizational design and incentives can be examined more closely in order to measure whether the organization is set up to respond adequately.

An organizational analysis can be used to address any gaps in implementation of this approach. There are five levels: intrapersonal, interpersonal, group-as-a-whole, inter-group and inter-organization. Each provides a useful lens through which to examine the effectiveness of the risk mitigation strategy.

The intrapersonal level involves understanding how employees are motivated and rewarded, and how these incentives are communicated and understood. Perhaps your front-line employees in high-risk markets receive mandatory annual training on how to manage corruption risk. But is it acceptable for them to walk away from business opportunities that might compromise the integrity of the company, or is the implicit modus operandi to do the deal and fend off the compliance team with a tick-box approach? Behavioral metrics are often factored into performance reviews, but are rarely given the same weight as commercial indicators of success. In other words, are sales teams merely informed about bribery risk, when they need to be accountable for it, and in real time?

The interpersonal level involves understanding the relationships and communication between the individuals who actually experience the risk and the individuals who are responsible for addressing it. What information is provided to whom, and when? Do the risk owners have the contextual information and financial resources they need?

At the group level, interactions within board and senior executive teams, or within the risk committee, are critical. Which risk owners get the most airtime and budget? Which risks are addressed at the senior level? Is there any cross-functional conversation on risk at all, or is each risk owner operating in a vacuum? Who dominates the agenda in meetings? How are key decisions made? Is there healthy debate, driven by a shared understanding of the company’s risk appetite, or does strategic planning devolve into bitterness and territorial fights?

Inter-group dynamics are perhaps the most important of all from a risk management perspective. In order for a holistic risk management approach to be effective, the risk ownership functions need to work closely with the core business, both gathering and sharing insights. However, this will be ineffective if the fundamental concept of risk management remains a policing function, a check and balance on the company’s core growth activities. Processes need to be established so that responsibility, accountability, consultation and information needs are clear to the various stakeholders. There is little substitute for communication and debate over specific risks to embed an understanding across teams of how to mitigate them.

Finally, inter-organizational approaches can be a very effective way to share best practice on a whole range of risk issues. Industry interest groups have been very effective in certain areas in driving knowledge sharing, as well as collective action to resist extortion from government officials, demands for bribes and so on. This is often seen as the most effective approach to long-term, endemic issues, such as demands for facilitation payments. The new compliance landscape, where regulators tend to pursue companies in the same industry, or companies that use the same service provider, makes these relationships even more important. All companies in an industry are accountable, but responsibility for this particular agenda often (rightly) sits with the largest and most influential player in the industry.

The structures that are put in place will vary greatly according to industry, market and overall risk appetite, and it is difficult to generalize about what will work for an individual company. However, a much greater emphasis on the organizational dimension of risk management, and on how people interact with and respond to the risks they face, will always yield benefits. It is time to move on from checks and balances and look at innovative approaches to help all employees become individually engaged in how risk plays out in their professional lives.

Alison Taylor is a Senior Managing Director of Control Risks’ business intelligence practice, based in New York.