Sarbanes Oxley : Auditing : Thought Leader

Death By A Thousand Cuts


An Investigation into the Methods and Ramifications of Compliance

By Ted Frank, CEO, Axentis

In today's intensely competitive global environment, the effective management of key legal and regulatory mandates, as well as key operational risks, represents countless life-or-death decisions for a business. With risk management taking on unprecedented importance, Global 2000 companies need every assurance that they are comfortably in control of these issues.

Given the critical implications of these issues (non-compliance can result in fines, investigations and the destruction of hard-earned reputations, among other things), it is essential that your organization be able to answer the following questions affirmatively:

- Are you comfortable with the current state of governance, risk and compliance?

- Does your company have comprehensive, usable performance information?

- Does your company have the ability to carry on a good, productive and clear conversation regarding risk or compliance management?

- Is there clarity regarding expectations and organizational accountabilities?

- Does your organization have a clearly defined, thorough and integrated business plan for managing governance, risk and compliance within the organization and the supply chain?

In all likelihood, most organizations cannot answer every question with equally positive conviction. How is it that questions such as these do not have resoundingly concrete answers? The answer is usually one of the following four reasons, and in some cases all of them:

1. Most organizations consider risk and compliance management a burden, something that has little impact on the well-being of the organization.

2. Now more than ever before, organizations are outsourcing key components of their operations to partners around the world, thus exposing the company to even greater risk, since their compliance now depends on third-party organizations and their adherence to key mandates.

3. Most organizations measure ineffective risk/compliance management by major failures, when in general a major compliance breakdown is preceded by thousands of small cuts and scratches. These minor mishaps create isolated wounds that on their own pose little threat but collectively lead to extraordinary systemic failures. In other words, most organizations probably do not see the dangers as they are taking place because they are looking for something on a catastrophic level.

4. Many executives and risk/compliance managers believe their particular areas of risk or compliance are different from those faced by other organizations. With these individuals, it is hard to tell whether this belief leads to apathy and avoidance among executives or whether it simply makes the problem too complex for organizations to develop a holistic and effective strategy.

While each company has its own reasons for missing the big picture, one thing is certain: global regulation is on the rise and here to stay. In addition, capital markets now expect reasonable command over risks of all types. Those not properly prepared may experience grave breakdowns in financial reporting controls that can have remarkable impacts on market capitalization. Conversely, effective community and government relations dramatically affect merger/acquisition approvals and the corresponding time to value.

With this in mind, what steps should every organization take to ensure compliance? Organizations need clear, straightforward strategies for governance, risk and compliance that are institutionalized in the form of formal business plans. Only then can a vision be effectively articulated and employees be held accountable for effective management of the right control processes.

Creating a Vision for 2010
While the idea of a corporate vision and overriding business plans are usual business strategies for most corporations, remarkably few extend this practice to the management of risk and compliance. Ignoring a function (or, more likely, multiple disparate functions) that as a whole generates tens of millions of dollars in expenses each year is a corporate governance failure of dramatic proportions. The magnitude of these costs alone should be enough to create a sense of urgency. Furthermore, few would dispute the benefits that effectively managing risk (in new product introductions, acquisitions, supply chains, new market expansions, credit, etc.) delivers in terms of driving market advantage, profits and shareholder return. In fact, these advantages greatly exceed the impact of compliance cost, yet ultimately only a few elite organizations are driven to institutionalize clear risk management visions and strategies.

What's Needed?
First, a comprehensive strategy. With a strategy in place, the next issue centers on the effectiveness of the initiative and measuring exactly what it is contributing to the organization. As the old saying goes, "you can't improve what you don't measure." With a compliance measurement program in place, organizations will be able to better gauge the effectiveness of the program and then make all necessary adjustments. Like a quality management program, a risk management initiative is only effective if the principles are mandated and audited throughout the corporation and not solely by administration. The reason is simple: both compliance and quality are discrete components of many different jobs or functions within the organization, and, to work, these principles (be they quality management or risk management) must be embedded and broadly distributed into the fabric of the organization so that specific process owners make risk an everyday, common factor in the decision-making process.

With the components firmly in place, effective measurement must be the core of an organization's business plan, as must the principle of internal and external benchmarking of performance. Accountability is another critical component. Accountability can only truly be achieved if risk management performance and compliance are tied to compensation and advancement. We have heard this before, but how many organizations tie more than a token amount of compensation to risk and compliance?

The bottom line is that the opportunity exists to have a successful risk program, one that opens up endless possibilities when actualized. Imagine a future where all internal personnel and external business partners have consistent, uniform definitions of governance, risk and compliance. Imagine clear accountability of all risk and compliance domains or processes and a simple and consistent definition of appropriate risk and compliance business process. Imagine a comprehensive risk and compliance software framework that supports the very broad set of governance, risk and compliance processes within the organization and its extended network of business partners. Finally envision having broad visibility into those areas of risk and compliance management where an organization has deficiencies as well as unique competitive advantages.

The Typical State of Compliance in 2006
With so many attainable benefits, why is it that many organizations do not have written risk management business plans, visions or even reliable measurement of risk and compliance? What is stopping these organizations from taking the next step?

The answer is steeped in a history of hundreds of evolving regulations, legal precedents and the slow but constant evolution of shareholder, societal and employee expectations. Many of these expectations and mandates have crept into corporations so slowly that the corporations do not recognize the damage these scratches or cuts are causing to their performance. To make matters worse, comprehensive cost data is non-existent, so calculating the financial damage is not an easily attainable task. Risk/compliance functions are also remarkably fragmented, making the implementation of a program significantly more daunting. Compounding the situation is a legacy of hesitance to spend valuable resources on projects with only indirect value to the organization.

Many of these factors have changed in the last few years. Capital markets have become remarkably efficient in information transparency, and enforcement has made a dramatic swing toward actual performance. With this in mind, there is good news. Today few organizations still believe that the current risk and compliance management spotlight is going to wane in importance any time in the near (or not-too-near) future. Organizations are now awakening to the fact that the thousands of "cuts and scratches" they are receiving are dramatically impacting their organization's health and ability to compete. Individuals within these companies recognize that outsourcing, financial reporting, supply chain, M&A and many other risks are accelerating with each passing day, and they are not surprised to learn that the internal systems in place are not keeping up with the ever-changing requirements, because internal technology organizations are generally not provided with a business plan they can support. Most cannot even point to a common governance, risk and compliance vocabulary as a basis on which to begin internal conversations, or easily identify which individuals are involved in overseeing specific aspects of risk and compliance management.

What does it all mean?
While today's organizations recognize the threat, they are trapped: multiple systems are spread across their own enterprise and those of their partners, many of which are not connected, making the first step a mystery. These "silos of compliance" that have built up over the years are much like the city-states of Italy in the 1400s: each risk/compliance domain has its own rulers and, in an effort to secure resources to sustain its community, has convinced its citizens that it has unique characteristics and needs. Ultimately, much as a lack of shared defense led to Spanish and French influence during this period of Italy's history, many corporations are recognizing breakdowns in their own competitiveness from fragmented and isolated compliance functions.

Six Steps to Begin Reaching for the Vision
While the above situation sounds daunting, the steps to improving risk and compliance management are remarkably simple. There are many ways to make this a difficult task, but a skilled leader can navigate through the external and internal constituencies that benefit from complexity and lead the organization on the path to compliance.

1) Vocabulary: It all begins with the conversation, a conversation based upon a clean set of governance, risk and compliance definitions. Is "compliance" strictly legal or regulatory in nature, or is it related to performing any process in place to control any risk? The answers to this question should drive this need home. This is an essential task, in that it is often what is assumed and not discussed that is most dangerous.

2) Expectations: What (or who) are all of the constituencies that have currently defined expectations for an organization? The universe can include a broad range of customers, regulators, investors and society in general. Risk tolerance may be entirely different for a utility than for an oil exploration firm. Defining or influencing these expectations cannot be an afterthought, nor can subsequent reporting around how well these risks are being managed.

3) Universe: A broad range of risks exist within all organizations. Companies should map, categorize and assess these risks so that all involved understand which 20 percent represent 80 percent of the impact, whether the impact is positive, negative or both. Most risks are connected in some way and are often a small component of a broad range of other processes. The most likely place to control and monitor performance is within other processes, not by pulling them out into unique and distinct processes.

4) Accountability: Another step that sounds remarkably simple, but most organizations have difficulty defining who owns the various components of risk and compliance management. It is not simply about oversight, but also the performance of risk management at the tactical level. Once accountability is clear, compensation systems and performance metrics must be implemented to measure and motivate performance.

5) Consistency: By deconstructing a few risk/compliance processes (and how their performance will be measured), a compliance officer will likely find that they are remarkably similar and not as unique as many believe. Sure, the content and specific expectations may be unique, but the way in which expectations are communicated, performance is measured and problems are addressed is extremely straightforward. Companies should pick a process model from an organization such as The Open Compliance & Ethics Group (OCEG). This is a prerequisite to automation and measurement.

6) Focus: Solving the broad risk and compliance management problem at one time is clearly too big of a project for most organizations to undertake. Instead, start with one specific area of risk and apply the above principles. Imagine the depth of process knowledge, best practices and technology that your organization has built to address Sarbanes-Oxley compliance. Has the organization charged a specific task force with leveraging these assets? If not, a dramatic opportunity is being overlooked. The needs in supply chain or information risk management are remarkably consistent with SOX and can benefit from the same expertise and technologies.

Moving Forward
Effective risk and compliance management is not a big-bang approach but an ongoing, evolving process. The process begins with recognizing the impact that these so-called "minor" cuts and scratches have on an organization before they become major issues. But this is not to say risk and compliance management efforts are solely preventative. When these efforts are fully embraced, the work often yields a unique perspective into the company as a whole. The knowledge and understanding gained can be used to recognize financial opportunities not previously realized. In other words, leveraging compliance efforts can ultimately prove valuable as a stepping stone to attaining broader business goals. Embrace this attitude and take control of your company.

Ted Frank is the CEO of Axentis, LLC, a provider of managed-service software that addresses specific compliance problems as well as enterprise-wide GRC initiatives. Axentis Enterprise helps companies manage financial, operating and regulatory risk, implementing processes that improve business performance and increase shareholder value. Axentis has more than 500,000 users in more than 100 countries.


© 2019 Simplex Knowledge Company. All Rights Reserved.