Last week we had a post about managing third-party risks at decentralized organizations. Today I want to revisit that subject and look at two specific issues that arise from a business structure like that—IT projects, and fostering a strong culture.
Let’s begin by repeating the theme of last week’s article: decentralized organizations challenge the notion of strong corporate culture and governance. The more power and responsibility you place in the hands of local business units, the more they are going to act independently. Compliance officers and most other business executives know this intuitively, but too often we don’t stop to consider what that means.
It means this—that you are in a race, constantly trying to stay ahead of the business units with policies, controls, and exhortations for everyone to follow the same corporate culture and behavior, while the local units try to race ahead and meet business objectives. If decentralized structure challenges strong corporate culture and governance, then your culture and governance need to challenge it right back.
The biggest problem I hear is that chief compliance officers (and other senior executives) can’t govern the actions of local business units because you at headquarters don’t know what’s going on. You can’t get reports in a timely fashion, or data isn’t accurate, or you have no way to ask for a new analysis to examine some issue in a fresh way. You can’t gather the information you need to make better decisions.
Frankly, for many companies—why would you expect that? Corporate America has been on a mammoth acquisition binge for years. In many cases that’s what “decentralized structure” actually means: that you’re highly acquisitive, and so busy acquiring more operations to meet business goals that you can’t keep a steady grip on your governance goals. I recall one company where the compliance officer told me they had 20 accounting systems thanks to acquisitions; she couldn’t even get the whole enterprise to agree on what a third party was, much less get an accurate count of how many it had. (The pharma sector seems particularly plagued with this problem.)
Again, I don’t expect many compliance officers will consider messy IT systems as, you know, news. But we don’t stop to consider the consequences of that, either.
It means that in a decentralized organization, you need better management of IT projects. You, the compliance officer, need to collaborate more closely with the CIO, CTO, IT audit team, and anyone else involved in project management, to ensure that you can design systems that generate the information you need. You wind up needing to worry more about data classification, interoperability, defining system requirements, and the like.
Put simply, the more you want to decentralize operations, the more you need to strengthen monitoring. And that will require skill at IT projects, to integrate all those systems you have.
Otherwise your compliance risks go up, no matter how spiffy your policies and Code of Conduct look.
While you and the IT department trudge through all those integration projects (because IT projects always fall behind schedule), you’ll still be pouring all manner of policies down upon those local business units. That means you’ll also rely more on employees embracing your calls for ethical culture.
This is the other big consequence of companies adopting decentralized structures: you need to win over the hearts of employees. You need to get them to care about the company’s compliance and ethics risks.
How do you embed that into a decentralized structure? The answer will vary from company to company, but that’s the question you want to ask. You can try placing local compliance officers into the local operating units. You can tailor compensation structures to ensure that local executives are “forced” to care about compliance risks. You can massage the communications from headquarters to stress the importance of compliance.
You’ve heard all those bromides before, I’m sure. The deeper point is that decentralized organizations aren’t really decentralized at all. They behave more like a waterbed, where pushing one part down naturally forces another part up. In this case, as the company delegates more power over operational goals to local business units, your responsibility for corporate compliance and ethics actually increases—because getting local units to think about those issues, in the way you want local units to think about them, will be that much harder.