Another Strategic Advantage Compliance Brings

Not long ago, a study landed on my desk from North Carolina State University and Protiviti, listing the biggest risks on the minds of boards and senior executives as we enter 2018.

Most of the risks weren’t surprising: speed of business disruption, volatility in financial markets, vulnerability to cybersecurity attacks. One risk, however, stood out as especially relevant to corporate ethics and compliance officers.

“Our organization’s culture may not sufficiently encourage the timely identification and escalation of risk issues that have the potential to significantly affect our core operations and achievement of objectives.”

Hmmm, I thought. There’s opportunity for compliance officers in those words.

Each risk in the NC State report was ranked on a scale of 1 to 10. Over the last three years, this “escalation risk” has been moving up the scale briskly: from just above 5.0 in 2016, to 5.9 heading into 2018. And 61 percent of the survey’s 728 respondents said escalation risk could have a significant impact on their organization within the next 12 months.

Bravo to senior executives for being self-aware enough to worry that they might not hear reports of trouble until it’s too late. So what can compliance officers take away from that observation? How can you position an effective compliance program as a tool to help ease that fear in the boardroom?

You can ensure that your whistleblower hotline addresses that fear.

In fact, as I’ve written many times here and elsewhere, a whistleblower hotline is the bare minimum of how a compliance program can help your enterprise. Maintaining a hotline is pure regulatory compliance: the law requires large companies to have one, so you do, with occasional analysis of calls that might come across it.

Unto itself, a whistleblower hotline accomplishes nothing more than keeping the regulators off your company’s back. It’s a cost, not anything that could add a strategic advantage.

To provide a true advantage, compliance officers need to build a larger, more comprehensive system of “incident reporting and allegations management” — a process to catch all complaints and concerns from employees (the majority of which don’t come via the hotline), and then ensure that those concerns are analyzed correctly and dispatched to the proper level of management for follow-up action.

After all, how many boards didn’t know about allegations of harassment by key employees, until the matter reached a crisis point and the key employee had to be sent packing? How many boards have approved FCPA settlements for millions of dollars, because they didn’t understand the true nature and volume of improper payments that led to FCPA misconduct? How many boards missed conflicts of interest, breaches of contract, or accounting frauds that employees knew about — because those concerns didn’t reach the board’s ear in a timely fashion?

What we’re really talking about are feedback loops: systems to relay information from the front lines of the business, back to senior management and the board.

In the worlds of enterprise risk management and military strategy, feedback loops are crucial; senior executives (or senior military officers) always fear that they don’t understand what’s really happening in the business. Above all, they’re terrified that something might not be working as expected, and they don’t know that fact.

Well, conceptually speaking, whistleblower reporting systems serve that same purpose: to relay information back to superiors, that something may not be working as intended.

Frame escalation risk that way, and you’re speaking a board’s language. Frame an effective compliance program as a tool to prevent “escalation failure” — which it is — and you position compliance as a tool to boost the company’s strategic edge.

Compliance as Strategic Advantage

This is the second week in a row that I backed into discussion of how strong compliance programs can be a strategic advantage for a company. Last week, we looked at cybersecurity risks posed by third parties, and that led to the point I call Kelly’s Law of Third-Party Risk Management: the better your firm is at managing third-party risk, the more attractive you become as a third party to others.

The common theme here is that effective compliance programs make your enterprise a better competitor — not that they help the company to cut costs or boost revenue.

Sure, sometimes an effective compliance program might lead to those things. For example, maybe a vigorous FCPA compliance program will lead you to centralize and simplify your procurement processes. Or maybe to improve your SOX compliance, you move the accounting department to a cheaper, cloud-based financial reporting system.

Still, no compliance officer can promise the board that a strong compliance program will cut costs. In many instances, it won’t. Good GRC technology, well-crafted policies, and effective training don’t come cheap.

But a compliance officer can promise that a strong compliance program will make you a better company. If you can demonstrate that you’re a trustworthy, secure, reliable business partner, more businesses will consider working with you. If you train employees well, fewer of them will do something stupid that puts your company on the front page. If you build an effective system of internal reporting and incident management, the board can get a better picture of what’s really happening more quickly.

My favorite metaphors for investing in compliance are going to college and going to the gym. Going to college never saves you money, and going to the gym never feels good the first time you go. But without question, both will pay off enormously over the course of your life, and make you a better person.

Effective compliance programs can do the same for organizations. The NC State statistic about escalation risk is only one small example of that very big truth.
