Explaining Compliance in Boom Charts
You might not have noticed this yet, but booms are having a moment these days. That’s a great trend for compliance, audit, and risk professionals.
Specifically, people are using the phrases “left of boom” and “right of boom” more often, usually to describe how governments, businesses, and other organizations respond to sudden events — the “booms” that strike like a bomb blast. I used those phrases myself just last week in a post about cybersecurity, and that made me wonder: what’s going on with booms?
The proximate cause of all this boom talk seems to be a new book, The Devil Never Sleeps: Learning to Live in an Age of Disasters, by Harvard University professor Juliette Kayyem. Kayyem uses the left- and right-of-boom phrases quite a bit in her book and on the media tour she’s been doing lately, and others (including me) have adopted her turn of phrase as well. I even visited Google Trends to see how many people have searched for “left of boom” over the last 12 months. As you can see from the chart below, public interest in the term is, well, booming.
This is a good thing for compliance professionals, because “left of boom” and “right of boom” are wonderful concepts to use when explaining what you do, why it’s important, and how compliance teams can support the enterprise. So let’s take a look at this metaphor and unpack its usefulness.
Why Booms Matter
I haven’t yet read Kayyem’s book, but the basic premise is straightforward: disasters can strike swiftly and severely, and corporate organizations need to be prepared for that. Those preparations should follow two paths:
- Steps to reduce the severity of the disaster when it does eventually strike (left of boom);
- Steps to build the organization’s response capability after the disaster strikes (right of boom).
A subtle but important assumption here is that the disaster always strikes. No matter what mitigation steps your organization takes left of boom, the boom still happens: the cybersecurity breach, the FCPA violation, the insider trading indictment, the outbreak of war, the outbreak of pandemic, the #MeToo accusation against the CEO. Then your organization tumbles into the right of boom world and all the tumult it brings.
The compliance team’s work straddles both sides of the boom, and that’s why it is such a useful metaphor to explain what you do. Sketching out a “Boom Chart” allows you to take a tangible corporate disaster and explain how your compliance activities help to both avoid and respond to that disaster.
For example, this was the Boom Chart I used last week to explain how compliance officers can help with cybersecurity:
But why stop there? The Boom Chart for an FCPA event would look like this:
The Boom Chart for AML compliance might look like this:
And one for privacy compliance might be this:
You get the idea. We could work up charts of any number of risks, and yours might be far more detailed than the thumbnails I sketched out above. Regardless, Boom Charts are an easy way to explain what the compliance team does to help the company avoid, and recover from, mistakes and disasters that could strike your enterprise at any time.
I also like Boom Charts because they can help you communicate clearly and concisely with other risk assurance functions about who does what. For example, when someone in the IT security team sees “root cause analysis” on your cybersecurity Boom Chart, that person might ask (quite reasonably), “Who does that root cause analysis? Because you’re a compliance person and you don’t have the chops to do that. Will you end up foisting that on me?”
Then the two of you can have a more productive conversation to define precise tasks for that root cause analysis, and document those tasks as part of a written plan. Ditto for compliance and legal teams looking at the Boom Chart for an FCPA event; or compliance and HR looking at one for a #MeToo allegation, and so forth. Boom Charts can clarify roles and responsibilities, which is crucial for modern risk management.
Indeed, that’s another selling point: done wisely, this style of presentation drives home the message that compliance teams don’t exist just to enforce obedience to rules drawn up by faceless bureaucrats somewhere; compliance teams also help with risk management. That’s an important message for senior executives and boards setting your budget, and for employees in operating units whose support is so crucial for your compliance program to succeed. Telegraph it to them any way you can.