In a perfect world, and one they can certainly try to shape as such, compliance officers should not be an afterthought for the board of directors.
Corporate crises—from the old-school, SOX-birthing accounting scandals of Enron and WorldCom, to the troubles of AIG, and systemic woes that bought Volkswagen and GM bad press by the ink barrel—show that a failure to link strategy with compliance and adequate risk assessment can be disastrous.
During a panel at CW’s annual conference in Washington D.C., compliance officers discussed strategies for gaining the ear, if not mindshare, of directors. On that panel: Jim DeLoach, with 35 years of experience as a member of the global consulting firm Protiviti’s solutions leadership team, and a 10-year-veteran of the COSO advisory board; and Jay Taylor, former general director for strategic risk management at General Motors.
“Boards are under a lot of pressure,” Taylor said. “They are attacked by activist investors. Even insurance companies and regulators are going after boards about risk oversight. Boards are also under pressure from an efficiency and effectiveness standpoint. How effective is the board not just in terms of overseeing risk, but in driving value?”
Those pressures offer both challenge and opportunity for compliance officers. “As CCOs, you want to understand those things because you don’t want to become irrelevant,” Taylor said. “You want to be on the playing field.” Better CCO engagement means, “if you want a seat at the table you have to bring relevant information to the board and you have to talk at their level.”
Recent surveys underscore the hardships endemic to making that happen. Research by KPMG, from a pool of 1,200 respondents that included directors and senior executives, found that 78 percent were “very” or “somewhat concerned” that management uses outdated assumptions when setting strategy.
“The biggest play we have as compliance and risk professionals is reputation. When we talk about compliance issues sometimes eyes glaze over, but when we talk about reputation, people sit up straight in their seats.”
Jim DeLoach, Member, COSO Advisory Council
“Oftentimes your assumptions are locked in,” Taylor said. “You think you understand how things work and this is how the industry is. If you don’t challenge those assumptions from time to time you can really get into a lot of trouble.”
“Organizations fall in love with their business model and that creates blind spots,” DeLoach says. “They don’t pay attention to the warning signs that are out there.” The approach to contrary news and opinion is often met with a response that combines “see no evil” with “shoot the messenger.” Nevertheless, the goal of a compliance officer should be to reach the point where the board views them as strategically integrated and “not as just another appendage.”
Being a party to strategic decisions cannot be an exercise in drinking the corporate Kool-Aid. DeLoach recalls an executive who, interviewed at the onset of the 2008 financial crisis, was asked about taking on too much concentrated risk in the area of sub-prime loans. The response: “As long as the music continues, we are going to keep dancing.”
“What’s the purpose of risk management if you are just going to dance until the music stops?” DeLoach asked. “We need to understand the critical assumptions underlying strategy and get a sense of what makes those assumptions become invalid.”
Taylor detailed mistakes that can open the door to risk, including a failure to listen to what customers want, living on past successes, and not recognizing that the business has changed from right beneath you. Examples of the latter concern as applied to the automotive sector: the rise of autonomous vehicles and ride shares like Uber and Lyft.
WHAT MAKES EFFECTIVE COMPLIANCE?
Protiviti outlines several key elements of an effective compliance program for boards to consider:
Board oversight: Proactive understanding of potentially significant compliance risks and oversight of relevant compliance programs by the board or one of its standing committees helps to establish an effective tone at the top.
Executive management supervision: Coordination and management of the compliance program by a designated senior executive are vital for organizations with complex, diverse operations.
Policies, standards, procedures and reporting mechanisms: These elements should be documented and up-to-date in critical areas and communicated to employees across the organization.
Risk assessment and due diligence activities: The risk identification process should include explicit consideration of compliance risks. Appropriate subject-matter experts should be accountable for monitoring changes to the regulatory environment continuously and identifying modifications required in the compliance risk area for which they are responsible. The organization should exercise appropriate due diligence with respect to acquisitions, new employees, joint venture partners and third-party agents to ensure they have the necessary background, resources and experience to discharge their responsibilities. Appropriate compliance language and representations should be incorporated in third-party contracts.
Effective internal controls and monitoring: There are many compliance areas with reputational impact. Effective internal control over financial reporting is critical, as are environmental, health and safety issues, security and privacy matters, FDA compliance, anti-money laundering and other compliance domains, depending on the industry. Due to the nature of compliance being managed in silos by different groups, it is important that gaps and overlaps be avoided. Periodic audits of compliance program policies, procedures and controls to assess their effectiveness at ensuring compliance at all levels and across the organization provide assurance to executive management and the board. In addition, significant areas of noncompliance and recommended solutions to enhance compliance should be reported.
Training and awareness programs: Compliance awareness education for employees, third-party agents and consultants conducting business on behalf of the organization, both in and out of the home country, should ensure that everyone is knowledgeable about the appropriate behavior, legal requirements and company policies.
Investigatory and disciplinary mechanisms: Thorough investigation and remediation of reported compliance violations are necessary to establish the appropriate discipline. Disciplinary mechanisms that are consistently enforced for those who violate compliance policy send an important message.
There are tools to assist with strategic counsel for CCOS. Risk sensing is scanning the external environment for things that could affect a company in the future. At GM these assessments were often siloed.
“We found 12 groups doing scaling, but for their own reasons,” Taylor says. “Physical security people were watching for terrorism, things that could disrupt suppliers, and protection of executives and employees as they travelled. The marketing teams were scanning social media. Competitive intelligence people were going in to look at competitors’ products. What we were able to do is get those groups together in a network, applying a risk lens, bringing that information in, and then doing an assessment to see what’s important enough to get an executive involved in.”
“War-gaming” and game theory exercises further helped brainstorm as-yet-unknown developments that could rise to a board’s need for risk management.
Scenario analysis and stress testing is also applied to the business plan. Taylor said that, at GM, even scenarios weighted with a probability of just 20 percent still emerged to have an effect on the bottom line.
“Tough competition can put fundamental, underlying assumptions at risk,” DeLoach says. “We want a seat at the table, and one way to get there is that, when we have an opportunity to meet before the board or with the CEO, bring a big-picture view as opposed to just focusing on your specific domain. I know it is not easy, but that is the price of entry we pay as professionals to have that seat at the table.”
CCOs, he adds, must understand the business, its underlying assumptions, and “big picture strategy.”
“The biggest play we have as compliance and risk professionals is reputation,” DeLoach adds. “When we talk about compliance issues sometimes eyes glaze over, but when we talk about reputation—people sit up straight in their seats. They recognize brand image is a precious enterprise asset. [At Andersen] I saw a brand I worked 30 years to build disappear in 60 days. It was tough to watch.”
“The era of plausible deniability has evaporated,” he added. “It is no longer possible for a board or CEO to separate themselves from a debacle. Issues can define an organization for a long, long time.”
“As compliance and risk professionals we have an opportunity to pick up on warning signs, connect the dots, and put ourselves at risk in communicating, at a high level, the issues we see are germane to the sustainability of the organization.”
Taylor stressed that compliance and ethics outreach needs to be carefully monitored and measured. “When you see a CEO talking and saying all the right things, that’s evidence of a strong tone at the top,” he said. “But I think a lot of senior level executives have a fundamental assumption that the tone in the middle of the organization reflects the tone at the top. How do we really know that? Compliance, risk, and audit professionals have an opportunity to provide the red flags where the tone in the middle is not consistent. The CEO may have a strong voice, but the rank and file of the organization might not be listening.”