Is Your Organization Open to Discussing Strategic Risk?
In Andrea Falcione’s last Viewpoint post, she commented on the fact that compliance and ethics need to be fully integrated into corporate culture, with compliance and ethics leadership playing an integral role on the management team. (She also expressed some surprise that this is news to some organizations.)
Matt Kelly from Compliance Week makes a similar point in his December blog post, using MF Global’s meltdown to talk about how important it is for company leadership to look for—and act on—indications of strategic risk:
…[O]ne theme kept emerging: the apparent inability of the chief risk officer to raise concerns about strategic risks. Those concerns go well beyond warnings like, “The value of our European sovereign debt now exceeds the limit set by the board,” which MF Global’s chief risk officer did give. Any CRO can do that, and he or she doesn’t even need the fierce independence advocated by the U.S. Sentencing Guidelines to do so. These days, warnings that some risk has exceeded pre-determined risk tolerances are practically pro forma.
Strategic risks are an order of magnitude more serious; they require the CRO—or the chief compliance officer, or head of internal audit, or chief ethics officer—to go the CEO or the board and say, “This is a bad idea.” When I last broached this subject in October, speaking more about internal audit’s role in auditing strategic risks, that led to furious protests from the Institute of Internal Auditors and others that a careless approach to auditing strategic risks would compromise independence.
But the fact remains that strategic risks are what boards worry about, and are what can bring a company to swift demise—as MF Global shows. Compliance and governance executives need a way to handle strategic risks if they ever want that fabled “seat at the table” to help steer a company to sustained success. That’s just the reality of the situation.
Interestingly, Kelly goes on to report that MF Global sacked its previous chief risk officer for raising exactly the same kinds of strategic concerns—which reinforces Andrea’s statement that, for all this to work, organizations must be run by people of integrity in the first place.
It’s a kind of compliance catch-22—organizations that are genuinely open to hearing about and dealing with strategic risk, even when it means raising concerns about a compelling business opportunity, are probably also organizations that already include the compliance and ethics leadership in key strategic decisions, set a compelling tone from the top, and fund robust training and awareness programs. But even well-meaning companies can be shortsighted when facing objections to promising business initiatives.
On the training side of our business, we talk a lot about the human factors that cause well-intentioned employees to bend or break the rules. A top sales person might change the date on a big contract so that it counts in the current quarter, allowing him and his team to make their numbers—and, consequently, their bonuses. An employee might agree to a course of action recommended by a manager she admires. Even though she knows it’s not exactly by the book, she trusts her manager and assumes the manager knows what’s appropriate. Plus, she thinks it might create issues for her career if she objects.
Since organizations are led by people, these same business pressures and human factors can come into play at the top. It can be difficult, on a personal level, to break with consensus. It might not be clear that others fully appreciate your concerns. There can be pressure to support a proposal that’s popular with your colleagues. And, in some organizations, there may be actual job risks to objecting.
What happens when strategic risks are raised at your organization? Is there transparency when these types of issues are discussed? Would you get a fair hearing from the right people?