Sunday, January 26, 2014

Starving for Compliance? Bring your Risk Appetite

“If it's your job to eat a frog, it's best to do it first thing in the morning. And if it's your job to eat two frogs, it's best to eat the biggest one first.”  ~Mark Twain
 

As Audit, Compliance & Ethics professionals, it is often our job to “eat a frog,” and you will likely find yourself sitting down to a banquet of frogs when crisis strikes your organization. Some of us consciously chose to enter the AC&E profession, while others with whom I’ve spoken tell me how their roles morphed into compliance functions. Either way, once we’ve accepted the responsibility to safeguard our organization’s enterprise risk management (ERM) program, we must faithfully deploy an appropriate compliance framework.
You cannot simply purchase a compliance program from an online retailer, download it to your tablet, and check that task off your list. There is no one-size-fits-all compliance program that will align perfectly with every organization’s ERM model. The design of the compliance program begins with a studied understanding of the organization’s risk appetite. Delivering an off-the-shelf or generic compliance program to an organization without factoring in its risk appetite is like delivering a freeze-dried meal to a guest’s table without inquiring about her culinary preferences.

Risk appetite is the level of risk that an organization is prepared to willingly accept before mitigating actions are required to reduce it. Formulating the risk appetite requires the Board of Directors to consciously identify its consensus balance between the anticipated benefits of a chosen course of action and the threats that an uncertain future inevitably brings. Each area of risk may carry a different risk appetite. For instance, a well-capitalized organization bearing a trusted brand may be more averse to reputation and litigation risks, but more inclined to accept a moderate degree of financial and strategic risk. Compliance risk appetites vary in the same way.
A compliance purist, if such a person exists, would trend strongly toward risk aversion. A Gordon Gekko, of Oliver Stone’s “Wall Street” fame, would trend strongly toward risk hunger. Since compliance is not generally viewed as a profit center, a typical organization’s Board of Directors will formulate a compliance risk appetite that represents its view of an appropriate balance (i.e., it expects ethical business conduct that achieves its mission). A publicly-traded company may seek to maximize shareholder value and profit, but will likely seek to avoid criminal and civil prosecution. A non-profit organization may seek to maximize its impact by serving the largest number of people in a community, but will likely seek to minimize its administrative cost ratio and avoid excessive CEO compensation.

Organizations that design, employ, and monitor compliance programs that align with the Board of Directors’ risk appetite will encounter fewer compliance failures over the long term. I am careful to point out that all organizations, no matter how well-run, will experience a compliance failure at some time. A risk appetite acknowledges that while risk may be mitigated, it generally cannot be entirely eliminated. To eliminate all risk is to forgo meaningful opportunities that competing organizations would be willing to accept, thus neutralizing your organization’s effectiveness in the space in which it competes. This applies not only to for-profit companies, because non-profit organizations also compete for scarce resources and relevance. Risk must always be recognized as a factor to be managed.
Whether you are designing a new program or enhancing an existing compliance program, you will want to ascertain your organization’s defined compliance risk appetite. Your compliance program, including training, monitoring, and Board-level reporting, must align to that risk appetite to provide appropriate risk management tools to support your organization. Finally, periodically revisit the relationship between the stated risk appetite and your program elements to ensure that you are making appropriate adjustments.

Don’t starve your compliance program. Embrace the risk appetite. Be prepared to one day confidently defend your compliance risk management program to your external auditors and prudential regulators…and enjoy that frog sooner rather than later.

Monday, January 6, 2014

Ethical Business Conduct: Context Makes a Difference

"There’s a big difference between what you have a right to do and what is right to do." ~ Potter Stewart, former U.S. Supreme Court Justice

“If everyone is thinking alike, then somebody isn't thinking.” ~ George S. Patton, former U.S. General


In this day and age, it is an increasingly popular sentiment for organizations to describe their workforce as entrepreneurial and empowered. Genuine engagement of today’s employees is a hallmark of the knowledge worker economy, and has led to continued innovation and heightened productivity. In conjunction with the advances made in employee engagement, many organizations have reduced layers of complexity and bureaucracy, and in some cases have even removed offices and walls to encourage greater collaboration between teams. Do not lose sight of the truth that roles and authority—whether explicit or implicit—continue to exist within these organizations.

Amidst this seemingly egalitarian shift in the workplace, organizations continue to implement and improve governance over ethical business conduct. Codes of Conduct flourish as more organizations recognize the real benefits, both tangible and intangible, of providing written guidance supported by training and modeled by leaders at all levels. While well-written Codes detail and illustrate appropriate business conduct guidelines and many prohibitions, these Codes do not seek to define every action for every situation. More importantly, Codes cannot be regarded in isolation from other pertinent organizational guidance and leadership structures.

The Code of Conduct should be drafted so as to apply to all levels of employees within an organization. The CEO is no less subject to conducting her business affairs in an ethical manner than is the mid-level manager or line staff. All employees should adhere to business principles that support the legal and ethical attainment of the organization’s mission. But the authority, opportunity, and tools available to senior leaders and other employees within an organization may very well differ pursuant to board approval, corporate policy, or culture.

For example, a publicly-traded company remains committed to increasing shareholder value. While the senior leadership of that company focuses on profitable long-term strategy, and salespeople focus on generating daily and monthly revenue, both groups’ actions should align with the best interests of the shareholders. To fail to act in the shareholders’ best interests would represent an unethical (and possibly illegal) breach of duty. That being said, the day-to-day roles and authority levels of the senior leadership differ from those of the salespeople and other employees.

One area where this difference may be illustrated is in the authority to enter into contracts that bind the company. A senior level executive may have been granted authority under corporate policy to negotiate and execute large-dollar multi-year contracts with external vendors, likely with additional internal controls in place. In contrast, a salesperson may have been granted authority under corporate or departmental policy to accept orders from customers, subject to additional internal review and approvals. Both groups, acting on behalf of the company and in the company’s best interest, have been granted contractual authority, but subject to different financial thresholds and internal controls.

Thus, were the salesperson to seek to negotiate and execute a contract with an external vendor in this scenario, he would have committed a breach of corporate policy, and likely the Code of Conduct. A senior level executive, though generally not engaged in sales to customers, might not be similarly constrained from accepting a customer order.

Codes of Conduct and corporate policies serve to educate and guide employees at all levels of an organization. While Codes and policies should provide clear guidelines, especially with regard to prohibited conduct, employees must recognize that excerpts of such documents should not be read in isolation or taken out of context when evaluating business conduct. The context, including role, implicit and explicit authorization, and culture, provides a backdrop against which all business conduct must also be ethically evaluated. Every employee has the duty to act ethically; not every employee has the authority to engage in every action. Thus, context does make a difference when it comes to interpreting your Code of Conduct and corporate policies.