Sunday, January 26, 2014

Starving for Compliance? Bring your Risk Appetite

“If it's your job to eat a frog, it's best to do it first thing in the morning. And if it's your job to eat two frogs, it's best to eat the biggest one first.”  ~Mark Twain
 

As Audit, Compliance & Ethics professionals, it is often our job to “eat a frog,” and when crisis strikes your organization you will likely find yourself sitting down to a banquet of frogs. Some of us consciously chose to enter the AC&E profession, while others with whom I’ve spoken tell me how their roles morphed into compliance functions. Either way, once we’ve accepted the responsibility to safeguard our organization’s enterprise risk management program, we must faithfully deploy an appropriate compliance framework.
One cannot simply purchase a compliance program from an online retailer, download it to a tablet, and check that task off the list. There is no one-size-fits-all compliance program that will align perfectly with every organization’s ERM model. The design of a compliance program begins with a studied understanding of the organization’s risk appetite. Delivering an off-the-shelf or generic compliance program to an organization without factoring in its risk appetite is like delivering a freeze-dried meal to a guest’s table without inquiring about her culinary preferences.

Risk appetite is the level of risk that an organization is willing to accept before mitigating action is required to reduce it. Formulating the risk appetite requires the Board of Directors to consciously identify its consensus balance between the anticipated benefits of a chosen course of action and the threats that an uncertain future inevitably brings. Each area of risk may carry a different risk appetite. For instance, a well-capitalized organization bearing a trusted brand may be more averse to reputation and litigation risks, but more inclined to accept a moderate degree of financial and strategic risk. Compliance risk appetites vary in the same way.
A compliance purist—if such a person exists—would trend strongly toward risk aversion. A Gordon Gekko (of Oliver Stone’s “Wall Street” fame) would trend strongly toward risk hunger. Since compliance is not generally viewed as a profit center, a typical organization’s Board of Directors will formulate a compliance risk appetite that represents its view of an appropriate balance (i.e. it expects ethical business conduct that achieves its mission). A publicly-traded company may seek to maximize shareholder value and profit, but likely seeks to avoid criminal and civil prosecution. A non-profit organization may seek to maximize its impact by serving the largest number of people in a community, but likely seeks to minimize its administrative cost ratio and avoid excessive CEO compensation.

Organizations that design, employ, and monitor compliance programs aligned with the Board of Directors’ risk appetite will encounter fewer compliance failures over the long term. I am careful to point out that all organizations, no matter how well run, will experience a compliance failure at some time. A risk appetite acknowledges that while risk may be mitigated, it generally cannot be entirely eliminated. To eliminate all risk is to forgo meaningful opportunities that competing organizations would be willing to accept, thus neutralizing your organization’s effectiveness in the space in which it competes. This applies not only to for-profit companies, because non-profit organizations also compete for scarce resources and relevancy. Risk must always be recognized as a factor to be managed.
Whether you are designing a new program or enhancing an existing compliance program, you will want to ascertain your organization’s defined compliance risk appetite. Your compliance program, including training, monitoring, and Board-level reporting, must align with that risk appetite to provide appropriate risk management tools to support your organization. Finally, periodically revisit the relationship between the stated risk appetite and your program elements to ensure that you are making appropriate adjustments.

Don’t starve your compliance program. Embrace the risk appetite. Be prepared to one day confidently defend your compliance risk management program to your external auditors and prudential regulators…and enjoy that frog sooner rather than later.
