“If it's your job to eat a frog, it's best to do it first thing in the morning. And if it's your job to eat two frogs, it's best to eat the biggest one first.” ~Mark Twain
As Audit, Compliance & Ethics professionals, it is often our job to “eat a frog,” and you likely find yourself sitting down to a banquet of frogs when crisis strikes your organization. Some of us consciously chose to enter the AC&E profession, while others with whom I’ve spoken tell me how their roles morphed into compliance functions. Either way, once we’ve accepted the responsibility to safeguard our organization’s enterprise risk management program, we must faithfully deploy an appropriate compliance framework.
One cannot simply purchase a compliance program at an online retailer, download it to a tablet, and check that task off the list. There is no one-size-fits-all compliance program that will align perfectly with every organization’s ERM model. The design of the compliance program begins with a studied understanding of the organization’s risk appetite. Delivering an off-the-shelf or generic compliance program to an organization without factoring in its risk appetite is like delivering a freeze-dried meal to a guest’s table without inquiring about her culinary preferences.
Risk appetite is the level of risk that an organization is prepared to willingly accept before mitigating actions are required to reduce it. Formulating the risk appetite requires the Board of Directors to consciously identify its consensus balance between the anticipated benefits of a chosen course of action and the threats that an uncertain future inevitably brings. Each area of risk may carry a different risk appetite. For instance, a well-capitalized organization bearing a trusted brand may be more averse to reputation and litigation risks, but more inclined to accept a moderate degree of financial and strategic risk. Compliance risk appetites vary in the same way.
A compliance purist—if such a person exists—would trend strongly toward risk aversion. A Gordon Gekko (of Oliver Stone’s “Wall Street”) would trend strongly toward risk hunger. Since compliance is not generally viewed as a profit center, a typical organization’s Board of Directors will formulate a compliance risk appetite that represents its view of an appropriate balance (i.e., it expects ethical business conduct that achieves its mission). A publicly traded company may seek to maximize shareholder value and profit, but will likely seek to avoid criminal and civil prosecution. A non-profit organization may seek to maximize its impact by serving the largest number of people in a community, but will likely seek to minimize its administrative cost ratio and avoid excessive CEO compensation.
Organizations that design, employ, and monitor compliance programs aligned with the Board of Directors’ risk appetite will encounter fewer compliance failures over the long term. I am careful to point out that all organizations, no matter how well-run, will experience a compliance failure at some time. A risk appetite acknowledges that while risk may be mitigated, it generally cannot be entirely eliminated. To eliminate all risk is to forgo meaningful opportunities that competing organizations would be willing to accept, thus neutralizing your organization’s effectiveness in the space in which it competes. This does not apply only to for-profit companies; non-profit organizations also compete for scarce resources and relevancy. Risk must always be recognized as a factor to be managed.
Whether you are designing a new program or enhancing an existing compliance program, you will want to ascertain your organization’s defined compliance risk appetite. Your compliance program, including training, monitoring, and Board-level reporting, must align with that risk appetite to provide appropriate risk management tools to support your organization. Finally, periodically revisit the relationship between the stated risk appetite and your program elements to ensure that you are making appropriate adjustments.
Don’t starve your compliance program. Embrace the risk appetite. Be prepared to one day confidently defend your compliance risk management program to your external auditors and prudential regulators…and enjoy that frog sooner rather than later.