Dealing with Enterprise Risk and Compliance, Part 2

Stephen DeAngelis

July 13, 2011

In Part 1 of this two-part series, I discussed the first five highlights from an Economist Intelligence Unit report entitled Ascending the maturity curve: Effective management of enterprise risk and compliance. It was brought to my attention by Annabel Symington, Deputy Editor of Business Research for the EIU. The study was based on the findings of “a survey of 385 senior executives from the finance, risk, compliance and legal functions in six industries: financial services; healthcare; energy and utilities; logistics and manufacturing; and the public sector.” The full report can be downloaded by clicking on this link. Headlines for the first five highlights (i.e., topics covered in the last post) included:

1. Chief Risk Officers need to earn respect from the business lines

2. Finance executives’ perception of risk differs markedly from that of other risk-related functions.

3. Which industries are most likely to suffer from significant risk or compliance failures?

4. Most people think they’re getting an “A” – until they see the “F”.

5. Where are the risks? Ask Dilbert.

I pick up the discussion with the sixth highlight, which underscores the importance of having consistent company policies.

6. One-third of organizations lack consistent policies on business practices.

“Any enterprise-wide endeavor requires a consistent set of principles and policies on business practices that can be applied across its operations. But a third of companies fail to clear this first hurdle.”

Inconsistency is a weakness that undermines organizational attempts to become more integrated. Almost every business analyst believes that integrated enterprises are the ones that are going to thrive in the decades ahead. Back in 2006, IBM CEO Sam Palmisano began pushing what he called the “globally integrated enterprise” [“How multinationals have been superseded,” Financial Times, 11 June 2006]. In that op-ed piece, Palmisano indicated that globally integrated enterprises are “made possible by shared technologies and shared business standards, built on top of a global information technology and communications infrastructure.” Obviously, inconsistent organizational policies undermine this concept. The next highlight discusses the folly of failing to learn from past mistakes.

7. Those who do not learn from history…

“When a company experiences a risk or compliance failure, what is the best way to respond? Almost three-quarters of those surveyed in a recent Economist Intelligence Unit study say they tighten policies and procedures to reduce the chances of a similar mishap. But the other side of this statistic is that over one-quarter of companies do not make any changes in policies and procedures. Those that do not adapt in response to the lessons of failure increase the likelihood that their procedures will fail again.”

We’re all familiar with the definition of insanity attributed to Albert Einstein: “Doing the same thing over and over again and expecting different results.” It’s probably not too strong of a statement to say that policymakers who fail to change policies following a compliance failure are crazy. One of the reasons that Enterra’s Supply Chain Assurance Platform (ESCAPE™) has been so well-received in the consumer packaged goods industry is that it helps manufacturers avoid making the same mistake time and again and being hit with chargeback fines and penalties. As the EIU report states, “Technology helps organisations to link disparate sources of assurance and automate the controls environment. … In many organisations, a fragmented approach to documentation and compliance processes means that critical information resides in spreadsheets, and that processes are relying on inconsistent underlying data. By replacing this approach with a central repository for data and information, companies ensure that there is ‘a single source of truth’ that is constantly updated.”

The next highlight deals with a human tendency that often finds its way into an organization’s culture.

8. Hiding failure

“Every failure contains a lesson. But learning that lesson – and, even more importantly, getting others to learn it – requires sharing what happened and what was done about it. At least a quarter of corporations don’t follow this advice in the area of risk and compliance. When asked ‘How does your organization deal with risk or compliance failures or near-misses,’ 26% of executives in a recent survey said that the problems behind the incidents were fixed in isolation, away from superiors and the larger organization.”

No one likes to admit they have failed. People in areas responsible for failures naturally fear for their jobs when failure occurs. The authors of the report are correct, however, when they state that an organization whose culture tries to hide failure is destined to fail again. An article in The Economist claims that “companies have a great deal to learn from failure — provided they manage it successfully.” [“Fail often, fail well,” 14 April 2011] One particular example detailed in the article is pertinent to this discussion:

“When Alan Mulally became boss of an ailing Ford Motor Company in 2006 one of the first things he did was demand that his executives own up to their failures. He asked managers to colour-code their progress reports—ranging from green for good to red for trouble. At one early meeting he expressed astonishment at being confronted by a sea of green, even though the company had lost several billion dollars in the previous year. Ford’s recovery began only when he got his managers to admit that things weren’t entirely green.”

As I wrote in a previous post, “The managers’ initial responses at Ford are completely understandable. No one likes to admit they failed. They fear that admitting failure will result in their dismissal. … I suspect that Ford’s charts only started to change colors when Alan Mulally convinced managers that they had a better chance of being dismissed for prevarication than for failure.” There is a well-known story about IBM’s Thomas J. Watson, Jr., who once refused to fire a mid-level executive after the executive’s lapse in judgment cost the company millions of dollars. As the story goes, when his wife asked him if he was going to fire the executive, Watson said that would be foolish since he had just spent millions of dollars educating him. That story is a good segue for the next subject — risk tolerance.

9. The most successful corporations know their risk appetite.

“The sprawling nature of large organizations almost guarantees an inconsistent approach to risk-taking, with some functions taking bigger risks than others. But a new survey from the Economist Intelligence Unit suggests that companies with a consistent risk appetite are likely to outperform the rest. High-performing companies (those in the top 20% of their industry in revenue growth) tend to be more consistent in their risk tolerance. Among that group, 48% say that their risk tolerance is consistent across functions, while 29% of those in the lower-performing group (those in the bottom 60% of their industry in terms of revenue growth) offer the same assessment.”

Developing a healthy risk appetite is not easy, because it means that organizations must embrace a certain amount of failure. The Economist article cited above states, “Simply ‘embracing’ failure would be as silly as ignoring it.” It continues:

“Companies need to learn how to manage [failure]. Amy Edmondson of Harvard Business School argues that the first thing they must do is distinguish between productive and unproductive failures. There is nothing to be gained from tolerating defects on the production line or mistakes in the operating theatre. This might sound like an obvious distinction. But it is one that some of the best minds in business have failed to make. James McNerney, a former boss of 3M, a manufacturer, damaged the company’s innovation engine by trying to apply six-sigma principles (which are intended to reduce errors on production lines) to the entire company, including the research laboratories. It is only a matter of time before a boss, hypnotised by all the current talk of ‘rampant experimentation’, makes the opposite mistake.”

As I wrote in another post, “If a seasoned executive like McNerney had a difficult time seeing the difference between good and bad failures, one can understand why fostering risk tolerance in organizations is so difficult.” The final highlighted topic from the study is the flip side of the risk coin.

10. Which two functions are most averse to risk?

“By training and inclination, executives in finance and legal tend to look at what might go wrong rather than assume that things will go right. These managers are judged by their peers as having the smallest appetite for risk, according to an Economist Intelligence Unit risk and compliance survey of 385 executives in the finance, risk, compliance and legal functions. The results are consistent across all six industries surveyed.”

Those results really shouldn’t come as a surprise. You want the people in finance and legal to protect your back and raise objections when something questionable or risky is about to transpire. Based on past experience, however, financial and legal worrywarts can take their risk aversion too far. Sometimes you want those folks to help you make something happen rather than be an obstacle to progress. Good finance and legal executives need to know when to help and when to halt without crossing any legal or ethical lines.

The study concludes that “risk and compliance management remains as relevant as ever. … In addition to the traditional goal of meeting compliance obligations, companies see the investment [in risk and compliance management] as a means of aligning their risk and controls with broader strategic goals, building better relationships with stakeholders and enhancing overall performance.” It goes on to say:

“Despite these benefits, many companies remain at a relatively early stage of adoption. An absence of serious risk failures—or lack of knowledge of them—can breed complacency and a misguided conclusion that, just because nothing has yet gone wrong, the tools continue to be effective. At a time when regulatory scrutiny is greater than ever, and when markets remain highly volatile and turbulent, this is a dangerous assumption to make.”

Despite the current political rhetoric calling for less regulation in order to stimulate the economy, I doubt that the regulatory load will be much reduced in the years ahead. The public understands that it was a lack of regulatory oversight that permitted Wall Street to plunge the globe into a recession. People also believe that it is a lack of oversight that permits hazardous products to enter the country and tainted food to enter the food chain. President Obama has ordered government agencies to scour their books for outdated and dumb regulations. It’s a shame that they have to be told to do that. But deregulation, in most cases, could prove more harmful than beneficial despite the fact that the cost of compliance is high. “Lafayette College economists Nicole and Mark Crain’s study says that the annual cost of all federal regulations on business is already $970 billion per year.” [“Can This Economy Be Saved?” by Pete DuPont, Wall Street Journal, 23 June 2011] Needlessly adding to this total by accumulating fines and penalties for non-compliance does not make sense. As I noted in the first post of this series, a business case must be made for why compliance management is important to the overall success of the organization. The EIU study goes a long way towards helping make that case.