If people responsible for compliance are operating within silos, there may well be areas of neglect, warns Paul Pilkington
Regulation, and the appropriate response to it in terms of creating effective governance, risk and compliance management, is a major concern for many corporations. This has been borne out by the results of the last two global surveys of CEOs which PricewaterhouseCoopers carries out annually. Those CEOs surveyed ranked over-regulation as one of the top three biggest risks that their organisations faced.
Over the last decade or so companies have been subject to a wide range of regulatory initiatives and changes that have created, in most cases, significant burdens of compliance in different areas of the business, often spurred on by governments and regulators responding to specific events with ever more legal requirements. The cumulative effect for many organisations has been the gradual development of governance 'silos' in which relevant data and policies are developed and held on a stand alone basis without wider communication or effective implementation throughout the rest of the organisation.
Given the increasingly global nature of business and the jurisdictional reach of initiatives such as Sarbanes-Oxley, the Foreign Corrupt Practices Act and many EU initiatives, it is not surprising that regulation should be uppermost in many CEOs' thoughts. And increasingly, organisations are looking for a way to address their overall burden of compliance in a more integrated, consistent and efficient fashion.
In some sectors, particularly financial services and pharmaceuticals, a more integrated approach is already a feature of how organisations have responded. Those sectors have arguably operated within a significantly weightier regulatory environment for longer. But there is no doubt that many other organisations across all sectors are also now keen to identify a better way to manage their compliance more efficiently and effectively and to ensure that the approach extends to driving strategic initiatives more effectively.
Re-inventing the wheel
Many organisations are managing their governance, risk and compliance from within organisational silos on a bottom-up and piecemeal basis. These silos have developed in separate departments and functions within the organisation and have created policies and approaches to deal with specific risks or regulations on a largely stand alone basis. For each individual incident or instance of regulation a new policy tends to be developed from scratch in a reactive way. This constant re-invention of the wheel hampers the ability to create a more integrated approach and reinforces the walls around each functional silo.
Going back to root causes
This piecemeal response often also covers the way that risks are managed. In this context, we have been undertaking rolling research that seeks to identify the underlying causes of high-profile incidents that have created a damaging outcome for organisations (see box). In the 26 such incidents analysed to date, the overwhelming majority did not arise from a significant unforeseen change in the external environment, but were in fact due to existing factors that had not been adequately addressed. Our research shows that the largest cause of significant incidents related to a failure in day-to-day operations, frequently related to a poor compliance culture, insufficient resources, complacency, perverse incentives and low morale. The next two largest categories of causes related to inadequate monitoring and insufficient enforcement and follow-up in response to known problems.
The root causes of many high-profile incidents over the last few years have, on analysis, often revealed a track record of the same, or similar, risks materialising. There are issues within many organisations that arise from a pre-existing set of circumstances – whether these are related to safety, instances of questionable commercial behaviour, product liability or any one of a variety of causes – that have not been addressed or contained in an appropriate way. They are not unexpected bolts from the blue. Rather, they are known issues that have not been dealt with, creating a lingering threat within the organisation.
Identifying risks on the doorstep as well as on the horizon
All this indicates that as well as scanning the horizon for emerging risks in the external environment, organisations need to ensure that they also focus on the risks already identified in their day-to-day operations and ensure that they have the appropriate monitoring in place and the mechanisms established that allow them to learn from mistakes that have been made in the past.
This means drawing on the wide range of monitoring and reporting functions already within the business, but ensuring that this is done in an integrated way so as to provide the most comprehensive picture possible of the potential risks facing the organisation. A wide range of different information sources can be productively tapped to identify lead indicators of potential future problems. The sources of appropriate information should include the traditional internal assurance providers, including those with an operational and commercial focus. The organisation should also draw on sources in human resources (HR), legal, compliance and finance.
For example, the high correlation of adverse incidents and staff problems points to HR as a useful source of information from employee satisfaction to safety surveys. In much the same way, the legal department can provide valuable insight into the nature and extent of particular types of legal action to which the organisation may have been subject, indicating likely areas of potential concern.
Many organisations also operate with specialist audit functions that focus on industry-specific concerns, and these can also create insight into the likely existence of persistent problems. Businesses in the food industry, for example, are likely to have assurance focus on hygiene and food safety. Those in extractive industries will have a particular focus on operational procedures and safety. Other functions, such as finance, supply chain, corporate responsibility and so on are all likely to be valuable repositories of information and data that can help pinpoint potential or ongoing problems. Lack of integration and consistency across compliance silos often manifests itself in incidents that arise outside the core risk focus of the business. A company may have stringent requirements and high standards in its core area of operations – for example operational safety – but be caught out by an incident in another part of its business, such as anticompetitive practices, where the focus on risk has not been applied to the same exacting standards.
This lack of uniformity in the approach to risk and compliance is evidence of a lack of integration, and signposts the need for an approach that can identify what appropriate behaviours and attitudes are required from every individual within an organisation and the mechanisms required to ensure they become embedded.
The main mechanisms of control
Our experience of working with leading businesses shows that there are three principal categories of mechanism that management uses to exercise effective control:
¦ Culture and value These establish the principles that guide an individual's innate sense of acceptable and appropriate behaviour and actions within the context of a particular organisation. These values are set from the top of the organisation and are frequently set out in a code of conduct
¦ Management systems These are the instructions and guidance on which an individual can rely for understanding how a particular task should be carried out along with the appropriate processes, technologies and tools to achieve them
¦ Oversight This consists of the right people being given the right tasks, and ensuring that they have the appropriate and sufficient resources, as well as operating with proper levels of supervision and monitoring.
Every business will use a different mix of these mechanisms, and even within the same organisation will emphasise one or more over others, depending on the context and the desired outcomes from a particular part of the business. It is possible, for instance, that a company in heavy industry will rely on a systematic and rules-based approach to ensure operational safety in its operations, but rely more on values or cultural factors in the management of its strategic planning or its trading arm in order, in each respective context, to ensure that key risks are successfully mitigated. This is a matter of management style, rather than right and wrong approaches. But an organisation's assessment of its governance needs to be focused on each of the above elements in a balance which is appropriate to the particular management style being exercised.
Fundamentally, each of the different mechanisms points to a very simple question about how an individual within an organisation understands what is expected of them and how they should execute the tasks they are set. These mechanisms cut across functional and compliance silos and show how understanding of responsibility and accountability can be integrated throughout an organisation so that every individual is able confidently to answer questions regarding their own role. They also show how organisations can start the process of understanding where their own control emphases lie, and make sure that they assess and measure their current organisation in an appropriate way.
Integration drives performance
Our research shows that organisations that are able to achieve an integrated approach to governance, risk and compliance realise tangible and measurable benefits from doing so. We commissioned some independent research which demonstrated that the benefits include an increase in reputational value of 23%, an increase in employee retention of 10% and revenue increase of 8%. These findings show that the value of such an approach far exceeds merely operating within the law. In fact, our experience indicates that it can yield significant broad benefits, including the following:
¦ Cohesion and consistency across all elements of compliance within the company
¦ A lower total cost of compliance by eliminating duplication and the need to 're-invent the wheel' in response to any new initiative
¦ An ability to quickly integrate new legislation and regulations from multiple jurisdictions into an existing regulatory framework
¦ Helping to avoid being surprised by adverse incidents and media reports and litigation and helping to manage the impact when things go wrong
¦ The possibility of driving sustainable growth and positively contributing to competitive performance by influencing behaviour
¦ Focusing management information on the right non-financial areas.
As businesses move towards the adoption of a more integrated approach to governance, risk and compliance they need to ensure that they identify the barriers that currently block greater consistency in the way they operate. As well as helping to achieve basic objectives of legal compliance, risk avoidance and issue management, this will also help companies to achieve their objectives in respect of streamlining business processes, producing better quality products and services, and driving performance.
HIGH PROFILE INCIDENTS
1 An official investigation into an infrastructure failure concluded that rules already on the books would likely have prevented the tragedy. The investigation also found that procedural work-arounds were accepted as normal; abnormal exceptions were not investigated, and executives and managers were aware of problems but failed to act.
2 A product recall resulted from outsourced manufacturers failing to apply established standards, and initially too much trust being placed in the outsourcers. Once strengthened checking systems were put in place, an additional group of non-compliant outsourcers were identified, and their operational practices were rectified and more closely monitored on an ongoing basis.
3 Two cases of corruption, and one of anti-competitive practice, were the result of a failure to apply long-standing policies. One company additionally failed to properly monitor compliance.
Paul Pilkington is director, risk assurance services, PricewaterhouseCoopers LLP, www.pwc.com