2016 has seen a virtual tsunami of compliance failures involving some of our largest companies. From Mitsubishi to VW, from ANZ to Target, almost weekly there have been media reports about some company employees having run amok – unbeknownst to their executives and boards. People are asking: “What happened to the compliance management systems that are supposed to monitor and prevent such abuses?” Executives and boards are naturally starting to question the entire compliance management function.
Behind compliance management failures at Mitsubishi, VW, Target
It’s time to admit compliance management systems are failing their owners. A guard dog is no help if it fails to protect the asset. Most guard dogs are used as a deterrent – making any would-be wrongdoers think twice about their next action. What if the wrongdoer goes ahead anyway? For the dog to bark at the spot where missing items once stood would be noticeable but pointless.
We need to understand how and whycompliance failures occur. The weakness in most modern compliance management systems is their reliance on predictable policing, followed by periodic (historical) reporting. Yes, the system ‘works’, in that wedid eventually find out about Mitsubishi and Target – but after the real damage had been done (see: Target managing director resigns).
The fallout from these systemic compliance failures commonly results in executives and board members having to commit professionalSeppuku. With ignorance no excuse for those who are ultimately responsible for corporate governance, and the risk of being blindsided by disaster seemingly unavoidable, it’s no wonder the demand for fail-safe compliance management is coming from the top down, rather than from compliance managers at the middle level.
The paradigm shift in compliance management systems
Albert Einstein defined insanity as doing the same thing over and over again, expecting different results. Yet whenever compliance has suffered an epic fail, and leaders are sacrificed, the same type of system that failed to prevent this catastrophe will survive in usage to fail elsewhere, and cause another. Nothing short of a paradigm shift in compliance management can protect even the greatest captains of industry from ‘hanging’ over breaches within the rank-and-file.
This much-needed shift can be made possible only by changing prevailing attitudes towards compliance management – from ‘good’ compliance management being about ‘meeting the necessary regulatory controls at minimal cost’, to nothing less than a truly defensive business intelligence system of immense value to the organisation, and all of its stakeholders.
Corporate accountability without complete visibility?
When visibility and accountability is based on post-event periodic reporting, it allows time for the manipulation of data, the promotion of nebulous excuses like ‘reporting period transition errors’, and lack of avid interest by top management with its tendency to be forward-focused.
Also, the deterrence factor is lost as soon as managers realise their ability to “massage” figures is not actually being detected from above. The classic case of visibility failure stars Nick Leeson (sole protagonist in the Barings Bank collapse) who has always maintained his actions were ‘not for personal gain’ (see: Original rogue trader tells story). The shock destruction of the UK’s oldest merchant bank started with Nick Leeson covering a colleague’s mistake. When this relatively minor breach went undetected, his breaches snowballed until it was too late to save Barings.
The dangers of management desensitisation
Minor corporate infractions that ‘slip through’ have the effect of desensitising management and compliance to the erosion of ethical mores across the organisation. Without a formal, real-time monitoring and reporting system, the organisation becomes wholly reliant on peer-pressure to enforce proper norms and practices. The increasing desensitisation among colleagues, combined with personal benefits gained from improper actions, leads to the development of a ‘rogue culture’, however surreptitious its risk-laden encroachment.
The only solution is to transform existing compliance management systems from the traditional mode of ‘checking what has happened’, to using an applicable compliance framework as a real-timeassessment framework for operational performance and decision-making. This paradigm shift requires four major changes.
The four changes needed to achieve fail-safe compliance
- Link all management collateral (objectives, KPIs, risks, tasks, decisions) back to specific regulatory clauses.
Whether ISO standards, governmental regulations or corporate/legal obligations, most are reasonably mature, meaning they have been developed to cover most causes of negative outcomes. This is shown by the fact that compliance management systems usually expose the shortcomings, but what we really want is to know in time for something to done about it.
- Cross-reference all management collateral pieces to determine how they are affecting one another.
This is not a preliminary step but an on-going function. Don’t be dissuaded by the perceived enormity of it. If each manager can list a few of their obvious cross-references on a piece of collateral when working with it, it won’t take long to develop an intelligent neural network.
- Introduce traffic lights on each piece of collateral, based on business-rule triggers, with drill-down capabilities.
Traffic lights become the compliance management system’s real-time visibility and accountabilityflags. They become both an effective tool for prevention and the harbinger of ill winds. What’s required is an enterprise graphical representation dashboard. The ultimate corporate governance dashboard denotes current operational performance levels – with their traffic lights – and provides a method of drilling down to see why the traffic light has been triggered.
- Integrate with an Enterprise Risk Management (ERM) system for complete situational awareness of the business.
Traffic lights are great for drawing attention to real-time issues without any argument over discrete values, but data is needed in order to make insightful decisions on moving forward. A true ERMshould include both quantitative analysis methods and aggregation of risk across the enterprise. The triggering of a traffic light should cause an immediate re-evaluation of target risks, and their effect on corporate objectives, either automatically or manually.
With this effective compliance management protocol in place, variations of activity out of the norm (> 2 standard deviations) are flagged (for good or bad, right or wrong), delivering the accountabilityneeded, while the real-time compliance dashboard delivers the visibility.
Organisations are full of people. Some people do bad things – a fact of life which cannot be changed. What ‘good’ compliance management really means is that when bad things are firststarting to happen, the situation is detected, contained, and mitigated in ‘good’ time.
Bio:
Greg Carroll - Founder & Technical Director, Fast Track Australia Pty Ltd. Greg Carroll has 30 years’ experience addressing risk management systems in life-and-death environments like the Australian Department of Defence and the Victorian Infectious Diseases Laboratories among others. He has also worked for decades with top tier multinationals like Motorola, Fosters and Serco.
In 1981 he founded Fast Track (www.fasttrack365.com) which specialises in regulatory compliance and enterprise risk management for medium and large organisations. The company deploys enterprise-wide solutions for Quality, Risk, Environmental, OHS, Supplier, and Innovation Management.
Mastering 21st Century Risk Management” which will be available from the www.fasttrack365.com website in a couple of weeks. Meanwhile a recent Webinar on the topic can be seen at http://www.youtube.com/watch?v=nQoJj6FBxrY&feature=youtu.be in which we show how emerging best practices provide a good picture for how enterprise risk management should look in the 21st century.