Enterprise Risk Management and the "KISS" Rule
It is amazing how professionals try and complicate tasks. The latest fad – “Enterprise Risk Management.” Corporations now have “Risk Officers.” Making ideas more complex does not mean more effective results. Overlapping corporate structures with multiple committees assigned to specific tasks are a compliance nightmare. It is really just a new form of window dressing.
To be effective, a compliance program does not need fancy names, acronyms and important titles. The Board and senior management have a responsibility to direct and supervise a compliance program. Ideally, the Board will include a Compliance Committee.
Identifying and measuring risks are the responsibilities of a Chief Compliance Officer, or a designated officer within the compliance office. A company does not need an “Enterprise Risk Manager.” They need a competent Compliance Officer, who works closely with the legal staff and the internal auditing office to identify the risks to the company, develop a compliance program in response to the risks and then make sure it is implemented and monitored. If the risks change, the program needs to change. If resources are needed to carry out the job, then it is up to senior management to assign those resources.
There is really no need to make things more complicated. In any organization or committee, I have always noticed that there a small number of officials/employees who have the energy and the drive to attack a problem and get the job done. The same goes for compliance – a company will have key actors in the organization – it may be a Board member who takes an active interest, or the Compliance Officer who is dedicated to accomplishing various tasks.
As a prosecutor, we were always told when presenting your case to follow the “KISS” rule – “Keep it Simple Stupid.” When it comes to compliance, companies need to remember that old adage.
Oddly enough you will have noted that these positions flourished in some companies where huge fraud has since been uncovered being perpetuated by actual employees. Less staff better systems then?
Absolutely — fewer staff better systems