Maintaining Perspective: Enterprise and Compliance Risk Management
It is always interesting to watch the flow of risk management trends, particularly as they impact ethics and compliance issues. Financial companies have been the target of regulatory enforcement actions for risk management and control deficiencies. Citigroup and JP Morgan were two recent targets of banking regulatory enforcement actions. We will probably see a few more banks subject to regulatory enforcement actions.
Apart from the regulatory focus, and in response to the pandemic's impact on corporate entities, companies are renewing their focus on risk management. Compliance risk is an integral part of this process. As I see it, legal and compliance risk analysis is one component of an overall enterprise risk management process.
Enterprise risk management is a broad process that takes into account a variety of risks to an organization – for example, a pandemic, a natural disaster (e.g. earthquake, hurricane or flooding) or other “Act of God” could cause serious disruption to a company’s operations and have a severe economic impact on the business. Companies are devoting more attention to these issues, and rightfully so, given the impact that such occurrences can have.
COVID-19 has underscored the importance of enterprise risk management. Many companies conduct an ERM assessment by soliciting input from key functions throughout the organization, each contributing its own perspective. Some companies have a formalized procedure for conducting this analysis, while others rely on informal input. Given the importance of this analysis, companies need to devote more attention to securing reliable information, rather than just off-the-cuff, informal opinions from key functions.
To bring some rigor to the process, a specific set of questions and parameters needs to be adopted so that everyone involved is speaking the same language. I have seen risk managers sift through a set of opinionated responses, trying to score them and make sense of them as the basis for a formal risk management assessment.
Compliance risk is just one of many risks that a company faces in today's global economy. The impact of an FCPA investigation and enforcement action is certainly significant but pales in comparison to COVID-19 and the severe damage suffered by many companies that were unable to operate, or had to continue their operations with major adjustments or limitations.
I am not belittling legal and compliance risks, but in the face of environmental disasters and other catastrophic events, legal and compliance risks, which should be assessed, need to be weighed with a healthy perspective on their impact to the organization.
An accurate ERM process is critical for any organization. Based on the ERM analysis, companies have to develop contingency plans and take affirmative steps to mitigate risks. For example, if a company manufactures a key component in a single location that may be subject to weather events, risk managers have to identify alternatives in case a weather event disrupts that manufacturing. COVID-19 uncovered a vast set of supply chain and distribution risks that companies face. As a result, companies are now reassessing their ERM procedures to develop appropriate contingency and crisis management plans.
In response to recent events and economic disruptions, organizations have to revisit their ERM process and adopt a more accurate and robust one. Compliance professionals can be very helpful here. Compliance officers are familiar with risk, mitigation and gap analysis processes, and their expertise should be incorporated into the improvement of an organization's ERM process. Bringing an organization's risk expertise together is a critical initial step before effective response strategies can be developed.