Bribery and corruption, data breach, fraud, IP infringement, employee malfeasance, regulatory breaches: CCOs and GCs are often asked what keeps them awake at night. However, in today’s ever-changing business environment, perhaps the question they should be asking themselves is ‘what isn’t keeping me awake at night that should be?’
The role of the CCO has always been critical in managing enterprise risks. But CCOs today are dealing with ever broader, more complex risks as business becomes more globalised, digitalised, and of course, regulated. No matter the size of a corporate compliance department, it’s easy to get caught up in day-to-day firefighting. As such, it’s essential that the relevant functions within your organisation proactively prevent and detect risks as they emerge in order to formulate an appropriate response.
How confident are you of your organisation’s ability to anticipate and assess its evolving risk profile as it expands into new service lines, jurisdictions, or customer and third-party relationships? Consider the following scenario: you finalise an acquisition of an owner-managed business in Eastern Europe. Fast forward three years. Its finance systems are still completely independent of your organisation, with its financial reports coming through on Excel spreadsheets. Would this situation even be on your radar? More to the point, would you or anyone at headquarters realise if several of its suppliers were connected to local management and that it had recently entered into major government contracts thanks to the help of a local business introducer? It’s easy to dismiss such scenarios and assume that these red flags would be picked up. But the fact is, Kroll is called in to investigate these kinds of situations every day by organisations of all sizes and maturity.
So, what are smart organisations doing to protect themselves?
Anticipating: Enterprise-Wide Risk Assessment (EWRA) is becoming something of an overused phrase of late, and all too often its practical application takes a ‘one and done’ turn. Documents are not maintained or updated, and consequently only provide a moment-in-time snapshot of a business’s risks. Frequently, the GC’s role in the process is also limited. However, when done properly, the EWRA is an invaluable tool to the business. Because businesses evolve every day, there should be a process for regular review and updates with input from the CCO and GC. Equipped with timely, on-the-ground knowledge of how the business truly operates across functions, service lines, and jurisdictions, the business will be better able to identify potential risks which may not be obvious to local staff.
Once risks are anticipated, appropriate preventative measures can be put in place that are tailored to each risk. A one-size-fits-all approach to controls is destined for failure. What is necessary and working at a shiny corporate headquarters location might be completely ineffective for a small subsidiary in a high-risk jurisdiction. When controls are implemented according to a well-thought-out and regularly updated EWRA, you can at least be reassured that the framework addresses specific risk, be it from a regulatory, intellectual property, or other perspective.
Detecting: There’s no doubt that the empowerment of the compliance function has helped mitigate risk to an organisation, but as compliance becomes smarter, so do wrongdoers. Increasingly, fraudsters are aware of what comprises a ‘red flag’, be it a transaction, third party, or commercial relationship. More than ever, it’s critical that an organisation uses the wealth of information available internally to detect and respond to potential risks.
What data is relevant will depend on your organisation; however, the continuous and evolving detection of fraud risks is an integral part of any robust fraud risk management strategy. Best practices include analysing data, conducting site visits and third-party audits, and reviewing books and records for red flags of fraudulent activity.
Regulators continue to stress that the level of monitoring and detection activity needs to be proportionate and customised to the specific business and the specific risk areas identified. With some careful and diligent consideration, an effective monitoring programme can be implemented in a targeted way without incurring massive cost and can play an important role in highlighting potential risks.
Another valuable source of help to the CCO and GC is the internal audit function, particularly in performing a detection role. These colleagues often have the most practical understanding of the nuances of different areas of a business and what constitutes a red flag. As such, formal measures should be taken to ensure the insights and findings gained from implementing their audit plan are communicated to the compliance and legal functions and incorporated into the EWRA itself.
Responding: No matter how proactive a company is in its risk management, it is impossible to anticipate and detect all potential risks. There will inevitably remain issues of varying magnitude that land on the desk of the GC that were either overlooked or could not have been anticipated. Whilst a plethora of advice is available on how to manage such investigations, the fact of the matter is each one is different. Companies can certainly apply some best practices, but as with the risk management process, each investigation has to be tailored to the issue in hand.
Ultimately, in the relief of reaching the conclusion of an internal investigation, many neglect to ask themselves a key question: “How did this happen, and what lessons can we learn to prevent it happening again?” The answer should be used to update the relevant control framework well before the investigation is concluded and likewise be fed into the EWRA, which should be a well-thumbed document on your desk rather than one sitting dusty on a shelf.
This article was first published in inCOMPLIANCE, the members' magazine of the International Compliance Association