Bye-bye, best practice?
If there’s one term (beyond the benighted “zero tolerance”) that is holding us (risk, compliance, sustainability, etc. practioners) back, it’s “best practice.” If we imagine our organisations as buildings, our job is to keep them safe, sustainable, and secure without preventing them from fulfilling their core purpose. To do that requires four steps.
1. Context: What do you do? Best practice for a rare metals recycling facility should look very different to a retail chain.
2. Environment: Where do you operate? Climate, crime, community, conflict, and other factors (typically) beyond your control will inform how you build.
3. Design: How you operate, as well as resource availability and constraints, will influence design. An expansive glass boxy Scandinavian den may look lovely, but it’s impractical if you build affordable housing.
4. Behavioural factors: Who works for you, who visits your building, and what are their needs? A temporary medical aid facility in a conflict zone requires very different considerations from a Swiss health resort, even if both are in the same sector (healthcare).
These examples are intentionally contrasting, but recipients of this email span numerous countries and sectors. Arguing that there is “best practice” across every sector in areas as diffuse as human rights, anti-corruption, and resource consumption is pure nonsense. Yet, so many risk systems perpetuate this lunacy.
Yes, there are some areas where the best practice principles are consistent. For instance, having a risk assessment that considers external context, internal controls, and behavioural drivers of risk is optimal. Having a consistent and diligent approach to protecting whistleblowers also makes sense.
However, best practice becomes impractical in some of the most costly areas. For instance:
Policies and procedures – I’ve met sole traders whose clients asked for diversity policies 😖.
Supply chain due diligence and oversight – General Motors’ influence and oversight of suppliers differs from that of a regenerative farming cooperative.
Sustainability goals – a Middle-Eastern manufacturer of highly complex devices concocting oncology drug doses were required (by a health service) to detail their work on all 17 sustainability goals, most of which are, at best, tangential to their impact.
Resources and structure – not everyone needs an audit committee, and no, compliance shouldn’t (always/often/ever) report to legal.
Confidential investigations – a fixation on knowledge (harassment, fraud, safety, etc.) often leads rather than prioritising skills (interviewing, gathering evidence, research, etc.). So, money, time, and resources are wasted on teams that cannot adapt to the myriad issues that occur.
Monitoring & controls – when the other steps (context, environment, design, and behavioural factors) aren’t done correctly, HUGE amounts of time and money are wasted looking at the wrong things from the wrong angle with the wrong tools.
Many mid-caps and SMEs are blighted by these problems as their clients, investors, lenders, etc., tell them to “implement best practice” and then dump a lot of regulatory blubber on the business, usually to the detriment of performance and morale, leading to risk and sustainability resistance and cynicism.
There is a better way. I’m lucky to work with forward-thinking investors who recognise investees need something rightsized, relatable, and relevant. In this context, best practice is bespoke. Ignore the noise and focus on creating frameworks that match what you do, how you do it, where, when, and why.