How can risk and integrity (including ethics & compliance, E&C, functions) become a business engine and not a compliance handbrake?
I’m paraphrasing a great question I’ve heard and seen repeatedly. Many intelligent people have written extensively on this topic. I won’t. At least not in one post. The focus will be on one area today (maybe more in time). But first, we need to examine some of the common reasons to care about risk and integrity (I’m bucketing them for brevity):
- Reputational harm: brand damage, undesirable employee, untrustworthy partner, etc.
- Liability: personal & professional legal exposure, disciplinary action, jail, etc.
- Disruption: business interruption, management time, rebuilding relationships, etc.
- Financial: fines, share price erosion, opportunity cost, lost business, investigative & legal costs, etc.
You’ll see a theme here: they’re all fear-based motivators.
Do you get a warm and fuzzy feeling when you buy insurance? Comforted in the knowledge that if you lose a digit or worse, you’ll get a payout, maybe, at some point? No, but why? Or are you the optimistic (or cavalier) person who thinks no harm will ever befall you? Many senior leaders are Type A “It’ll never happen to me” personalities. Is it, therefore, any surprise that they can find these arguments unconvincing business cases for investing in what amounts to procedural insurance?
Warm ‘n’ fuzzy
Before getting to the point, some of you will wonder, what about integrity as a value? Good question; what about it?
Doing the right thing even when no one is looking. It’s a great concept, and I like it. But us folks who’ve chosen to walk this career path could do well to have the empathy to step into other people’s shoes. Being ethical by picking up other people’s trash as you walk through a forest, returning the bag you find on the floor, or telling the server you’ve been undercharged is all very noble, but what about…
- Refusing to pay an extortive bribe would mean delay and detention (at best), incurring possible late delivery fines, job insecurity, or missing a visit with a terminally sick parent.
- Not making the trade on an insider tip from a friend. If you did act, you’d hit your targets and save yourself (and other team members) from possible redundancy, thereby keeping your family in the life to which they’re accustomed.
- Speaking up about corner-cutting to hit aggressive targets that will lead to environmental and human suffering. Knowing that if you did, you’d likely suffer retaliation and exclusion in a toxic team which sadly represents the first rung on a ladder you wish to climb (with hefty student debt to boot).
“Doing the right thing” is a context-dependent construct. In high-stakes decisions, risk management asks people to take personal risks. We should remember that.
Given that most organisations run at a 50% level of employee engagement, that’s a big ask. I see people rise to this regularly. Notably, someone who spent a couple of days in jail for refusing to yield to extortive requests from a mafia-state policeperson at considerable personal risk. The reward from their employer for not paying? Nothing. Best not to talk about such things lest we admit they happen.
“Doing the right thing” has its place, but beware of the context and piety of privilege.
Risk & reward
What if the business case for risk management focused on risk? Risk is the crucible before we reach opportunity. Bringing risk factors (beyond the usual financial – cost-benefit-analysis – calculations) into strategy helps. The trick is not to use the R-word (much or at all). I don’t see it done often, but when I have, it goes something like this:
- What are all the shiny things we (as an organisation) are attracted to? New markets, product/service launches, acquisitions, etc.
- Picking the most important or attractive, what are our projections and scenarios? Scenarios? You know, best case, most likely, outliers? Let’s sketch them out briefly. What are the triggers that signal an improvement or deterioration in the outlook? Can we alter any of those (in or outside our control)?
- Can history teach us? Hits, misses, near misses from the past. What would we need to do to reduce the probability or impact of past problems?
- How sustainable is this idea? Is it short-termism, or is it in our long-term survive-and-thrive interests?
- Look again at the shiny things. With these lessons from the past and our scenarios, do some look more tarnished than tantalising?
- Picking the still-shiny things, how do we maximise the chances of success? Usually, this throws up the need to consider some stakeholder mapping.
- Of those stakeholders who are unsupportive and/or influential, where might they intersect with our organisation (which functions)? Can we spend time with those people, preparing them and learning from their previous experiences? Now we start to get a two-way flow of information.
- What does success look like? Knowing this, can we create targets and incentives to avoid the abovementioned outliers and issues?
I’m very briefly summarising a MASSIVE topic, with much missing. I also admit this won’t work for all risks. For example, it won’t help with conflicts of interest, harassment, discrimination, and other personalised E&C and HR challenges. Here, it’s more about the culture that grows from organisations that start to listen to their people.
But it might help avoid some of the catastrophic issues.
So how might we get to this hallowed place where our inputs are considered at strategic decision-making levels?
What’s our role?
To start, here are a few dos and don’ts (and yes, I am aware of the irony of concluding with proscription in a post about avoiding it):
- Don’t speak in a language others don’t understand and feel threatened by. When we get defensive, we stop being receptive.
- Use your ears, eyes, and mouth in the right ratio (more observing and listening than talking). Culture always eats compliance – we don’t understand or shape culture until we switch from broadcast to receive.
- Be specific – link risk to what really matters (the crown jewels of the organisation).
- Don’t create policies and content in a void – because “it’s the law” but without seeking input and feedback.
- Stop relying on inadequate or vague data to make a case for risk management to the board – “perception indexes” or fines that happen to a tiny minority of organisations.
- Stay strategic – avoid getting lost in the weeds and details and getting overwhelmed, leading to busy work, not strategic work (which confirms all the prejudices people hold about “uncommercial support functions”).
I’m not standing in judgment here. I spent some years of my career conducting due diligence in a void – usually removed from any commercial or strategic insight or reality. The output must have been underwhelming and irrelevant all too often. It’s only since I stepped outside the methodology world into the mess of business ownership that I realised how irrelevant most guidance is (not just risk).
The people I now trust and rely on all have one thing in common – they ask good questions. I welcome their challenges to my assumptions and preconceptions, as their goal is to help us succeed. It’s in their enlightened self-interest that this happens (we all benefit if EI grows).
If we want to make risk relevant and not constantly argue the business case, ask more success-based questions about how we make (the good) ideas work. More anon…