Your Quick Guide To Managing Ethics & Compliance

Why many risks are irrelevant

In the past few weeks, I’ve spoken to SMEs who’ve been asked to implement risk controls for risks that don’t exist, wasting money they don’t have. I’m using a broad definition of SMEs here: any organisation without a multi-person risk, ethics or compliance team.

What’s happening here?

Doing not thinking

“Why” is not always a great question to lead with (especially in investigations), but it worked here. Why the hell does a B2B Australian domestic online business need a fulsome anti-bribery & anti-corruption management system? Because a financial services client said, “We can’t work with you unless you have one.”

Why does a business getting kids into STEM with innovative learning need an anti-money laundering framework (despite no apparent exposure)? Because – you guessed it – someone at a large firm said they must.

Does a business with few transactions (and none outside of the US) need a sanctions framework? You get the idea.

Much to do about nothing

What’s the solution? For SMEs, it’s not immediately apparent. They might ask, “Where can we go for help? What is money laundering anyway!? I’ve watched Breaking Bad, does that count as AML training?”

“Bureaucracy defends the status quo long past the time when the quo has lost status.”

Laurence J Peter

In a logical world, the SME might turn to the requestor for help, but they’d be met with a “Cannot”; “Computer says no.”

Maybe they might ask a local law firm or head to a freelancer site and get someone to “have a go at it.”

Irrelevant risk creates risks

So the SME faffs around fulfilling a pointless requirement to enable the larger firm to make somewhat hollow attestations to regulators that “We have zero tolerance for [insert poorly understood risk] in our supply chain”.

Back in the real world, a few things have happened:

  1. The SME gets the impression that risk management is a performative box-checking exercise executed by the corporate equivalent of parking wardens.
  2. The client deludes themselves into thinking they’re managing risk.
  3. The online B2B business with thousands of people’s data gets hacked, as they were distracted by irrelevance.
  4. Clients cancel contracts, wishing to wash their hands of a problem. The SME goes under.
  5. The client finds another similar SME through a Promethean procurement process and now adds to the shopping list of policies, “Please provide evidence of your cybersecurity framework.”
  6. The next SME heads to UpWork to buy a policy on cyber that makes as much sense to them as Aramaic does to me. They submit the policy.
  7. The policy is filed but never read. Why? Because “AI read it” and AI is faultless.

The circle of strife

Could we maybe aim a bit higher?

Stairway to nowhere

For the client, consider the risk factors based on what third-parties do for you, where, with whom, and how. If that sounds like a lot of work, it is at the start. But it’s a bit like a building; get the foundation and design right, or not…

Maybe consider sharing the love with your key partners – knowledge transfer and explaining why risk X or Y matters and what to do about it.

For SMEs, and to torture the building metaphor further, think of your business as you would your home. What do you have of value inside, what security do you have, how predictable are you, who lives in your (physical or sectoral) neighborhood, do you know the people who visit (your suppliers) well, and are you an upstanding member of the community?

If that’s a bit oblique, generally in a 20min chat, we can get you from errrrr, to ahhhh!

Note from me: As this is the first newsletter, written on a Friday afternoon the week before Christmas, it may not be my finest work, but you good people usually help me with that. So please suggest any topics you’d like covered, and I’ll do my best!

Happy Holidays to those celebrating (and to those not partaking, enjoy the email peace)!
