Why is ethics and compliance risk management often irrelevant?
In the past few weeks, I’ve spoken to SMEs who’ve been asked to implement ethics and compliance risk management for risks that don’t exist, wasting money they don’t have. I’m using a broad definition of SMEs here: any organisation without a multi-person risk, ethics or compliance team.
What’s happening here?
Doing not thinking
Why is not always a great question to lead with (especially in investigations), but it worked here. Why the hell does a B2B Australian domestic online business need a fulsome anti-corruption risk assessment? Because a financial services client said, “We can’t work with you unless you have one.”
Why does a business getting kids into STEM with innovative learning need an anti-money laundering framework (despite no apparent exposure)? Because – you guessed it – someone at a large firm said they must.
Does a business with few transactions (and none outside of the US) need a sanctions framework? You get the idea.
Much to do about nothing
What’s the solution? For SMEs, it’s not immediately apparent. They might say, “Where can we go for help? What is money laundering anyway? I’ve watched Breaking Bad; does that count as AML training?”
"Bureaucracy defends the status quo long past the time when the quo has lost status." Laurence J Peter
In a logical world, the SME might turn to the requestor for help, but they’d be met with a “Cannot”: “Computer says no.”
Maybe they might ask a local law firm or head to a freelancer site and get someone to “have a go at an anti-corruption risk assessment.”
Irrelevant risk creates risks
So the SME faffs around fulfilling a pointless requirement to enable the larger firm to make somewhat hollow attestations to regulators that “We have zero tolerance for [insert poorly understood risk] and [get other people to] conduct rigorous anti-corruption risk assessments in our supply chain”.
Back in the real world, a few things have happened:
- The SME gets the impression that ethics and compliance risk management is a performative box-checking exercise executed by the corporate equivalent of parking wardens.
- The client deludes themselves into thinking they’re managing risk.
- The online B2B business with thousands of people’s data gets hacked, as they were distracted by irrelevance.
- Clients cancel contracts, wishing to wash their hands of a problem. The SME goes under.
- The client finds another similar SME through a Promethean procurement process and now adds to the shopping list of policies, “Please provide evidence of your cybersecurity framework.”
- The next SME heads to UpWork to buy a policy on cyber that makes as much sense to them as Aramaic does to me. They submit the policy.
- The policy is filed but never read. Why? Because “AI read it” and AI is faultless.
The circle of strife
Could we maybe aim a bit higher?
For the client, consider the risk factors based on what third parties do for you, where, with whom, and how. If that sounds like a lot of work, it is at the start. But it’s a bit like a building: get the foundation and design right, or not…
Maybe consider sharing the love with your key partners – knowledge transfer and explaining why risk X or Y matters and what to do about it.
For SMEs, and to torture the building metaphor further, think of your business as you would your home. What do you have of value inside, what security do you have, how predictable are you, who lives in your (physical or sectoral) neighbourhood, do you know the people who visit (your suppliers) well, and are you an upstanding member of the community?
If that’s a bit oblique, check out our free assessments. If you prefer talking it through, generally in a 30-minute chat, we can get you from errrrr to ahhhh!