OCEG has a straightforward, ambitious and timely mission: to help organizations align their governance, compliance and risk management activities to drive business performance and promote integrity. Business Management caught up with Scott Mitchell, CEO of the non-profit organization, to talk about integrating governance and compliance into business operations.
BM. There’s a lot of talk about centralizing corporate governance and communication policies and procedures. How important is this?
SM. To me, the issue of centralising is less important than the issue of whether or not the company is taking a common operational approach to governance, risk management and compliance. Companies are in business to achieve objectives, and any obstacle that could stand in the way of achieving those objectives is a risk and it’s something companies will want to address. You also need to consider your operational boundaries – both mandated boundaries (i.e. rules and regulations), and also voluntary boundaries (the values and principles that you want to operate by, your brand, your reputation, how you want to be perceived). You need to make sure that the company operates within those boundaries, and whether an organisation creates a single, consolidated, centralised way of doing this or decides it wants its component parts in separate functions or departments, what is critical is that each of those departments uses the same operational approach.
Whether or not you’re dealing with employment compliance, privacy compliance, environmental compliance, it’s important that you use the same philosophy, the same approach, the same overall steps to address those operational boundaries. The reason it’s so critical is that whether or not you have one truly centralised department or 15 different departments, ultimately all this stuff funnels up to the executive level anyhow. Like it or not, the board is on the hook for this. So every organisation is centralised at the board level and it is how the layer underneath the board level is managed and coordinated that is critical. For us, the key is making sure each area is using a common operational approach and having some way of pulling all those different compliance areas together. We think that the best practice is usually to have a compliance, risk management or governance committee that’s made up of not only the legal risk managers in each of those areas, but business line heads as well.
BM. Once you have all of these processes in place, is there a way to measure compliance and risk?
SM. I think so. If you’re using a common operational approach, the benefit is that you actually have a hope of implementing information technology in a meaningful way.
There are a lot of companies struggling through Sarbanes-Oxley, with an increasing number asking how they can automate Sarbanes-Oxley. But to me, that isn’t the right question. The right question should be how they can automate governance, risk and compliance generally, with Sarbanes-Oxley being an instance or an example of one area that could benefit from this technology. Having a common operational approach gives an organisation hope that it can implement a technology architecture that can address a common operational approach.
The key is being able to pull together information in order to measure it, and the key questions we’re trying to get at are: do we understand the most important risks that face our company? What are those risks? Have we put in place the right controls and structures to prevent us from stepping outside our operational boundaries? If/when we step outside or get close to those boundaries, do we find out the instant it happens, a day later, a week later, a month later or a year later? Once something bad happens, how quickly do we then respond to it? Does it take us a day, a week, a month or a year to actually respond and improve the system? Those are metrics that you can absolutely track.
BM. What steps have you taken to try and simplify the risk and compliance process?
SM. In order to simplify, we have tried to streamline the process – but in order to do that, you need to pull together a number of different disciplines. You need accountants, you need risk managers, you need lawyers, you need everybody coming together on the same page, and so to that end we’ve created something called the OCEG’s ‘foundation guidelines’: 38 high-level and 140 detailed practices that form the backbone of an effective compliance and ethics program. If you implement these very tangible and observable business practices, you are addressing the requirements of all these different frameworks and you’ve put in place a capability that will allow you to address legal requirements – both current and any new ones that come down the pipe – because you’ve got this infrastructure in place that allows you to respond to these like a new sale. You’ve got an infrastructure in place that can handle anything associated with new risks or new boundaries, rather than every new law, rule and regulation being a brand new thing that you need to think about. It simplifies the sustainability of compliance.
The first time we sent out our foundation guidelines for public exposure we had 4000 downloads, which was remarkable given that nobody knew who we were, and it really showed what a need there was for bringing these pieces together. When we put out our next draft we had 10,000 downloads, and again it’s pretty remarkable for a new organisation to have that level of traction. And if you just look at some of our leadership council members, some of the most respected companies in the world are using pieces of the framework in their own programs, whether it’s DuPont, ADM, Staples, Wachovia Bank, etc. They’re able to leverage a lot of this information to help make their programmes a lot easier to use. So, I think that we’re getting a ton of traction.
BM. How important is tone at the top?
SM. We have a different perspective on tone at the top. Don’t get me wrong; I don’t want to say that it’s not important, but what’s more important is perception at the bottom. “If a tree falls in the forest and there’s nobody there to hear it, did it fall?” I think with tone at the top, you can look at all of the observable, objective things that we would typically do to measure tone at the top – whether or not executives say the right things; whether they send the right messages to the organisation in their communications; whether they make sure that it’s clear what is expected of people within the organisation in their public statements – but the reality is, in most organisations employees don’t really care who is on the board and what they say. When I was fresh out of college in my first job, my immediate boss was my supervisor, and so while tone at the top is critical, what’s even more important is what I call ‘tone at the tops’ – there’s lots of different pyramids within organisations, and the key is making sure that the right individuals are sending out the right messages. And this doesn’t just mean people within positions of power; you need to identify the opinion leaders within your organisation – the people that have been there for a number of years and are incredibly well respected. They may be just a supervisor on a particular shift, but they might also be the most listened-to person in a facility. In my opinion, it’s more important for that person to be sending out the right messages than it is for a CEO or a board member.
The key is identifying that there’s not just a top. There are many managers and leaders within an organisation and that to me is the critical component. If a company is really trying to communicate with the workforce about expected behavior, I think they really need to focus on management and supervisors and make sure the message is cascaded and that they have all the tools and training required or necessary to send out that message to their own individual work groups.
I meet with board members and CEOs very often, and one of the statements I like to make – which can be somewhat controversial – is to say: “You think you’re more important than you really are. The likelihood that your average worker is influenced by what you say and do is probably less than how they’re influenced by their supervisor and manager.” I think that maybe it’s been a while since they were in the trenches, quite frankly.
So tone at the top is fine, but it’s perception throughout the workforce that is the key – and actually what you ought to be measuring, too. If you really want to measure tone at the top, you shouldn’t measure a single item of what’s being said or done at the top, you should actually just be measuring the perceptions of the workforce, because even if you’re sending the right message, even if you have the right tone, if it’s not being heard it’s totally irrelevant and you’re doing something wrong.
BM. So which areas can be improved?
SM. Let’s just take the US as an example. Research from the Small Business Administration shows that, right now, organisations spend around US$1.1 trillion just to comply with federal laws, rules and regulations. That doesn’t count litigation, fines or penalties, it’s just the cost of complying, and this is clearly unsustainable. Right now, organisations are spending somewhere between US$5000-7500 per employee to deal with compliance and I would challenge almost any CEO to identify where that money is being spent, because it’s being spent all over the place.
I think IT is a critical component and to me there’s some really low-hanging fruit in the IT world. I think content management – being able to distribute policies, verifying that people received them, acknowledge receipt, those types of things – is very low-hanging fruit. Similarly, hotline/helpline technology is the heart of your information management system, letting you know where issues are coming from, what types of issues are coming up, how quickly you discover them – that comes out of a hotline or helpline management system, and so you need technology otherwise you’re going to be sunk.
Integrating governance, risk management, compliance and culture
• Set and evaluate performance against objectives
• Power to authorize a business strategy and model to achieve objectives
• Proactively identify and rigorously assess and address potential obstacles to achieving objectives
• Identify and address risks that the organization will step outside of mandated and voluntary boundaries
• Proactively encourage and require compliance with established policies
• Detect noncompliance and respond accordingly
• Establish an organizational climate and mindsets of individuals that promote ethical behavior, trust, integrity and accountability