The Fastest Cars Have the Best Brakes

Carole Stern Switzer, Executive Vice President of the OCEG, discusses why the best companies leverage value from compliance, governance and risk management to ensure they steer a safe course through the modern business landscape.

Whilst executives must always keep a sharp focus on business performance, it’s fair to say that the modern CEO has more distractions than ever before. Increasing compliance obligations, greater scrutiny of company ethics and pressure to perform extensive risk management has left firms with plenty on their plate. But it needn’t be this way. Carole Stern Switzer, Executive Vice President of the Open Compliance & Ethics Group (OCEG), insists that businesses need to see the present governance environment as an opportunity and not a challenge.

“One of the biggest mistakes is viewing compliance as the ‘Department of No’,” she explains. “But this happens all the time. Business people are trying to push out new products, marketing and technology and they see the compliance team as always saying ‘no’ or ‘stop’. But what they need to recognize – and this is really OCEG’s message – is that the ability to stop is essential to being a high-performance vehicle. The fastest cars have the best brakes. And you have to be able to see what is down the road to avoid the problem, be able to slow down or stop if necessary when issues are encountered – to have good steering as well as good brakes. But very often, organizations just seek to avoid the compliance program because they are fearful that it will slow them down.”

Aiming to keep businesses in the fast lane, OCEG was founded in 2003 as the concept of compliance and ethics management as a business function became increasingly prevalent. Recognizing that most core business functions have a common framework of standards – and how important this is to developing a high performing program and measuring ROI – OCEG made it a priority to develop a strategy and framework of guidance for aligning governance, compliance, risk management and ethics management and fully integrating them into business operations. OCEG also looks to remove market confusion, reduce organizations’ risk profile and legal exposure, and create strong links to existing risk management approaches.

“Risk management is essential in the context of compliance,” stresses Switzer. “When you look at enterprise risk management, you could say that very little enterprise risk management falls outside of the purview of compliance. In some way, every business risk that you evaluate ends up touching on a compliance risk or an ethical risk as well. I suppose there are some pure financial risks that don’t implicate compliance issues, but I actually think that those are the ones that are evaluated already. You need to assess what your compliance risks and your ethical risks are in order to plan and evaluate that program effectively.”

Risk management

Part of what OCEG is doing with the framework helps enable companies to achieve a stronger enterprise risk management process. “By that I mean if you are able to first and foremost identify the boundaries that your organization has to operate within and you are able to identify the events that give rise to substantial risks, and then evaluate the likelihood and the impact of those risks, you go a long way toward being able to manage the risks,” Switzer adds.

But OCEG is also looking to encourage a change in mindset with regards to compliance and risk management. Traditionally, the employee helming risk management has tended to find ways to share, avoid or reduce risk through insurance or joint ventures more often than conducting risk assessment and seeking to avoid risks through implementation of effective internal controls – and this highlights an interesting anomaly. Whereas many firms view insurance as an asset on a corporate financial statement, when steps are taken to avoid/reduce risk such as a strong risk assessment or compliance process, they are often viewed as expenses. Switzer hopes that with increased attention on these activities and the ability to develop metrics and benchmark, there is the opportunity to begin to view them more appropriately as assets. These are, after all, tools that can ultimately help a business perform better.

“There are a lot of opportunities in developing more organized compliance systems that will really help drive business performance,” she emphasizes. “One of the things that is changing dramatically in compliance is the understanding of the need to develop metrics – both in terms of performance and in terms of efficiency and effectiveness – that support business performance for the whole organization. This is particularly the case in the ethical area. Traditionally, many ethics officers have been very wary of metrics and unsure how you really measure ethical conduct or ethical attitudes. But there are ways of doing that and they are of great support to the organizations and help to drive business performance.”

Certainly, technology is the chief key to unlocking business performance from compliance, ethics and governance. But the biggest challenge facing firms is ensuring the cost-effective development of technology systems that support these structures. “I very often hear from compliance officers that have an idea of what they would like to do in order to manage their systems more efficiently and develop metric analysis that would help demonstrate contributions to business performance, but are having trouble finding systems that are robust enough to address that,” says Switzer. “One of the issues with technology is making sure that systems are developed that can interface with each other and that again have a common framework so that they can be benchmarked against each other.”

Technology Council

With emerging growth in technology to support governance, risk and compliance programs, there have naturally been accompanying technology-related difficulties. And it is for this reason that last year OCEG launched its Technology Council. A committee that includes both in-house end-user companies and external experts and solution providers, the Council works to develop a reference architecture for technology systems, identifying all of the pieces that are essential to a strong technology base for management of compliance and ethics, governance and risk in an integrated fashion.

In addition, the Council looks at what tools can be developed to put ‘meat on the bones’ of the architecture, while its Technology Forum (a series of conferences and publications) creates a platform for all the involved parties – the client (compliance department), the provider (in-house IT manager) and external technology provider – to come together to talk about what is needed. How can the enormous amount of money that has already been spent to address Sarbanes-Oxley be leveraged into broader compliance programs so that IT teams better understand the needs of the compliance department, and compliance teams better understand what is possible. “We have a conference in Boston in the Spring that will identify the main issues and then at our Fall conference in San Francisco we will be discussing the solutions,” highlights Switzer. “So we are not really looking just to educate people at these meetings but to use them as a true forum for driving technology solutions forward.”

Yet, irrespective of the technology solutions that are developed and deployed, the value of IT means little to ethics and compliance if the enterprise does not have the right culture in place. ‘Tone at the top’ is a phrase that is increasingly used, but there are still stories that fill our newspapers every day reflecting ethical lapses from business leaders. For Switzer, the most important lesson is that companies that present themselves as great ethical businesses shouldn’t “talk the talk if they can’t walk the walk”.

“If the leadership and the mid-level managers in that company are not actually behaving in that way, employees know that and the overall culture is eroded,” she says. “It is very important to have consistency and not just tone at the top but actual demonstrated ethical conduct by leadership at all levels. Clear disciplines need to be applied equally – if someone is the greatest salesman of the quarter but he did it through unethical conduct and people close their eyes to it, you can talk all you want about imposing certain values and rules and it won’t have any effect at all.”

Pillars of effective business

One barrier that some firms butt up against in the field of ethics, however, is the lack of metrics and indicators that can be used for benchmarking and self-assessment. “It is difficult,” Switzer concedes. “One way that it is addressed goes to workforce and workforce attitudes. There are questionnaires that go to the workforce about their beliefs about what the organization’s values are and whether the leadership of the organization truly follows those values. And they are useful as information. I don’t know if you could call them scientific data because there are a lot of issues that can’t be controlled in understanding why certain responses were given and how they were given. But you can get a broad picture, I think, of the view of people within the company about the company. The other thing worth highlighting is that what you see in the paper every day is not the ethical failure of massive numbers of stock clerks, but failures at the top. And the only control for that is the board. If you have stronger boards with more independence, that are not simply going to close their eyes when they see things that their friends in the executive positions are engaging in, then you will begin to have more true representation of the shareholders and society.”

Governance, risk and compliance have emerged as three important pillars of effective business in recent years and every level of an organization – from the board down – has its part to play in ensuring that these pillars are solid. With fields such as compliance continuing to grow in corporate importance, greater resources are sure to be deployed to address the soaring challenges, whether these be in terms of IT or manpower. OCEG will have its part to play in all of this, providing support to companies. But the responsibility will rest with the board and the executives to ensure that the internal mechanisms will be put in place to not only ensure that risk and compliance are addressed, but also that they can be integrated into business processes and leveraged to improve enterprise performance. Switzer, however, remains confident that these demands are well within the scope of most organizations.

“I think you will see more chief compliance officers being appointed in the future,” concludes Switzer. “Only around 10 percent of public companies have a Chief Compliance Officer, but some 40 percent have identified that they would like to appoint a Chief Compliance Officer in the future. And I think you will begin to see that role going increasingly directly to the board in terms of reporting, with more boards having compliance committees. There is definitely a move in that direction. And ultimately we will see a move towards the evolution of a sort of chief compliance function in firms that helps to provide feedback to the board and senior management; that helps to evaluate budget, technology, sharing and controls; and that provides support and structure for those compliance systems that are then embedded throughout the organization.”