In listening to companies discuss compliance in the areas of anti-corruption under the Foreign Corrupt Practices Act (FCPA), anti-money laundering (AML) or export control, one of the things that has consistently struck me is how siloed each of these groups invariably is within their company.
Not only does this deny a company the ability to share a wide variety of talent and experiences, it can lead to what authors Robert Kaplan and Annette Mikes call the “functional trap” of labeling and compartmentalizing risk. In an article in the June issue of the Harvard Business Review, entitled “Managing Risks: A New Framework”, they declare that good risk discussions must be integrative in order for risk interaction to be evaluated. If not, a business “can be derailed by a combination of small events that reinforce one another in unanticipated ways.”
The authors posit that it is difficult for companies to accurately and adequately discuss risk for a variety of reasons. One of these reasons is the aforementioned silo effect, which can lead to a lack of discussion by a wide group regarding a number of risks. Compliance risk, reputational risk, brand risk, credit risk and human resources risk are but a few of the types of risks mentioned in their article. The authors believe that one of the ways to knock down these silos when it comes to a more complete management of risk is to “anchor their discussions in strategic planning, one integrative process that most well-run companies already have” in place.
I. VW do Brasil Risk Management Strategy
The authors cite the example of Volkswagen do Brasil (VW) and the techniques used by its risk-management unit. Initially, the VW risk management unit uses the company’s overall strategy map as a starting point for internal discussions around risk. For each objective that the company sets, the risk management group identifies risk events which might cause the company to fall short of its objectives. Based upon this risk profile, the group creates a “Risk Event Card” for each risk on the strategy map, “listing the practical effects of the event on operations, the probability of the occurrence, leading indicators and potential actions for mitigation.” From this Risk Event Card, the risk management group creates a “Risk Report Card” which is a tool used to present and convey high level information to senior management within the company.
A. Risk Event Card for the Objective of a Smoothly Functioning Supply Chain
B. Risk Report Card For Satisfaction of Customer Expectations
for more details link to: Risk Event Card, Risk Report Card
II. Risk Oversight Approach
The authors caution that beyond simply introducing a systematic process for identifying and mitigating key risks, companies should also employ a risk oversight structure. The authors discuss the experience of the Indian IT company, Infosys, which uses a dual structure. It consists of a central team that identifies general strategy risks and then establishes central policy, together with a specialized, decentralized functional team. This second team designs and monitors policies and controls in consultation with local business units. These decentralized teams have the authority and expertise to respond to changes in the company’s risk profile coupled with the nimbleness and agility of being in the field to deal with smaller issues before they become larger problems for the central team back in the corporate office.
All three of the components identified by the authors are relevant for your compliance program. It is important to perform due diligence on third party representatives before execution of an appropriate contract, but the real work is in managing the relationship. Likewise, in risk management, you must identify and assess the risk, but the real work begins in managing the risk. This is where the rubber meets the road.
© by Thomas R. Fox, 2012