Boxing clever to manage risks
The 2008 crisis has prompted governments around the world to tighten regulation not just of banks and financial institutions, but of a wide range of sectors, increasing the compliance burden for all kinds of businesses.
There are those who believe that the amount of red tape should be cut. Earlier this year, the World Trade Organization’s director-general Pascal Lamy estimated $1trillion could be freed up for the global economy by cutting unnecessary regulation. However, most accept that the best way of managing risks within their businesses is by having a robust approach to compliance.
But how do companies go about this? And what should they expect to get out of it?
“Compliance must be focused on preserving, protecting and promoting business value, including reputation, to capture business attention and motivation,” says Nicole Bigby, a partner at law firm Berwin Leighton Paisner.
The consequences for boards, personally and collectively, are increasingly punitive, and fines can pale against the internal costs of necessary restructuring and independent monitoring regimes
“The benefits of good compliance need to be very direct: minimising the cost of or improving contract management, heading off problems or, even more powerfully from a strategic perspective, knowing when to create new compliance rules to enhance business adaptability and competitive advantage.”
Global examples of the importance of compliance and understanding business risk have been frequent for companies to observe. And when things fail, they often tend to fail in a big way.
The last decade, in particular, has been besieged by high-profile business scandals and financial failures, sparking unprecedented regulation and providing some valuable lessons for risk management.
Emboldened by the management of the credit crisis, governments have taken a zero-tolerance approach to other parts of the economy when it comes to managing their own risks. It has made them less likely to tolerate failures and more prone to legislate against them.
“The broader management and organisational failures at NASA, which led to the Challenger space shuttle disaster, and at BP, concerning the Deep Water Horizon oil rig explosion, demonstrate the dangers of purely tick-box compliance,” says Ms Bigby.
“The consequences for boards, personally and collectively, are increasingly punitive, and fines can pale against the internal costs of necessary restructuring and independent monitoring regimes.”
A willingness to embrace new methods and ways of understanding compliance must, therefore, be a key starting point.
One of the biggest challenges for businesses when it comes to compliance is getting beyond a box-ticking mentality, which can lead to the compliance failures seen more recently.
“Irrespective of the guidance available, organisations need to recognise that truly effective implementation is not a tick-box exercise,” says Sukhdev Bal, director of consultancy firm Protiviti UK. “For many companies, complex accountabilities for compliance have evolved in an ad hoc manner over a long time.”
However, it is one thing to extol the benefits of a compliance-focused approach, but in practice it can be more difficult to implement.
“Culture is key,” explains Kirsty Searles, head of governance and compliance at consultancy group Deloitte UK.
There are systems available for larger businesses to ensure they get on top of compliance and are able to monitor risk, ranging from “point solutions”, designed specifically for certain compliance areas, to software-based platforms which incorporate multiple functions.
Point solutions typically support deeper analysis and reporting requirements for compliance, whereas platform solutions provide extended capabilities, and could serve as infrastructure for broader compliance, governance and risk management activities over time.
One of the main benchmarks for businesses in managing risk is the ISO 31000 standard, which “provides principles, framework and a process for managing risk”.
According to the International Organisation for Standardisation, ISO 31000 can help organisations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment.
“For those companies that are less ‘mature’ from a risk management perspective, the ISO regulations provide a great start in terms of the risks they should be considering and the controls they could implement to mitigate these,” says Richard Hunt, managing director of Turnkey Consulting.
“The main regulations to be considering here are ISO 31000 for risk management and ISO 27000 for information security. There are a number of other more industry-specific ISO standards available with risk management content targeted at industry-specific risks.”
Yet, despite being a good place to start, experts warn against relying too heavily on the ISO standards.
“ISO regulations are a standard for guidance rather than regulation. They provide organisations with a framework for benchmarking what’s being done and a structure for building capabilities,” says Ms Searles. “It is not a panacea; it’s all in the practical application.”