Over this podcast series I have been visiting with Paul Johns, Chief Marketing Officer, and Rebecca Turco, Vice President of Learning, both at SAI Global, the sponsor of this podcast series. We have been discussing the changes in ethics and compliance (E&C) learning and how a more technology-based learning solution can help move your company to a more effective and more operationalized best practices compliance program. In this final episode, I visit with Paul Johns on the need for an integrated approach to risk management.
One of the primary reasons why an integrated approach to risk management is mandatory in today’s business environment is the increasing amount and complexity of risk which every company and, indeed, every Chief Compliance Officer (CCO) faces. Moreover, social media has amplified every action and reaction both in terms of signal strength and speed of dissemination and communication. New risks include the parties you are working with down the line to 3rd, 4th and 5th level suppliers and sales representatives. Obviously cyber risks are greatly increased as well. From consumers or customers, however, the calculation is strikingly simple – did your company do the right thing?
It is only through an integrated risk management strategy that you can begin to prepare your company to do business in the modern world. Such a strategy includes (1) forecasting, (2) risk assessment, (3) risk-based monitoring and (4) feedback of information gleaned from your monitoring into your risk strategy going forward. Yet it is more than the risk management process; it is using each part of your compliance program to develop information which can make your overall risk management strategy more robust.
While this five-part series has focused largely on compliance and ethics training, consider how an integrated approach to risk management works even with training. As Turco noted regarding adaptive learning, it is designed to focus on “making sure the learners are getting the content and relevant information that they need within any piece of content. It begins with asking questions about where they work and whether they interact with government officials. From there, it moves to serve up content to the employee which is meaningful, that helps them start to see what risks are in their area.” By asking questions to deliver an appropriate training solution, you begin to develop information about the state of your compliance program. If you are weak in some areas, you may wish to engage in remediation. If you are strong in other areas, you can use those employees as Compliance Ambassadors within your organization to be a resource to other employees.
Johns tied this concept to your overall risk management strategy by noting it is only as strong as the weakest link. In the area of compliance training, this means if you have a high employee turnover, as is common in retail companies, your annual Code of Conduct training may not be sufficient to catch all employees every year. Moreover, if such training is run out of Human Resources (HR), the compliance function and hence senior management and the Board of Directors may not even be aware of this gap. But you may not even be aware of this gap unless you ask questions or consider what the data is telling you.
Some other questions Johns posed in the context of an integrated risk management strategy are if your company moves to a new geographic region or opens a new sales line, have all of your policies and procedures been updated to reflect this change in your risk profile? Has anyone considered such a move from the risk perspective? Are you even assessing such risks before product implementation or change in sales strategy? From the Board and Chief Executive Officer (CEO) perspective, have they been presented with an integrated risk report from which they can even begin to assess the risk in front of them? Your sales model will directly impact your risk under anti-corruption laws such as the Foreign Corrupt Practices Act (FCPA). Third-party risks are still the highest risks under the FCPA. However, an employee-based sales strategy also presents risks, albeit a different set of risks. (Consider GSK in China.)
Another interesting reflection from Johns was that the more flexible nature of a workforce, including those on flex time, working from home, working during a commute and those who are essentially on 24-hour call, demands an innovation in the ways that training and ongoing communications are delivered. This means a company should have a mobile platform for learning and communication that can deliver its messages to employees when and how they want (and need) to consume them. This also ties into questions about not only content but the technology you use to deliver that content. When was the last time you considered the technology you are using in terms of the best manner to deliver the appropriate content?
Johns concluded with quite an interesting observation on the role of compliance and risk management. It is to become the new Praetorian Guards, which is to say put a ring around the senior executives to protect them. (Note – I am a fan of the Alamo analogy articulated by Chuck Duross but then again, all the defenders at the Alamo died.) He also alluded to the offensive nature of the Praetorian Guard. This also ties more closely into how a more fully operationalized compliance program makes a business run more efficiently and at the end of the day, more profitably.