Most readers know of my love for Rock & Roll. That love extends to those who write about the genre too. Today, I want to pay tribute to one of my favorite early writers on Rock & Roll, Nick Tosches, who died at his home this weekend. According to his New York Times (NYT) obituary, Tosches “and his fellow music writers Richard Meltzer and Lester Bangs were labeled ‘the Noise Boys’ for their wild, energetic prose, a world away from fan magazines such as Tiger Beat” and Seventeen. He wrote for Creem, where he and Bangs created some of the most personal profiles of rock legends. He later moved on to biographies, writing about characters as diverse as Jerry Lee Lewis and Sonny Liston. My favorite Tosches novel was one where he imagined a (fictional) Nick Tosches being called upon to authenticate a previously unknown Dante tract.

How should a compliance professional think about managing risk? How about senior management? Even the Board of Directors is being called upon more and more to manage risk from its oversight perspective. I recently revisited a seminal Harvard Business Review (HBR) article on this subject, entitled “Managing Risks: A New Framework”, by Robert S. Kaplan and Anette Mikes. The authors posit that “risk management is too often treated as a compliance issue that can be solved by drawing up lots of rules and making sure that all employees follow them. Many such rules, of course, are sensible and do reduce some risks that could severely damage a company. But rules-based risk management will not diminish either the likelihood or the impact of a disaster.” To help avoid this situation, the authors laid out their version of a 6-Part Tool for ranking and assessing risks.

Many compliance officers, like myself, came to compliance from the General Counsel’s (GC) office. We tended to think that risk could be managed by a set of rules. This certainly formed the basis of Foreign Corrupt Practices Act (FCPA) compliance programs from 2004 forward. Early on they were written by lawyers, for lawyers. Obviously, this approach has evolved and now compliance programs are much more holistic in their approach to risk management.

The authors identify FCPA risk and a wide variety of other risks as internal risks. By this, they mean risk “arising from within the organization, that are controllable and ought to be eliminated or avoided… To be sure, companies should have a zone of tolerance for defects or errors that would not cause severe damage to the enterprise and for which achieving complete avoidance would be too costly. But in general, companies should seek to eliminate these risks since they get no strategic benefits from taking them on.” Interestingly, the authors recognized that “a rogue trader or an employee bribing a local official may produce some short-term profits for the firm, but over time such actions will diminish the company’s value.” In other words, at the end of the day, the cost of such behavior and activity far outweighs the gain.

The next type of risk the authors discuss is strategy risks. They believe that this type of risk category is quite different from internal risks “because they are not inherently undesirable. A strategy with high expected returns generally requires the company to take on significant risks, and managing those risks is a key driver in capturing the potential gains.” This means that if your compliance program is more nimble and agile, it can help to facilitate a level of risk management.

The authors believe that you need a “risk-management system designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain the risk events should they occur. Such a system would not stop companies from undertaking risky ventures; to the contrary, it would enable companies to take on higher-risk, higher-reward ventures than could competitors with less effective risk management.” For instance, if your mergers & acquisition (M&A) team has a full compliance component, you are able to not only move more quickly but identify and manage a high-risk region, opportunity or business line.

Finally, there is the risk that is not only the most difficult to plan for but often the most difficult to manage, which the authors identify as external risks. These are risks which “arise from events outside the company and are beyond its influence or control. Sources of these risks include natural and political disasters and major macroeconomic shifts.” It can also be when a competitor is caught in a scandal so massive that the blowback hits your company. This means that external risks mandate another risk-management strategy approach. The authors conclude that as “companies cannot prevent such events from occurring, their management must focus on identification (they tend to be obvious in hindsight) and mitigation of their impact.”

The best example of external risk I can put forward is something similar to what the German auto manufacturing industry faced after the Volkswagen (VW) emissions-testing scandal broke in 2015. It was so large it damaged not only VW’s competitors but also the German national brand of quality and honesty. It all involved the Made in Germany brand. Ulrich Grillo, the president of the BDI, the German global industry association, was quoted in the Financial Times (FT) when he urged companies to check their “management processes, including compliance and control systems.” He suggested the question to ask should be “Are we doing everything right?” It was the risk-management strategy of compliance he suggested as the primary way for other German car companies to combat the negative publicity around VW.

Companies should tailor their risk-management processes to these different categories. Join me tomorrow where I take a look at how companies can begin to think through strategies for managing each type of risk and the role the compliance professional plays in this overall approach.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2019