There is not much more iconic in the US than Starbucks. As such they present some very visible and public lessons learned for the compliance practitioner. Recently Starbucks generated extremely negative news for having Philadelphia police arrest two persons who were waiting for a third person for a meeting. I want to use this most recent black eye for Starbucks and an earlier incident to help explain the need for a nimble and agile risk management process in any best practices compliance program. This risk management process includes forecasting, risk assessments and risk-based monitoring.
Within the context of an anti-corruption compliance program, you are trying to make adjustments based on the risks of violation of the law, out in the marketplace. For instance, in a compliance forecast, third-party risk should be considered at the top of your ordinal list of risk and you should consider a multitude of factors such as the operating procedures, processes and systems and training. Of course, the execution of that process is a critical component as well.
All these things, to some degree, should appear in a risk assessment for the organization. Meaning, at the corporate level, what happens if your core product becomes something different than simply a consumer product, such as coffee? There should be a risk assessment node which has a component that notes these changes so that you can adapt as necessary. A robust risk management process should be designed to elevate these new issues. If something does change, the next step would be to take appropriate course of action to address any of those risks.
The most recent story involved the arrest of two African-American men who were waiting for a third person at a Philadelphia Starbucks. As Matt Kelly noted in his Radical Compliance blog entitled “Starbucks and Policy Management Perils”, the story was “two black men, Rashon Nelson and Donte Robinson, entered a Starbucks in downtown Philadelphia to meet an acquaintance for a business appointment. Nelson first asked the manager to use the bathroom; the manager declined and said the bathroom is reserved for paying customers only. The men then sat at a table without ordering anything, waiting for their acquaintance to arrive. The manager, who is white, came to their table and asked if they wanted to order anything. They said no. Two minutes later, the manager called the police to evict Nelson and Robinson from the store. The police arrived and arrested them for suspicion of trespassing.” After spending several hours in jail, the two men were released.
Matt detailed many of the issues from the compliance policy and procedures perspective. However, I see another lesson for the company. Starbucks was initially a coffee shop, selling coffee and the coffee experience. If you have ever been to the original Starbucks across from Pike Place Market in Seattle, it is the consummate coffee shop experience as it does not even provide seating. The most recently opened Starbucks in Houston is gorgeously laid out with comfortable chairs and full working tables for those writing blogs.
With its ubiquitousness and growth the company has largely become the meeting place of America. Starbucks’ design has made itself America’s public space with clean, welcoming and open stores. It is certainly one thing if you have a coffee shop with limited seating to request persons there purchase a cup of joe but that type of approach is inconsistent with being America’s greenspace, open and welcoming to all. If you have made yourself that deeply embedded into America’s consciousness as the gathering spot to wait for meetings or even type out and post a blog (as Matt did for his blog on the subject) your risk profile has rather dramatically changed.
This means your forecast and risk assessment must take into account there will be racism and racial profiling by Starbucks store managers. This event did not happen in the South where many similar attitudes still exist but in a major Northern metropolitan center. Starbucks should have not only forecast this risk but it should have been more closely assessed in both its hiring practices and ongoing training. As to the latter, Starbucks has announced a one-half day nationwide store closure for training on racial discrimination issues. While some may say this is too little, too late; at least it is a start.
The differences between forecasting and risk assessment is that risk assessment attempts to consider things which forecasting either did not reliably predict for, or those things which the forecasting models have raised as potential outcomes which could be troubling, critical themes and issues. As risk management specialist Ben Locwin has explained, “What you’re trying to do then is decide on how you would address these. Risk assessments will percolate to the top of the list, your risk registry. Those items which are most consequential for your organization, whatever it happens to be. Again, just like forecasting, risk assessments apply to every organization.”
Starbucks had previously provided another example which illustrated the differences between forecasting and a risk assessment, yet how the two are complimentary. During a past winter, when I began purchasing hot coffee products from Starbuck, as opposed to the cold drinks I buy during the hotter parts of the year, I discovered that baristas’ no longer put sleeves on coffee cups but required you to ask for one. The second time I had to ask for a sleeve, I inquired from the barista why I had to do so. She replied that corporate had changed the policy for environmental reasons and that she could only provide a sleeve at the specific request of the customer. When I pointed out that it slowed the line down and was much less efficient in the delivery of Starbuck’s coffee, she replied, “You’re absolutely right. I hate it. Would you please email Starbucks and tell them of your dissatisfaction?”
Locwin noted, “what you’ve put your finger on is the crux of the balance of forecasting versus risk assessment. They’re two very different things, but at the same time, as they weave through time, they interchange. For example, Starbucks would potentially say, “We forecast that consumers are going to be more concerned about paper use, sleeves, the economic costs to the world, of extra paper waste and things. We’re going to, in certain locations, let’s say across Texas, we’re going to pilot that we don’t give out sleeves unless they’re asked for.” In their risk assessment, which I can tell you didn’t change from that forecast, what they then should have had was a commensurate line item which said, “If consumers start to have a problem with what’s being done at these locations, our immediate contingency plan is to do the following, to strip it away immediately, full stop, so that every cup gets a sleeve, so that they’re not slowing down lines, consumers say you heard us immediately, and then the organization is back on track.
Their forecast plans something, the risk assessment should have had countermeasures to address, and instead if they didn’t have this in place, they’re going to have to wait until they start to have a Twitter feed that blows up… The risk assessment model should say, “Then we will do the following. Texas was dissatisfied by this change and same in our pilot in Wisconsin. Let’s stop not giving out sleeves… Then eventually that starts to dissipate and they get rid of this whole new silly paradigm.””
The differences between forecasting and risk assessment is that risk assessment attempts to consider things which forecasting either did not reliably predict for, or those things which the forecasting models have raised as potential outcomes which could be troubling, critical themes and issues. As Locwin explained, “What you’re trying to do then is decide on how you would address these. Risk assessments will percolate to the top of the list, your risk registry. Those items which are most consequential for your organization, whatever it happens to be. Again, just like forecasting, risk assessments apply to every organization.”
The furor over the arrest of the two men at Starbucks may well last for some time. As noted at least Starbucks did not try and hide behind the rogue employee argument. It is stopping its business for a half-day to address the problems in its own organization. I hope every compliance practitioner can learn from Starbucks mistakes and responses.
If you sell coffee your risks are one set. If you are the country’s public square, your risks are different. What Starbucks teaches the compliance professional.Click to tweet
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2018