Corporate compliance is easily defined. In formal terms, it’s the observance of statutory and company regulations on lawful and responsible conduct by an organization, its employees, and its management and supervisory bodies. But successfully fulfilling all of the relevant and necessary corporate compliance requirements can be quite challenging for even the best and most vigilant enterprises. My two-part series shows five of the key things that companies are doing right when it comes to corporate compliance, as well as five of the most important things they’re doing wrong. The first installment covered five of the smartest corporate compliance strategies and moves. The following is the second installment and discusses five of the most problematic corporate compliance steps and approaches:
1. Strategic Risks
Companies are very good at addressing financial, compliance and (generally) operational risks. But they struggle to deal with strategic risks – the risks that relate to high-level goals and are aligned with, and support, the entity’s mission/vision. This is unfortunate because strategic risks often have the largest impact, by far, on an organization.
Corporate compliance programs fail in this regard for two reasons. First, strategic risk may be seen as an inappropriate role for compliance as it is often seen as a senior management function, even though senior management may lack the risk management skills and focus to systematically address it. Second, those involved with compliance don’t understand the business or the strategies well enough to grasp the risks. Often, this is because compliance personnel don’t have deep enough relationships with senior management to get a seat at the table to understand the strategic risks facing the organization.
Companies may need to have a C-level compliance officer (Chief Risk Officer or Chief Compliance Officer) to effectively address strategic risk. And boards need to be more active in asking about strategic risk.
Addressing strategic risks is not hugely complex. The processes for identifying, assessing, and addressing strategic risk are the same as for other risks. And as the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management (ERM) framework rightly outlines, strategic risks need to be considered as part of a holistic approach to risk management.
2. Continuous Monitoring
For years, we’ve heard about the promise and potential of continuous monitoring or continual auditing. And these are great, in theory, but, in reality, there has not been widespread adoption. Despite the potential benefits, many companies continue to rely on a high number of manual controls in their risk management processes.
The reasons for this lack of adoption are manifold, but a key reason may be that the potential benefits have been oversold and don’t justify the costs. Continuous monitoring often requires a significant upfront investment. Further, unless properly configured, a continuous monitoring program just isn’t flexible and dynamic. This is particularly problematic in high-growth companies where change is a constant. Finally, and unfortunately, most continuous monitoring approaches simply aren’t “plug and play,” as they can’t operate as independent systems without human oversight and supervision.
In a more perfect world, companies would be able to truly benefit from continuous monitoring or continual auditing as an integral part of their corporate compliance efforts. To take advantage of available technologies, companies need to consider the cost benefit of a continuous monitoring program and only deploy in areas where it can truly deliver results.
3. COSO (Internal Control and ERM Frameworks)
Perhaps more of a critique than a shortfall of corporate compliance is the relevance of COSO and the practical use of its frameworks. COSO wants to remain fully relevant, but, unfortunately, the 1992 version is outdated and of little practical use for most companies. The overall concepts may be useful in thinking about internal control issues, but they lack practical applicability. For example, many public companies say they use the COSO framework for their SOX assessment, but the question is – to what extent? And, when COSO issued its exposure draft of the internal control framework in 2012, significant and disparate feedback delayed the issuance of an updated framework. Another example bearing on COSO’s relevance to today’s GRC programs is the ERM framework, which was issued in 2004 and hasn’t been widely implemented.
Companies need to fully embrace COSO’s frameworks for what they are. They are conceptual in nature and are not intended to be used to implement practical GRC activities. This gap in understanding has led to improper adoption of some elements of the COSO internal control framework and the lack of adoption of ERM.
4. Formal ERM
As indicated above, despite much discussion, there hasn’t been widespread adoption of formal ERM programs. It’s true that some companies have implemented bits and pieces, such as an enterprise-wide risk assessment, but, generally, that’s about as far as it’s gone.
There are two main barriers here: formal ERM takes a lot of work, and it’s often viewed as a result, not a process. In addition, almost any list of risks and controls will soon become obsolete. So, if the process is built toward a deliverable, it won’t be flexible and sustainable without considerable effort.
Finally, it’s important to note that integrated GRC is a step in the right direction, because the compliance and risk management functions are sharing information; but true ERM is a holistic and fully coordinated approach that is difficult to fully implement.
5. Compliance Bureaucracy
The last decade has seen significant improvement in GRC and increases in resources dedicated to risk management and control. Still, for some organizations, this increase in size and formality has led to inflexibility and bureaucracy.
This is a problem because risk management requires flexibility in order to deal with emerging, cutting-edge issues. For example, a lot of organizations are just beginning to realize that mobile computing risks are significant, even though many have had smart devices for over 10 years. The key take-away: risk can move much faster than a compliance function.
To combat this, organizations can’t forget the key objectives of their risk management and compliance functions. It’s very easy for a compliance function to focus on form and to lose sight of the substance of its efforts.
After all, the last thing in the world we want to see, to paraphrase Oscar Wilde’s words, is the bureaucracy expanding to meet the needs of the expanding bureaucracy.
Eric Miles leads Moss Adams’ Northern California Internal Audit Practice and is responsible for helping clients perform risk assessments and implement internal audit functions and other risk mitigation capabilities. He has over 15 years’ public accounting experience, including seven years specializing in SOX 404, internal audit and risk management for technology and life science companies. Eric is the Quality Assurance Coordinator for Moss Adams’ entire Internal Audit Practice and a member of the Firm’s Audit Advisory Committee which sets audit policy for the Firm. He is the outsourced director of internal audit for several organizations in varying industries. In this capacity, he is responsible for directing and overseeing the internal audit departments and reporting to Audit Committees on internal audit activities. Eric has deep experience in a wide variety of areas including operations, compliance, accounting, information technology and fraud prevention. Eric holds an MBA in Operations Management and Finance from Purdue University and has undergraduate degrees in Accounting and Computer Engineering from Pacific Lutheran University. He is a Certified Public Accountant (CPA), a Certified Fraud Examiner (CFE), is certified in Financial Forensics (CFF), and has achieved certification in Production and Inventory Management (CPIM).