This post was originally shared in the ACC Docket and is republished here with permission from the author.
Today, I watched a documentary about a professional surfer that survived a 70-mile-per-hour plunge down the choppy face of the biggest wave ever surfed. This wave was so big and so fast he had to be towed into it by jet ski. In the documentary, the surfer gives a blow-by-blow account of his death-defying feat, describing in detail what it was like to be chased by a wall of water the size of a seven-story office building.
As I marveled at this man’s daring, I noted a significant difference between his appetite for physical risk and mine. I enjoy a wide variety of sports – some of which present moderate physical risks like skiing and wind surfing – but I would never even contemplate being towed into a massive wave on a surfboard. Simply put, my risk appetite is considerably less than that of the professional surfer, who likely resides somewhere near the top of the risk tolerance spectrum.
Similarly, I think corporations exhibit a wide variety of risk tolerance. Some, like the big-wave surfer, may be comfortable operating with few controls to prevent and detect bad behavior, while others are more conservative. As corporate counsel, you may have a sense of where your firm fits on this spectrum based on your observations of the company’s behavior. But if you were asked to do so, how would you go about quantifying your company’s compliance and ethics risk tolerance in terms that would provide actionable intelligence to your leadership team? If your company does not currently have a practical means of answering this question, your management team may be unwittingly careening down a very steep wave while thinking that they are paddling on flat water.
There may be many sensible ways to determine your company’s compliance and ethics risk tolerance. But for such an exercise to be worthwhile, at the least, it must take “risk tolerance” out of the theoretical realm and produce data that decision-makers can use to make conscious choices about how much risk they would like to accept. I think Chapter 8 of the U.S. Federal Sentencing Guidelines (FSG) provides some insight into one way you might assess your firm’s risk tolerance and also satisfy one of the more difficult mandates of the FSG’s seven elements of an effective compliance and ethics program.
The Corporate Risk Universe
As you may know, corporate risks generally fall into one of the following four categories:
- Compliance and ethics
The first three risk categories listed above are driven primarily by external forces like currency fluctuations, natural disasters and the competitive landscape. By contrast, compliance and ethics risks are driven entirely by the behavior of directors, employees and agents. So, when we are seeking to assess our firm’s compliance and ethics risk tolerance, our aim is to determine the degree to which management is comfortable with the state of the company’s compliance and ethics program. As a consequence, one way you might measure your firm’s compliance and ethics risk tolerance is to undertake the work necessary to satisfy the FSG’s requirement to “take reasonable steps to evaluate periodically the effectiveness of the organization’s compliance and ethics program.”
Here’s how this might work. The third element of the FSG’s seven elements of an effective compliance and ethics program reads as follows:
(3) The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.
Evaluating the effectiveness of your due diligence systems designed to satisfy this FSGs requirement will provide you a meaningful measure of your company’s risk tolerance. Specifically, if your company’s due diligence systems are weak or nonexistent, this is evidence that your firm is exhibiting a high risk tolerance in this area. In other words, your management team is, unwittingly or not, “tolerating” a higher probability that one or more ne’er-do-wells will join their ranks than a firm that has invested in a highly effective due diligence system.
Regardless of where you determine your firm sits on the risk tolerance spectrum, your measure of compliance and ethics program effectiveness does the important work of providing your management team the information they need to consciously set your firm’s risk tolerance. If management is satisfied with the effectiveness of the company’s due diligence systems of individuals elevated to senior management positions, then they are “tolerant” of the residual risk. If, by contrast, they are uncomfortable with the current state, they can either increase or decrease the amount of diligence performed to set the risk within what they perceive to be an acceptable range.
The same process can be undertaken with respect to all other elements of your compliance and ethics program. For example, an evaluation of the effectiveness of your standards and procedures, compliance and ethics training programs, auditing and monitoring and responsiveness to detected instances of misconduct could all serve as a measure of your company’s “tolerance” of the compliance and ethics risks such systems are aimed at mitigating.
Reasonable business professionals will certainly differ with respect to how tolerant they are of compliance and ethics risks. But regardless of where your management team sits on the risk tolerance spectrum, be sure to do your part to help them understand where they are so they don’t get clobbered by a giant “wave” they don’t see coming.