This article appeared previously in the Association of Corporate Counsel’s ACC Docket and is published here with permission from the journal.
At 5:12 a.m. on April 18, 1906, a powerful primary wave rippled through San Francisco at supersonic speed. Twenty seconds later, violent shocks punctuated the strong shaking that lasted nearly a minute. This great earthquake left buildings across the city in ruins and ignited a fire that raged for three days.
When the smoke cleared, not many buildings were left standing, with one notable exception: the Shreve Building. Constructed in 1905, the Shreve Building survived due to a decision by those who financed the project to use state-of-the-art engineering technology. The interior of the building was damaged by fire, but its structure withstood the blaze because columns above the second floor were fireproofed with three-inch hollow tile, those below with concrete. Those who paid for the Shreve Building’s construction undoubtedly paid a premium to install these protections. But their foresight and their investment paid off. The Shreve Building was rehabilitated and, as earthquakes have come and gone in the city over the decades since the great quake of 1906, destroying many other less well-constructed structures, the Shreve Building survives to this day as a San Francisco landmark in the city’s premier shopping district.
Earthquakes and fires are ever-present risks. But, like the many risks that face businesses, they only manifest themselves episodically. It is this characteristic of risk that often leads business professionals to become too complacent and make cognitive errors regarding risk magnitude. We also only tend to focus on those risks that make the headlines. We become concerned about flying after the news of a crash, despite the industry’s spectacular safety record, but think nothing of driving our cars despite the fact that it is much more hazardous.
So, those of us in the compliance and ethics risk-mitigation business have our work cut out for us. It’s our job to find effective ways to battle against our all-too-common tendency to either ignore or underestimate the legal and ethical risks facing our firms, a tendency that ultimately results in either the misallocation of resources or a chronic under-investment in key compliance and ethics management systems.
Deloitte’s Compliance Trends Survey 2013 (the Survey) sheds some light on how compliance and ethics programs are currently faring in their struggle for resources. Deloitte’s report summarizes the results of a survey completed by 189 senior-level corporate compliance, audit, risk and ethics officers worldwide from March 15-29, 2013. Generally speaking, the Survey is a portrait of a profession that seems to be coming of age, with 52 percent of respondents indicating they perform an enterprise-wide risk assessment annually, and 51 percent stating that their Chief Compliance Officer reports directly to the CEO or the Board.
Nevertheless, the Survey noted some worrying trends as well.
The majority of companies reported that their compliance and ethics departments run on a relatively tight budget and staffing. The median size of survey respondents was $1 billion to $5 billion in annual revenue and 5,000 to 10,000 employees, but 52 percent said their full-time compliance staff comprised five or fewer people, and 47 percent said their annual budget for compliance — including salaries — is less than $1 million.
It’s difficult to discern from this data whether corporations are generally taking on excessive enterprise risks by failing to make prudent investments in their compliance and ethics functions. In addition to the relatively small sample size, the Survey did not explore the state of many other investments corporations routinely make to manage their risks. And the reality is that some, like the builders of the Shreve Building, will invest in state-of-the-art risk management systems, while others will not. The difficulty for those of us engaged in the legal and ethical risk management biz is gaining a clear picture of where our firms are on this spectrum and what to do about it.
Although there are no absolute yardsticks by which we can make this measurement, I think we can make great progress if we work together with our colleagues to seek *real* answers to the following three questions:
- What are our top enterprise risks?
- What systems are we counting on to avoid or mitigate these risks?
- What is the reliability of these systems?
I highlighted the word “real” in the preceding sentence, because many efforts to seek these answers are poorly designed, poorly executed, half-hearted and/or short-lived. This may be due in part to the fact that it is frequently difficult to get business professionals engaged in this kind of work at all, let alone over the long term. But one way you might persuade doubters in your organization to at least take the first step on this journey is to observe that it does not take a significant investment of resources, in time or money, to obtain meaningful answers to these questions. You simply need to get the right people in the room (usually middle managers who are very familiar with how things are really working in their respective departments) to focus on these questions and tell you what they already know. Simply ask them what risks they manage, obtain a simple description of the systems associated with those risks and ask them to characterize the reliability of those systems in a heat map: green for “good enough,” yellow for “needs some improvement” and red for “we don’t have one or what we have is very unreliable.” If people come prepared, you can get these answers in four hours or less in a well-run meeting, and you will then be in a position to identify and pursue opportunities for improvement.
If you are successful in engaging your colleagues in such an exercise, one thing you might keep in mind is that your success may depend less on the techniques you use than on the general mindset of those engaged in the work. I think that if you and your colleagues gather this information with the intention of building a company that will endure for many decades to come, like the builders of the Shreve Building, you will optimize your chances of creating corporate structures strong enough to endure the “quakes” and “fires” that every business faces over time. By contrast, those who simply want to engage in a superficial risk assessment exercise or, worse yet, deliberately under-fund or ignore critical risk management activities, are making a bet against reality that will eventually have to be paid. We will all find out who these businesses are the next time the “ground” shakes and the “blazes” rage by looking around to see who is left standing when the smoke clears.