Last month, I discussed the importance of keeping a watchful eye on star performers and rainmakers. One of the suggestions I offered was to identify and manage the trust positions within the organization, meaning pay attention to the people whose actions and/or inaction can expose the organization to significant risk events. These individuals may include personnel who might not be regarded as “stars” or “rainmakers.” For example, people in trust positions include personnel responsible for such areas as public financial reporting and environmental, health and safety, among others. These are the rank-and-file folks who operate below the radar, but who nevertheless play an important role. This month, I thought further discussion would be warranted on the topic of identifying and managing “trust positions” in the organization.
Safeguarding assets and protecting enterprise value is as important over the long term as creating enterprise value. The unbelievably large losses experienced by established brands over the last 20 years as a result of unauthorized trading or use of financial derivatives certainly attracted the attention of the press as losses wiped out enterprise value that took years to create. In many of these cases, neither the Board of Directors nor the CEO – nor, sometimes, even the CFO – understood, much less authorized, the activities that created these large risk exposures.
Financial exposures make for interesting news. But there are other examples of significant exposures, as detailed below:
- When the books are cooked, reputations take a huge hit. Companies pulled into this web of deception have an Everest climb to recover from such breaches of the public trust. Corruption is another form of fraud which can result in severe penalties and sanctions under anti-bribery laws, not to mention an ugly ride in the press.
- Man-made environmental disasters such as toxic and hazardous waste incidents can be a source of protracted litigation, significant fines and reputation damage once news of them sees the light of day. By law in most countries, companies are expected to properly handle such materials. High-profile environmental failures create a negative brand image that can linger in the public consciousness for a long time.
- Other man-made environmental disasters include catastrophic accidents, another source of costly surprises. Five large, well-known man-made environmental accidents include the Chernobyl nuclear explosion (1986), Bhopal toxic chemical leak (1984), Deepwater Horizon oil spill (2010), Three Mile Island nuclear explosion (1979) and Exxon Valdez oil spill (1989). Recall of these types of incidents continues for a generation or two. For example, the safety reputation of the nuclear power industry still feels the weight of the influence from the Three Mile Island and Chernobyl events, and their effects on the industry were further exacerbated by the impact of the Japanese tsunami on the ill-fated Fukushima Daiichi nuclear power plant in 2011. These incidents point to the importance of managing environmental, health and safety risks as a sustainability imperative.
- Another sustainability imperative is security. Protecting intellectual property, “crown jewel” data and information systems assets and customer data are top-of-mind concerns to many businesses as they focus on managing cybersecurity, information security and identity and privacy risks.
- Product defects are another high-profile issue. A highly publicized crisis in 2000 caused by defective tires made by a major tire manufacturer and installed on different vehicles by several major automotive manufacturers was a public relations nightmare, resulting in more than 200 deaths and hundreds of injuries, according to an independent study. After some missteps on the public relations front, the cost of the recall was staggering for both the manufacturer and the automotive companies, particularly the one that purchased 70 percent of the tires, and ultimately led to the end of a 95-year customer-supplier relationship.
- Massive product recalls of toys in the consumer products industry, meat and poultry in the food processing industry and cars and trucks in the automotive industry never fail to affect the brand image of the companies involved, generate huge warranty and rework costs, lead to litigation and large fines and trigger calls for increased regulation.
- Employee safety is yet another significant risk exposure. A building in Bangladesh that housed several factories making clothing for European and American consumers collapsed in 2013, killing hundreds of people. Earlier, a deadly fire at a similar facility prompted leading multinational brands to pledge to work to improve safety in this country’s rapidly growing but poorly regulated garment industry. Having such safety issues as well as human rights abuses resident within the supply chain can present a serious brand image problem for a company once the public becomes knowledgeable of it.
While not exhaustive, the above examples of large risk exposures represent financial, operational and compliance issues in the real world that can develop over time into what we might call “ticking time bombs” waiting to explode unexpectedly. Once they explode and the spotlight shines on flawed decision-making processes or bad behavior, the brand takes a huge hit.
If management’s decisions and actions place the public or shareholders at risk of the consequences of a catastrophic event, however remote the likelihood of its occurring, the tarnish to the brand is not easily forgotten or forgiven. Experience teaches us that the market doesn’t care about what kind of cost-benefit analysis was conducted, the manner in which the organization rationalized its decisions or behavior or if management even knew of the conditions giving rise to the incident. What the market sees is an organization that places other priorities ahead of protecting the public interest.
A person in a trust position is one who is knowledgeable of significant risk exposures that meet certain criteria and has the potential to act on that knowledge, including bringing issues to the attention of the executive team. The criteria are:
- The actual or potential exposure can result in an event that could impact the company’s reputation through fines, penalties, loss of revenues, legal fees, loss of market capitalization, the “spotlight attraction” effect and other costs.
- The velocity or speed to impact is significant once the event is public knowledge, particularly if the event can occur without warning and its effects can escalate and attract immediate media and regulatory attention.
- The persistence of the event’s impact on the company over time is significant, e.g., the reporting of the event is likely to “snowball” rapidly and the duration of the headlines is likely to have considerable “legs” over a long period of time.
- The enterprise’s response readiness for the event is low, e.g., the CEO will have to drop whatever he or she is doing and circle the wagons to engage in damage control.
In the aftermath of catastrophic surprises, we often hear questions around who made the fateful decision, who knew of the underlying issues, when did they know about these issues, did they have sufficient authority to do something about it to prevent the incident from occurring and why didn’t they act timely or communicate the issues up the chain of command? With respect to these questions, the “who” and the “they” are often the front-line folks occupying trust positions. They are the ones who make the call. In essence, they exercise great influence over the enterprise’s most significant actual or potential risk exposures.
The point is this: While competent people are an important aspect of managing risk, relying on them without strong core values, limits, checks and balances and independent oversight, monitoring and reporting is as ill-advised as not understanding the risks inherent in what they are doing.
The following are 10 relevant questions you should consider when evaluating where the trust positions are within your organization:
- Do we know who the people are who make decisions that potentially affect or create large financial, operational or compliance risk exposures?
- Do we know where they are, what they are doing and why they are doing it?
- Do we know who supervises them? Are those individuals aligned with our core values and the tone at the top?
- Are we satisfied that the appropriate risk management policies, procedures and controls are in place to manage and monitor their activities and capacity to perform?
- Are we satisfied with the reporting we receive on their activities, the results of their performance and the effectiveness of the oversight? Are we satisfied with the adequacy of the monitoring of their activities?
- How are we rewarding them? Are we convinced our reward systems and culture are not creating dysfunctional “blind spots” that might drive reckless, risky behavior and/or a myopic short-term focus and cause the chain of command to disregard warning signs about their activities?
- Do we have the appropriate checks and balances and segregation of duties in place to prevent or detect unauthorized activities? Put another way, do we know what access these individuals have to systems and information to which they should not have access?
- Is there a timely escalation process so we can “apply the brakes,” if necessary, and undertake corrective action?
- Do we have a response plan in place to handle a crisis should one arise?
- Are we satisfied our managers bring us the full picture – upside and downside – relative to taking advantage of an opportunity or addressing a particular risk issue? For example, how much would it hurt if things didn’t go as planned, and does the potential upside adequately compensate the organization for assuming the downside risk?
One other question is perhaps the most important one of all: Are the CEO and executive team setting the appropriate tone with respect to escalating sensitive risk matters? To that, add yet another question: Can someone raise a serious issue to the executive team without repercussions to his or her career and compensation? If these latter two questions can’t be answered in the affirmative, the rest of the discussion is a waste of time.
Skepticism in the marketplace is quick to recognize the game of not wanting to know and positioning oneself for plausible deniability. Such lame excuses carry little weight in terms of evaluating whether an organization has appropriately enabled its personnel in trust positions to behave in the right way and make the right decisions. While bulletproof assurance that there will never be a serious incident is not a realistic expectation, satisfactory answers to the questions posed in this article will create greater transparency around the organization’s largest risk exposures.
In summary, managing trust positions starts with identifying the largest exposures and leads to designing the appropriate policies and procedures to manage them. But the capstone to the risk management process is providing strong monitoring and oversight over those individuals who are closest to the source of the risk.