Managing Corruption Risk: A Holistic Approach
In a Control Risks White Paper (link here), “Risk, An Organizational Perspective,” author Alison Taylor (Senior Managing Director, Control Risks), states that “the traditional preventative approach to risk management is proving inadequate in the face of regulatory complexity, volatility and an environment of constant change.” However, as Alison continues, “what should replace it is not yet clear.”
In describing an organizational approach which goes beyond traditional “risk management” that is often “lacking in dynamism and commercial relevance,” Alison recommends that organizations consider “a holistic perspective that embeds risk consciousness into every part of their businesses, not just in the departments charged with formal regulatory or policing rules.” Indeed, while I have seen a tremendous and robust debate in the compliance community about the “internal processes” that appropriately need to govern anti-corruption compliance programs, what I have not witnessed is an equally healthy discourse about how a multidimensional approach to risk can impact compliance by addressing more than just “checks and balances.” I agree with Alison in that “treating corruption solely as a preventable risk stymies vital debate around these issues,” and I would add that such a gap comes at a time when the need for a more rigorous analysis has never been greater.
The current debate
As much of the current debate reflects, companies continue to “view risk management as a cost, failing to incorporate it into strategic and commercial considerations.” In other words, the current qualitative and threat-assessment view, while essential, “often fails to cover the spectrum of risks companies face.” Furthermore, “companies tend to treat corruption as a ‘preventable’ risk and make anti-corruption implementation the responsibility of the compliance and legal department.” Such an approach stops the discussion from continuing to address “the full organizational implications of the risk management response.”
From my perspective, this behavioral-based, or “threat assessment” approach to risk mitigation, appropriately focuses on audit, control, policies and procedures. As Alison well states, it is indeed essential, but the question remains, given the continued stream of FCPA and other anti-bribery enforcement actions being reported, is it working? Based on the continued rising tide of violations, I think not. Furthermore, this “traditional preventative approach” to compliance “does not tackle the full scale of the corruption challenge, which cuts across every aspect of a multinational company’s business.”
So, where does the current model need to be challenged? First, while a CEO might think globally, when it comes to corruption risk, it is critical to understand that “all risks are not created equal, and different risks require different responses.” Indeed, in some cases, this analysis may have to be dissected on a country-by-country basis, as even within regions, generalizations as to the external environment might not be possible. As Jonathan Berman states in Success in Africa (2013, Bibliomotion), a great example is Africa, where businesses fail “because they fail to distinguish its parts, and because they fail to grasp its whole.”
Thus, in any risk analysis, there is no substitute for an understanding of local and regional risk, for as Alison states, those “are the risks that the company cannot mitigate through internal measures.” As Matteson Ellis describes in How to Pay a Bribe (chapter 8, 2014, Wrage), in certain regions, where the institutions of government are weak, procurement personnel are poorly trained and compensated, “bribe requests might be baked into the economic order.” In other words, know up front what the risk peculiarities are before you start rolling up sales forecasts and business strategies to your boards, shareholders and front line business teams.
The Alpha Strategy
When those risks are carefully analyzed and weighted at the start of the planning process, then organizations can better balance “risk and opportunity,” and consider the full implications of strategy on the rest of the org chart. As my friend Alan Kennedy states in his work The Alpha Strategies, you can’t plan strategy if you don’t know current strategy (see prior post). So why not bring in your front line business teams and find out how they are now confronting and potentially struggling with corruption issues? As I have shared before, the more upset you are by those conversations, the better they are going, as you can ‘fix what you know.’
Failure to embrace the strategic implications of risk, specifically corruption risk, into the planning process can result in employees not seeing compliance as “an essential part of organizational success,” and when that happens “process will not solve the problem.” Worse, where incentives are indexed to individual performance in low-integrity regions, and where forecasts do not reflect corruption risk, compliance can be viewed as “bonus prevention” at the front lines of international business, as employees ponder “what does management really want, compliance or sales?”
When the implications of risk “are not incorporated into business development and strategic plans,” and front-line sales teams are being given aggressive growth targets in low integrity regions, then what is the message to the front line? As Alison states, at the field level, the message that nets out of this détente between compliance and strategy is that it might be necessary to “grease a few wheels” to win.
How things get done around here
When that happens, the ends of making and surpassing ‘plan’ often win out over the means of compliance, as employees will view the focus on financial gain as “the way things get done around here.” As Alison points out in referencing the work of those like Edgar Schein, this level of culture reflects the organization’s underlying assumptions, as being those traits “that are rarely, if ever discussed; they are taken for granted.” In other words “any risk management change effort that does not take into account organizational culture across divisions, locations and levels of seniority will never be ‘owned’ by the organization.” Worse, “it can never take root or succeed.”
When compliance is nothing but a “bolt-on” addition to “a business as usual approach - employees will quickly find themselves experiencing contradictory messaging and direction about what is important.” When that occurs, front line international business personnel will take compliance decisions into their own hands and make choices about “what management really wants.” In sum, management needs to understand the risk that their front line teams face in their territories and factor those risks “into decision-making, targets and individual incentives.”
Where that intersects the organizational paradigm that Alison proposes, from my perspective, is at the level of “interpersonal risk management.” This part of her organizational response to risk addresses “how employees are motivated and rewarded and how these incentives are communicated and understood.” The question that organizations should be asking about their existing bonus and compensation packages is “is it acceptable for them (employees) to walk away from business opportunities that might compromise the integrity of their company?” In other words, do employees know that they can ‘walk business’ back before compromising on their commitment to ethical conduct?
The ‘interpersonal’ response
When the interpersonal is addressed at the planning process, with a focus to ensure that business strategy, financial forecasts and incentive packages are all aligned to the message of anti-corruption, then employees understand both the stated and unstated messages: “we do not bribe.” As Pia Adolphsen (Associate Manager of Marketing Content Strategy at The Network) reported in a compelling article about Coca-Cola, when approached by state employees who threatened a plant opening unless they were bribed, Coca-Cola said “no.” As a result, all the players in the ‘corruption ecosystem’, givers and takers included, understood the “company’s priorities: our values matter more than opening on time.”
As Alison states, when management addresses risk as a part of business strategy, going well beyond the “compliance and legal department,” with the consequential impact upon “decision making, targets and individual incentives,” compliance and commercial success are now indeed complementary goals. When this occurs, management has made the up-front decisions “as to whether to enter some markets, accepting a certain level of inherent corruption risk, or stay out of them so they can maintain stated ethical commitments.” These are the “clear-eyed” decisions that leadership needs to take.
In such cases, front line employees “understand the company’s strategy, mission and risk appetite.” Hence, the way people get “paid and trained around here” is the same as “the way things get done around here.” No longer will field personnel experience “contradictory messaging about what is important.” My appreciation to Alison and Control Risks for elevating this issue and for making a significant contribution to the existing “topsy-turvy” logic which often prevails.
A full copy of the Control Risks White Paper is available here.