Karima Mariama-Arthur (consulting@wordsmithrapport.com) is CEO of WordSmithRapport in Washington, DC, and Christopher Mayer (christopher.mayer@westpoint.edu) is Associate Dean for Strategy & Initiatives, United States Military Academy at West Point in West Point, New York, USA.
Colonel Mayer’s views are his own and not the views of the United States Military Academy, the United States Army, or the Department of Defense.
As our world becomes more connected and equally complex through global stakeholder engagement, advances in technology, and an ever-changing regulatory framework, organizations everywhere face new challenges, increased expectations, and greater exposure to compliance risks. Yet the concept of risk is hardly straightforward. And, even though good governance rarely relies on a single approach for mitigation, the process is often siloed. This is why practicing federated compliance—true collaboration across departments—can be a game-changer for organizations that prioritize it.
Evaluating risk is designed to be a meticulous process, where heightened scrutiny is the norm, rather than the exception. For this reason, due diligence requires tangible opportunities to diagnose, troubleshoot, and provide ongoing prescriptive guidance. While all organizations must confront their fair share of common compliance issues, most are unique. A large portion is industry-specific; others arise because of changes in the regulatory landscape. Still more are triggered in times of volatility, uncertainty, ambiguity, and complexity, such as during our collective experience with the COVID-19 pandemic.
Whatever the motivation for mitigating risk, a hard truth remains: Too many organizations simply don’t know where to begin. And, the failure to close this knowledge gap can be disastrous, as subsequent remedial measures do not always work. According to a joint survey conducted by Deloitte & Touche LLP and Compliance Week, 40% of companies do not perform an annual compliance risk assessment. That’s 40% too many.[1]
Choosing to ignore potential risks only puts an organization’s business, financial, operational, and legal structures in jeopardy. Regulators are keen on having their compliance expectations met and are prepared to escalate enforcement when they are not. To avoid the worst result, organizations must be proactive about identifying their susceptibility to risk and implementing a compliance management program that effectively safeguards their future.
We have learned a great deal over the last two years and, as a result, have had to change the way we view and plan for risk. What follows are some important points to consider.
A necessary shift toward agile crisis management
Not all crises can be broadly predicted, suggesting the need to raise the frame on how we deal with the unknown. Interestingly enough, an organization’s past performance, coupled with its institutional memory, provides valuable context for its current crisis management practices. Even still, when governing in real time, organizations need the dexterity to move swiftly and sustainably through a current, unforeseen crisis. If not managed well, an unexpected chain of events can dismantle an organization and its stakeholders.
In 2020, our cozy realities were upended by the COVID-19 pandemic, a crisis that shook the foundations of our society and battered its infrastructure. If that wasn’t enough, add several deadly natural disasters, along with a barrage of social and political unrest, and we were at our wits’ end. Forced to operate outside of our comfort zones, we soon learned that none of the battles we were waging could be managed in a vacuum. To survive, we needed to act responsibly and expeditiously. The good news is that we learned to be agile.
Agile crisis management, the process of successfully addressing crises by leveraging technical expertise, continuous learning, collaboration, and flexibility, is a well-recognized approach embraced by high-performing organizations worldwide. It takes into account the fact that “the world is ever-changing and consistently serving up challenges that represent volatility, uncertainty, complexity and ambiguity,” and as a result, organizations must be able to effectively “connect the dots between clients, suppliers, marketplace twists, technology, processes, economics and politics.”[2] At a very basic level, this is a nonnegotiable aspect of mitigating risk.
The term “agile” also describes a results-oriented, nimble approach to problem solving that focuses on iterative development, where outcomes are produced incrementally through rigorous communication and collaboration among cross-functional departments. This encourages divergent thinking, helps to address potential knowledge gaps, and allows for the discovery and correction of mistakes along the way. Because the process is ongoing and adaptive, it readily incorporates creativity and innovation within its framework. An organization is free to create the way forward by leveraging incremental change, continuous improvement, radical change, or paradigm shifts to produce desired results.[3]
While there are infinite models of agile crisis management available, there is only ever a need to implement one, and it doesn’t need to be elaborate. The litmus test is simply whether the concept helps an organization adequately prepare for, prevent, cope with, and recover from a crisis.[4]
Prioritizing appropriate stakeholder engagement
Stakeholders—individuals and entities with vested interests in the decisions, activities, and outcomes of an organization—should have a rightful seat at its information table. They necessarily include internal and external coalitions whose contributions help to propel an organization forward.
Long before the pandemic, effective communication was considered fundamental to responsible stakeholder engagement. And, even though ongoing dialogue, transparency, and accountability were cited as essential to the process, the problem has always been a lack of application in practice.
During the pandemic, organizations discovered their duty to communicate with stakeholders was more important than ever. Because changes were happening so rapidly and affecting the entire supply chain network, it was no longer acceptable to omit details or exclude entire departments from the conversation. Creating and preserving “the record” became more than anecdotal. Perfunctory measures meant to keep decision makers and regulators at bay were now proscribed.
This dynamic new environment exposed archaic (and in some cases, nonexistent) reporting policies and procedures that were negatively affecting the triple bottom line. As a result, organizations were forced to reevaluate their practices to reflect a heightened sense of awareness and the requisite new levels of scrutiny. This included leveraging technology to support remote work, as well as various modes of purposeful interaction. These shifts emerged as disruptive innovations across industries that would continue to be prioritized far beyond the pandemic.
To account for the countless shifts in the world of work, and as an additional way to strengthen stakeholder engagement, organizations have now begun to reimagine their workspaces, benefits packages, brand identities, and cultures. To achieve greater buy-in and long-term commitment to their enterprises, organizations are now more clear than ever that the roles, responsibilities, policies, and procedures they incorporate must reflect an informed approach to doing good business and mitigating risk.
Horizon scanning and scenario planning
The COVID-19 pandemic caught most organizations by surprise. While it is tempting to believe there was no way to be prepared for something like a pandemic, horizon scanning and scenario planning can help organizations prepare for and rehearse responses to these types of high-impact, low-probability events, which are referred to as “wild cards” in the foresight field.
Horizon scanning and scenario planning, both foresight methods, do not allow organizations to predict the future, but they offer an approach to imagine possible futures so organizations can identify potential risks and opportunities and take action to strengthen preparedness in case aspects of those futures become reality. Scenario planning also helps organizations articulate their desired futures and develop strategies to achieve these futures.
There are several approaches to scanning. One common approach uses STEEP categories—Society, Technology, Economic, Environmental, and Political—to focus scanning efforts and to ensure that scanning takes place across broad areas. The goal of scanning is to identify trends, which reflect broad changes occurring now with the potential to continue into the future, and weak signals, which may indicate emerging trends. Once trends and weak signals are identified, it is possible to envision driving forces of change that can be used to develop scenarios. It is important to scan with open minds and with diverse groups whose members approach the world from different perspectives to ensure the scanning effort does not overlook certain areas.
Trends and weak signals, and the uncertainties associated with them, are used to develop scenarios that reflect different futures. Scenarios allow organizations to identify risks and opportunities (positive and negative changes) that may occur in possible futures and consider how they would sustain their compliance management program and mitigate the impact.
There are a number of ways to develop scenarios.[5] One approach is to create one scenario that reflects a continuation of current trends and others that reflect alternative possibilities based on weak signals and possible wild cards. This is called the archetype method. Another approach is to select the two driving forces with the most impact and uncertainty and use them to develop 2x2 matrices.
Horizon scanning and scenario planning are not effective if just done once. Scanning must be performed periodically, as must the revision of scenarios, development of new ones, and adjustment of organizational strategies. Also, organizations should identify indicators that provide warnings if elements of scenarios are becoming reality. There is much more to know about scanning and scenario planning, so we recommend reading the articles, “Scenario Planning and Wargaming for the Risk Management Toolkit,”[6] “Five Principles for Thinking Like a Futurist,”[7] and “What Functional Leaders Should Know About Scenario Planning.”[8]
The importance of promoting operational integrity
The physical environment plays an important role in onboarding new team members, which is essential for ensuring they embrace the organization’s standards and values and reduce the risk of compliance violations. In-person gatherings, physical symbols, and the general feeling from being in a physical place all communicate standards and practices and build the necessary trust and commitment to the organization. The shift to a remote workforce during the pandemic and the transition to virtual onboarding offer many challenges to achieving the same impact.
While the formal part of in-person onboarding often took place over entire days, virtual onboarding should take place over multiple sessions that allow new hires to meet and learn from people from across the organization. These sessions should be interactive and should, as much as possible, allow for virtual face-to-face engagements. Spreading the sessions out prevents Zoom fatigue and provides time to reflect and consider questions. Even though the onboarding is virtual, it is still necessary to assign sponsors whom new hires meet with individually and who can answer questions. Compliance commitments should be woven throughout these sessions, and new hires should be provided an orientation on policies and procedures as well as given access to digital copies.
Another loss is “absorbing by observation.”[9] Following formal onboarding, new employees often shadow more experienced employees in the office. This practice is especially impactful for developing employee commitment to and knowledge of compliance standards. As hybrid work seems like it will be a norm for many organizations after pandemic constraints are lifted, there must be a focus on effectively enculturating new team members. The commitment and knowledge developed from these efforts will enable organizations to sustain their compliance operations even during crises.
The last two years have presented several challenges and possible solutions for sustaining and strengthening operational integrity. A Society of Corporate Compliance and Ethics & Health Care Compliance Association survey found that there has been a 36% increase in compliance inquiries during the pandemic.[10] Also, 77% of respondents expressed concern that the pandemic greatly or somewhat increased the risk for compliance failures. The survey found that compliance departments that are integrated into their organizations can better meet these challenges and address some of these concerns. Respondents to a Star Compliance survey suggested that automation can enhance compliance program efficiency and effectiveness, allowing compliance professionals to address the increased number of inquiries they are seeing.[11]
In addition to improved integration, automation, and communication, organizations have also learned how to sustain and strengthen organizational culture when team members are distributed in organizations. Some practices for doing this include overcommunicating to compensate for lack of in-person interactions and employing video during meetings whenever possible so that, in addition to seeing everyone, leaders can model appropriate behavior and reinforce policies and procedures.
Even more attention should be paid to what is written so that it is not misinterpreted, as team members may be hesitant to ask questions electronically. Leaders must also be intentional about making themselves available to their direct reports and communicating the importance of ethics and compliance. These practices will be useful for organizations that adopt hybrid work models. Additionally, streamlining employee communications to only include essential information can help focus attention to compliance-related issues.
Thinking systematically
The challenges of the last year and a half have led many organizations and their leaders to change how they evaluate risk and plan to mitigate it. Though it is impossible to be prepared for everything, organizations must prioritize the development of agile crisis management capability, so they are able to adapt when faced with inevitable crises. Compliance efforts must be integrated throughout organizations, and stakeholder engagement must be a priority. Automation should be employed to improve effectiveness and efficiency, although there must be a way to sustain compliance operations if technology fails.
Organizations should review the policies and procedures that have changed over the last two years and determine what should remain changed and what should be set aside in case of another crisis. Additionally, organizations must consider what elements of work have changed and will change, and what risks this presents for compliance management.
Foresight methods can also help strengthen organizational preparedness by having organizations consider what could happen in the future and what risks might affect their compliance management efforts. Team members can think through how they would respond to different scenarios and then make the changes that enable them to continue effective operations if these conditions ever exist. These efforts must become part of how organizations do business, as must monitoring for indicators that suggest parts of a scenario are becoming reality.
Compliance management is too important to assume that there will be no disruptions. Compliance professionals must be able to sustain operations in a crisis, adapt to new ways of working, and think systematically about the future to identify and prepare for possible risks.
Takeaways
- Organizations are increasingly exposed to compliance risks due to the world’s increased connectedness and complexity. Ignoring them puts financial, operational, and legal structures in jeopardy.
- Organizations must shift to agile crisis management because they cannot predict every crisis. This will enable them to successfully adapt during crises.
- During the pandemic, organizations learned the importance of communicating with stakeholders. Going forward, they must prioritize appropriate stakeholder engagement.
- Horizon scanning and scenario planning can help organizations imagine and prepare for the risks and opportunities they might face in alternative futures.
- Compliance leaders should consider the impact of new ways of working and addressing compliance issues during crises.