Practical insights for compliance and ethics professionals and commentary on the intersection of compliance and culture.

Insights from management for compliance officers

This is the fourth and final in a series of four posts on insights for compliance officers from different fields of study.  The first post in this series covered lessons from psychology regarding, for example, self-interest and decision-making, from prominent figures such as Sheena Iyengar and Malcolm Gladwell.  The second post was about insights for compliance officers from self-development and coaching, including from people such as Wayne Dyer and Eckhart Tolle.  Last week’s post discussed behavioral economics, focusing on the work of people such as Dan Ariely and Richard Thaler.  Today’s post will suggest ways in which management theory can be applied to corporate compliance programs.

As a practice, compliance is greatly concerned with topics such as governance, controls, leadership, sustainability, business values, organizational integrity, risk controls, institutional decision-making, tone and conduct at the top, and corporate culture.  It shares these general disciplinary themes with management theory, which takes on the broad task of determining and guiding the strategic direction of an organization and steering its employees and resources in furtherance of these goals.  Given that a robust compliance program contributes substantially to the regulatory, practical, and cultural aspects of this task, compliance officers stand to gain considerable insight from studying commentary from the field of management theory.


GRC for compliance professionals

Compliance as a function is sometimes subject to varying definitions. Across different companies, industries, and cultures, organizational perspectives on the purpose and scope of a compliance program can vary. Some see compliance as an alternative to or close relation of the legal department, while others position it much more independently, perhaps as an intermediary between the business lines and audit. Still others may see compliance as the repository for risk-based support activities that do not otherwise fall cleanly into any other established unit.

As previously discussed on this blog, and as this blog will continue to emphasize, the autonomy and visibility of compliance is integral to the integrity and sustainability of an organization’s employees and business strategy. Compliance blends a rules-based approach with a values-based approach to reconcile ethical expectations with legal obligations and technical requirements.

Professionals who work with interpreting legal and regulatory guidance and implementing these into business practices will likely recognize the acronym “GRC.” GRC stands for governance, risk management, and compliance. This umbrella term integrates these functions to describe the operational activities undertaken by an organization to execute plans, manage risk, and encourage integrity.

The GRC model refers to process themes, not necessarily functional units of an organization. Indeed, the three themes of GRC may be included in operational tasks and across numerous independent departments, including HR, finance, IT, audit, and at the board level, in addition to the obvious areas such as risk, legal, and compliance.

GRC can be seen as a discipline that seeks to coordinate the flow of information and ownership of risk so that the activities and processes it encompasses are effectively and efficiently incorporated. As organizations become bigger, this discipline becomes all the more important for keeping channels of communication open and clear, both up and down silos as well as across business areas.

Ethical decision-making thrives in an integrated system where objectives are clearly expressed and information-sharing is transparent and relied upon. Elevating a coordinated GRC discipline can foster a communication regimen in an organization where reasonableness and feedback, rather than heuristics and routine, dominate. Equity and integrity can thrive if actions are taken openly and cooperatively rather than in isolation.

In the ever-changing regulatory landscape of modern business, it is essential that an organization’s GRC activities be coordinated so that work is not duplicated or wasted and gaps are filled rather than passed over with tunnel vision. These functions share stakeholders and objectives, and therefore should share information to maximize meaningful impact and minimize redundant effort.

The basic concepts of the GRC approach are all useful for a compliance officer or other professional to consider:

  • Governance: This refers to the management control framework used by an organization’s senior leadership, relying on management information from across the organization in order to direct and control the overall strategy and operation of an organization. This concerns major existential questions for the organization, such as – what are the roles of leaders at all levels? What are the reporting mechanisms and what checks and balances exist for these? How does business strategy translate into directions to various business units and how are these instructions communicated to employees? Having an informed perspective on the organization’s governance objectives is very important for a compliance officer because this gives insight to the tone at the top and the mechanism through which these critical values become concrete practices.
  • Risk management: Risk management is the identification, assessment, and response to risk factors which may have an impact on an organization’s activities. This also includes considering risks which currently have no impact, and confirming that this evaluation remains correct and current as business objectives and conditions change. All organizations are subject to some risks, such as operational risk, technological risk, and financial risk, while others are determined by the industry in which the organization operates, such as market risk, liquidity risk, political risk, third-party risk, and product-specific risks. Risk management entails planning and implementing controls in order to address these risks, either by mitigating them, changing strategy or practice to eliminate them, accepting them, or transferring them to a service provider or partner who is best positioned to respond to them. Legal, legislative, and regulatory risks are of particular interest to compliance officers, as are compliance-centric risks such as reputational risk. Compliance officers should take risk identification and assessment well into account when planning compliance program objectives so that these can be fine-tuned to the emergent and most important needs the business faces in this area.
  • Compliance: Of course, staying in good standing with supervisory authorities, and ensuring that business practices and procedures meet the standards and requirements set by external laws and regulations as well as by internal policies and procedures, ensures that the work done in governance and risk management activities is properly directed and sufficiently supported. An ongoing assessment and prioritization of the compliance program’s effectiveness and appropriateness is necessary to ensure that the controls in place are up-to-date and working as intended.

The themes above are all germane to the objectives of a compliance program and can be referred to in seeking buy-in from senior management or supervisory board members, with whom ultimate responsibility for establishing and executing these systemic processes rests.


Margin Call and unethical crisis management in the financial services industry

The 2011 movie Margin Call focuses on the conduct of the employees of an investment bank in disaster mode. The movie takes place in the prelude to the 2008 global financial crisis. During a reduction in workforce, an analyst reveals that the firm’s predictive models are showing that its portfolio of mortgage-backed securities will soon experience losses which will exceed the highly-leveraged value of the firm and lead to its bankruptcy.

The rest of the movie centers on the behavior of the firm’s employees and senior management and the choices they make in handling this discovery. Unsurprisingly, many of them model unethical decision-making and provide cautionary examples from which governance and compliance structures can take advice for what to prevent.

  • Key man dependency and lack of transparency – The entire movie revolves around the too-late discovery of the projected losses by an analyst. His boss was working on a project to try to figure out what was wrong with the firm’s models, but he was laid off before he finished his analysis. This scenario suggests the conclusion that if the boss had not been working alone or had been sharing his work in progress sufficiently, then the problems could have been discovered earlier and the entire dilemma could have been avoided or at least mitigated. An insecure overdependence on the work of one vulnerable man and a lack of honest disclosure led to this firm’s undoing from the very start.

  • Corporate code of ethics and culture drivers – A firm’s compliance program sets a tone and provides a rules-based structure for employees. Ultimately each individual still has the freedom to make unethical or inappropriate decisions for himself or herself, but the choice architecture provided by a firm’s governance controls matters for setting expectations. Corporate enablement of immoral or unethical behavior starts with its simplest practices, such as reimbursement of expenses, especially in a business where the financial upside for compensation is immense. In a firm where an anything-goes culture reigns, the downside of this culture is also immense.

  • Tone at the top and unethical executive decision-making – In a series of overnight meetings, the firm’s senior management decides to hold a “fire sale” and dump their toxic assets to limit their own exposure by dispersing the risk through the markets and ripping off their counterparty broker-dealers. They also know that their customers will quickly realize what they are doing and be disenchanted by the deceptive sale of only their troubled mortgage-backed securities holdings. Senior management justifies and solidifies their choice to destabilize the entire market and subject counterparties and clients to losses to avoid their own bankruptcy.

  • Lack of business sustainability due to dishonest practices – By selling the toxic mortgage-backed securities to the counterparty firms which should be their trusted partners, the traders end their careers, as no one will do business with them again in the future. They are compensated handsomely with promised bonus pay-outs, but there is another large reduction in workforce once their dirty work is done. The principals of the firm plan to profit from the coming financial crisis, but their business as it was, as an investment bank, is over.

  • “It’s just money” – moral relativism as justification of unethical behavior – The CEO and chairman of the board takes an apparent long view on the actions of his firm, seeing their choice to deceptively unload toxic assets on the market in order to stem their own losses by kicking off systemic disorder, as a mere reaction. “It’s just money” is a wilful disconnection from the human and integrity costs; believing that the entire economic system is a historic construct makes wrongdoing within it blameless. However, this is not reality; financial crises have real impacts and victims, and money is not just “pieces of paper with pictures on it.”

At every turn, Margin Call exemplifies bad corporate conduct, insufficient compliance and governance controls, and unethical decision-making. This movie provides a primer as to the devolving organizational accountability that set the stage for the 2008 financial crisis.


Enron and the mood in the middle

The Enron scandal is one of the most famous examples of modern corporate fraud and corruption. The publicity of the fraud, subsequent bankruptcy of the firm, trial of principals Kenneth Lay and Jeffrey Skilling, and the cascading negative impact on employees and shareholders form a notorious history of corporate malfeasance and misleading investors.

Enron was an energy company that dominated its market in the 1980s and 1990s. Originally involved in the distribution of electricity and natural gas and the creation of the related infrastructure, Enron extended its business, through a series of mergers, acquisitions, and expansions of corporate strategy, into commodities trading, retail energy, water distribution, and data management. Enron was well-known for its commercial success, immense corporate wealth, and aggressive marketing and promotion strategies. Enron was also a fraud, with many of its purported assets overestimated in value or non-existent, and its immense liabilities and losses hidden in other entities so that its financial statements appeared much more positive than they ever actually were.

More has been written about the pervasively fraudulent practices that led to the Enron scandal, and the individuals and motivations behind them, than probably any other corporate bankruptcy in history. Many of the principles of, and the unfortunate justifications for, a robust compliance and ethics program can be illustrated by this case. One of the more interesting points of analysis involves the conduct of employees during the fraud and their reaction to signs they may have noticed but not reported, followed by the eventual widespread discovery of the scandal.

Professional skepticism is undervalued in many corporate cultures. Enron employees were so enchanted by the aspirational allure that the company offered that they too often became blind to risks and unethical behavior, and missed or refused the opportunity to get out or to report the fraud. Discussions of corporate governance and compliance programs often focus on “tone at the top” (senior management and supervisory boards) or on the impact corporate collapses have on shareholders and the public – but a more important question is what about the employees who were there during the fraud, may have noticed signs, did not or could not do anything, and afterwards are left with nothing but a sense of betrayal? The question of how to encourage these employees to mitigate risks or report wrongdoing, even in the face of personal loss or certain reprisals, challenges and inspires compliance professionals to strive for positive change.

This tale of corporate non-governance, as it was, demonstrates that putting compliance and ethics on the back burner in favor of commercial and competitive pursuits can have a far-reaching disastrous impact. The intersection of business and compliance will always be a tense spot, underscored by commercial pressures, cultural differences, and never-ending change. However, a closer, more understanding relationship between the two disciplines is the best path to modelling the employee conduct that is necessary for longevity and sustainability of success.

For compelling anecdotes from a personnel perspective of the Enron scandal, this 2002 article by Charles Fishman is a good read.