Integrating Your Compliance Risk: Where the Rubber Meets the Road

In listening to companies discuss compliance in the areas of anti-corruption under the Foreign Corrupt Practices Act (FCPA), anti-money laundering (AML) or export control, one of the things that has consistently struck me is how siloed each of these groups invariably is within their company. Not only does this deny a company the ability to share a wide variety of talent and experiences, it can lead to the concept of what authors Robert Kaplan and Annette Mikes call the “functional trap” of labeling and compartmentalizing risk. In an article in the June issue of the Harvard Business Review, entitled “Managing Risks: A New Framework”, they declare that good risk discussions must be integrative in order for risk interaction to be evaluated. If not, a business “can be derailed by a combination of small events that reinforce one another in unanticipated ways.”

The authors posit that it is difficult for companies to accurately and adequately discuss risk for a variety of reasons. One of these reasons is the aforementioned silo effect which can lead to a lack of discussion by a wide group regarding a number of risks, for example compliance risk; reputational risk; brand risk; credit risk; human resources risk are but a few of the types of risks mentioned in their article. The authors believe that one of the ways to knock down these silos when it comes to a more complete management of risk is to “anchor their discussions in strategic planning, one integrative process that most well-run companies already have” in place.

I.                   VW do Brasil Risk Management Strategy

The authors cite to the example of Volkswagen do Brasil (VW) and the techniques used by its risk-management unit. Initially, the VW risk management unit uses the company’s overall strategy map as a starting point for internal discussions around risk. For each objective that the company sets, the risk management group identifies risk events which might cause the company to fall short of its objectives. Based upon this risk profile, the group creates a “Risk Event Card” for each risk on the strategy map, “listing the practical effects of the event on operations, the probability of the occurrence, leading indicators and potential actions for mitigation.” From this Risk Event Card, the risk management group creates a “Risk Report Card” which is a tool used to present and convey high level information to senior management within the company.

A.     Risk Event Card for the Objective of a Smoothly Functioning Supply Chain

Strategic Objective	Risk Event	Outcomes	Risk Indicators	Likelihood/ Consequences	Management Controls	Accountable Manager
Guarantee reliable and competitive supplier-to-manufacturer processes	Interruption of deliveries	OvertimeEmergency freightQuality problemsProduction losses	Critical items reportLate deliveriesIncoming defectsIncorrect componentshipments	1 2 3 X 4 5 1 2 3 4 5	Hold daily supply chain meeting logistics, purchasing, QAMonitor suppliers’ tooling to detect deteriorationRisk mitigation initiative: Upgrade suppliers’ toolingRisk mitigation initiative: Identify key supply chain executive at each critical supplier	Mr. O. Manuel director of manufacturing logistics

From this Risk Event Card, the risk management group will next create the Risk Report Card. It is organized by strategic objectives and allows senior management to see at a glance “how many of the identified risks for each objective are critical and require attention or mitigation.”

B.     Risk Report Card For Satisfaction of Customer Expectations

Strategic Objective	Assessed Risks	Critical Risk	Trend
Achieve market share growth	4	1	Flat
Satisfy the customer’s expectations	11	4	Upward
Improve company image	13	1	Flat
Develop dealer organization	4	2	Flat
Guarantee customer-oriented innovations management	5	2	Downward
Achieve launch management efficiency	1	0	Flat
Increase direct processes efficiency	4	1	Flat
Create and manage a robust production volume strategy	2	1	Downward
Guarantee reliable and competitive supplier-to-manufacturer processes	9	3	Flat
Develop an attractive and innovative product portfolio	4	2	Downward

II.                Risk Oversight Approach

The authors caution that beyond simply introducing a systematic process for identifying and mitigating key risks, companies should also employ a risk oversight structure. The authors discuss the experience of the Indian IT company, Infosys, which uses a dual structure. It consists of a central team that identifies general strategy risks and then establishes central policy, together with a specialized, decentralized functional team. This second team designs and monitors policies and controls in consultation with local business units. These decentralized teams have the authority and expertise to respond to changes in the company’s risk profile coupled with the nimbleness and agility of being in the field to deal with smaller issues before they become larger problems for the central team back in the corporate office.

All three of the components identified by the authors are relevant for your compliance program. Just as it is important to perform due diligence on third party representatives, before execution of an appropriate contract; the real work is in managing the relationship. In risk management, you must identify and assess the risk but the real work begins in managing the risk. This is where the rubber meets the road.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012