The full effects of the pandemic caught most of us by surprise. Sure, the signs were there. The Tube got a little bit emptier. We were all washing our hands every 10 minutes. We stocked up on loo roll and soup. But the majority of us wouldn’t have predicted back in March that we would still be in pseudo lockdown come Christmas time. With no precedent to follow, most of us have adapted to our new working arrangements on the fly, with varying degrees of success.

If there is one set of professionals that shouldn’t have been found without a plan, it is those working in risk and compliance. Existential risk scenarios are key components of risk frameworks, and pandemics are one of the ‘black swan’ events that should be accounted for. Given the 2003 SARS outbreak, or Swine Flu in 2009, Daniel Lucien Bühr argues that: “COVID-19 style black swan events should be on the risk map of every single organisation.”

Bühr, partner at Geneva-Headquartered international law firm LALIVE, joined us as host of this roundtable session, which focused on effective risk management. Guests included leading in-house lawyers and general counsel.

The discussion touched on matters such as internal auditing and gathering the necessary information to adequately analyse risk. The conversation then turned to the role of the board and management in risk treatment, as well as in managing compliance risks.

Bühr is an expert in risk and compliance frameworks, and co-authored ISO 19600 – compliance management systems: a commentary for practitioners.

A global framework or internal systems?

The first port of call for the discussion was to debate the importance of following a specific framework, and the benefits that doing so can bring.

Two key frameworks were highlighted: ISO 31000 Risk Management and COSO Enterprise Risk Management. These two frameworks provide the only generally accepted methods of risk management, built out of risk assessment and risk treatment. By following international standards, companies and their management benefit from a legal presumption that they acted with due diligence and care. This limits their liability if things go wrong.

Already in 2014, the OECD in its report on risk management and corporate governance stated that the ISO standard 31000 is de facto the world standard on risk management. Bühr said that: “International standards state best practice, i.e. what state-of-the-art is. Following standards reduces complexity and cost and makes life much easier when someone challenges you and you can reply that ‘we followed international best practice and acted diligently.’ If you follow your own ‘home-made’ process you may overlook certain things, and then it’s all on you with regards to liability if something goes wrong.” Also, the first question the U.S. Department of Justice asks, in its criteria for the evaluation of corporate compliance programs, is what method the company chose for its risk management.

The roundtable attendees played devil’s advocate by suggesting that most in-house teams have developed their own methodologies outside of these frameworks, and in many cases prefer them to what ISO or COSO have to offer.

Bühr had his own anecdote to support a shift to a uniform framework. “When I look back to my in-house experience and also to organizations I audited, the risk assessments were often based on Excel spreadsheets. The spreadsheets were filled in throughout the year and then sent to senior management, who took away some of the key findings. This process then started again the following year, with no real thought given to actual risk treatment, which should at least be the other 50 percent of risk management. I have seen important companies consistently identifying bribery as their top business risk, and then never doing anything about it.”

Getting management to buy in

The attendees pointed out that standard processes do not account for ingrained company and executive culture as it relates to risk. “You do wonder whether the lack of consistency can be driven by a lack of compliance/risk awareness at the very top of an organisation,” said one attendee.

Without management acknowledging that there is a risk, preventative measures will not be taken and this will lead to a material compliance risk. Without compliance-focused executives, is there any point in spending time on compliance at all?

“In some top-level management there is a conflict between obligations to make profit and the need to comply. This culture in management seems to be a big international problem,” said one attendee.

“You certainly need to be independent from line management, as required under the ISO Standard 19600,” says Bühr. “I’ve spoken to compliance officers who admitted that they were overruled by management three times a day; if this is the case, then the entire exercise is useless.”

The power of structured interviews

Once you’ve got management on board, implementing the most effective investigative tools is vital. Bühr is a big advocate for structured interviews.

“ISO standard 31010 – Risk assessment techniques outlines in detail about 50 generally accepted techniques to do this, from surveys to Monte Carlo simulations, but the most commonly used technique is structured interviews, and I’ve found these to be most effective.”

To get the best insight, assessments need to look at a cross section of the business, including members of senior management, board members, and chief officers. It is also worthwhile to speak to assistants, audit personnel, sales personnel, and anyone else who has a good understanding of the business and whom you can manage to contact, regardless of seniority. These are the type of people who “see everything”, according to Bühr.

“If you conduct multiple interviews and the respondents all agree that everything is perfect, that’s a pretty tell-tale sign that there is a significant risk somewhere,” says Bühr.

Conclusion

The overarching theme of the discussion was the importance of following a defined and generally accepted method in risk and compliance management. By implementing a framework such as ISO 31000 and ISO 19600, companies reduce complexity and cost and have an assurance of consistency and clearly defined roles. The frameworks outline who is responsible for (compliance) risk management, what governance and processes need to be in place, what the reporting lines are, and how budgets are put in place. By following international standards, companies and their managers benefit from the legal presumption that they acted diligently should things go wrong.

Sponsor’s comment: Daniel Lucien Bühr, partner, LALIVE

Legal risks are among the most dangerous risks for organizations. Legal risks must therefore be assessed and treated effectively. The effectiveness of an organization’s compliance risk assessment (as part of the overall enterprise risk assessment) depends on its systematic, planned and methodologically sound risk management process.

A well-known deflection of Murphy’s Law (‘If anything can go wrong, it will.’) is the law ‘If anything can go wrong, it’s a system.’ No matter where they are introduced, management systems are typically met with scepticism. Still, in many organisations, it is extremely important to systematically manage product and service quality, information security and occupational health and safety, to quote but a few examples. And yet, when it comes to managing risk and compliance, and especially combating for instance the likelihood of bribery, money-laundering or sexual harassment, most organisations do not yet appear to follow a standards-based approach, preferring mix-and-match instead. In my experience, the true law of systems is: ‘If anything can go wrong, it is piecemeal governance, risk and compliance management.’ In my view, organizations should therefore follow generally accepted governance, risk and compliance management methods, in particular also when assessing and treating their compliance risks.

Management is systematic and transparent when it follows documented, defined rules and involves planned, structured action, when it can be easily understood by outsiders who are familiar with the rules, and when its results can be independently audited.

According to a report by the OECD (2014, Risk Management and Corporate Governance), ISO Standard 31000 has become the de facto world standard in risk management. It was updated in 2018 and is the only independent global risk management standard. Another key document, while not an international standard, is the COSO (Committee of Sponsoring Organizations of the Treadway Commission, a private sector initiative) 2017 Enterprise Risk Management (ERM) Framework.

ISO 31000 firstly establishes clear terms and definitions. For instance, ‘risk’ is the effect of uncertainty on objectives; ‘risk attitude’ is the organisation’s approach to assess and eventually pursue, retain, take or turn away from risk; ‘risk assessment’ is the overall process of risk identification, risk analysis and risk evaluation; and ‘risk treatment’ is the process to modify risk. Based on its clear set of terms and definitions, ISO 31000 recommends that (senior) management commit to effective risk management and provide a documented mandate for designing and implementing a framework for managing risk. Once introduced, the framework needs to be monitored, reviewed and continually improved. The ISO Standard provides detailed guidance on the risk-management framework, risk-assessment and risk-treatment techniques and provides multilingual risk-management vocabulary. On the basis of ISO 31000 or the COSO ERM, compliance risk management is systematic, transparent, auditable and based on best international practice. Such a methodological approach should be the starting point for risk management, including compliance risk management, in all organizations.