In February 2017, the U.S. Department of Justice (DOJ) Fraud Section published its latest guidance on corporate compliance programs with the release of the very useful document titled “Evaluation of Corporate Compliance Programs.”
While many legal and compliance scholars have rightly stated that this latest publication isn’t anything radically different from prior authoritative guidance issued by the DOJ and other organizations, what jumps out is the reframing of the well-worn expression “tone at the top” as the potentially more insightful, and arguably much scarier, “conduct at the top.” In a just-released Flash Report, we put forth questions and insights that illustrate the degree to which the DOJ examines senior management and the board of directors when it evaluates a corporate compliance program.
This week, Protiviti is joining the best and brightest thought leaders from Fortune 500 companies at The Institute of Internal Auditors’ 2017 General Audit Management (GAM) Conference in Orlando, FL. For nearly 40 years, GAM has been the premier experience for internal audit leaders to explore emerging issues and exchange leading practices for positive outcomes. The theme for the 2017 conference is Fostering Risk Resilience. Two Protiviti leaders, Brian Christensen and Jordan Reed, will be conducting panel discussions on stakeholder expectations and the Internet of Things, respectively. We are covering these events and more from the conference here on our blog and on Protiviti’s social media platforms. Subscribe to our blog and follow us on Twitter for timely podcasts and analysis of this year’s conference topics.
In 2016, The Institute of Internal Auditors and Protiviti conducted the world’s largest ongoing study of the internal audit profession — the Global Internal Audit Common Body of Knowledge (CBOK) study — to ascertain expectations from key stakeholders, including board members, regarding internal audit performance. Several imperatives for internal audit emerged from the responses of the participants in the study. Among them: focus more on strategic risks, think beyond the scope of the audit plan, and add more value through consulting.
Warren Buffett once famously said that it takes 20 years to build a reputation and just five minutes to ruin it. All of us see evidence of how true this bit of wisdom is all the time. In the wake of recent corporate scandals, I thought now might be a good time to revisit some of the advice we give our clients on how to preserve reputation and brand.
These “Ten Keys to Managing Reputation Risk” were originally published in April 2013, in Volume 5, Issue 2 of The Bulletin, but they are as relevant today as they were then. They represent what I believe to be the nuts and bolts of reputation risk management, and their effectiveness or absence can make or break a company, as many have discovered first hand. We have organized them below according to five broad imperatives.
Strategic Alignment – A sustainable reputation begins at the top.
- Effective board oversight – Sets the expectations and lays a foundation for managing reputation risk. The board is an organization’s last line of defense in preserving its reputation and brand image.
- Integration of risk into strategy-setting and business planning – Makes risk a factor at the decision-making table and facilitates the intersection of risk management with performance management. (This is a critical connection.)
- Effective communications, image and brand building – While a good story is easy to tell, some companies are better at it than others. Messages that the press, analysts and others communicate are influenced by the good marks on the other nine keys discussed here.
Cultural Alignment – The importance of ethical and responsible business behavior has never been more evident.
- Strong corporate values, supported by appropriate performance incentives – Tone at the top is vital to effective corporate governance and appropriate incentives help drive a consistent tone in the middle.
- Positive culture regarding compliance with laws and regulations – A record of having made a strong effort to prevent and detect fraud and corruption is essential to demonstrating the “reasonable assurance” regulators expect.
Quality Commitment – All companies with a strong reputation are noted for their commitment to quality people, processes, products and services.
- Priority focus on positive interactions with key stakeholders – Stakeholder experiences, or the accumulation of everyday interactions with customers, employees, vendors, regulators, shareholders and other stakeholders in the company, get noticed in the marketplace and are a powerful approach to improving and sustaining reputation. They represent critical “moments of truth” that collectively define an organization’s reputation.
- Quality public reporting – Quality public financial reporting is something investors expect. If management doesn’t deliver it, it may take a long time for the markets to forgive and forget.
Operational Focus – A strong operational focus is vital to managing reputation risk.
- Strong control environment – The control environment comprises, among other things, the organization’s commitment to integrity and ethical values; the organizational structure and assignment of authority and responsibility; the process for attracting, developing and retaining competent people; and the rigor around performance measures, incentives and rewards to drive accountability for results. The standards, processes, structures and technologies that provide the basis for carrying out internal control across the organization lay the foundation for a strong controls culture.
- Company performance relative to competitors – Even if a company does everything else right, its reputation will suffer if its business model is not competitive in the marketplace.
Organizational Resiliency – A company’s reputation is inextricably linked with the resiliency provided by its risk management and crisis management.
- World-class response to a high-profile crisis – Sooner or later, every company faces a crisis. Its reputation depends on the rapid and decisive response to crisis situations, putting responsibility to the safety of people first. It is a management imperative to build a rapid-response crisis management capability for sudden and unexpected events, especially where they relate to security, safety and environmental issues.
The ten keys outlined above represent the key components to address to reduce reputation risk to an acceptable level. Their common thread is a consistent and sustaining culture that recognizes the value of reputation and actively protects it with a systemic commitment to quality, ethics, communication, controls and preparation.
No company should believe it is immune to a reputational crisis. Nevertheless, a sincere and concerted effort to manage reputational risk by paying attention to the ten components outlined above gives a company a good shot at making it through the fire with its reputation intact.
If it’s true that you can’t legislate morality, why do companies bother with ethics policies? All the evidence supports this hypothesis, including, but certainly not limited to, corporate malfeasance such as the Enron and WorldCom scandals, and the reckless risk-taking to maximize short-term profits and compensation (under “heads I win, tails you lose” compensation structures that left shareholders holding the short stick) that contributed to the financial crisis.
I know Section 406 of Sarbanes-Oxley requires publicly traded companies to disclose whether they have ethics policies and whether their executives are bound by them. But Enron had a beautiful 64-page ethics policy, suitable for framing – for all the good it did them. So what’s the big deal?
With the Super Bowl just around the corner, don’t ask me who is going to win. That I don’t have a clue just makes it even more exciting as either team is capable of winning.
Unlike the anticipation many of us are feeling with the Super Bowl match-up between Seattle and Denver, risk management and compliance management issues do not generate the same level of excitement unless something goes wrong and the board of directors, CEO and executive team are pushed into crisis management mode. Instead of the outcome being decided in one football season or a single game, effective enterprise risk management is an ongoing process of “blocking and tackling” to make sure it works — and, in today’s fast-paced world, a company’s viability often depends on it being done right.
In a recent issue of Board Perspectives: Risk Oversight, we discuss how an effectively designed and implemented lines-of-defense framework (as shown below) can provide strong safeguards against breakdowns in risk management and compliance management.
As you can see, this lines-of-defense model emphasizes a fundamental concept of risk management: From the boardroom to the customer-facing processes, managing risk, including compliance risk, is everyone’s responsibility. It differs from the traditional view of three lines of defense.
I encourage you to subscribe to this newsletter and invite you to provide any comments or responses here. How does your organization safeguard against breakdowns in risk management and compliance management? How does executive management evaluate the organization’s risk culture? Do the board of directors and executive management play separate and distinct roles in overseeing the execution of risk management and compliance management?
Note that this article is also available on my blog for the National Association of Corporate Directors: http://www.directorship.com/author/jim-deloach/. You also can find more about the five lines of defense here.