Former Justice Department Compliance Counsel Hui Chen, now a private consultant, discusses corporate compliance in a regular column for Bloomberg Law.
By Hui Chen
Hui Chen (www.HuiChenEthics.com) was the Justice Department’s first-ever compliance counsel expert before leaving in June to start her own private compliance consulting service. Before she joined the DOJ, Hui served in global senior compliance lead positions at Microsoft, Pfizer, and Standard Chartered Bank.
Risks seem to lurk in every corner these days: privacy, cyber, environmental, supply chain, sustainability, governance, financial, employment, safety, reputational, and the list goes on.
The breadth and variety of risks have given rise to debates on how risks should be identified and managed, and who should own and manage them. A parallel debate is how compliance—functionally, conceptually, and programmatically—needs to respond to the risks. What currently exists is a hodgepodge of ownerships and methodologies, with different parts of the company focusing on different risks and managing them in different ways: e.g. HR owning labor and employment risks, Legal overseeing regulatory and enforcement risks, Security and IT patrolling cyber risks, etc. Sometimes a single category—supply chain management, for example—can involve multiple risk managers, managing sustainability, financial and anti-corruption risks separately. There are both overlaps and gaps in this fragmented approach.
What results is a bewildering assault on the employees’ and other stakeholders’ time and attention, and the obscuring of fundamental values in the process.
Being a corporate employee today means seemingly endless hours of compliance training and certifications on matters such as cybersecurity, antitrust, sexual harassment, anti-corruption, workplace safety, code of conduct, etc. Managers have added responsibilities of teaching (e.g. “Safety Moments,” “Ethics Moments”) and serving as control points (approving transactions). Vendors are repeatedly vetted and audited from multiple angles (financial, reputational, creditworthiness, sustainability), and it takes longer to be on-boarded than to get paid.
Perhaps it is time to re-think how we define risks and do compliance.
Traditionally, risks are considered activities that may cause significant adverse financial, operational, or reputational impact for the company. This risk definition easily leads to equating risk with legal action: a civil lawsuit for harassment, a class action for product defect, an administrative fine for regulatory violations, a criminal prosecution for bid rigging or bribery. This linkage between risks and legal actions may explain how compliance is often considered a legal function.
What if we reframe the concept of risk as “anything that may inhibit the company from realizing its potentials, achieving its missions, or living its values?” In other words, instead of thinking of risk management as merely reacting to external factors, think of it as proactively removing barriers to internally driven goals.
Such reframing changes everything.
First, a well-run company is mission-centered, where everything it does is in service to its missions. Profitability is not the mission, but merely the result of consistently achieving the mission. Risk management should not be the exception to this mission focus—it should be done to clear the path for the mission. For example, Starbucks’ mission is “to inspire and nurture the human spirit—one person, one cup and one neighborhood at a time.” Its risks, then, are everything that stands in the way of inspiring and nurturing the human spirit, be it a hostile work environment, unfair treatment of suppliers, health and safety hazards, or acts destructive to the neighborhoods (e.g. sustainability, corruption). This holistic view of risks is centered around the company’s mission and rooted in the company’s values, rather than reactive towards shifting practices and regulations.
Second, the mission focus would question how compliance is currently delivered. “Check-the-box” compliance that does not demonstrate effectiveness and results is a drain on the company’s resources. Think about the person-hours spent on irrelevant, repetitive, and un-integrated compliance training—how is that not an inhibitor to achieving the mission, and thus a form of risk itself? To center compliance around mission would require integration of all the different risks—inhibitors of the mission—across the organization. Compartmentalizing compliance, or emphasizing one type of compliance (e.g. Foreign Corrupt Practices Act) at the expense of others, is not only inefficient, but potentially debilitating to the company’s mission.
Finally, as an “integrator” of all functions in the company, compliance no longer functions merely to defend against potential legal actions, or to prevent and detect misconduct in the narrow sense. Instead, it functions as an enabler and guardian of the company’s values and missions in all aspects of the business—it understands that how a company treats its suppliers reflects as much about the company as how it treats customers, and that a respectful workplace is directly relevant to a productive workplace. To do so, it is essential for compliance to have a seat at the table with all other functions as an equal counterpart, so that it can integrate and connect all the parts in service of the company’s mission. It would have equal interest in every part of the company: operations, human resources, procurement, finance, legal, sales and marketing, quality control, because every part reflects on the whole and is connected to one another.
Rethinking risk and compliance in service of the company’s mission and values makes for stronger companies.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.