Rethinking Risk and Compliance



Former Justice Department Compliance Counsel Hui Chen, now a private consultant, discusses corporate compliance in a regular column for Bloomberg Law.


By Hui Chen

Hui Chen was the Justice Department’s first-ever compliance counsel expert before leaving in June to start her own private compliance consulting practice. Before she joined the DOJ, she held global senior compliance lead positions at Microsoft, Pfizer, and Standard Chartered Bank.

Risks seem to lurk in every corner these days: privacy, cyber, environmental, supply chain, sustainability, governance, financial, employment, safety, reputational, and the list goes on.

The breadth and variety of risks have given rise to debates on how risks should be identified and managed, and who should own and manage them. A parallel debate is how compliance—functionally, conceptually, and programmatically—should respond to those risks. What currently exists is a hodgepodge of ownerships and methodologies, with different parts of the company focusing on different risks and managing them in different ways: e.g. HR owning labor and employment risks, Legal overseeing regulatory and enforcement risks, Security and IT patrolling cyber risks, and so on. Sometimes a single category—supply chain management, for example—involves multiple risk managers, each handling sustainability, financial, and anti-corruption risks separately. This fragmented approach produces both overlaps and gaps.

What results is a bewildering assault on the employees’ and other stakeholders’ time and attention, and the obscuring of fundamental values in the process.

Being a corporate employee today means seemingly endless hours of compliance training and certifications on matters such as cybersecurity, antitrust, sexual harassment, anti-corruption, workplace safety, and the code of conduct. Managers carry the added responsibilities of teaching (e.g. “Safety Moments,” “Ethics Moments”) and serving as control points (approving transactions). Vendors are repeatedly vetted and audited from multiple angles (financial, reputational, creditworthiness, sustainability), and it takes longer to be onboarded than to get paid.

Perhaps it is time to re-think how we define risks and do compliance.

Traditionally, risks are defined as activities that may cause significant adverse financial, operational, or reputational impact for the company. This definition easily leads to equating risk with legal action: a civil lawsuit for harassment, a class action over a product defect, an administrative fine for regulatory violations, a criminal prosecution for bid rigging or bribery. This linkage between risks and legal actions may explain why compliance is so often treated as a legal function.

What if we reframe the concept of risk as “anything that may inhibit the company from realizing its potential, achieving its mission, or living its values”? In other words, instead of treating risk management as merely reacting to external factors, think of it as proactively removing barriers to internally driven goals.

Such reframing changes everything.

First, a well-run company is mission-centered: everything it does is in service to its mission. Profitability is not the mission, but merely the result of consistently achieving the mission. Risk management should not be the exception to this mission focus—it should be done to clear the path for the mission. For example, Starbucks’ mission is “to inspire and nurture the human spirit—one person, one cup and one neighborhood at a time.” Its risks, then, are everything that stands in the way of inspiring and nurturing the human spirit, be it a hostile work environment, unfair treatment of suppliers, health and safety hazards, or harm to the neighborhoods it serves (e.g. unsustainable practices, corruption). This holistic view of risk is centered on the company’s mission and rooted in the company’s values, rather than reacting to shifting practices and regulations.

Second, a mission focus calls into question how compliance is currently delivered. “Check-the-box” compliance that does not demonstrate effectiveness and results is a drain on the company’s resources. Think about the person-hours spent on irrelevant, repetitive, and unintegrated compliance training—how is that not an inhibitor to achieving the mission, and thus a form of risk in itself? Centering compliance on the mission would require integrating all the different risks—all the inhibitors of the mission—across the organization. Compartmentalizing compliance, or emphasizing one type of compliance (e.g. the Foreign Corrupt Practices Act) at the expense of others, is not only inefficient but potentially debilitating to the company’s mission.

Finally, as an “integrator” of all functions in the company, compliance no longer exists merely to defend against potential legal actions, or to prevent and detect misconduct in the narrow sense. Instead, it functions as an enabler and guardian of the company’s values and mission in every aspect of the business—it understands that how a company treats its suppliers says as much about the company as how it treats its customers, and that a respectful workplace is directly relevant to a productive workplace. To do so, compliance must have a seat at the table with every other function as an equal counterpart, so that it can integrate and connect all the parts in service of the company’s mission. It would take an equal interest in every part of the company—operations, human resources, procurement, finance, legal, sales and marketing, quality control—because every part reflects on the whole and is connected to the others.

Rethinking risk and compliance in service of the company’s mission and values makes for stronger companies.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
