“I don’t know what Compliance does.” Are you still hearing this as you talk with people in your organization?
I was asked recently what the lines of demarcation are between Compliance, Enterprise Risk Management, and other functions. So I searched the literature and found very little. Some organizations use GRC—Governance, Risk, and Compliance—as a catch-all for ensuring adequate internal controls. Others split responsibilities across several functions.
For example, ERM scans the horizon to ensure the business understands all its risks, including compliance risks, but it doesn’t monitor effectiveness or offer assurance that those risks are being mitigated adequately to prevent misconduct.
ERM also makes sure that the organization articulates its risk appetite, but compliance professionals cannot tolerate any appetite for any illegal or unethical behaviour. Our job is to prevent misconduct, not ensure that cheating is within limits set by management.
Many companies have corporate social responsibility (CSR) programs, recognizing that social and geopolitical ethics make employees and consumers feel good about the organization: “Doing well by doing good.”
Issues like the environment and human rights may straddle ethics and regulatory compliance, but others, such as sustainability and energy consumption, probably don’t have a compliance angle. And as Roy Snell put it, “Solving the world’s water problems will do nothing to prevent the next Enron.”
While we all know the importance of our ethics role, we need to recognize that CSR rarely focuses on the nitty-gritty tools of business ethics or of preventing and detecting misconduct within the company.
Internal Audit is the classic “assurance” function. Audit is one of the elements of an effective ethics and compliance program, and we need to work closely with our audit colleagues. But as one of my auditor friends said, “Audit predicts the past with 90% accuracy.”
Auditors tend not to be the experts in proactive regulatory risk management or in culture as a driver of behaviour. It’s the ethics and compliance team that is asking, “What makes good people do bad things?”
We frequently talk about the need to market what we do. My uncle taught me to always state the obvious, because it isn’t obvious to everyone. Most of our colleagues don’t know what Compliance does, so we need to tell them and then tell them again.
Sally is an international commercial lawyer and certified compliance and ethics professional with extensive experience in Russia and the CIS, as well as the US and Europe. Her interests focus on cultural issues in organizational change and using corporate culture to protect reputation and enhance brand value. Sally March directly contributed to our Ethics and Code of Conduct course.