
Effective compliance starts with the board of directors, who need to use their expertise to ask the right questions. The problem is that many board members do not know what questions to ask… In this article, Thomas Fox offers some suggested questions to kickstart the process.

When I was in the corporate world, I cannot begin to recall the number of times senior management produced an overly optimistic forecast for some transaction, whether the purchase of a smaller company, a joint venture, a teaming agreement or any other business venture you care to name. Unfortunately, such unrealistic forecasting is not limited to business ventures, as the UK learned in the run-up to the Brexit vote and the US learned in the most recent presidential election. Tim Harford, writing in his Undercover Economist column in the Financial Times (FT), said: “The truth is once Trump secured the nomination, a Trump presidency was always a strong possibility. The betting markets seemed to recognize this, offering odds of three-to-one a week or so before the” election. Of course, three-to-one shots “happen all the time – or at least, about a quarter of the time.”

What I found interesting were the three lessons Harford drew from the wildly inaccurate polling before the US election. Drawing on research by Guy Mayraz from Oxford University’s Centre for Experimental Social Sciences, the first lesson is that people are biased towards predicting what they hope will happen. If you want your business to grow, you tend to believe that your transaction, investment or deal will make money. After all, have you ever seen a business plan that was designed to lose money?

The second lesson derives from something called the Good Judgment Project and almost sounds like someone channeled their inner Howard Sklar and his maxim of “Water is Wet”. It is that “self-critical, open-minded forecasters do a better job than narrow-minded overconfident ones.” Harford goes on to note that dwelling on our own fallibility is not something people do very well, whether among friends or on cable news. The result is that “Confident, eye-catching forecasts are the snack food of analysis”. Unfortunately, this is even more true in the business world.

Finally, forecasters must always remember that more than one outcome is possible. A strong possibility is still only a possibility, not a certainty. Harford suggests that one way to overcome this bias is to develop alternative scenarios. My 12 O’Clock High Podcast host Richard Lummis calls this the ‘devil’s advocate’ role at the business planning table. Harford formalizes the idea further by suggesting that every scenario planner create at least two contradictory alternatives to the rosier, positive scenario.

Harford’s ultimate point is that any forecast must include preparedness for contrary events. No matter what your forecasting or scenario planning model shows, prepare for other results. For any board of directors overseeing a compliance program or managing any type of risk, it all begins by asking questions.

Just as any compliance program begins with a risk assessment, so should the board’s inquiry. The board should start by reviewing the process that is being used to identify risks. This risk analysis should be broader than a legal/compliance risk assessment alone and should be tied to other matters, such as business continuity planning, crisis response plans and even basic fraud.

The key is that boards of directors need to use their expertise and ask the right questions. The problem is that many board members do not know what questions to ask in this area. The following are good areas in which to begin the inquiry:

  • What is the risk assessment process? When was the last time your risk assessment was performed? Was it enterprise-wide or limited in scope?
  • How effective is your overall risk assessment process? Is it stale? Here the focus is not so much on how recently the assessment was performed as on whether corporate circumstances have changed since it was done.
  • Who is involved in the risk assessment process? Was it performed in-house? Did you bring in a regular service provider who may have designed the very processes now being assessed?
  • Does the risk assessment process take into account new legal or compliance best practice developments? Technology development speeds along for every business. Even the US Justice Department recognizes this in every Deferred Prosecution Agreement (DPA) it enters into for FCPA violations, by requiring companies to take into account relevant developments in the field and evolving international and industry standards for best practices in compliance.
  • Are there any new operations that pose substantial compliance risks for the company? Where has your company moved geographically or product-wise? Have there been any significant acquisitions or other business developments which have changed things for the company?
  • Is your company tracking enforcement trends? 2016 has been one of the most significant years in US FCPA (Foreign Corrupt Practices Act) enforcement, but anti-corruption enforcement is only one of the major risk developments that can be derived from reviewing FCPA enforcement actions.
  • Equally important, are any competitors facing enforcement actions? This information has long been a real resource for chief compliance officers (CCOs), who have assessed and opened internal investigations based on enforcement actions involving competitors. In a speech at the recent ACI-FCPA Conference, Securities and Exchange Commission (SEC) Director, Division of Enforcement, Andrew Ceresney again said that hedge funds and private equity companies are and will continue to be under SEC scrutiny for FCPA violations around their hiring practices for family members of foreign government officials, as well as for other violations of US securities laws. If you are on the board of such an entity, you might want to ask some very pointed questions about such things.
  • Has the company moved into any new markets which impose new or additional risks? This moves beyond the questions suggested above to consider such things as supply chain and supplier risk. Even a name-and-shame law like the California Transparency in Supply Chains Act can cause reputational damage. Moreover, even if some types of enforcement lessen under a Trump administration, aggressive state Attorneys General or other state regulators could well pick up the slack.
  • Has the company developed any new product or service lines which change the company’s risk profile? As there will always be some business development along these lines, which changes have increased risk for your business?

For a board of directors to be truly effective and informed, it must know not only where the company stands at the present moment but also that the company has a strategic plan for the management of risk going forward. Arnold & Porter partner Stephen Martin suggests that such knowledge is encapsulated in a 1-3-5-year compliance game plan. I would add that this formulation should be expanded to encompass risk management more broadly. Yet a compliance program must also be nimble enough to respond to new information or events, such as mergers or acquisitions (M&A), divestitures or other external events. If something changes dramatically, you want the board’s attention on the changes that may need to be made to your risk management program. This type of agility is best accomplished by obtaining buy-in from the board through its understanding of the role forecasting plays in the compliance program going forward.

Harford ends his piece with this final lesson from the 2016 UK Brexit vote and US election: “uncertainties are not going away, so it’s not too late to learn.” Every board of directors or CCO needs to start a forecasting review now, to be ready to respond if an incident arises so that it does not become a full legal violation. Better yet, such forecasting could lead you to prevent such conduct before it even arises and needs detection and remediation.

The author

Thomas Fox has practiced law in Houston for 30 years. He is an independent consultant, assisting companies with anti-corruption and anti-bribery compliance and international transaction issues. He specializes in bringing business solutions to compliance problems. Tom is the author of the award-winning FCPA Compliance and Ethics Blog and the international best-selling book “Lessons Learned on Compliance and Ethics”. He is the author of the seminal text on the ‘Nuts and Bolts’ of anti-corruption compliance, Doing Compliance, which was published in October 2015 by Compliance Week. Tom writes and comments frequently on issues related to compliance and ethics. In addition to his daily blog and bi-weekly podcast, he is a monthly columnist and blogger for Compliance Week, a bi-monthly columnist and frequent contributor to the SCCE Magazine and a Contributing Editor to the FCPA Blog. He is a well-known and frequent speaker on issues related to compliance and ethics, the use of social media in compliance and corporate leadership.

This article is copyright © Thomas R. Fox, 2016

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication.
