In my July 12 post, I noted that this blog is all about making better decisions. Consistent and superior business decision making stems from sourcing and assembling all relevant information, coupled with the best analytics available. I noted five areas of relevance in making decisions, namely:
1. Your Corporate Brand
2. Your Financial Performance
The first area is intertwined with customers, markets, products, innovation, partners, and environmental and social responsibility. Brand is what distinguishes one seller's products and services from another. No matter whether it is signified by a name, term, design, symbol, or feature, it is your company's reputation that weighs most heavily in the minds of customers, and in the perceptions of the market, about your brand. In reality, all five of the areas of relevance to corporate decision making are related to one another. It is common for the focus in business to be on the second area, your company's financial performance. In reality, your corporate brand has everything to do with sustainable financial success.
Revenue - Near Term Focus on Winning
Businesses want to go to market, to win deals, to make money, to reward the achievers, and to look for more of the same! Make sense? Seem simple enough? At a high level, that is what appears to go on. But what does it actually take to accomplish this? Probing a bit deeper, we see that commercial organizations must gauge market demand, size up the competition, set goals, approve budgets, acquire resources, provide workforce incentives, sell products/services through various channels, and monitor results. Straightforward enough, right?
Reputation - Long Term Focus on Value
The reality is that businesses operate in a world that can be quite messy, subject to uncertainty, stressful, complicated, political, and quite unforgiving. As workers march towards achievement of their goals, they are subjected to pressures, which can result in their deciding to cut corners, adopt questionable tactics, take advantage of situations, misrepresent entitlements or capabilities, stretch the truth, compromise standards, fail to report misconduct, retaliate against others for surfacing issues, break the law, and so on. The Open Compliance and Ethics Group (OCEG) has coined the term principled performance, and has defined it as the reliable achievement of objectives, while addressing uncertainty and acting with integrity. As Scott Mitchell explains it, principled performance describes a philosophy and an approach to business that has rapidly evolved over the past few years as a response to the business climate, and its associated uncertainty, pace of change, risks, opportunities, and mushrooming regulatory requirements. Principled performance considers not only attainment of goals, but also how businesses perform to achieve those goals, i.e. whether they choose to honor, or whether they choose to break, laws, voluntary agreements, and/or their own policies along the way. Tone and behavior at the top of an organization are critical, as Deb Orton noted in her blog on The Ten Truths About Leadership. Corporate executives must either lead by example or not lead at all.
Communication - Sending Double Messages
After top management communicates goals, messaging on what is expected cascades down the management chain and permeates the workforce. During that process, and over time, workers are often confronted with double messages. A double message may occur when the way a message is delivered (e.g. sarcasm or intimidating body language or tone) conflicts with the message itself. In a corporate setting, double messages are more often coming from different departments, e.g. when the sales manager says that "feet will be held to fire" to make quotas, the risk management department prohibits business dealings that are deemed to be too risky, and the business opportunities with associated acceptable risk are insufficient to satisfy the goals. Other examples where management sends conflicting messages would include: “Take the rest of the day off, just have that on my desk in the morning,” or “Work faster, and keep in mind that our credibility rests on quality and accuracy,” and how about “You need to listen to what I say, but if you repeat it, I’ll deny it.” I suppose that my all-time favorite double message is "Do the right thing, and do whatever it takes to meet goal!"
Management can feel pressure from a variety of sources to stretch goals and, perhaps, push the work force to their limit. Directives to cut costs, motivated by the desire to achieve greater shareholder returns, can result in loss of product quality, lower levels of customer service, diminished employee benefits, less creativity and lower morale. On the flip side, similarly motivated directives to increase revenue may result in a shift in selling mode from “looking out for the best interests of the customer” to a “buyer beware” mentality. This may result in meeting goals in the short run, but losing business in the longer term as customers realize that they were sold products they did not need, or products that did not live up to their advertising. Even worse, pressured sales people may resort to unfair, or deceptive, acts and practices that destroy customer loyalty and trust. Certainly, some motivations (e.g. to earn a fair return) are more laudable than others (e.g. greed). On the furthest end of the transgressions scale we find bribes, collusion, coercion, corruption, i.e. criminal behavior. The reality is that, in any culture, there is always exposure to those who seek to win at any cost, or who work against team or company decisions in pursuit of their own agenda.
Ethics - How important is reputation to your organization?
The answer to the question posed can usually be found by first examining the corporation's rationale for setting goals and the means by which they are adopted. Secondly, one must examine how employee and agent behavior is rewarded. Last, but not least, you need to look at the way in which decisions are made, and the means by which results are actually achieved. The Ethics Resource Center has conducted research and published findings that support the assertion appearing in the title of the slide below:
Furthermore, their empirical research supports the following assertions:
• Ethical and issue-surfacing culture affects behavior and it can decrease reputational risk
• Tone and ethical behavior at the top has a huge impact
• Peer support of ethical conduct can reduce rates of misconduct
• Regular assessment and careful analysis can surface issues in need of risk mitigation
Oversight - Adopting Safeguards
In my Monday, January 31, 2011 post, I discussed the importance of corporate culture as the foundation of an enterprise GRC solution. I want to pick up the thread now. Consider three possible scenarios:
1. Oversight leads to detection of a problem, proactive development of a protective control
2. Oversight leads to detection of a problem, nothing is done, damage results
3. Total surprise when event occurs, with reactive response
Oversight is a good thing, especially when it leads to detection of a problem. Surprise, after all, is a manager’s worst enemy. Yet, in cases where significant harm occurs, ignorance is a far more popular fallback than knowing and doing nothing about it!
Technology - Do you want the power to know?
For those companies answering in the affirmative, technology can prove to be a great ally. Specifically, an enterprise GRC solution enables a company to reduce the probability of harm (e.g. financial loss, compliance violations, injury to employees or customers, damaged reputation) because it:
• helps to ensure that policies are well-maintained, especially relative to regulatory changes
• provides effective access to, and dissemination of, information to stakeholders
• aggregates and reports information across an enterprise
• continuously monitors risk and compliance exposures
• monitors internal controls
• tracks employee training
• gauges customer sentiment
• supports development of key indicators and associated tolerance levels
• monitors when key indicator tolerances are exceeded and creates issues as appropriate
• facilitates the recording of any issues arising in the business operation and houses them
• associates an action plan with every issue
• triggers alerts and follow-up through resolution of each issue
These GRC solution capabilities, collectively, help organizations to:
1. avoid unpleasant surprises
2. perform with greater efficiency
3. foster collaboration among compliance, risk management and audit teams
4. constantly reinforce, and continuously monitor, compliance with corporate policies, laws and regulations
A fully implemented GRC solution becomes a primary corporate safeguard where problems are quickly surfaced. Once deployed, it rapidly becomes the official system of record for issues in the enterprise.
Please share your thoughts and comments on this post or on culture, ethics, or GRC in general. We’d love to hear from you!
Note: My thanks to Steve Taylor, Chief Executive Officer of BPS Resolver Inc., for his suggestions, which I incorporated into this post. I also want to point to Manoj Kulwal, who earlier this year was primary author on a SAS white paper entitled: Safeguarding Compliance, Transcending operational silos through GRC collaboration and automation. In that paper, Manoj provides a detailed account, complete with practical examples, of exactly how a GRC solution safeguards an organization. For example, he describes how an issue, an action plan, a compliance indicator and a regulation are associated within the SAS Enterprise GRC Solution (see the figure below, taken from the paper).
To download the white paper, just click on the link embedded in its title.