Greetings from the RSA Archer GRC nerve center! There are lots of exciting things happening which I’m eager to share with you as they unfold. In the meantime let’s continue our recap of the Compliance Week forum on organizational policy management that I participated in with Michael Rasmussen and OCEG.
We began our discussion in the first segment with an overview of regulatory change management and the importance of establishing and maintaining a strong diligence program to bolster compliance. To measure we must first detect; tracking internal and external change to the business plays a critical role in enabling an organization to remain nimble. The burden of regulation will only increase going forward. As we learned last time, the reality of climbing this steepening mountain has emerged as one of the key stated risks that trouble executive decision makers.
Keeping pace with change is only one aspect. What do we do about it? The legal and regulatory landscape shifting beneath our feet is one thing, but the business’ foundation itself changes as well. What happens when these intersect or better yet collide? How does this concert of change coalesce into an overall model of risk? Ultimately it comes back to the policies that define and drive how the business functions. Does your organization conduct a business impact analysis on significant changes impacting policy? When we asked this same question of our panel audience, 48% of organizations responded they did not. On the surface it’s troubling that nearly half of organizations surveyed do not formalize this process, but with the blistering pace of business, global economic volatility, and the constant swell of changes it’s an understandable struggle to stay ahead the curve. The question is how long can an organization roll the dice before they eventually fall the wrong way?
For example, suppose Company XYZ operates in a heavily regulated sector but over the past few years has been diversifying into different industries and markets. Now the XYZ execs decide to acquire a specialty alloy parts manufacturer to support a new product they intend to bring to market. Although a pain, compliance was always something XYZ was able to keep under control. They have a couple of key stakeholders that do a good job of keeping watch and handling it, and the regulators seem happy enough.
Right there we have a problem brewing. There’s little transparency into the process of compliance and a big chunk of success is wrapped up in a handful of people doing things in a silo. So what happens when XYZ turns in this new direction and executes the acquisition? Along with the patents, goodwill, and receivables, Company XYZ just unknowingly inherited a ton of new environmental regulations to boot. Because the language of risk within XYZ is not well established, there is no common thread to weave impactful elements together throughout the organization and raise an alert when a gap is encountered. Does your organization have a defined taxonomy of risks and regulations mapped to key subject matter experts and stakeholders? If the answer is no, you’re not alone. 52% of respondents we polled didn’t have any kind of taxonomy or structured process either.
For fun let’s say hypothetically as this acquisition deal is wrapping up that the SEC conveniently announces new revisions to regulations that govern a separate XYZ venture which also happens to be their primary revenue stream. Although these changes had been on the horizon for some time, unfortunately XYZ’s pseudo-compliance team doesn’t have any kind of continuous governance program and were caught off guard. Now they’re completely bogged down trying to scramble an impact analysis and response. Any M&A questions drop by the wayside and the alloy business acquisition sails through without a second thought.
Does any of this sound familiar? It should. The saying “when it rains, it pours” comes to mind, not to mention Murphy and his laws. These things happen all the time. The ability to react and adapt can often mean the difference between sinking and swimming for a modern business. It’s not unusual for the mistake that becomes the undoing to have been made months or years ahead of time in a seemingly innocuous or unrelated endeavor. Companies that maintain sound operational policies are always in a stronger position to respond to change. What would happen to XYZ if they learned post-acquisition that their precious alloy manufacturer was positioned to run afoul of new EPA mandates? An enterprise program with policies and standards for risk-based acquisition analyses as a natural part of its embedded “system of compliance” would have exposed this risk before it could impact.
When the only constant is change, organizational leaders must accept that it very often won’t be on their terms. The best way to hedge against this unknown is to proactively prioritize policy and compliance as the institutional guardians of corporate diligence. Together with sound risk management practices, this becomes a powerful combination that yields value far beyond its cost. Organizations in very highly regulated industries have already learned painful lessons and are embracing this new approach. However any company of any size or industry can benefit from this approach. Impact on policy is impact on the business, plain and simple. Analyzing those impacts and their ramifications is nothing more than intelligence gathering for the executive decision makers. Establishing a common taxonomy of risk within the organization is the best and often only way to piece everything together in a way that makes sense.
How does this contrast with your own organization’s practices? What resonates best with your executive leaders? Are there potential regulatory threats looming on the horizon and if so what do you need to examine and adapt accordingly? I’d like to hear from you and if there’s a way we can help then let’s get connected and start working the problem. From there we can begin to establish consistency and accountability, something I’ll discuss further next time.
