As the twenty‐first century unfolds, new and higher stakeholder expectations challenge organizations to achieve performance goals and increase shareholder value while at the same time meeting increased regulatory and compliance standards.
In the eighties, companies realized the strategic significance of human resources and a revolution in management development broke out. In the late nineties, technology and connectivity triggered the phenomenon known as globalization. Each wave brought about enormous opportunities for economic growth and development. However, September Eleven and the unprecedented corporate ethics meltdown of the early years of the new millennium revealed that fast change is leaving many gaps behind.
It is a fact that technological innovation has helped streamline business processes and lower costs. On the other hand, however, issues in areas such as data security remain only partially addressed. As for us humans, we seem to have learned how to organize ourselves a little better. However, in general, we are still struggling to work collaboratively across international boundaries, remain creativity‐challenged, and keep making bad choices. To make matters worse, we are in the middle of a war with terrorism that knows no boundaries or nationalities. This is the confused and unstable reality in which we have to do business today. Welcome to the era of risk management.
Today companies are faced with the double challenge of continuing to perform, that is, providing value and making money, in an increasingly competitive environment, and at the same time complying with a myriad of regulations while actively and continuously managing operational, credit, money laundering, market, political, and many other types of risks.
SOX, HIPAA, Basel II, FISMA, COSO, GLB, CobIT, SAS 94, BSA, GLBA. No, these are not pharmaceutical products or sci‐fi movie characters. They are some of the names of laws, regulations and standards that companies of all types and sizes are obligated to comply with today. Mind‐boggling, isn’t it? I will try to make it clearer for you. These rules and standards aim at nothing more and nothing less than creating a safer, sounder, fairer and more secure business environment. They attempt to protect the rights and enhance the well‐being of citizens, consumers, employees, organizations, and even planet Earth. Like most legal norms, they are intended to curb human impulses, which we humans do not like much, especially because complying with those norms has significant costs in terms of time and money.
Just as long as the list of risks facing organizations today –market, credit, compliance, money laundering, political, environment– is the list of stakeholders: federal and state regulators, legislators, investors, employees, consumers.
While navigating this regulatory maze can seem daunting and onerous, these apparent threats should be welcomed by compliance leaders as an opportunity to slow down and take a fresh look at our company’s existing processes with the goal of identifying simplification and waste-elimination opportunities, and even to reassess our business strategies. In other words, we have today a unique opportunity to look at ourselves in the mirror and start finding ways to fill those gaps that change is leaving behind.
Through this self‐assessment opportunity we will be able to pursue a second gap‐filling opportunity –the possibility to learn how to communicate and collaborate more effectively, to engage in joint discovery and creativity endeavors, to change our mental habits and work styles.
There is yet another opportunity here –the possibility to engage in an enterprise‐wide integration of our technological resources.
It is through these three compliance‐driven processes that performance will eventually be not only maintained, but enhanced, and costs not only contained, but reduced. In sum, compliance professionals have today a grand opportunity to find synergies and efficiencies between compliance and business performance.
Grandiose and idealistic? I say necessary, fundamental, and feasible.
The human and technological integration that the risk management era is demanding cannot operate in a vacuum. That is simply not possible. The solution is to create the habitat, the environment that will function as the catalyst for integration –a culture that supports both compliance and performance.
A seemingly abstract concept, culture is actually very real and malleable –it can be designed, managed and changed through actions and processes. Yet these changes do not happen magically. They require learning, visioning, planning and, above all, courage. Leaders and managers need to work hard at developing mechanisms to ensure awareness, collaboration, integration, implementation, and sustainability. It is only through these mechanisms –a combination of explicit commitments and carefully thought‐out and relentlessly executed actions– that companies will be able to create a culture of compliance and performance.
The key to this optimistic approach is, in my opinion, to focus on the spirit and not on the letter of regulations. When we do so, we will immediately notice that what these many rules and regulations pursue –safety, soundness, fairness and security– are all desirable values. If we are really serious about our professions and business roles, we all have a purpose that transcends the pursuit of economic profit. Now, does our purpose not match at least partially those desirable values?
There is no doubt in my mind that compliance can and should become a strategic driver. Let us embrace the golden opportunity to self‐assess and search for synergies and efficiencies between compliance and operational performance. Only then will we be able to manage risk, comply with applicable regulation, and at the same time drive business value.
Good business starts with those over-arching principles that we call values and continues with creating value for all stakeholders. Good business is all about value.
[This article was originally published, with minor editing, in The Cayman Islands Journal back in December of 2005. I wrote it at a time when, as I feel it continues to be partly true today (the 2008 crisis was a bit of a wake-up call), financial institutions were building control environments with little concern for their impact on cost and business performance, as a result of an excessive focus on the letter of the laws and regulations. Eight years later, I still believe that both compliance professionals and business stakeholders keep missing out on a great opportunity to optimize the cost/benefit equation by not focusing on a holistic, comprehensive view of risk and performance management, for which technology, now more than ever, is capable of being a catalyst. I trust that the smart minds of cyberspace will see what I mean without further explanation, and hopefully agree with me that this piece is still relevant today.]