Compliance officers are constantly seeking new ways to demonstrate the relevance of a strong ethics and compliance program to their boards and CEOs. We now have another example served up on a platter: boards are increasingly worried that their corporate culture doesn’t encourage employees to raise concerns about risk in a timely manner.
So says the latest annual survey of enterprise risks published by Protiviti and North Carolina State University. The survey polled more than 800 board members and C-level executives to compile a list of their top-of-mind risks in 2019. Unease about risk escalation and culture placed 9th.
This is picture-perfect discussion material for compliance officers. Two-thirds of Protiviti survey respondents rated escalation risk as "significant" within their organization, and the overall severity of the risk (rated on a scale of 1 to 10) has been rising steadily for the last three years. Clearly boards and senior executives dwell on this issue a lot.
Moreover, escalation concerns might trace back to any number of root causes — so if this risk does resonate with your board, you can have rich conversations with them about the various compliance failures that might be responsible.
For example, does the company have a culture that pressures employees into silence, or numbs them into disinterest? Do risk management systems escalate concerns quickly enough for the board’s liking? Has the company always lagged in escalating risk, or does today’s accelerated risk landscape give the board new pause?
Fundamentally, if the board wonders whether the corporate culture is raising concerns about risk in a timely manner, that means the board isn’t confident in the culture and escalation procedures the company currently has. Well, why?
Let’s dig a bit deeper into two possible causes.
Cause 1: The Risk Landscape Is Changing
It’s no secret that risks are proliferating in multiple ways. Companies that expand into new overseas markets or launch new products invite more regulatory risk. Companies that run more operations through Internet-based technology invite new cybersecurity risk. Everyone spending more time on social media (your company, your employees, your customers) amplifies reputation risk.
So when boards say, “We’re not confident that our culture escalates risk issues in a timely manner,” the problem might lie more with the systems that capture risk than with people and culture. The escalation channels you have might no longer be fit for purpose.
- Easy example: your whistleblower hotline might not accommodate employees in new markets who speak new languages
- Subtle example: your investigation policies say that allegations of harassment are investigated before they’re raised to senior management — a dubious practice in the social media era, when frustrated employees might shotgun allegations of harassment by the boss all over Twitter
In both cases, the controls your company has in place are no longer designed properly, because the company has encountered a new risk or an old risk has changed.
This should encourage you to walk down the hall and talk to the company’s internal control function (whether that’s a formal internal audit department, outside consultant, or even the corporate controller). Assessing the effectiveness of a control — and specifically whether that control is properly designed for the risk in question — is their job.
This will give you a better read on changes to policy, procedure or technology that might be necessary. Those changes might be all that’s necessary to unleash a workforce happy to help senior executives keep their eye on the correct ball.
Cause 2: Company Culture Leaves Internal Controls Unused
The more complicated question is how to respond when your escalation procedures are designed properly, but employees don’t bring concerns to management. The best designed engine in the world won’t run without fuel, and employee observations about corporate activity are the raw material that makes risk management run.
First, employees might be afraid to raise concerns about risk. Fears of retaliation are nothing new to compliance officers, but that’s not the same as fear of raising concerns. Senior executives need to ask why employees are reluctant to speak up. For example, employees might not raise concerns about strategic risks for fear that they could render their job function obsolete. Simple resistance to change is a powerful force in large organizations.
Second, employees might not care about escalating risks — or more accurately, they may be so engaged in some parts of their job, they don’t appreciate that working to address risk is also part of their job. Anyone who has worked at a fast-growing startup has seen this mentality in action: everyone so focused on growth, they overlook prudent steps for risk awareness. It’s not deliberate, but it’s not helpful either.
For all of these questions, the answers lie more in executive leadership, tone at the top and the middle, and compensation policies. Does the CEO talk enough about risk-awareness and the importance of calling out concerns? Do mid-level managers do the same? Do compensation policies overweight sales goals, without enough attention to stable, long-term growth?
Every organization will answer all of those questions in its own way. The opportunity for compliance, audit, and risk professionals is to raise the conversation with senior executives and the board.
When framed the right way — “Are we sure that we at the top are getting the right facts at the right time, to let us understand what’s really happening? Can we review our procedures for hearing issues, and how well our culture encourages employees to raise them?” — it’s a subject any capable senior leader should want to discuss.