Sometimes I revisit my compliance roots in the world of Sarbanes-Oxley – a place much more concerned with financial reporting than corporate ethics and culture, I know. Yet lessons from one group that can help the other still abound.
Right now, those costs are off-balance sheet, only reported in the footnotes.
For example, corporate accounting and finance teams are lately starting to focus on a new accounting standard for leasing revenue, which will come into effect in 2019. The short version is that companies will need to start reporting the costs of operating leases (leases to rent real estate, data storage service, an airport gate, office equipment, and so forth) on the balance sheet. Right now, those costs are off-balance sheet, only reported in the footnotes.
The financial implications of that accounting change aren’t important to us today. But I recently attended a panel discussion of CFOs talking about the lease standard, and heard one say: “We have leasing software for the stuff we know about … we do worry about those places where leases are hiding.” Another: “We need to have a process to connect down to other departments.”
For anyone worried about anti-bribery, workplace harassment, or third-party due diligence, those sentences should feel familiar. They drive to a huge threat ethics and compliance officers face today: shadow processes.
Shadow processes are simply processes that exist in the company without your blessing.
Your chief information security officer worries about shadow IT, where someone connects the company to an unauthorized network, computer, thumb drive or application. Where did that item come from? Is it secure? Does it pose a threat? The CISO doesn’t know, because the employee didn’t follow proper procedure and didn’t tell anyone.
Shadow processes are the compliance officer’s version of the same problem.
As a concept, shadow processes aren’t anything new; employees (and third parties) have been circumventing compliance requirements forever. What’s new is their ability to create shadow processes. Globalized businesses have become enormously complex. At the same time, the rise of cloud-based services means employees can create their own processes with little more than a credit card and a Google search.
How to Handle Shadow Process
Compliance officers can’t avoid the reality that shadow processes, and the easy ability to them, are here to stay. So what are you supposed to do about them?
First, remember what shadow processes do, and don’t, tell you. For example, an overseas division might create its own process to generate and approve purchase orders outside your normal controls for third-party due diligence. That doesn’t automatically mean the division managers are trying to bribe their way to more business; it may simply mean your due diligence process is too onerous.
All a shadow process tells the chief compliance officer is that something is amiss. It may be a problem with the process you’ve established, or the policy goals that process is meant to achieve. You need to investigate further.
Second, look for who approves what in the shadow process; that’s the choke point. Processes are meant to get something done, after all. Somebody, somewhere, needs to approve that purchase order they’re hiding from headquarters; or to pass long those projections maintained on a spreadsheet rather than the central database.
When you do find a shadow process and investigate further (see our first point, above), that person in charge of approvals is going to be the most useful conversation you have.
Third, consider conflicts among policy, process and local requirements. That can often be the impetus for some business unit to create a shadow process. Perhaps local law prevents the business unit from following your process, so it creates its own. For example, local law might allows citizens more control over personal information, so the local unit creates its own processes to let citizens see data collected about them.
That’s a very different reason for shadow process than a desire to engage in corruption. Compliance officers need to consider that context. It might well be that you could create a global policy (for, say, due diligence of third parties), while delegating control of the process to local units.
Remember the Fundamental Question
When a compliance officer discovers a shadow process, you need to ask: Is the real problem that you have too few controls, allowing employees to build this shadow process? Or do your own processes have too much rigidity, that you drive employees to circumvent them so they can do their jobs?
That’s a complex question. The answer, however, helps you understand the follow-up questions to ask about corporate culture, core values and risk tolerance.