I always enjoy pulling out the crystal ball and looking forward with due consideration of last year’s trends. It is a perspective that gives us all the opportunity to identify important trends and to set an agenda for the next year – 2023.
The compliance profession continues to grow in overall importance in the corporate governance landscape. Corporate leaders that fail to appreciate this fact do so at serious risk to their respective organizations and their own livelihood. Boards and CEOs that ignore the importance of ethics and compliance are doomed – maybe not today but certainly in the near term. No one is that lucky and compliance karma has a way of catching up with those organizations that believe they can dodge risks and reputational damage with little attention to ethics and compliance. I have seen too many organizations operating in a red flag landscape suffer real and significant harm.
Looking back on last year from a compliance perspective, it is pretty obvious what is likely to rise to the top level of ethics and compliance issues – it is ironic to read and hear business leaders embrace the importance of ethics and compliance culture. For years, senior executives would repeat a short mantra on ethics and compliance – “we do the right thing.” This mantra usually masked senior leadership’s complete lack of knowledge (and appreciation) of just how to design, implement and promote a culture of ethics and compliance. Talk about a deer caught in the headlights: I dare you to ask a CEO who repeats that mantra to explain just how to go about implementing and promoting a culture of ethics and compliance.
Putting aside my sarcasm, at the top of every list of ethics and compliance trends, we all know that Culture, Culture and more Culture is number one.
My First Trend: Culture, Culture and Culture
After culture, however, things get a little more interesting. I find it interesting to “pick on” senior executives who usually fail to appreciate the importance of corporate culture. If CCOs want to test a CEO’s commitment to this issue, the logical next step is to elevate an important requirement for every organization’s risk assessment process – including C-Suite risks.
This is prediction number 2 – CCOs have tried to ignore this issue for years because they feel “uncomfortable” raising it with their leadership team. Like all difficult issues, however, there is an easy way to convince senior management of the importance of analyzing C-Suite risks.
The argument is twofold – if you review last year’s FCPA enforcement actions, especially those involving the Justice Department, you might notice a pattern – most of the enforcement actions involved senior management participation, direction or awareness of ongoing corruption schemes. Indeed, in the GOL Airlines case, a director of the organization executed the bribery scheme himself. This is the first point.
The second point involves communications and internal alliances. C-Suite misconduct risks usually include weak to non-existent financial controls applicable to C-Suite leaders. Companies have suffered C-Suite directed scandals because C-Suite leaders are able to fund themselves or direct schemes from their lofty positions atop the organization. CCOs need to reach out to Internal Audit and their CFOs to enlist their support for a simple proposition – we need to design and implement financial controls applicable to the C-Suite that are tailored to the relevant risks. Well, how do we define those risks? We need to include the C-Suite in our risk assessment process. Voilà!!!
My Second Trend: C-Suite Risk Assessments
My third trend will not be surprising but hear me out on the specific aspects. We hear ad nauseam about the importance of third-party risk management. In the past year or two, this issue has morphed into a broader concept – holistic third-party risk management, in recognition of the fast-evolving risk landscape and convergence of technology, remote work, and automation.
The fast pace of this transformation will continue. While the moniker of holistic risk management may continue, in fact, the trend in this area is to dig deeper into these “holistic” risks and start to identify “granular” risks. I am not trying to twist up concepts here but “holistic” requires more than acknowledging or labeling a particular risk, such as “cybersecurity risks” associated with third parties; the analysis has to turn to a more granular focus on specific functions and processes, each of which may contain identified risk.
Continuing with my example, cybersecurity risks stemming from a third party require granular identification of a variety of issues, including identification of the third party’s cyber strategy, awareness, monitoring capabilities, training, and, of course, access to technologies such as encryption.
My Third Trend: Granular Third-Party Risk Management
My final trend (Carnac Applause Please) is logically connected to the third trend and derives from the tension inherent in financial controls. It continues to frustrate me how the auditing and accounting profession fails to integrate two ideas into one overall framework. It reflects the fundamental divide or gap between two parts of the accounting profession – the auditor and the forensic accountant.
Auditors live and breathe one important concept – “materiality.” We constantly hear from auditors – “oh, we don’t need to dig into that issue because it is not material.” What a cop out. Of course, I get it; they need materiality in order to complete their audit, certify the financial reports, disclose them to the public and move on to the next lucrative assignment. It is the engine of their own financial success.
Unfortunately, I am not ready to let that issue go. Auditors have done a poor job of doing what they should be doing – instead of ignoring, turning a blind eye and covering up, the auditors should be held accountable and be required to respond to red flags. This is a nuanced issue but every financial control scandal usually stems from an inadequate or missed red flag that is the responsibility of the auditor to uncover and investigate.
As a result of this fundamental failure of performance, forensic accountants have played an increasingly important role in cleaning up auditor negligence and misconduct.
The compliance profession is becoming more aware of this fundamental problem. And CCOs and compliance officers are responding by asking more questions surrounding internal controls and specifically financial controls. Let me give you an example – the SEC has repeatedly emphasized the importance of organizations’ financial controls surrounding the contract/purchase order to invoice to payment process. Auditors usually look for ways to avoid drilling down on these issues; forensic accountants are experts in examining this process and identifying risks. Compliance professionals (and lawyers) are jumping into the game because of the importance of this process to overall financial and legal compliance. Hence, my last trend for the upcoming year.
My Fourth Trend: Compliance Participation in Financial Control Review