THE ROLE AND MINDSET OF BUSINESS STEWARDS WITHIN AN INTEGRATED ASSURANCE MODEL
BY KLAUS MOOSMAYER, NOVARTIS
When companies transition from traditional compliance to an integrated assurance model, an isolated and compartmentalised strategy and organisational setup for handling ethical, risk and compliance topics is no longer sufficient to foster trust with internal and external stakeholders.
Instead, we need a comprehensive and consistent system connecting the four dimensions of governance, enterprise risk management, compliance and internal controls. Integrated assurance should be driven by a function, independent from the legal department, with sufficient authority and resources, based on a mandate from the board of directors.
This function does not ‘own’ ethics but rather facilitates dialogue within the company about ethical challenges and dilemmas, while embedding ethics and integrity within the assurance framework. As a practical example, the responsible use of artificial intelligence (AI) needs a comprehensive set of ethical commitments which forms the basis of a practical and not too bureaucratic AI risk and compliance framework.
Considering the characteristics and attitude of individuals involved in integrated assurance functions, what profile and mindset do they need?
The evolution of risk and compliance professionals
Around 20 years ago, risk and compliance professionals often had a reputation for being ‘police officers’ or ‘controllers’. Risk managers often belonged to the finance organisation, both organisationally and professionally. Even today, many companies still assign the risk management function to the finance organisation, which leads to a primarily number-driven approach to risk management based on (financial) controls.
Many compliance professionals started their career in compliance because their companies faced a ‘problem’, a reputational crisis often linked to bribery and antitrust allegations. Such a crisis is like a severe car crash: you need intensive care to preserve the company’s right to do business. While employees may accept a necessary policing approach for a while, it is not a sustainable model post-crisis. If unchanged, companies will inevitably suffer from ‘compliance fatigue’, which leads to cynicism and undermines any genuine discussion on risks and ethical dilemmas.
The compliance community and its leaders have recognised this risk over recent decades. They have made – and continue to make – a noticeable effort to shift from a perceived policing role to a ‘business partner’. Such a bold move comes with risks and opportunities. On the opportunity side, many compliance functions radically changed the profile of the professionals they were hiring. Instead of people with education and experience in control or process implementation, for the first time employees from other company functions, including sales departments, were welcomed in compliance jobs.
A lot of the progress companies achieved in how to communicate and train compliance matters is due to this talent intake from outside the traditional control, process-excellence and legal professions. At the same time, the quality of business advice in compliance and risk matters increased significantly. The new generation of compliance professionals understood and spoke the language of the business.
Over time, this led to a much earlier inclusion of compliance advice in relevant business transactions. Instead of being asked on a Friday afternoon to just sign off on a topic before it was announced on Monday, compliance advice is now sought much earlier in many companies, often as early as the design and planning phase. The ‘business partner’ role of compliance has undoubtedly increased the quality of compliance functions and their involvement in topics that really matter for companies.
The risk of being ‘only’ a business partner
There are also risks involved in positioning the compliance function as ‘only’ a business partner. The compliance professional may – intentionally or inadvertently – be reduced to a pure advisory role. Even in the case of a risk that the compliance officer assesses as ‘high’ or even ‘unacceptable’, the business may just say ‘thanks but no thanks’.
Many well-meaning compliance business partners are then afraid to draw the line or to escalate the issue. They fear being perceived as ‘old-style’ policing and losing their seat at the table. This attitude is dangerous in several regards. It is dangerous for the assurance and integrity culture in the corporation when significant risks are simply waved away with the justification that ‘advice was given, but ultimately it is a business decision’. It is also dangerous for the compliance professional.
When a risk materialises, the standard excuse from the risk-owner is that ‘compliance was involved, and the compliance officer knew’. This is why the most relevant international standards suggest an element of oversight, reporting and escalation when it comes to the role and responsibility of the compliance function (for example, the Organisation for Economic Co-operation and Development’s ‘Anti-Bribery Recommendation’ or the US Department of Justice’s ‘Evaluation of Compliance Programs’).
Business stewardship and its three aspects
Where to go from here? We do not want to lose the achievements and opportunities a business-savvy compliance function provides. Rather, it is about creating a well-balanced model which provides both business partnering and business steering within an integrated assurance model. We call this model ‘business stewardship’.
An ethics, risk and compliance business steward combines three different but connected aspects into their role, as outlined below.
First is being a business partner, ensuring that relevant policies are effectively implemented and that commitment is fostered to fully meet compliance requirements across all parts of the business. This includes providing critical guidance and insights into ethical considerations and regulatory requirements, enabling business leaders to make informed, risk-based decisions. In this context, it is crucial to ask the right questions, identifying potential compliance risks and suggesting measures to mitigate them. It goes without saying that this task requires a sound understanding of the business, its players and its mindset.
Second is being an enterprise connector, embracing an enterprise view to connect functions and people, removing silos, managing complexity and co-creating solutions. The business steward serves as a crucial link between teams, helping to align their strategies and operations in the spirit of integrated assurance. As a practical example, as an enterprise connector, the business steward ensures that a comprehensive risk assessment is conducted for a third party, which includes aspects beyond classical anti-bribery, such as human and labour rights, cyber security, health and safety, or trade sanctions. He or she will never be an expert in all of these assurance fields but will bring together the necessary expertise as an enterprise connector. Indeed, this aspect also means escalating detected risks when the business steward deems them unacceptable.
And third is being a thoughtful influencer with a distinct mindset who supports business leaders to strengthen an ethical culture by driving open-minded discussions on dilemmas and creating a safe environment to speak up. For this aspect, it is essential to foster a dialogue with employees within the organisation about ‘doing what is right’ and the importance of protecting the company’s reputation.
A true business steward also shapes the external environment in a thoughtful way, by engaging with relevant stakeholders from the private sector, regulators and civil society. To level the playing field for integrity, collective action between like-minded corporations is of paramount importance and requires influencing skills.
Implementing the concept of business stewardship in corporations is a complex and demanding undertaking. It requires a true change-management process in risk and compliance functions. It demands professionals ready to transcend traditional roles of enforcement, control or mere consultancy. It is also clear that – depending on the specific role of the individual business steward within an ethics, risk and compliance function – the three aspects – business partner, enterprise connector and thoughtful influencer – may differ in significance.
Considering the career goals of employees within an integrated assurance function, it is critical to cultivate not only the ‘muscle’ but also the mindset of business stewardship through both training and daily assurance work. This applies to all assurance professionals regardless of whether they are engaged in business-facing compliance advisory roles, enterprise risk and crisis management, policy and control governance, monitoring or corporate investigations.
Conclusion
An integrated assurance model will only work with ethics, risk and compliance professionals who have a distinct mindset and who act as true business stewards by going beyond policing, control or providing mere consultancy.
The concepts of integrated assurance and business stewardship are intrinsically connected and depend on each other. Where integrated assurance sets the organisational frame for sustainable ethics, risk and compliance management in corporations, it needs business stewards to fulfil its demanding task of keeping the company on track and building long-lasting trust within the company and with its stakeholders.
Oct-Dec 2024 Issue
Klaus Moosmayer | Executive Committee Member & Chief Ethics Risk and Compliance Officer, Novartis