Until fairly recently (and still for many corporations today), the compliance function and the enterprise risk management function were separately organised – and even more problematic, they worked in standalone silos. There are several root causes for this ‘silo approach’. First, surprisingly, risk and strategy people often do not talk with each other. Second, the compliance department was, and in many companies still is, part of the legal organisation, which mainly focuses on legal risk assessment. And third, due to process-driven external certification needs or regulatory requirements, risk functions have developed individual process empires, for example in quality or health, safety & environment (HSE).

Times are changing

In the meantime, many compliance organisations have become independent from the legal function. In fact, in certain jurisdictions regulatory authorities advise or even request this separation, especially in the financial services sector. In parallel, as the roles and responsibilities of compliance professionals have become significantly more diverse, so has the need to be more independent from the legal function. Of course, these developments will not replace the importance of excellent collaboration between the general counsel and chief compliance officer (CCO) or the contributions of skilled lawyers in the compliance function. However, if a compliance function wants to position itself as a trusted adviser or even a business enabler (in a best-case scenario) to the business, the function needs a diverse workforce, especially colleagues with business experience.

An effective compliance system and its challenges

Now, let us take this a step further. In recent years, experienced compliance functions have developed a unique skill: designing and implementing processes and projects in a risk-based way across an entire corporation. This competency was developed by driving what is now recognised as the three main pillars of an effective compliance system: prevent, detect and respond, including remediation measures in case of detected deficiencies and their reporting. Today, this system is equally valid for all relevant risk functions in a corporation, including HSE, business continuity and emergency management, data privacy, quality, IT security, finance and others.

Traditionally, these ‘second line of defence functions’ operate their own risk processes and controls, and it is a challenge for the (often quite small) corporate risk office of a company to collect the results and come to a meaningful risk assessment for the corporation. In most cases, a shared IT platform does not exist that allows the risk office to combine data across the different risk workstreams for data analytics across all relevant functions. And even worse, due to independent and isolated risk assessments that take place, it can be very difficult for company executive committees and boards of directors to follow up on remediation activities and execute their respective management responsibilities. This situation is in itself a potential risk for corporations.

A company’s resilience in challenging times is directly related to its ability to detect risks early and to mitigate and remediate them. Companies will only be able to implement an effective and efficient compliance system successfully across the company if all associates are aware of the company’s risk exposure and personally own responsibility for managing those risks.

An integrated enterprise risk management system

The solution to address these challenges is an integrated, enterprise risk management system and a consolidated communication effort. This integrated system unites the compliance organisation, which drives the risk-based ‘prevent-detect-respond’ model, and the function-specific risk activities in a corporation in one framework with one coordinated process. Such a risk and compliance function provides a competitive advantage through an integrated risk management approach, and this is the basis of sound decision making for sustainable business development and innovation.

But there is more. Having a clear and solid risk and compliance framework is non-negotiable for corporations that want to survive in today’s disruptive political and business environment. However, companies whose purpose is to serve society need to think beyond policies, guidelines and smart risk taking.

Companies are really part of society

It is a common misunderstanding that companies which need to be profitable, not only to stay attractive for investors but also to be able to invest themselves, are distant or even separate from society. In fact, the opposite is true. Companies are really part of society. They employ and educate citizens and sustain the living of their families. They invest locally. They drive free trade, which is the basis for growth and wealth, and they can be frontrunners for digitalisation and much needed ecological change.

Of course, there is no denying that some companies also do significant harm to society. Environmental damage or corruption are only two examples where bad actors in public administration and in the private sector collude to the detriment of society. But even the biggest and most ‘powerful’ companies alone cannot change or solve the most burning issues of our global agenda. However, they can and must start a dialogue. It is crucial that companies bring real and present ethical dilemmas to the table – with their employees and stakeholders – for open and honest discussion and first steps towards a joint resolution. One example is the question of how to source and supply in a sustainable way globally. We will only be able to change the current situation if actors in the private and public sector work together in policy making and conduct real-life initiatives.

Top management needs to lead the way

Now, the real question is: who in a corporation is best suited to drive this ethical discussion? In order to have impact, senior management must be the drivers, but they need to do it with a structured process. When corporations fully integrate all three dimensions of ethics, risk and compliance into a comprehensive framework, they can best support management with their responsibility and duty to act responsibly on behalf of their corporations and as members of society. As ethical dilemmas and considerations directly impact the risk approach and risk management of a company, they should be seamlessly linked with an effective compliance system, which also includes remediation and structured reporting. This also provides valuable input on the next enterprise risk assessment cycle.

Dr Klaus Moosmayer, Chief Ethics, Risk and Compliance Officer and Member of the Executive Committee, Novartis International AG.

Jul-Sep 2019 Issue

Novartis International AG