My answer to that is: “Why not”? …more than ever! That was the short version.
I will now gladly take you on the road to why I came up with this answer of “Why not”. Many of you are board members, entrepreneurs, auditors, or consultants – I speak to you today as a human being with all your different roles and responsibilities you act in day by day. Be it social, professional, or private.
That is why it is especially important to me to illustrate my way to this answer with a practical example from everyday life and to leave the theory which you already know, in the background.
The impulse “Why not?” triggers further questions. Because: Implicitly “Is compliance possible in the crisis?” would mean: “Dear shareholders and stakeholders, in crises all agreements, regardless of their form, are void.” True to the motto: “None of my business”. This regardless of responsibility, hierarchical level, and role. You agree – this does not tie into all we pursue in our responsibilities.
In my view, this is an answer that neither the individual, entrepreneurship, the economy, and society – nor our culture can or better said, should tolerate!
Culture of Trust
When I talk to people in charge – who have never been harmed by misconduct (also known as non-compliance, fraudulent action, cyber-attack, etc.) – about topics such as compliance, governance, risk, controls, specifically also rules of business conduct (code of conduct) etc., I very often hear statements such as the following:
- We do not need that
- We have already written something like this but not in writing
- Only the auditors need this s
- I trust my employees
- We have been a well-rehearsed team for years
- Non-compliance “happens” only to the others
And if this excuse does help, next ones are already in place as this acts of non-compliance only happens to either
- Larger companies
- Smaller enterprises
- More global companies
- National companies
- Younger companies
- Older companies
you name and understand where the acceptance of the potential risk starts. The list can be continued if you wish.
We love illusions
We claw at each other for so long to be able to trust. Because we – this is our species – want to do so! Until it is no longer possible. And this point, when it is no longer possible, we learn to a very small extent about the real events – from the press. A small fraction only, gets to the public.
Most of the damaged companies and those responsible for them go down this path of loss in camera This loss involves more than financial loss. In particular, a large part of the original trust is lost.
The fact is that any company can become a victim of misconduct. Just like every responsible person.
Therefore, companies that want to remain successful in the market in the coming decades need more than a culture of trust.
So, in answer to the question a YES and…
Who trusts you and your company to take asset protection seriously and to do everything possible to guarantee it? – Your shareholders and stakeholders.
How do you protect your so-called “crown jewels” – the company’s crown jewels? What do these – recently more and more often mentioned “crown jewels” which can be described as “assets” in the broadest sense, comprise?
- Tangible and intangible assets
And very important – which most people are slowly but surely becoming aware of:
I am talking about “business driven compliance” in the corporate sense and not about a reduction to purely regulatory requirements. Every organisation, regardless of its size, is based on rules. Unspoken, spoken, documented, undocumented. These rules are designed to protect the organisation and its vision. This has been the case for thousands of years – and a proven recipe.
Compliance is called into question with the title
The reason (or almost the excuse) for not having to be compliant is crises. We in our industry do a lot – at least we think we do… And yes, I know the discussions that take place with our customers and perhaps also in the various committees in which we have our functions.
What do these safety nets in our companies look like?
“Safety net – the potential of an Internal Control System”
I am convinced that the term “Internal Control System” alone does not only trigger enthusiasm while you are reading these sentences. Many of us – and our rather our customers – still associate it with “contaminated sites, “necessary evil”, “must be done”, etc.
The changes in recent years have meant that many organisations now only need to be audited to a limited extent or not at all. From the perspective of these organisations, I hear time and again that since their opting-out, the Internal Control System is gathering dust. “We no longer have to, you know, the auditors no longer look at it”.
When asked whether they do this for their auditors, the answer is often: “We certainly don’t have to do this voluntarily”. What is going wrong here? How do these companies protect their crown jewels?
I am not talking about hundreds of controls – but key controls to ensure internal and external compliance. To protect the assets…
What I see and what I find is confirmed by the studies on the market – ACFE, which was prepared in May 2020 based on COVID-19
- Non-compliance increases significantly
- Expectation of further increases are high
- Reports from whistle-blowers have increased (detection method no. 1)
You wonder why?
Those of you who know me know that I like to use the Fraud Triangle to analyse misconduct. I am only showing you here the additional characteristics and not those that apply even without the crisis.
As a result of the current crisis, priorities have been redefined – into the so-called crisis mode of those responsible. Consciously or unconsciously. There is a strong suspicion that this happened unconsciously in many organisations, which increases the risk of misallocation.
Projects in Compliance Management Systems, Fraud Risk Assessment, Fraud Management, Incident Management were stopped, not started, or completely aborted.
Any measures that have been decided are therefore not implemented, which in turn increases the opportunities and thus the risk of non-compliance – regardless of the pattern, which includes the whole range of cyber-security issues.
“Opportunities increase during crisis.”
- Fear of unemployment
- Failure to achieve targets (sales, projects, etc.)
Dilemma situation of every person of integrity. Analogous to “times without crisis:
- Is it my right
- Work more / better
- They all have enough
- Do not notice it
- Pay it back
Especially in crises, we depend on social control working. I can tell you that if someone in our seamanship had not done what we had agreed, things would have been uncomfortable! And everyone saw that the rules – which were supposed to protect us! – were respected.
In terms of compliance, that means that misconduct is addressed and reported. The still frowned upon “SPEAK UP” culture uncovers and protects.
Think for a moment about a situation / an organisation in your direct sphere of influence that could take a turn for the better here.
With these constant and currently also crisis-related changes, which lead to an increase in fraud cases, more than a “Culture of Trust” is needed. Knowledge of the processes in the old world alone is not enough, but requires adaptation to the new requirements.
“It needs a “Culture of Integrity.”
Many companies – especially in the international environment – have successfully completed the transformation towards corporate integrity or are on the way to doing so.
Courage and leadership.
From my point of view (especially in crises) the most important character trait of all those involved across all hierarchical levels!
The conscious movement towards a Culture of Integrity consists of different components and begins
- Role model function (walk the talk)
- Integrity of those responsible (Tone@Top)
- Strategic decision (sponsorship) for integrity
- Binding nature & reliability of implementation (measures, sanctions in case of misconduct)
- Implemented “Speak up” culture
A further advantage (as current events show): corporate integrity also enables rapid adaptation to changes (technologies, crises, etc.). For the compliance of a company this means not waiting for what is required (regulatory) but evaluating what is needed to be successful on the market in the next decades.
“The question is not whether compliance is possible in a crisis, but how.”
Creating a “Culture of Integrity” during a crisis overburdens those responsible. For this reason, it is crucial that it is continuously established and lived. Regardless of whether the auditor checks compliance with the regulations.
Reflecting how we behave in times of crisis
Shifting priorities due to crises – at the expense of compliance – exposes organisations to increased risk. The ability to adapt strengthens the resilience of companies and enables them to survive these crises. Social control intervenes (better?) in crises due to increased individual pressure.
Please do not forget what you implicitly already know: “Business driven Compliance” remains the number one competitive advantage – especially in times of crisis.
The fact of normalcy bias hinders us.
There is no certainty. Neither before, during nor after COVID-19, but we are currently more aware of it.
We too often succumb to the cognitive bias of the normalcy bias “Because what cannot be cannot be”. The belief things will continue to be as they have been in the past, hindering the ability to plan for the unforeseen events.
The normalcy bias makes people unable or unwilling to plan for unexpected circumstances. The first step towards avoiding these biases is being aware of the existence and risk of tapping into it.
The distortion of normality makes people unable or unwilling to plan for unexpected circumstances. The first step towards avoiding this bias of normalcy is, to be aware of it.
Let us invest in and live our abilities to deal with this fact. Be it in our private environment, in organisations, in our society and on the high seas.
“Purpose driven Compliance” is indispensable even in times of crisis to protect assets (no matter which are important to you, you name it…)!
Is compliance possible in the crisis? “Why not! And more important than ever”!