The GlobalEthicist – How to prevent the next business scandal
Too many executives and boards continue to take a reactive rather than strategic approach to risk and reputation management
The regulatory responses to the many scandals of the past dozen years (Enron, WorldCom, Siemens, Wall Street and Fleet Street) should have curbed the excesses that caused them. But they didn’t.
The endless parade of troubles continues – if it isn’t one industry it’s another, if it isn’t one company it’s another, if it isn’t one hedge fund it’s another, if it isn’t one CEO it’s another, if it isn’t one insider trader it’s another, if it isn’t one briber it’s another.
What is the reason for all this malfeasance and recidivism? A root cause is that so many C-suites and boards don’t understand and have not adopted a strategic approach to governance or risk and reputation management. Risk and reputation management requires constant protection, care and feeding – it needs a strategic long-term approach, not reactive responses.
A strategic approach identifies stupid risk, unknown risk and illegal risk. A good system creates an early warning system to prevent serious reputation damage. It will also prepare an organisation for the scandal that will inevitably happen. It will build and embed better processes in the system that will curb or thwart bad behaviour.
Reputation v revenue
But many C-suites and boards don’t think risk and reputation management is as important as revenues or profits. They’ve got by through a more or less haphazard, almost always reactive, patchwork approach to risk. A finger in the dyke solution, deployed when and if the occasional scandal pops up. At best and at worst they see risk and reputation issues through a pure “cost of doing business” lens.
In the banking industry alone, non-compliance and outright malfeasance have involved almost every big name – JP Morgan, RBS, HSBC, Standard Chartered, Citibank, Barclays, UBS, Deutsche Bank and the list goes on and then repeats itself. As we’re working through the five-year-old mortgage-backed securities and derivatives nightmares, we’re just seeing the tip of the iceberg on the emerging rate-fixing scandals, which will include criminal prosecutions.
And when you thought it was safe to go back into legitimate banking, the US authorities this summer uncovered what is allegedly the biggest underworld money-laundering operation ever: Liberty Reserve, a global online currency trading operation, suspected of laundering $6bn to serve a “shadowy netherworld of cyber-finance”. There seems to be no end to human criminal creativity when it comes to the business of managing money.
Businesses usually deal with scandal in one of two ways. Because of regulatory pressures or other stakeholder “demands”, they grudgingly create an ineffective and under-resourced internal compliance programme that’s supposed to prevent future bad behaviour. They build a compliance “Potemkin village” where there’s a pretty veneer but the substance and guts of proper risk and reputation management barely exist.
Or, once they are “caught” in the act, they get a government-imposed solution with a monitor or a deferred prosecution agreement requiring a new or revised compliance programme.
Both solutions are reactive. Both solutions are partial at best. And neither solution provides sustainable and strategic risk and reputation management or any other value-add.
It could be different. Corporate officers are responsible for managing their companies, which in addition to financial management includes managing risk, reputation and brand. Boards are responsible for overseeing risk, reputation and brand, not just financial results. Without strategic risk and reputation management, a brand can lose its value overnight and shareholders (and other key stakeholders such as employees) see their investment, livelihood and retirement suffer or disappear.
Smart risk and reputation management also adds value to the bottom line – through liability avoidance, cleaner and leaner processes and improved products and services. Indeed, properly deployed and integrated, strategic risk and reputation management will have a direct and positive impact on the financial bottom line.
Look at the examples of Starbucks, Unilever, Costco and Nike. Imagine the difference a strategic approach would have made to the debacle surrounding the London Whale – aka JP Morgan trader Bruno Iksil. Perhaps a few billion dollars in enterprise value?
It’s not good enough to throw our hands up in the air and say that there are no solutions or that certain institutions are too big to fail, too big to nail or too big to fix. That’s the easy way out.
Some of the global banks may be starting to get it. Some are appointing higher-level chief compliance officers who are part of the executive team, have a seat at the table and/or have access to the board (HSBC, JP Morgan). Others have taken a different approach. For example, after its troubles in 2010, Goldman created a high-level committee and issued 39 business standard principles.
And yet others are creating sustainable investment, community engagement programmes and green measures to demonstrate their reformist bona fides (Morgan Stanley and Goldman come to mind). But smart risk and reputation management involves the creation of a long-term strategy, not a one-time fix – while the jury is out on these recent developments they do give room for hope.
Another tack some of the “too big to fail” players have recently taken is to throw vast amounts of money (billions of dollars) and people (thousands) at their “compliance” problem. They are, however, missing the critical point here. Theirs is not a “compliance” problem – theirs is a systemic cultural and leadership problem in need of a more strategic solution. It’s not enough to throw vast resources at a systemic problem. The real challenge begins and ends at the very top.
There is a solution. Let’s call it the magic triangle involving the CEO, an empowered risk executive and a risk-savvy board. Global enterprises as complex financial actors must adopt a strategic approach to risk and reputation management, preferably with an empowered chief risk and reputation officer (CRRO), sitting on the executive team, reporting to the CEO and the board.
Ownership of risk
Boards have a critical role to play. They need to own risk oversight. They need to hold their CEO accountable on these issues. They need to have a board risk and compliance committee with at least one independent director who is savvy and experienced in these issues, not just tangentially but directly, who proactively demands a strategic approach from management and to whom the CRRO reports.
This is the magic triangle. Together the CEO, the CRRO and the board will be able to triangulate risk and reputation management for the enterprise. It’s possible that the London Whale and other such disasters wouldn’t have happened under these circumstances, at least not to the extent that they did. And it is also possible, indeed probable, that such a strategic approach will uncover hidden business value that otherwise lies fallow and unexploited.
The real obstacle to avoiding scandal and to creating better risk and reputation management isn’t that there’s no solution, it’s that those with a vested interest in the status quo have little desire to change things. Boards and executives have a choice – take a strategic instead of a pastiche approach to risk and reputation management and unlock new value. Sure, risk and scandal can and will happen, but when they do, they’re likely to be less severe, consequential or debilitating. And, in the meantime, the enterprise will become more resilient and maybe even more profitable.
Dr Andrea Bonime-Blanc is chief executive of GEC Risk Advisory, a global governance, risk and reputation consultancy to boards and the C-suite. She is chair emeritus of the Ethics and Compliance Officer Association, a member of Ethical Corporation’s editorial advisory board, a programme director at the Conference Board and a life member of the Council on Foreign Relations. @GlobalEthicist