Business is risky. There is no avoiding it. If you run a business, you are in the business of managing risks.
Risks come in many different flavors, but for purposes of this essay I’d like to segment them into two basic categories:
–Operational risks: Risks associated with adverse events like fires, storms, strikes, poor cash flow, power outages, supply disruptions, poor product quality, bad advertisements, transportation slowdowns, communication problems.
–Legal/ethical risks: Risks associated with failures to follow laws and the reputational damage caused by legal activities that breach accepted behavioral norms.
Regardless of what kind of business you have, you are managing both operational and legal/ethical risks. So, in answer to the question about whether you need to have a compliance and ethics program in your business: you’ve already got one. Your compliance and ethics program is the sum total of all of those things you do, and all the systems you have invested in to abide by the law and earn the trust of employees, investors, customers, suppliers and other key stakeholders.
So the question is not whether you need a compliance and ethics program. Instead, the real question you should be asking yourself is: “Is my compliance and ethics program as strong as it needs to be to effectively manage my legal/ethical risks?”
Now, before I suggest an approach you might take to answer this question, let’s be honest with one another. As a businessperson, you hate this stuff. Of course, you want to play by the rules and you know that governmental mandates and behavioral norms are a necessary evil, but you also think they are “evil.” They cost you money and time, lots of it. They stunt your business growth and competitiveness. Many times they are ridiculous and don’t make any sense. And, there are just too many of the damned things for any normal human being to keep track of. Besides, you didn’t start your business just to keep lawyers and accountants employed. You got into business to build something great!
But, alas, the “evil” is here to stay and those who figure out how to manage it effectively will have a competitive advantage over those who do not. They will maximize their chances of recruiting, retaining and motivating the best work force. They will earn the trust of their customers, the investment community, governments, suppliers and other key stakeholders the old-fashioned way: by being trustworthy. They will reduce their legal fees and avoid costly lawsuits, fines and penalties. Oh yeah, and they won’t have to worry very much about ever spending time in jail.
So, let’s get back to the basic question: “Is my compliance and ethics program as strong as it needs to be to effectively manage my legal/ethical risks?” Books have been written about how to do this, but here are a few steps you might consider in getting started:
Step 1: Systematically determine what your legal/ethical risks are.
Such a risk assessment can be very elaborate and time-consuming, but it need not be. Get the right people in the room and simply have them make a list. Rank-order the items according to their importance to your business.
Step 2: Systematically evaluate how reliable your current systems are in managing the legal/ethical risks identified in Step 1.
Again, you could invest significant resources in performing this work, but it need not be any more sophisticated than having knowledgeable people evaluate system reliability by using a simple capability maturity model to characterize the reliability of each key system element. You can make your own up, or hire a consultant to design one for you, but such a model could look something like this:
–Level 1: We don’t have one of those, or the one we do have is really bad.
–Level 2: We’ve got a system, but it is just hanging on by its fingernails, is not sustainable or is not producing reliable results.
–Level 3: We’ve got a system and it’s well-staffed, well-resourced, stable and producing reliable results.
–Level 4: We have a Level 3 system and we are actively optimizing its performance by an iterative process of gathering key metrics and implementing improvements.
Step 3: Evaluate the results of steps 1 and 2 and identify opportunities for improvement.
Step 4: Prioritize your opportunities for improvement and select some for implementation. This step is vital, because you will always identify more opportunities for improvement than you could ever afford to implement.
Step 5: Develop and implement action plans for selected opportunities for improvement and track them to completion.
Step 6: Institutionalize the discipline necessary to engage in Steps 1 through 5 at least once per year in each of your businesses and key functional groups.
There’s no magic in conducting such an exercise. It’s really a matter of applying the same discipline you use every day to manage your operational risks. The end result, however, can be very powerful. If you have not done this kind of systems evaluation/risk assessment before, you will likely have a much greater appreciation for and understanding of your business’ key legal/ethical risks. You will also be able to make a rational allocation of scarce resources to improve key legal/ethical risk management systems that you are counting on to run your business well and keep you out of trouble.
Jim Nortz, compliance director at Bausch & Lomb Inc., is a member of the Rochester Area Business Ethics Foundation and serves on the board of the Ethics and Compliance Officers Association. For more information about RABEF, visit www.rochesterbusinessethics.com. Jim Nortz can be reached at (585) 260-8960 or [email protected].
10/03/2008 (C) Rochester Business Journal