Category Archives: Risk Management

How to Simplify Your Risk Management System

Risk management is a big and complex topic… but that doesn’t mean your approach to risk management has to be. In fact, the simpler it is, the more likely it is to be adopted and successful. Understanding the 7 levels of process maturity can keep you in compliance and mitigate your risk exposure. 

RECOGNIZE

Admitting the need for change is always the first step. But you can’t admit that need until you recognize the nature of that need. Whether you’re just starting with risk management or managing a long-neglected risk, it’s important to examine the risks that threaten your company and your ability to manage them. Is your organization fully compliant with good clinical practice? If not, then it’s time for a change. Make sure you communicate that to all the relevant stakeholders so you can get the ball rolling on these changes.

DEFINE

Risks can come in all shapes and sizes. Financial, reputational, and moral risks are just some of those that may impact your company, and your management and staff should have a pretty good idea of what they are – and what they could be in the future. Gather them together and brainstorm the possibilities.

Once you have these risks defined, identify which have the most realistic potential of disrupting your operations. Decide which strategic approach makes the most sense: avoidance, acceptance and mitigation, or reduction.

MEASURE

Even if you haven’t begun your risk management, it’s time to gather whatever relevant data is available to you regarding that risk. How is your company performing around that risk? How has that performance evolved? Recording and storing this data will help your company measure and track your risk management process over time.

ANALYZE

Once the relevant data is collected, analyze it. Record the causes of risk as well as your assumptions. Track your company’s risk management progress over time. From this analysis you may establish processes to assess ethics and compliance risk.

You’ll want to include plans for a quality assurance team that will check the accuracy of your internal assessments. Having this internal check will help ensure there are no surprises when external auditors or regulators show up.

IMPROVE

Done correctly, the analysis phase should highlight areas for improvement. Using these insights, develop practical solutions tailored to your organization. Innovate, establish, and test potential solutions to problems with relevant stakeholders.

New threats may emerge at any time and sometimes your solutions simply won’t work. Make sure your plan is flexible enough to adapt to evolving circumstances and make updates as necessary.

The key to success is regular assessment and improvement. Staying on top of compliance demands is essential as well. In addition to the other relevant risks, make sure every assessment you perform covers compliance risks.

CONTROL

With your solutions in hand, it’s time for action. Communicate them to relevant executives, key managers, and employees so they can buy into the process and execute. Make sure to include a plan for auditing their compliance as well, ensuring that everyone is held accountable and issues can be addressed quickly.

Ask the right questions to make sure you have the necessary control over all aspects of your company’s strategic risk response. Everything should be accounted for. This includes the triggers that initiate responses to risks, the individual tasks and activities employees must take in response, and the ability to accurately forecast deliverables and outcomes in these situations.

SUSTAIN

Setting up a risk management system takes time, and it’s important to protect that investment by sustaining your program through a continual review process. This could be annual, monthly, or quarterly, depending on what works best for your business.

No matter the size of your organization, it’s always possible to miss something. Stay on top of trends by seeing what other organizations are doing.

How to Protect Yourself against Employee Misconduct

Misbehaving bosses and employees are a fact of life. At some point, every organization will likely have to deal with them. But when the misconduct crosses a line, the fallout can ripple through your company, costing you millions. Between hits to your reputation, fines, lost clients, decreased productivity, ongoing litigation, and increased insurance premiums, hanging onto bad employees can be an expensive mistake.


Here are 3 things you can do right now to protect yourself from the bad behavior of your employees:


Create a compliance program

If you don’t have a set of policies in place that address misconduct by employees, create one that clearly outlines what is and is not tolerated at the company and the associated consequences. Be sure to consult with attorneys and other experts to ensure that these policies are legal, enforceable, and match the needs and expectations of your organization.

Next, you’ll need the buy-in of your managerial staff. It’s up to them to communicate the mission and vision of the compliance program to employees. This messaging should be robust, scalable, and repeatable. Having a method for doing this should provide your managers with the tools they need to deliver these messages to your employees effectively. The better these messages are communicated, the lower your risk of employee misconduct.


While your managers will play a significant and important role in the roll out of these messages, they cannot do it all on their own. To really make sure everyone knows about them you’ll need compliance training and a code of conduct for employees to sign on to. Taking the time to train employees on the intricate ins and outs of your policy will help clear up any ambiguities in the code. Having them sign on to the code will communicate its importance to their continued employment and send a message that these codes of conduct are serious business. 


Incentivize compliance and enforce consequences

Laws are only useful when they are enforced. But enforcing the laws you’ve made may require additional resources. Assuming you planned for these during your policy formation phase, the next step is to gather the resources you need to enforce compliance through auditing and investigation.

Make sure employees are aware of the legal implications of non-compliance – both for the company as a whole and for them as individuals should they be held personally liable. This should be done throughout the program messaging, training, and in the actual code of conduct.

With enforcement resources in place and the stakes around compliance known, it’s time to formulate and implement screening standards for employees. These standards should be robust, scalable, and repeatable processes that provide your company with the assurances it needs to mitigate the risks you face.


Assess risk and be prepared

Once you have a documented and well-communicated set of policies in place, you’ll need to prepare for the worst case scenario. Begin by identifying potential areas where misconduct could take place and perform necessary audits to ensure policies and procedures are being followed. 

Next, consider those groups who would respond to a violation such as regulators, law enforcement, shareholders, employees, and even the general public. What do they expect from your company? How do they expect you – and your brand – to resolve the issue? 

Having a response plan in place will allow you to respond quickly and decisively to a crisis, in a way that inspires trust and confidence in your stakeholders that it won’t happen again.

The Top 4 Sources of Compliance Risk

When it’s your job to protect the company’s bottom line, the last thing you want is to get the company in needless and expensive legal trouble. Lawyers are expensive as are fines, and even the suggestion of criminality or unethical practice is bad for your reputation. So legal compliance is a fact of life for every company.

But while you want to be a good “corporate citizen”, you don’t want laws and regulations to ruin your business model either. Changes in regulations and enforcement can have an enormous impact on your business. There’s really no ethical way around it. But, with proper risk management, you can play by the rules without being played by the rules.

To get you started in thinking about these risks, let’s review the top 4 sources of compliance risk:

Laws & Regulations

Failure to meet regulatory requirements can lead to fines, penalties, loss of operation licenses, and more. Other times, changes to trade regulations and agreements can affect international sales. Keeping up with constantly changing regulations and other legal requirements is difficult, and careful monitoring and prompt adoption are critical. Falling behind can slow operations and affect overall company performance.

In May 2019, British Steel announced it was on the verge of bankruptcy thanks to Brexit-related issues. Between the Brexit negotiations and the US-China trade war, the UK steel industry was not ready for its European partners to delay purchases, nor for the resulting tariffs of up to 25% on most of the steel exported to France, Germany or the United States.

With over 4,000 jobs at risk at their main plant, an estimated 20,000 more jobs along their supply chain were also in danger. The British Steel jobs were only saved once the company was sold to Jingye in March 2020. As of March 2021, changing laws and regulations still leave the entire future of the UK steel industry in doubt.

The uncertainty around anticipated export laws made the Brexit-related regulatory risks nearly impossible to manage. While British Steel’s Brexit breakdown is an exceptional case, it serves as a cautionary tale of how regulatory risk can bring an entire industry to its knees. Every company needs to do their best to identify such risks and manage them as best they can before a crisis hits.

Employee Misconduct

Employees who break the law or violate ethical standards can have a disastrous ripple effect on a company. Company morale, culture, and stature are all put at risk, along with substantial legal and financial repercussions, when employees, especially executives, misbehave.

This happened to Alphabet, the parent company of Google. In 2019, shareholders filed a lawsuit against the board of directors. In the suit, the shareholders accused the board of shielding senior executives from claims of sexual misconduct. The shareholders claimed Alphabet had breached their fiduciary duty, abused their control, enriched themselves unjustly and wasted corporate assets. Google employees around the world walked out of their jobs in protest of a $90 million exit package awarded to an executive who was asked to resign over credible sexual misconduct claims.

Alphabet settled the suit in 2020. As part of the settlement, $310 million went to fund a council on diversity, equity, and inclusion initiatives. They also created a new Employee Disciplinary Committee and mandated coaching that would hold executives to a higher standard of conduct.

While Alphabet managed to mitigate the fallout with a legal settlement, the costs of employee misconduct were still incredibly high. The effects of employee misconduct rippled through the company, down to the employees and the shareholders. Had they managed this risk better from the start they might have avoided this entire mess.

Product Failures

Products that fail to deliver on your company’s promise can ruin your reputation and bottom line. But in some cases, they can get you sued by your shareholders as well. 

CD Projekt Red (CDPR) hyped up their Cyberpunk 2077 video game for over 8 years before its release in late 2020. Promotional videos promised a fully immersive futuristic world for gamers to play in. Despite countless production delays, over 8 million people purchased pre-order copies.

But the game completely failed to deliver a product worthy of that hype. It was full of game-breaking bugs and lacked many of the promised gameplay features. Those who bought and played the game were upset. The glitches became the butt of jokes and memes for weeks following the release.

The product was so shoddy that Sony, which sold digital versions of the game in its online stores, halted sales and offered full refunds. In an open letter, Adam Kiciński, the CEO of CDPR, urged disappointed fans to take advantage of the offer. He even opened a phone hotline to help those having trouble getting refunds. As a result, the company’s share price plummeted 31% in a matter of weeks.

Following the drop, CDPR was hit by two shareholder lawsuits. The suits claimed that CDPR made statements about Cyberpunk 2077 that were “materially false and misleading”, citing the many bugs in the console versions of the game.

While CDPR’s ultimate fate remains to be seen, what’s clear is the fallout that can result from a failed product. Even if CDPR manages to recover, it will be an uphill battle to rebuild their reputation both with consumers and shareholders. 

Safety Violations

Accidents happen. Sometimes human error is to blame, other times it’s the equipment. Having a culture of workplace safety can help reduce accidents and keep your company compliant. But if there is a lapse in those protocols or maintenance procedures, the results can be catastrophic.

The infamous 2010 Deepwater Horizon accident in the Gulf of Mexico, off the coast of Louisiana, is the largest offshore oil spill in US history. After the fact, investigators found the rig operators did not sufficiently conduct safety inspections on the very systems that failed. Fines from the US government totaled $20bn and the company was charged with manslaughter (later dropped) for the deaths of 11 of their workers.

Of course, safety issues of this scale are unique to the oil and gas industry. Still, this tragic event shows how overlooking a safety violation can snowball into a disaster for all involved. 

Conclusion

While the examples above are not the only sources of compliance risk out there, they do help illustrate their nature. It’s never just about following the rules to avoid a fine. Sometimes it’s adjusting to the changing rules to preserve your business. Other times it’s about being a good corporate citizen. At the end of the day, these are all things your company’s stockholders, future employees, and clients will look at when deciding if you truly are acting in their best interests. 

The best thing you can do to honor the needs and expectations of your stakeholders is to assess your compliance risks and manage them. They may not notice when things go right, but they will certainly notice when things go wrong.