What factors define a good risk and compliance culture?

The promotion of a sustainable risk and compliance culture across the enterprise is a responsibility of the board and the executive-level leaders, particularly the chief compliance and risk officers. Their tone at the top filters the elements of a “good culture” down through the layers of management and risk takers. Where the culture is favorable, behaviors are more desirable in terms of policy compliance, risk prevention, whistleblowing and accountability.

Regulators and authorities have cited a “poor culture” in enforcement cases to extend liability into governance areas. For instance, in Spain, the State Prosecutor recently indicated that compliance programs should build the true compliance culture of a company rather than be an instrument to avoid criminal liability. An inadequate culture, driven by performance complacency, tolerance of improper behaviors or the justification of compliance breaches, diverts resources from strategic objectives.

We need to understand the internal and external factors of the risk and compliance culture in order to change them for the better. Perceptions of governance structures such as remuneration incentives and performance measurement are critical to adjusting risk behaviors. The compliance program should specify these desired expectations to align practices in all parts of the company with business ethical values and a shared risk tolerance.

Research evidence suggests that culture is strongest in business units that:
  • are smaller (up to 5 members) and less diverse (Colquitt et al. 2002), 
  • have higher staff well-being, engagement and tenure (Huhtala et al. 2015, Beus et al. 2010), 
  • have high social interaction and leaders who provide clear guidance (González-Romá et al. 2002), 
  • have a denser communication network (Zohar & Tenne-Gazit 2008), 
  • are focused on customer needs (Bedarkar et al. 2015), 
  • are more interdependent and have higher group identification (Roberson 2006), and 
  • are more cohesive, with leaders who are transformational, share a clear strategic vision for the work and behave consistently (Luria 2008). 

ISO 31000 on risk management states that the organization's culture should be assessed as part of the internal context in order to adjust and improve the risk policy. The strong-culture factors suggested by research can be promoted by:
  • setting a risk tolerance policy to consistently manage holistic risks across the compliance, operational, financial and strategic functions, 
  • focusing cost-saving and performance programs on investigating accidents and losses, including those covered by insurance and those due to fraud, 
  • adjusting the remuneration scheme to the risks taken and to internal control reviews, 
  • setting HR policies to avoid mutual accountability and to promote open-door communication, issue escalation and whistleblowing reporting, 
  • developing a comprehensive training program to build the skills that support desired behaviors, such as detecting fraud red flags, team management and objective setting, workplace incident response, and regulatory compliance, 
  • building risk and compliance reporting channels for governance oversight, to aggregate risk management information and indicators and to decide on risk reduction plans, the development of the compliance program, and internal control effectiveness, 
  • articulating a value-based compliance system with policies and procedures that enhance personal accountability, and 
  • involving suppliers, investors, clients and regulators in creating and developing action plans to support a transparent culture and to anticipate risks. 

Why is compliance such a hot topic in Spain?

The Spanish Criminal Code was amended in 2010, and subsequently reformed in 2013, to introduce the concept of criminal liability of legal persons. Many domestic legal entities are now criminally responsible for penal offenses committed in their name or for their benefit by those empowered to manage and control the business, and by their employees or contractors where adequate controls were lacking. The liability of a legal person does not exclude criminal proceedings against a natural person, such as the perpetrator of the offense, but it significantly increases compliance risks and affects corporate sustainability. In the first prosecuted case, the Supreme Court recently confirmed a €776M penalty imposed on a machinery rental company for drug trafficking from Venezuela to Spain.

This law responded to local business crime trends and focused on assigning moral culpability for the commission of serious offenses to corporate entities lacking effective compliance surveillance and ethical measures. Companies are exempted from criminal liability if they provide evidence of effective supervision policies over their administrators and staff. The law provides a detailed description of an appropriate compliance management system, domestically known as "corporate compliance", "corporate defense", "compliance program" or "crime prevention plan".

During the past five-year period, the scope of compliance evolved from criminal offenses to business ethics in general, from external compliance to internal compliance, and it moved from the legal departments to internal and external auditors, boards, shareholders, risk managers, consultants, and the information technology and security areas. The offenses expressly mentioned by the Criminal Code are general key compliance risks, such as bribery, tax evasion, market abuse, fraud, environmental crime, personal data breach, money laundering, and intellectual property infringement. They can all be treated with accepted international standards, including ISO 19600 for compliance management systems, ISO 37001 for anti-bribery controls, ISO 31000 for identifying compliance risks, best practices for managing whistleblowing reports, or simply a comprehensive code of ethics.

The wide scope of compliance and the greater reputational and financial risks increased the need for professionals to manage the implementation of compliance programs, the chief compliance officers, in all kinds of businesses and organizations whatever their size or activity sector, including multinationals, domestic subsidiaries, political parties, unions, and even soccer clubs. The compliance officers created a new association called CUMPLEN to share practices for implementing accepted international frameworks.

Spanish companies are moving from "makeup compliance" to creating effective compliance programs in order to ensure business sustainability and to improve overall corporate governance. These new ethical objectives require many more professionals, with a new profile, able to translate legal requirements into comprehensive ethical behavior while designing and building risk-based, cost-effective preventive controls. This is the real challenge for Spain.

Rogue Trading and GRC

"When you have supervisors who rely on computer software rather than human contact, there is a false sense of security."
Stephen Brown, Professor of Finance at New York University's Stern School of Business (2011)

"You haven't heard of financial scandals where a rogue trader has earned $2 billion extra for the company."
Barry Staw, Professor of Leadership and Communication at the University of California (2011)

"Compliance monitoring is still regarded in most organizations as a second-class operation."
Stewart Hamilton, Professor of Accounting at Switzerland's IMD (2011)

"The current volatile market circumstances significantly heighten the chances that inappropriate trading practices could quickly lead to record losses, so early discovery and remedial action are even more important than in 'normal' times."
UK's Financial Services Authority (2008)

Rogue trading risks are related to fraud, undetected errors (e.g. typing an extra zero) or hedging strategies outside trader limits. Rogue traders usually deal in high-risk investments, expecting to create large unreported gains or to win large bonuses. However, high-risk investments may also create huge losses. A trader is, after all, a professional trained to place large bets in a competitive environment. To make matters worse, trading losses usually accumulate over time.

In the case of the Union Bank of Switzerland, rogue trading risks were not properly managed at a bank that had been bailed out with $5 billion from Swiss taxpayers. According to the bank's own explanation, a junior trader exploited a loophole in contentious synthetic ETFs that caused a $2.3 billion loss on fake over-the-counter positions over the past three years. In Europe, these transactions did not require a confirmation from the bank on the other side of the trade. The trader allegedly evaded detection by booking fake hedging trades to cover the magnitude of his losses. Because only proprietary trading was involved, the losses do not affect client accounts.

Rogue trading is generally prevented by controls including:
a) checking by the back office for confirmation from the counterparty or broker,
b) segregating back, middle and front offices (traders should not have access to middle and back office systems; order entries and adjustments should be segregated),
c) monitoring the number of cancelled and suspicious trades,
d) requiring traders to take their holidays in one continuous block,
e) implementing BI controls (real-time transaction monitoring, higher than normal profits, extended settlements),
f) reviewing trading activity by managers (settlement position reconciliations),
g) hiring practices for a strong GRC culture,
h) a conservative remuneration structure, and
i) independent internal audits.
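As an added illustration, not code from the original post, controls (a), (c) and (e) above expressed as detection logic over a constructed trade blotter: unconfirmed OTC positions past a grace period, extended settlements, heavy cancellers, and a trader whose P&L is far above the desk median. Trader names, thresholds and the T+3 settlement cycle are assumptions.

```python
"""Back-office rogue-trading checks over a constructed blotter (not real data)."""
from collections import defaultdict
from datetime import date
from statistics import median

STANDARD_SETTLEMENT_DAYS = 3   # assumption: T+3 is the desk's normal cycle
CONFIRMATION_GRACE_DAYS = 2    # assumption: counterparty confirms expected within 2 days
CANCEL_RATIO_LIMIT = 0.25      # assumption: more than 25% cancellations is suspicious
PNL_MEDIAN_MULTIPLE = 3.0      # assumption: P&L above 3x the desk median is "higher than normal"


def rec(tid, trader, otc, traded, settles, confirmed, cancelled, pnl):
    """Build one blotter row; dates are (month, day) tuples in 2011."""
    return {"id": tid, "trader": trader, "otc": otc, "trade_date": date(2011, *traded),
            "settle_date": date(2011, *settles), "confirmed": confirmed,
            "cancelled": cancelled, "pnl": pnl}


TRADES = [  # constructed sample blotter; hypothetical trader names
    rec("T1", "alice", False, (9, 1), (9, 4), True, False, 1500),
    rec("T2", "bob", True, (9, 2), (9, 5), True, False, 2000),
    rec("T3", "carol", False, (9, 2), (9, 5), True, False, 1800),
    rec("T4", "dave", True, (9, 5), (9, 30), False, False, 25000),
    rec("T5", "dave", True, (9, 12), (10, 12), False, False, 15000),
    rec("T6", "dave", False, (9, 14), (9, 17), True, True, 0),
    rec("T7", "dave", False, (9, 15), (9, 18), True, True, 0),
    rec("T8", "dave", False, (9, 16), (9, 19), True, False, 500),
    rec("T9", "bob", True, (9, 19), (9, 22), False, False, 300),
]
AS_OF = date(2011, 9, 20)


def unconfirmed_otc(trades, as_of):
    """Control (a): OTC trades still lacking counterparty confirmation past the grace period."""
    return [t["id"] for t in trades if t["otc"] and not t["confirmed"]
            and (as_of - t["trade_date"]).days > CONFIRMATION_GRACE_DAYS]


def extended_settlement(trades):
    """Control (e): settlement dates stretched beyond the standard cycle."""
    return [t["id"] for t in trades
            if (t["settle_date"] - t["trade_date"]).days > STANDARD_SETTLEMENT_DAYS]


def heavy_cancellers(trades):
    """Control (c): traders whose cancellation ratio exceeds the limit."""
    counts = defaultdict(lambda: [0, 0])       # trader -> [total, cancelled]
    for t in trades:
        counts[t["trader"]][0] += 1
        counts[t["trader"]][1] += int(t["cancelled"])
    return sorted(tr for tr, (n, c) in counts.items() if c / n > CANCEL_RATIO_LIMIT)


def outsized_pnl(trades):
    """Control (e): traders reporting P&L far above the desk median on live trades."""
    pnl = defaultdict(float)
    for t in trades:
        if not t["cancelled"]:
            pnl[t["trader"]] += t["pnl"]
    desk_median = median(pnl.values())
    return sorted(tr for tr, v in pnl.items() if v > PNL_MEDIAN_MULTIPLE * desk_median)
```

In the sample, the same trader trips all four checks; in practice each alert would be routed to the back office and a manager independent of the desk for the reconciliation in control (f).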

Until the investigations conclude, it is not clear whether all these controls could have prevented the UBS case. Rogue traders can create complex structures and exploit control loopholes.

In response, some banks reduced their trading units and delta one desks, while others split off their investment banking business from their core wealth management to shield private clients. Policymakers are also reacting by proposing new regulations intended to limit banks from making high-risk transactions.

PS: The last Facebook update on the accused rogue trader's account was “Need a miracle”.

What events do not need to be included in ERM?

Risk is defined as the effect of uncertainty on objectives (ISO 31000 § 2.1). This effect is a deviation from the expected, either positive or negative. Even though statistical science provides well-grounded notions of risk, non-quantitative variables affect their use in business environments. In this post, I would like to establish criteria for which events cannot be treated by ERM.

Risk needs both a probable frequency and a probable impact. This implies that statements of absolute fact fall outside the scope of risk management. When the frequency or the impact is known, we are dealing with business facts and not business risks. For instance, a contract containing a penalty clause is not fulfilled because it is no longer profitable. At the time of the contract breach, there is no risk involved, since the company already knows its indemnity costs and when to pay them.

Uncertainties are a deficiency of information about an event. They are intrinsic to risk (as well as unavoidable for most business decisions). Unlike risks, uncertainties cannot be valued; therefore, it is not possible to calculate an average loss associated with the event. For instance, goods that did not pass the quality tests are delivered to comply with a contract. For this contract, there is no risk of non-compliance: the company knows for sure that the quality is not acceptable under the contract terms and that it will somehow affect the client relationship.

Risk should be identified with a future point in time in mind, when problems and opportunities will be treated. Immediate problems and opportunities are not within the scope of risk management. It is usually said that rain is not a risk when it is already raining. For instance, risks left untreated in time become issues requiring urgent attention. When the risk becomes reality, crisis management replaces risk management, and the contingency plan becomes simply the plan.

Risk is not a single-point view. Events can have an impact in the financial, operational, legal and compliance, or environmental categories. They may have a different impact and frequency in each category. Uncertainty may partially affect the information about one or more of these aspects while others are certain. In this case, it is safe to consider the whole effect as certain and to treat it outside ERM.

In summary, to treat issues in the right framework, risk management does not cover:
- events with all the information to foresee their outcome and moment to occur
- events which are not volatile
- immediate issues

Risk in New Business Ventures

The most critical opportunity to perform a risk analysis is during the development of a business plan. Investors do not expect business plans without risk, but entrepreneurs often fail to include a solid risk analysis in their business plans. Business plans need to anticipate risk in order to build in the flexibility to react by creating alternatives. In this post, I would like to discuss how risks need to be analyzed when aiming at new business ventures.

Traditional ERM approaches are not tailored for startups (or proposals, or new projects) (1); however, risk is the source of their competitive advantages. The skills of the entrepreneurs in strategically managing risk determine the success of their endeavor. Potential losses need to be assessed in order to prioritize the venture's vulnerabilities.

There are particular decision-making needs involved in a business idea. Therefore, risk categories for startups may differ from those for well-established companies. The most relevant risk categories for startups may include:

Product development risk can be defined as the likelihood of successfully transforming a prototype or a business idea into a marketable product. This risk can be mitigated by extensive R&D and customer research.

Market risk can be defined as the likelihood of reaching a smaller target than expected (for a given period). This risk can be mitigated by identifying secondary niches or segments (for instance, a market for by-products) and performing a reliable competitive analysis. Having a good strategy to reach early adopters could mitigate this risk too (for instance, discounts on first purchases).

Managerial risk can be defined as the likelihood of losing key members or of failing to attract the right employees. The managerial ability to adjust and strive is affected by this risk. Since managerial incompetence increases costs, cost control can be very effective in treating this risk.

Cash generation risk can be defined as the chance of becoming unable to obtain liquid funds. Balanced scorecards and projected cash flows can play a key role in monitoring this risk. In order to mitigate it, budget assumptions should be validated, potential funding should be available, and capital requirements should be adequately calculated.

There are also several tools to identify risks and create strategies. For instance, Monte Carlo simulation can be an effective method to identify the variables with the highest impact on profitability. Some of these tools are included in traditional ERM systems.
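As an added example, not part of the original post, a Monte Carlo run over a hypothetical venture's first-year profit that ranks the inputs (market reach, price, unit cost, fixed burn) by their correlation with simulated profit and estimates the probability of a loss. The triangular ranges and all figures are constructed assumptions.

```python
"""Monte Carlo sensitivity of a constructed venture's first-year profit."""
import random
from statistics import mean, pstdev

# Constructed assumptions: (low, high, most likely) for triangular draws.
ASSUMPTIONS = {
    "units_sold": (2000, 10000, 5000),      # market risk: smaller reach than expected
    "unit_price": (45.0, 55.0, 50.0),       # market risk: pricing pressure
    "unit_cost": (28.0, 34.0, 30.0),        # product development risk: cost to produce
    "fixed_cost": (90000, 110000, 100000),  # cash generation risk: burn before revenue
}


def profit(sample):
    """First-year profit for one scenario drawn from the assumptions."""
    return (sample["units_sold"] * (sample["unit_price"] - sample["unit_cost"])
            - sample["fixed_cost"])


def simulate(n=5000, seed=1):
    """Draw n independent scenarios; return per-variable draws and profit outcomes."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    draws = {k: [] for k in ASSUMPTIONS}
    profits = []
    for _ in range(n):
        sample = {k: rng.triangular(lo, hi, mode) for k, (lo, hi, mode) in ASSUMPTIONS.items()}
        for k, v in sample.items():
            draws[k].append(v)
        profits.append(profit(sample))
    return draws, profits


def pearson(xs, ys):
    """Population Pearson correlation between two equal-length samples."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return cov / (pstdev(xs) * pstdev(ys) * len(xs))


def sensitivity(n=5000, seed=1):
    """Rank inputs by |correlation| with profit and estimate the probability of a loss."""
    draws, profits = simulate(n, seed)
    ranked = sorted(((k, pearson(v, profits)) for k, v in draws.items()),
                    key=lambda kv: abs(kv[1]), reverse=True)
    loss_prob = sum(p < 0 for p in profits) / len(profits)
    return ranked, loss_prob


if __name__ == "__main__":
    ranked, loss_prob = sensitivity()
    for name, r in ranked:
        print(f"{name:<11} r = {r:+.2f}")
    print(f"P(loss) = {loss_prob:.2f}")
```

With these ranges, market reach dominates the spread of outcomes, which is the variable a founder should validate first; a negative correlation marks a cost driver.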

A comprehensive risk analysis adds a reality check to business ideas.

(1) For instance, there are no references to startups in ISO 31000.

Opportunity-based Audit

Business risks are increasingly the prime focus of Internal Audit (1). Risk-based Audit (RBA) is the methodology that provides assurance that risks are being managed to a level considered acceptable by the board. This methodology covers the enterprise risk management (ERM) framework (2). Risk-based auditing is increasingly widening its coverage to support management decisions aimed at achieving more objectives. By adding opportunity management to this process, decision-making will be improved. In this post, I would like to take a first step towards a definition of Opportunity-based Auditing.

Effective since 2006, SAS Nos. 104-111 require auditors to evaluate the design and implementation of internal control on all audits in order to properly identify and assess risks. The assessed risks need to be linked to the nature, timing, and extent of the audit procedures performed in response to those risks. These standards significantly altered the way audits had been performed over the previous three decades. Risk-based audits focus on the areas of highest risk to the business. These audits start from business objectives rather than from controls. Their recommendations are then risk-evaluated to ensure the highest benefits (3).

Auditors have the chance to look right across their companies and identify not only best practices but also business opportunities. So, internal auditors should be seen as business partners by directors. Directors (as well as investors) do not like unexpected risks, but they are attracted to profiting from unexpected opportunities. They need systems to promptly identify both business risks and opportunities.

An ERM system aligns the risk involved in a process with the accepted risk appetite. The risk appetite depends on the profitability of the business: a business needs more profit to undertake greater risks. In order to adjust the risk level of a business, new opportunities should be identified. An ERM/EOM system should link the targeted profitability with its risks and opportunities.

An Opportunity-based Audit (OBA) refers to an examination of processes, based on a prior assessment, to identify the most promising opportunities to increase profits for a given risk appetite. Its goal is to recommend a strategy to change existing processes to make them more efficient.

Traditional Auditing + Enterprise Risk Management = Risk-Based Auditing

Performance Auditing + Opportunity Risk Management = Opportunity-Based Auditing

The traditional role of internal audit was reviewing the internal controls over financial statement reporting. The RBA modified this role to review the ERM system and reduce risks to an acceptable level. The OBA adds the review of the opportunity management (EOM) system to recommend business strategies. The areas it audits are Corporate Planning, IT Planning, Marketing, HR, Public Relations and Project Management.


(1) According to the PwC surveys of CEOs, the role of internal audit gradually changed from being focused on finance and operations (2000) to risks (2007).
(2) ISO 31000 defines risk as a deviation from the expected, both positive and negative (2.1.1). However, the described risk treatment options to avoid, transfer or mitigate can only be acceptable for dealing with threats (not opportunities). When risk is defined as a threat, managing risk is managing controls.
At the time of publishing this post (August 2011), there are no references to a framework for "opportunity-based auditing". The process of identifying and managing opportunities is generally overlooked by auditing.
(3) ISO 31000 includes a chapter on risk monitoring and review (5.6). It encompasses the assurance that controls are effective and efficient. There is no more detailed guidance on auditing these controls when dealing with opportunities. Controls that deal with opportunities are carried out, for instance, by marketing, corporate planning and HR.