Behind compliance management failures at Mitsubishi, VW, Target

  • by gcarroll@fasttrackaust.com (Greg Carroll)
  • 17 Jun, 2016
2016 has seen a virtual tsunami of compliance failures involving some of our largest companies. From Mitsubishi to VW, from ANZ to Target, almost weekly there have been media reports about some company employees having run amok – unbeknownst to their executives and boards. People are asking: “What happened to the compliance management systems that are supposed to monitor and prevent such abuses?” Executives and boards are naturally starting to question the entire compliance management function. 


It’s time to admit compliance management systems are failing their owners. A guard dog is no help if it fails to protect the asset. Most guard dogs are used as a deterrent – making any would-be wrongdoers think twice about their next action. What if the wrongdoer goes ahead anyway? For the dog to bark at the spot where missing items once stood would be noticeable but pointless.

We need to understand how and why compliance failures occur. The weakness in most modern compliance management systems is their reliance on predictable policing, followed by periodic (historical) reporting. Yes, the system ‘works’, in that we did eventually find out about Mitsubishi and Target – but after the real damage had been done (see: Target managing director resigns).

The fallout from these systemic compliance failures commonly results in executives and board members having to commit professional Seppuku. With ignorance no excuse for those who are ultimately responsible for corporate governance, and the risk of being blindsided by disaster seemingly unavoidable, it’s no wonder the demand for fail-safe compliance management is coming from the top down, rather than from compliance managers at the middle level.

The paradigm shift in compliance management systems

Albert Einstein defined insanity as doing the same thing over and over again, expecting different results. Yet whenever compliance has suffered an epic fail, and leaders are sacrificed, the same type of system that failed to prevent this catastrophe will survive in usage to fail elsewhere, and cause another. Nothing short of a paradigm shift in compliance management can protect even the greatest captains of industry from ‘hanging’ over breaches within the rank-and-file.

This much-needed shift can be made possible only by changing prevailing attitudes towards compliance management – from ‘good’ compliance management being about ‘meeting the necessary regulatory controls at minimal cost’, to nothing less than a truly defensive business intelligence system of immense value to the organisation, and all of its stakeholders.

Corporate accountability without complete visibility?

When visibility and accountability are based on post-event periodic reporting, it allows time for the manipulation of data, the promotion of nebulous excuses like ‘reporting period transition errors’, and a lack of avid interest from top management, with its tendency to be forward-focused.

Also, the deterrence factor is lost as soon as managers realise their ability to “massage” figures is not actually being detected from above. The classic case of visibility failure stars Nick Leeson (sole protagonist in the Barings Bank collapse) who has always maintained his actions were ‘not for personal gain’ (see: Original rogue trader tells story). The shock destruction of the UK’s oldest merchant bank started with Nick Leeson covering a colleague’s mistake. When this relatively minor breach went undetected, his breaches snowballed until it was too late to save Barings.

The dangers of management desensitisation

Minor corporate infractions that ‘slip through’ have the effect of desensitising management and compliance to the erosion of ethical mores across the organisation. Without a formal, real-time monitoring and reporting system, the organisation becomes wholly reliant on peer-pressure to enforce proper norms and practices. The increasing desensitisation among colleagues, combined with personal benefits gained from improper actions, leads to the development of a ‘rogue culture’, however surreptitious its risk-laden encroachment.

The only solution is to transform existing compliance management systems from the traditional mode of ‘checking what has happened’, to using an applicable compliance framework as a real-time assessment framework for operational performance and decision-making. This paradigm shift requires four major changes.


The four changes needed to achieve fail-safe compliance

1. Link all management collateral (objectives, KPIs, risks, tasks, decisions) back to specific regulatory clauses.

Whether ISO standards, governmental regulations or corporate/legal obligations, most are reasonably mature, meaning they have been developed to cover most causes of negative outcomes. This is shown by the fact that compliance management systems usually do expose the shortcomings; what we really want is to know in time for something to be done about it.


2. Cross-reference all management collateral pieces to determine how they are affecting one another.

This is not a preliminary step but an on-going function. Don’t be dissuaded by the perceived enormity of it. If each manager can list a few of their obvious cross-references on a piece of collateral when working with it, it won’t take long to develop an intelligent neural network.


3. Introduce traffic lights on each piece of collateral, based on business-rule triggers, with drill-down capabilities.

Traffic lights become the compliance management system’s real-time visibility and accountability flags. They become both an effective tool for prevention and the harbinger of ill winds. What’s required is an enterprise graphical representation dashboard. The ultimate corporate governance dashboard denotes current operational performance levels – with their traffic lights – and provides a method of drilling down to see why the traffic light has been triggered.


4. Integrate with an Enterprise Risk Management (ERM) system for complete situational awareness of the business.

Traffic lights are great for drawing attention to real-time issues without any argument over discrete values, but data is needed in order to make insightful decisions on moving forward. A true ERM should include both quantitative analysis methods and aggregation of risk across the enterprise. The triggering of a traffic light should cause an immediate re-evaluation of target risks, and their effect on corporate objectives, either automatically or manually.

With this effective compliance management protocol in place, variations of activity out of the norm (> 2 standard deviations) are flagged (for good or bad, right or wrong), delivering the accountability needed, while the real-time compliance dashboard delivers the visibility.
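The flagging rule just described, worked through as an added example that is not from the article or from any product it refers to: each KPI is linked to a regulatory clause and cross-referenced risks (change 1 and 2), the > 2 standard deviation rule drives a red traffic light (change 3), and a non-green light returns the linked risks for re-evaluation (change 4). The clause ids, risk ids, KPI names and figures are constructed placeholders, and the amber band at > 1 standard deviation is an assumption beyond the article's single > 2 SD rule.

```python
"""Added example: a minimal real-time compliance monitor with traffic lights.
All clause ids, risk ids, KPI names and figures are constructed placeholders."""
import math
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Collateral:
    """One piece of management collateral (a KPI) and its links (changes 1 and 2)."""
    name: str
    clause: str                                        # linked regulatory clause
    linked_risks: list = field(default_factory=list)   # cross-referenced ERM risks
    baseline: list = field(default_factory=list)       # historical values (the norm)


def traffic_light(item: Collateral, value: float) -> dict:
    """Evaluate one new observation against the norm (change 3).
    Rule: |z| > 2 -> red (the article's rule); |z| > 1 -> amber (assumed); else green.
    A constant baseline with a deviating value is treated as infinitely far out."""
    mu, sigma = mean(item.baseline), pstdev(item.baseline)
    if sigma == 0:
        z = 0.0 if value == mu else math.copysign(math.inf, value - mu)
    else:
        z = (value - mu) / sigma
    light = "red" if abs(z) > 2 else "amber" if abs(z) > 1 else "green"
    # Drill-down: the clause behind the light and, when triggered, the risks
    # that must be re-evaluated (change 4). Green lights carry no re-evaluation.
    return {"kpi": item.name, "light": light, "z": z, "clause": item.clause,
            "re_evaluate": item.linked_risks if light != "green" else []}


def dashboard(items: dict, observations: dict) -> list:
    """Return only the non-green lights, worst first, for the governance dashboard."""
    flags = [traffic_light(items[n], v) for n, v in observations.items()]
    flags = [f for f in flags if f["light"] != "green"]
    return sorted(flags, key=lambda f: abs(f["z"]), reverse=True)


# Constructed sample collateral: two KPIs with placeholder clause and risk ids.
KPIS = {
    "manual_journal_adjustments": Collateral(
        "manual_journal_adjustments", clause="CLAUSE-PLACEHOLDER-7.5",
        linked_risks=["RISK-PLACEHOLDER-12 financial misstatement"],
        baseline=[3, 4, 2, 5, 3, 4, 3, 4]),
    "test_reruns_per_batch": Collateral(
        "test_reruns_per_batch", clause="CLAUSE-PLACEHOLDER-8.6",
        linked_risks=["RISK-PLACEHOLDER-03 certification integrity"],
        baseline=[1, 2, 1, 1, 2, 1, 2, 1]),
}

if __name__ == "__main__":
    for flag in dashboard(KPIS, {"manual_journal_adjustments": 11, "test_reruns_per_batch": 1}):
        print(flag)
```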

Organisations are full of people. Some people do bad things – a fact of life which cannot be changed. What ‘good’ compliance management really means is that when bad things are first starting to happen, the situation is detected, contained, and mitigated in ‘good’ time.
