Heraclitus developed a theory that ‘Life is Flux’ (Panta Rhei in Greek); in short, he said that ‘everything’ or ‘all things’ change. What Heraclitus meant was that the world (everything, or all things) is in a constant state of change. He illustrated this with an example: one may step from the banks into a river one has always known, but the waters flowing over one’s feet will never be the same waters that flowed even a moment before.
What is the parallel to compliance and GRC management? The essence of compliance documentation and the reporting of compliance states is a split between two main driving forces: external and internal stakeholders and processes. Traditional methods and tools used in compliance management are basically methods and tools for collecting, migrating, analyzing, reporting and storing the results of such activities. Some might generate basic aggregated statuses or KPIs. The tools and methods we have been using until now, in the form of basic tables, spreadsheets and manual processes and tasks, lack the ability to be dynamic and to provide snapshot reports and KPIs. Static spreadsheets with manually controlled compliance data grow and become so immense that at some point they are uncontrollable and impossible to maintain in a trustworthy and prudent manner. The effect is like this: one morning you need the current balance of your savings accounts, so you travel into the nearest city, walk into the bank, queue up and, when it is your turn, ask the clerk for the balance of your savings accounts. The clerk then asks you to come back a few weeks later (or months, depending on how many accounts you have) in order to give you the numbers. When you return to the bank, let’s say four weeks later, your balance sheet will no longer be current; it is just historic documentation of what the balance was at some given point in the past.
Consider an organization that operates within a heavily regulated, audited and controlled domain, or new regulations that affect everyone: the consequences for breaching the data privacy regulations are set at 4% of global turnover or, in the worst case, imprisonment of chief executives. So compliance management with the traditional tools and methods is a high-risk business solution and can no longer be an option for any serious player. Organizations are likely to take these fines seriously, especially large tech firms, financial institutions, banks, insurers and global corporations, because non-compliance could potentially result in fines of billions of dollars. Nevertheless, we have recently seen resistance, or plain misconception, about what is really at stake here. In May 2015 the former CEO and later chairman of Wells Fargo publicly stated that spending money on compliance is ‘absurd’.
«Banks are getting rid of sales staff and investing in technology and so on, in order to pay for compliance. It’s absurd that we are investing that kind of money on compliance that, in my opinion, is way over the top». ~ Richard Kovacevich, former CEO at Wells Fargo, in an interview with CNBC News.
On October 12, 2016, the CEO and chairman of Wells Fargo, John Stumpf (Mr. Kovacevich’s successor), stepped down with immediate effect. The reason Mr. Stumpf left Wells Fargo became clear in the form of a $185 million fine by the regulators. ‘Compliance Lessons from the Wells Fargo Scandal’ points to the real answer to the scandal, namely failed leadership: ‘The CEO of Wells Fargo claims that he knew nothing about these illegal transactions. If that’s true, then it is an admission that the company did not create a culture that made compliance the primary factor in all business decisions’. Similar cases have surfaced in the past year in all corners of the world. The documents popularly referred to as the Panama Papers revealed that Norway’s leading bank, DNB (34% state owned), had failed to monitor its Luxembourg branch operations. Rune Bjerke, CEO of DNB, stated in an interview: ‘We do not know everything that happened in the past’; he knew nothing about what had happened before Aftenposten contacted him before Easter. When asked why he had not known about this before, Mr. Bjerke stated: ‘There is something of the circumstances we will investigate now. Because this has gone under the radar of the Board, corporate management and internal audit. It should not have happened, but the fact is that it happened’.
The pattern in these and many other cases, not only within the banking and finance sector but within telecom, engineering, medical and pharmaceutical, defense, public governance and so on, is an almost immature or banal conception of the basics of business, quality and risk assurance. My conclusion is that leadership, even within prominent global organizations, does not understand the what’s; they might have an understanding or acceptance of the why’s, but they lack the tools and methodology to perform on the where’s, who’s and how’s.
The key to really coping with compliance (or governance, risk management and compliance in general) is in many ways a banality: it depends on an organization’s management’s ability and willingness to accept that everything (or all things) directly and indirectly involved has changed, is changing and will change over time. Therefore there is no such thing as a status quo for compliance: compliance is flux!
Want to know more? Come meet us at the C5 conference on 1–2 November! My colleague Erik Warberg will be talking about why compliance programs should move towards fully integrated GRC in businesses. Hope to see you there!