Compliance Week had another one of its editorial roundtables this week, and as usual I had the privilege of leading an excellent discussion with compliance and risk executives facing some of the most formidable governance challenges out there. Our full coverage of the forum will appear in Compliance Week’s Dec. 1 newsletter, but for now I want to jot down some quick impressions.

First, the working title of our roundtable was “Metrics for Compliance and Risk Management”—but very quickly I realized that metrics for compliance are no longer a primary worry for this crowd. By now, six years into the Sarbanes-Oxley era, the manic focus on compliance has faded. Everyone knows what metrics to track: calls to the whistleblower hotlines, training certifications, internal control weaknesses, progress on remediation plans, and so forth. At the roundtable I asked every participant to give examples of the metrics they use, and the compliance metrics were all essentially the same; one executive actually said, “Oh, you know, we track all the usual stuff.” Granted, getting those compliance measurements done might not be easy, but apparently most executives do know what metrics they should use.

Metrics for risk, on the other hand, are much more problematic.

The challenge of measuring risk, attendees uniformly said, is that it must be measured in the larger context of something else—and understanding exactly what that “something else” is for your particular company is the hard part. For example, if you want to gauge fraud risk, you might decide to run credit checks on every employee and flag those with troubling scores. That’s a metric, but without putting it into the context of what each employee does or how each employee’s circumstances change, it could prove meaningless. You might end up firing the employee with a low score who has no access to company cash (wasting your time, losing an employee, increasing your litigation risk), or keeping the employee with a higher score who has two children about to enter college or a spouse just diagnosed with cancer.

Risk, after all, is simply the likelihood that something might happen. The circumstances that could make that event happen are the “context” my roundtable attendees found so frustrating to identify.

No surprise, then, that several participants said they had already launched risk management efforts for financial risks. Financial risks—currency fluctuations, credit lines, derivative instruments and so forth—are mathematically precise. You can create all sorts of circumstances to test what might happen to your holdings, and then test them easily with scenario-planning software. Perhaps your ideas about what might happen are wrong, but the ideas can be tested, and a metric found.

But what also arose repeatedly in the roundtable was a desire to graft that approach to financial risks onto operational risks: system failures, supply shortages, lawsuits filed, and so forth. That’s where lots of people admitted they were stumped. It stumps me too. But clearly, the great new frontier of risk management—and of finding the right metrics to report those risks, so the company can be governed more effectively—lies down that path.