Appetite for Risk

Posted by: Sarah Hamilton


In general, if you ask the CEO of a company what their appetite for regulatory risk is, you will get the same answer: “low” or “very low”. In many cases it is a visceral and automatic reply, equivalent to asking if they’ve ever robbed a bank or beaten their neighbor senseless – of course not. After all, it is the job of the CEO to protect shareholder interests and their employees. Unfortunately, it isn’t until you begin to dig into the details of how they systematically measure and manage corporate governance, risk, and regulatory and standards compliance that you begin to separate reality from words.

I distinctly remember a chain of events a few years ago with a company in the Oil & Gas space I will refer to as O&G Inc.  O&G Inc. is a fictitious name, but have no doubt this is a true story.  O&G Inc. had urgently reached out to us looking for a way to manage regulatory compliance at the 5+ facilities they had in 3 states.  They recently came under intense regulatory scrutiny due to an accident at one of their facilities, much greater scrutiny than they were accustomed to.  That scrutiny resulted in a slew of negative compliance findings and a rather hefty fine.  Additionally, they were getting eviscerated in the local press; a general PR nightmare.

They began the first meeting by pulling up their mission, vision and values as published on their public website. They were very passionate about creating and sustaining a compliance-oriented culture that was harmonious with what they showed on the overhead. We were excited; it sounded like we were in alignment.

We engaged with them, delving into their existing business processes and their requirements. O&G Inc. desperately needed help with regulatory change management.  In many cases they had controls in place, but those controls were wrong or outdated, and they were managing to non-compliance.  We had the perfect solution.  We put a proposal together and sent it off to them, excited about helping them to achieve the compliance culture they were so passionate about.

Months passed, phone calls were made, voicemails left, emails sent, but silence ensued.   Our sales team was about to resort to carrier pigeons in order to get a hold of someone at O&G Inc. when on a lark I decided to skip the CEO, VP of EH&S and the project lead and to call one of the people on their technology team.   He had participated in one of the very early discovery meetings to validate the solution we were offering.  He answered the phone.

He didn’t know who I was immediately; I refreshed his memory and then asked him about the status of the project.  He was embarrassed, but he gave me a surprisingly frank answer.  They had opted to “cobble together some dubious improvements” to their existing “error prone and manual processes” for managing regulatory change; his words not mine.  The calculation was made that after they weathered the current scrutiny and PR hurricane, the chances of being audited so thoroughly again were minor and didn’t justify the cost; after all, they had survived and prospered as a company for many years doing the bare minimum.

There are two pieces of irony here. First, the discord between reality and their publicly stated mission, vision and values was glaring. When I pointed this discontinuity out to him, he really didn’t have a response, and I could tell that he was embarrassed. Second, the cost of the solution was very reasonable for the size and scope of O&G Inc.’s operations – it was less than a quarter of the dollars they had already paid out in fines for that fiscal year. They still didn’t see the value. Why? In my opinion their lofty mission, vision and values were just words; compliance wasn’t really a core value.

I can almost guarantee you that you would never get O&G Inc.’s CEO to admit that his appetite for risk from a GRC perspective is actually quite high, but in O&G Inc.’s case and in the case of many other companies that is the ugly reality. Actions speak louder than words. Responding to a comment on my last blog post, I made the statement that I believe the minimalist approach to Regulatory/GRC compliance is on the wane, as evidenced by the growth in the GRC market and by what we at 360factors are seeing on the ground. More and more companies are looking for a comprehensive way to manage the ever-expanding regulatory and governance landscape and bring their actions in line with what they say. It is an exciting time in GRC.

Do you have an appetite for risk?

 
