Empower the Business to Own Compliance Risk

Sixty-six percent of CEOs expect business model change in the next three years — largely to avoid being “Amazoned” by a new entrant. As organizations change the way they operate, generate revenue and create value for their customers, new compliance risks are emerging — presenting a challenge to compliance, which must identify, assess and mitigate risks like those tied to fundamentally new technologies (e.g., artificial intelligence) and processes.

In today’s disruptive, transformative business environment, compliance-led risk management can’t keep up, but compliance still owns many of the risks that could be managed more effectively and efficiently if owned by business units. Currently, business units are the primary owner of only two of the 25 top compliance risks.

“ The key to creating meaningful ownership of risk is empowering employees to make decisions about risks themselves”

Compliance programs often try to build business ownership of risk by prioritizing risks for the business to address, prescribing specific mitigation actions and monitoring the business’s progress. This hands-on guidance undermines business ownership of risk, reduces the likelihood the business will act on risk and reduces the confidence of employees in managing risks.

“The key to creating meaningful ownership of risk is empowering employees to make decisions about risks themselves,” says Christina Hertzler, practice leader at Gartner. “Empowered employees are significantly more likely to identify and act on compliance risks and are more confident in their ability to manage risks on their own. They are also more likely to overperform against individual, team and enterprise objectives.”

Few employees feel equipped to manage risk

Empowerment translates into greater business ownership of risk because:

• Business leaders are more likely to own risks they themselves prioritize and deem important.
• Mitigation steps developed by the business feel more natural and less burdensome.
• Business leaders and employees feel a greater sense of accountability for completing mitigation steps they help develop.

However, more than half of all employees don’t feel empowered to manage risks and they tend to be concentrated into pockets of the organization, including mid-level managers, older employees, and those with less than five or more than 20 years of tenure. Region and industry have no consistent impact on empowerment, but the less empowered tend to work in larger companies, in communications, research and development, or quality functions.

“ Only 45% of employees believe they can act on their own to reduce compliance risks without seriously disrupting their work”

More specifically, compliance rarely equips the business to act on risk. One in three employees believe they lack guidance from compliance and ethics on how to take action to address compliance risk. Only 45% of employees believe they can act on their own to reduce compliance risks without seriously disrupting their work processes. Fifty-seven percent of employees say they can’t easily obtain tools and resources needed to address compliance risks.

Read more: 6 Ways Compliance Can Build Data Analytics Skills

Three steps to empower the organization

To feel empowered, employees must understand their role in acting on risk, feel able to act on risks and feel responsible for risk management. Compliance and ethics leaders therefore need to do three things:

1. Clarify risk management roles and responsibilities. Engage in cross-functional dialogue to identify optimal risk owners, coordinate with other assurance functions to minimize conflicting risk management expectations for business partners and build a framework to distinguish tasks requiring compliance expertise from those that can be transferred to the business.
2. Provide tools and resources that empower the business to own risk. Enable business leaders to discuss, prioritize and action-plan risks on their own by prompting discussion, setting the agenda and providing sample conversation topics. Help the business self-sufficiently manage risk by granting access to self-service resource centers that provide a comprehensive suite of simple risk guidance. Teach the business to make the right risk decisions by increasing transparency into the risk process and democratizing compliance and ethics risk reduction strategies.
3. Ensure employees feel accountable for managing risks. Narrow down and regularly monitor a small set of compliance risks to gain insight into business ownership of compliance risks. Discuss business ownership of compliance risks at the same level as business performance — among executive leadership and the board — to establish true accountability.