InsideCounsel magazine recently reported the results of an innovative study undertaken by another publication, Corporate Board Member magazine and FTI Consulting. In the survey/study, over 1000 General Counsels and board directors were asked about the steps they are taking to mitigate risk within their organizations. The eye-opening results suggest that the "ostrich head in the sand" approach to compliance is being rapidly replaced by a growing awareness of the risks of federal and state enforcement and the catastrophic damage enterprises face when they do not take broad scope compliance seriously.
The catchword du jour is "Enterprise Risk Management", or ERM, and it's actually the latest incarnation of something that's been around for over a decade. In 2002, the Sarbanes-Oxley Act turbocharged the need for internal controls, and public companies scrambled to comply. Here's how Wikipedia defines ERM:
- "In business, Enterprise Risk Management (ERM) refers to the methods and processes used by organizations to manage risks (or seize opportunities) related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall."
But Sarbanes-Oxley didn't really address the more mundane aspects of corporate governance and risk reduction dealing with operational compliance issues. Instead, the Bush Administration, through the aggressive effort at enforcing laws already on the books, has prompted this new push toward comprehensive, enterprise-wide risk reduction. Consider the findings of the aforementioned survey:
- 75%= GCs who spent more time on compliance in 2006 than in 2005
- 48%= GCs who spent more time on ERM in 2006 than in previous years
- 35%= GCs who said that governance changes are the focus of their ERM Assessments
- 57%= GCs who would seek personal ERM advice from outside counsel [emphasis supplied]
That last statistic is the -- hang on, another French term coming, I'm on a roll today -- raison d'être for the cost of most risk management today: utilization of outside counsel for the implementation of operational methodologies designed for daily use. The facts are:
- Most attorneys -- no matter how high their hourly fee -- are about as qualified to design a company-wide regulatory compliance implementation scheme as they are to command the Space Shuttle. It takes a combination of legal expertise, intimate understanding of client IT and administrative processes already in place, and process management wizards to establish a viable ERM suitable for daily use by all employees.
- The new ERM focus goes far beyond the technicalities of Sarbanes-Oxley to address everything from Social Security "no match" letters to I-9 compliance to EEO, ADA, and other federal, state, and sector-specific requirements which can cripple a company during one swift inspection or audit.
Which brings me to my point: yes, it takes top tier legal expertise to define the requirements of ERM and distill them into a distinct series of client tasks. But the difference between a visually impressive compliance plan which no one understands, and therefore cannot implement, and a practical, usable compliance plan embraced throughout the organization for its ease of use and simplicity is one thing: process integration.
Email me to discuss what we can do to establish a bullet-proof Workforce Compliance Management plan for your company.