Assignment: Compliance Management
Transcript
JAMES LEACH: As we know, controls are used in managing risk by shaping the way people behave. Controls could be forms, policies, systems, lines of approval, training. The list can go on and on. Phrased simply, controls are central to the risk management method, but they also shape the way an organisation functions and operates.
A control is typically a type of process, as it aims to achieve a desired outcome: in our context of compliance risk management, managing either the likelihood or potential impact of compliance risk.
Designing controls
LEACH: The ideal situation is when controls function as they should, that they are effective at not only managing a particular risk, but they are built into the way the organisation runs or does business. Controls must be designed in such a way that they are fit for purpose. So, controls should be designed so that they are easily incorporated into the employees' everyday operations without being unduly burdensome, bureaucratic, or costly.
As organisations develop and change over time, so should controls. A control designed and implemented today may be optimised out the box: It does what it is designed to do ensures compliance in a particular context. However, that same control may not be optimal for its context in a few years, months, or even weeks, depending upon a number of factors.
Reviewing existing controls
LEACH: It is for this reason, then, that controls should be consistently tested and reviewed to ensure that they are appropriate for their context, thereby having a positive impact on managing compliance risk.
Let's look at the following simple example. Imagine a factory that produces a range of solvents and bonding materials, such as glues and sealing agents. In a factory and storage facility in this context, it is clearly imperative that all factory staff wear safety gear in their day-to-day operations, including safety masks, gloves, eyewear, non-slip boots, high-visibility jackets, and helmets. We can also assume that there must be no smoking anywhere near the factory or warehouse floors.
Imagine too that one of the key challenges facing the productivity of the factory lies with unplanned production stoppages due to health and safety issues. If a hazardous chemical is to spill and someone is hurt as a result, not only would the clean-up process take time, thereby shutting down production for some period of time, but also, there may need to be an investigation into what happened, once again taking time and delaying production.
So, one of the key ways of ensuring that both these risks are managed is for the employees to wear safety gear and high-visibility clothing. Doing so limits not only the potential impact, but also the probability of the harm occurring.
So far, that all makes intuitive sense, and it would, therefore, make sense for the company to provide their employees with all the relevant gear and clothing. After all, the risk and subsequent potential cost to the organisation of employees not wearing the appropriate clothing and safety gear far outweighs the investment required to purchase it for their employees. But, to ensure that none of the expensive gear is lost or stolen, there are controls designed and implemented that require the clothing and safety gear to be stored on-site in a secure location, and that it must be collected and returned daily.
One of the key elements and concerns is the security of the gear, so it is stored behind lock and key. The warehouse managers are issued with keys and required to oversee and manage the signing in and out of the gear. Forms are developed for them to do so, and each manager is required to sign off at both the beginning and end of each shift. Once again, all of that makes intuitive sense and is a reasonable measure of managing the risk.
However, that set of controls would only work if, and only if, employees were able to readily access the room - so it wasn't a long way away from the entrance to the factory - and if the warehouse managers were effective in keeping a formal log of the gear, they were always at work early, and stayed late to oversee the signing out and return of it.
So, a simple change to the context, such as the positioning of an entry point to the factory has changed, or if there is a once-off event such as a warehouse manager being involved in a car accident on the way to work and there are no spare keys on-site, or if the keys are simply lost, may then render the controls ineffective, because even if the employees are aware of all the risks, in that they have been trained in what the risks are and in the importance of wearing the protective gear as well as what to do when something goes wrong, if getting the gear in the morning becomes a chore or can cause delays, they will either not be incentivised to get the gear and wear it prior to starting their shift, or, even worse, they are simply unable to do so.
Not only this, but as you should have noticed, there is a substantial burden placed on the warehouse managers in the scenario. This burden may incentivise those individuals to either not properly comply with the controls or, alternatively, to purposefully circumvent them, such as allowing staff to take safety gear home or not locking the room so that employees can come and go without them needing to be present.
Practical implementation of control
LEACH: Implementing a technological solution may be one viable option in this case. For example, each employee could be issued with an access card, which is linked with their ability to enter into the warehouse. There could be two access points - one at the entrance to the area where the safety gear is stored, another at the entrance to the warehouse. A simple code could be developed that an employee will only be allowed entrance into the warehouse if they have already accessed the safety gear room.
Further, there are other benefits of this too. That same access card could be used to monitor employees' working hours. Their working time for the day will only be logged upon a return of the gear into the secure room, meaning that they would need to swipe their access card again at the end of the day. In this way then, the controls would be designed in such a way that, A, employees have access to the safety gear without the need for managerial oversight, B, the burden on managers is greatly reduced, meaning that they can focus on simply ensuring safety in the warehouse where their skills and expertise really matter, and C, there is the added benefit that you can track the working hours of employees and thereby allocate overtime bonuses or hold individual employees to account for their absence.
In this way, you are accomplishing a number of important outcomes with one change in your control design. There is no perfect method for reviewing and evaluating controls. Some controls should be reviewed on a more frequent basis than others. What is important, however, is to ensure that you're properly communicating with those that are impacted by them.
In this example, a simple meeting, even a relatively informal one with the warehouse managers, would have highlighted the burden placed on them, as well as the potential risks if they did not properly comply with the controls.
Conclusion
LEACH: It is imperative to ensure that you know and understand the reality of what is done on a daily basis, and to use that as a starting point for designing any changes to current controls, or when considering additional ones. Despite this, there will be instances where even if optimally designed, a control may still place an additional burden on employees. That is simply a reality of compliance practice.
Finally, it is important to never lose sight of what the real risks are. In this case, it is not the loss or theft of the safety gear that is the greatest risk to the organisation, but rather the risk that something will go wrong in the factory and an employee will be seriously injured because they were not wearing the appropriate safety gear.
Phrased another way, it is compliance with the regulations associated with occupational health and safety, and ensuring that warehouse employees are properly protected in a hazardous working environment that is the real risk here - not the risk of having to repurchase some safety gear resulting from misuse, loss, or theft.
Task
For this journal entry, critically consider controls relevant to your context. Reflect on some controls you might have been involved with developing in the past, or others that you have interacted with that have been implemented in your organisation.
Think of a few concrete examples of controls that attempted to alter human behaviour, and try to evaluate their efficacy. Additionally, try to identify an example of each control type, namely policies, processes, and systems.
In formulating your journal entry, you may find it valuable to consider the following:
A. What kinds of human behavior resulted in the creation of these controls?
B. Were these controls successful in altering human behavior?
C. If not, try to imagine what would have been a more seamless fit for the organisation's employees and office culture.
D. Can you identify any control-based nudges used in your organization?