Karima Mariama-Arthur (consulting@wordsmithrapport.com) is CEO of WordSmithRapport in Washington, DC, and Christopher Mayer (christopher.mayer@westpoint.edu) is Associate Dean for Strategy & Initiatives, United States Military Academy at West Point in West Point, New York, USA.
Colonel Mayer’s views are his own and not the views of the United States Military Academy, the United States Army, or the Department of Defense.
As our world becomes more connected and equally complex through global stakeholder engagement, advances in technology, and an ever-changing regulatory framework, organizations everywhere face new challenges, increased expectations, and greater exposure to compliance risks. Yet the concept of risk is hardly straightforward. And, even though good governance rarely relies on a single approach for mitigation, the process is often siloed. This is why practicing federated compliance—true collaboration across departments—can be a game-changer for organizations that prioritize it.
Evaluating risk is designed to be a meticulous process, where heightened scrutiny is the norm, rather than the exception. For this reason, due diligence requires tangible opportunities to diagnose, troubleshoot, and provide ongoing prescriptive guidance. While all organizations must confront their fair share of common compliance issues, most are unique. A large portion is industry-specific; others arise because of changes in the regulatory landscape. Still more are triggered in times of volatility, uncertainty, ambiguity, and complexity, such as during our collective experience with the COVID-19 pandemic.
Whatever the motivation for mitigating risk, a hard truth remains: Too many organizations simply don’t know where to begin. And the failure to close this knowledge gap can be disastrous, as subsequent remedial measures do not always work. According to a joint survey conducted by Deloitte & Touche LLP and Compliance Week, 40% of companies do not perform an annual compliance risk assessment. That’s 40% too many.[1]
Choosing to ignore potential risks only puts an organization’s business, financial, operational, and legal structures in jeopardy. Regulators are keen on having their compliance expectations met and are prepared to escalate enforcement when they are not. To avoid the worst result, organizations must be proactive about identifying their susceptibility to risk and implementing a compliance management program that effectively safeguards their future.
We have learned a great deal over the last two years and, as a result, have had to change the way we view and plan for risk. What follows are some important points to consider.
A necessary shift toward agile crisis management
Not all crises can be broadly predicted, suggesting the need to raise the frame on how we deal with the unknown. Interestingly enough, an organization’s past performance, coupled with its institutional memory, provides valuable context for its current crisis management practices. Even still, when governing in real time, organizations need the dexterity to move swiftly and sustainably through a current, unforeseen crisis. If not managed well, an unexpected chain of events can dismantle an organization and its stakeholders.
In 2020, our cozy realities were upended by the COVID-19 pandemic, a crisis that shook the foundations of our society and battered its infrastructure. If that wasn’t enough, add several deadly natural disasters, along with a barrage of social and political unrest, and we were at our wits’ end. Forced to operate outside of our comfort zones, we soon learned that none of the battles we were waging could be managed in a vacuum. To survive, we needed to act responsibly and expeditiously. The good news is that we learned to be agile.
Agile crisis management, the process of successfully addressing crises by leveraging technical expertise, continuous learning, collaboration, and flexibility, is a well-recognized approach embraced by high-performing organizations worldwide. It takes into account the fact that “the world is ever-changing and consistently serving up challenges that represent volatility, uncertainty, complexity and ambiguity,” and as a result, organizations must be able to effectively “connect the dots between clients, suppliers, marketplace twists, technology, processes, economics and politics.”[2] At a very basic level, this is a nonnegotiable aspect of mitigating risk.
The term “agile” also describes a results-oriented, nimble approach to problem solving that focuses on iterative development, where outcomes are produced incrementally through rigorous communication and collaboration among cross-functional departments. This encourages divergent thinking, helps to address potential knowledge gaps, and allows for the discovery and correction of mistakes along the way. Because the process is ongoing and adaptive, it readily incorporates creativity and innovation within its framework. An organization is free to create the way forward by leveraging incremental change, continuous improvement, radical change, or paradigm shifts to produce desired results.[3]
While there are infinite models of agile crisis management available, there is only ever a need to implement one, and it doesn’t need to be elaborate. The litmus test is simply whether the concept helps an organization adequately prepare for, prevent, cope with, and recover from a crisis.[4]