Keep Security Current with Audits, Analysis and Updates
Previously in this series we have addressed leading by understanding and embracing ERM. We also covered establishing policies, procedures and processes as the foundation of implementing the core values, operating philosophy and compliance requirements necessary to survive as a viable entity. Last month we focused on the importance of effective and recurring training and awareness programs to ensure that all stakeholders and partners have a solid understanding of expectations.
As the old saying goes, “People really only pay attention to those things that they think someone is going to check up on (and of course things that are important to their boss)!” There is more truth than fiction in that statement. The importance of audit reviews validating compliance, business reviews of operational effectiveness and efficiency, root cause analysis of compliance failures, and investigations of egregious violations of policies, procedures and processes cannot be overemphasized.
Assessing and validating compliance with policies, procedures and processes is at the heart of most internal audit programs. Compliance failures not only can adversely affect the quality of product and services, but can result in regulatory, civil and criminal actions against the enterprise. In worst case scenarios, the resulting fall-out of these actions can negatively impact the brand, reputation, valuation and the survivability of the entity. In severe cases, those in charge may end up facing personal financial ruin or wearing brightly colored jumpsuits provided by a state or federal penitentiary’s haberdashery.
Routine evaluations of policies, procedures and processes are important to ensure that they remain current with regulatory and business requirements. It is also critical that these reviews ensure that management systems and controls remain efficient and effective. The world is constantly changing, and the focus and scope of regulatory requirements and the manner in which things are done also evolves rapidly. An enterprise’s policies, procedures and processes must remain up-to-date with its environment.
When something egregious occurs (for example, potential acts and regulatory violations), an investigation is typically conducted. The goal of an investigation is to determine the usual who, what, where, when, how and why of what happened. It also examines the exposure of the entity (and of the individuals involved or in charge) to regulatory actions and fines, as well as to civil or criminal prosecution.
Because of the potential exposure to civil, criminal or regulatory action, investigations are often conducted by an outside law firm engaged by the entity’s general counsel, so that the facts of the case are discovered under “attorney-client privilege.” Lawyers inside the legal department may also conduct investigations under attorney-client privilege. In certain circumstances, an entity’s general counsel can also engage other internal functions of the entity to conduct an investigation under the same privilege.
Many jump to the conclusion that protecting an investigation under attorney-client privilege is done to facilitate a cover-up. While that may be the perception of some, in reality attorney-client privilege gives the general counsel time to assess all of the facts and advise the entity on the proper course of action. Many regulatory requirements establish obligations and timeframes for disclosure, and navigating that regulatory landscape demands a high level of knowledge, experience and finesse.
Investigations are an area where many security executives and members of their staff unwittingly perpetuate the label of “Corporate Cop.” One of the best ways to avoid this label and its inherent risk is to form a “Business Practices Review Team” (BPRT) within the entity to investigate incidents that are deemed egregious violations of company controls, as well as issues that have the potential to result in civil, criminal or regulatory actions against the entity or individuals. Members of the core BPRT typically include HR, Internal Audit, Legal and Security. When establishing a BPRT, the charter should not only establish the authority of the BPRT and its ability to enlist the engagement of any function in the investigative process, but should also establish the obligation of personnel within the enterprise to cooperate fully with the BPRT and the investigative process.
Finally, conducting a root cause analysis is a critical step in determining what changes are necessary to policies, procedures or processes to prevent a compliance failure or a control weakness from reoccurring.
About the Authors:
Jerry J. Brennan is the founder and Chief Operating Officer of Security Management Resources (SMR Group), the world’s leading executive search firm focused exclusively on corporate security. Prior to founding SMR in 1997, Brennan enjoyed a 26-year career in domestic and international enterprise risk and security roles. Lynn Mattice is Managing Director of Mattice and Associates, a management consultancy focused on the development and alignment of Enterprise Risk Management and Business Intelligence Programs, as well as Intellectual Property Protection and Cybersecurity. He has more than 35 years of experience heading these programs at the executive level of three major multinational corporations and one mid-cap company in diverse industries.