Sometimes people cannot see what is obvious. Sometime businesses cannot react to what is obvious. Why?
Is it institutional ambivalence? It is the old adage that change is hard?
Businesses are not reacting, are not risk planning, and are not asking a simple question – how should we plan to minimize risk in view of the Obama Administration’s overall enforcement attitude? What should we as a business do to protect ourselves against federal criminal and/or regulatory enforcement?
Forgive me for asking businesses to take into account what is going on in Washington, D.C., or inside the Beltway, but you cannot ignore the obvious trends. The Obama Administration has instituted an unprecedented enforcement regime in Washington, D.C. and throughout the federal system which cuts across every area of interest to businesses.
It is easy to develop a narrow view – anti-bribery enforcement is not the only risk in the marketplace. The Obama Administration has appointed individuals who have little business experience but have lots of government experience and are happy to exercise the full scope of federal regulatory and enforcement power.
The aggressive enforcement regime has appeared in anti-corruption, antitrust, financial, environmental, food and drug, health and safety, labor, export controls, money laundering, securities and every portion of the economy. The Obama Administration’s enforcement regime is built on one important principle – criminalization of regulatory and civil enforcement.
We have never seen a more aggressive use of federal criminal laws against businesses. At the heart of the matter, the Obama Administration recognizes that criminal laws are the most effective tool to enforce “change” in business behavior. The threat of criminal enforcement, where civil and regulatory enforcement was used in the past, is an efficient way to enforce the laws because corporations can never challenge application of the criminal law in court, or they may suffer the Arthur Anderson consequences, and dissolve.
In the face of this enforcement environment, businesses have been slow to react. Businesses need to develop realistic risk assessments and revise their risk tolerance, risk review and ultimately their compliance programs to reflect this new reality. If not, they run the risk of suffering at the hands of federal enforcement.
What should businesses do? It starts with corporate governance and risk management at the board level.
Directors need to follow this ten step program:
1. Review with senior management how risk is measured and work collaboratively to set aggregate and individual risk limits and how to respond if the limits are exceeded.
2. Review with senior management the types of risk the company faces, the likelihood that such risk will occur, and the potential impact of such risk.
3. Ensure that senior management has developed and implemented adequate procedures to identify new risks as they may develop and that new and significant risks are addressed.
4. Review and direct that senior management has identified managers in the company who are responsible for risk oversight and protecting against such risks.
5. Ensure that there are adequate policies in place to make sure that management reports matters to the board and appropriate committees and provide updates on such issues.
6. Ensure that the senior management takes steps to report risk-related information to the board and appropriate committees.
7. Ensure that there are adequate procedures to raise risk issues when business operations conflict with risk identification.
8. Review with senior management all communications strategies to ensure that the company’s risk strategy is communicated to all interested groups and integrated into the overall business strategy and operations.
9. Review and assess all internal communications to ensure the accurate and timely reporting of risk-related information within the business and appropriate procedures exist for raising issues with senior management, board committees and the board.
10. Review all reports from senior management, independent auditors, internal auditors, legal counsel, regulators, stock analysts, and outside experts as needed to supervise overall risk management within the company.
The Audit Committee (or a Risk or Compliance Committee) should take a primary role in risk oversight. The full board should conduct an annual risk review and should engage outside consultants and advisers as necessary. But the board has to recognize that risk is an evolving concept and can change during the year and should react when appropriate to address new and significant risks.