Enterprise risk management makes it possible to thrive even when the environment surrounding your business is a cloud of uncertainty.
Starting in 2016, political risk seemed closer to home after the United Kingdom voted to leave the European Union, often referred to as Brexit, causing instant turbulence across the globe. Now in the United States, under a new administration with an ambiguous agenda, political risk no longer seems like a distant phenomenon to American businesses.
Most businesses are now forced to operate in a constant state of uncertainty and turbulence. Although every new administration brings a change in priorities, President Trump’s changes to major regulations, trade relations, tariffs, healthcare, work visas, and taxes have sparked unprecedented confusion in the business world. The same change and uncertainty impacts different businesses in different ways: office locations, supply chain decisions, business partner strategies, data center locations, factory construction, and so on.
A recent trend that has started to emerge under President Trump’s administration is a decrease in the enforcement of accountability-related regulation. For example, financial regulators at the SEC, FINRA and the Commodity Futures Trading Commission imposed a third of the amount of penalties in President Trump’s first six months in office, compared to the first six months of Barack Obama’s 2016 term. In August, The Wall Street Journal found that FINRA imposed 77 percent less in financial penalties than previously levied.
Some corporations will reason that increased leniency in federal enforcement means they can ease up on compliance efforts and costs. This reasoning, however, is wrong. It has been a long-standing Republican platform to move more power into the states’ hands. Therefore, when the federal government loosens its grip on regulatory enforcement, it only means that states, as well as consumers, will tighten theirs.
We can see this shift in responsibility in the aftermath of the Equifax data breach. States have taken it upon themselves to sue the credit bureau for putting their citizens’ personal data at risk. Massachusetts has entered into a class-action lawsuit with Equifax, and the penalty for violating Chicago’s consumer fraud ordinance includes a fine of $2,000 to $10,000 for each offense and for each day that a violation continues. Attorneys General in New York, Pennsylvania, and California have indicated they intend to file lawsuits as well. If the average penalties were $5,000 per incident, as in Massachusetts, Equifax could face more than $700 billion from the states alone. Compare this with the largest bank settlement in history, by Bank of America, totaling $16.65 billion.
If the responsibility of enforcement now falls into the states’ hands, uncertainty will increase. New compliance regulations, penalties, and laws can arise at any moment from any state. Compliance will no longer be a matter of looking out for changes to one federal regulation, but for changes coming from multiple, unpredictable angles. Managing this change and uncertainty will take more than compliance software. It will require integrated risk management software that can keep up with the sheer volume of changes.
Leniency is not an all-encompassing stance taken by the current administration, however. Consider regulatory changes that tighten anti-money-laundering efforts to fight global terrorism. Money launderers tend to seek out sectors in which there is a lower risk of detection due to weak or ineffective AML programs. Penalties, although increasingly severe, can be dwarfed by the financial costs associated with damage to an organization’s reputation.
These changes don’t just affect banks and credit unions with Automated Clearing House (ACH) payments, wire transfers, and credit cards. They affect many non-bank activities, including exports, travel tickets, restaurant transactions, and FinTech solutions like Bitcoin. There are now 645 cryptocurrencies in the world with a combined market cap of $12.5 billion (USD).
This presents AML professionals with new challenges that require a risk-based approach to overcome. Adjustments need to be made to existing transaction monitoring, risk rating, and Know Your Customer (KYC) documentation methodologies.
The many manifestations of domestic political risk mean every organization must take unique action to change and adapt. Regardless of your political leanings, everything from your job to your mortgage to your company’s operations depends on your ability to manage risks stemming from new and frequently changing policies.
Three Considerations Regarding Domestic Political Risk and the New Administration
Step One: Separate Political Opinion from Impacts on Your Company
The new administration is pursuing a momentous agenda. When it comes to managing political risk, filter personal feelings from the sustainability of company operations. Managing the fallout of political risk in your work life should be unrelated to your personal life.
Step Two: Recognize Uncertainty is Here to Stay
Uncertainty is and always has been present in the business world; the changes (regulatory and otherwise) brought about by the current administration are just new instances of an age-old problem. It’s simply not possible to assume our environment will become more predictable under any administrative change.
Step Three: Make Your Business More Agile
Managing risk effectively means being able to assess vulnerability and react quickly. Businesses that can’t pivot in the face of an unpredictable, rapidly changing environment will not be able to sustain operations. Compliance should not be your goal; compliance should be a mere byproduct of achieving your goals. The reason regulatory enforcement will undoubtedly shift to the states is that compliance isn’t about checking boxes. Regulations are designed to protect the rights of the consumer, and if the federal government won’t ensure corporations are protecting consumers’ rights, states or consumers themselves will.
The Equifax data breach is a perfect example of this. I view this scandal as a point of no return for enterprise risk management. Scandals are always accompanied by reputational damages; however, the reputational damages of this scandal are unique. While customers cannot always control whether they are customers of Equifax, they can control which banks, stores, and other businesses they give their patronage and loyalty to. After all, it is these institutions that gave away our information to Equifax without instituting appropriate third-party risk management due diligence. I believe that customers’ outrage will cause a massive shifting of funds and business to institutions that can demonstrate competent risk management, not just effective compliance management.
The bottom line is that your organization needs to sustain/improve performance, no matter the state of the exterior environment. This means pursuing innovation, not compliance. It means identifying and prioritizing the most important processes – and what might interfere – within the business. Once you have this transparency, you have the tools you need to mitigate and monitor those risks.
Why Compliance Solutions Are Inadequate for Managing Regulatory Changes
Regulatory compliance is mandatory, but it’s not the end goal; it’s the minimum operating standard. For strong companies, compliance is a mere byproduct of performing well and managing uncertainty. Compliance solutions can also cause difficulties in the face of domestic political risk, which includes significant fluctuations in the regulatory environment.
The biggest differences between regulatory compliance and risk management are:
- Regulatory compliance has a known, black-and-white outcome (meet a set number of specific requirements).
- Regulators give companies a predefined amount of time to adjust their operations, meaning there is no uncertainty as to when (and what) actions must be taken.
The ROI of a software solution can be represented by:
However, when using compliance-specific software, this formula for return falls apart in the face of uncertainty. Software specializing in regulations like Dodd Frank or SOX is only useful when you know the regulation will not change.
Now, with regulations being rescinded, altered, and drafted in an unpredictable environment, it simply doesn’t make sense to invest in compliance-specific solutions. In order to manage domestic political risk, organizations need to be able to do the following:
- Thrive in an atmosphere of uncertainty by identifying root-cause risks and creating
- Stay abreast of regulatory changes, adapting as policies change.
- Prioritize those risks so high-impact issues can be dealt with more quickly.
A risk taxonomy helps corporations reorganize their processes, policies, and requirements while automatically preserving the links to underlying risks, controls, and monitoring activities. Change management is built into integrated risk management software with robust taxonomy technology. Spreadsheets, Office products, and compliance solutions simply can’t do this. They’re not designed to manage change over time, which is inherent in the very definition of effective risk management.
Why Is ERM the Answer to Regulatory Changes and Political Risk?
The cost of non-compliance is far greater than monetary fines or lawsuits; violations can substantially impact a company’s reputation for years. When it comes to protecting your company’s reputation, as stated by Ben Franklin, “an ounce of prevention is worth a pound of cure.” The cost of a proactive solution is minuscule compared to the cost of sustained reputation damage.
As is becoming more and more evident as time goes on, the straightforwardness of compliance – a concrete “what” and a concrete “when” – vanishes when regulations are altered. Even in an ideal world, where line items remain constant and unchanged, regulatory risk is but one source (among hundreds) of uncertainty.
Enterprise risk management makes it possible to thrive even when the environment surrounding your business is a cloud of uncertainty. It accomplishes this by helping you answer a simple question: what’s best for the business? Different processes, products, and assets have different value-adds, and ERM is the tool that provides senior management the means of identifying connections between activities to objectively prioritize and address emerging changes.
When the “when/what” is removed (or was never present, as is the case with all risk except regulatory risk), what’s the priority? Compliance solutions can’t help with this; they can only ensure you’re able to provide a report to a particular regulator. That report doesn’t even mean your business is managing uncertainty; it just means you won’t be slapped with a particular penalty.
Determining what will deliver a healthy ROI and ensure compliance is the key to operating amidst significant political risk. As an example, consider a bank or other financial institution: meeting FFIEC requirements for third-party management should be a mere byproduct of robust contracts and vendor due diligence.
These activities allow for uninterrupted, safe operations, and must occur even in the absence of FFIEC requirements. Enterprise risk management, by helping organizations discover both vulnerabilities and opportunities, provides an ROI far greater than the direct cost of potential penalties.
Steven Minsky is the CEO of LogicManager.