The troubles on Wall Street have created a renewed and heightened interest in business governance, risk and compliance (GRC) issues.  The Open Compliance and Ethics Group is a leader in this area and a great resource for those interested in strengthening their own corporate cultures. 

A recent set of OCEG initiatives focusing on technology solutions that can help achieve unified GRC caught my eye, particular an article titled “Risk Intelligence”.  The premise is that information technology tools are available to assist companies in achieving “risk intelligence”, but there are three steps that need to be taken before companies develop such knowledge.  

First, companies must identify their risks and determine at what level each risk becomes an “issue” worth addressing or resolving.  It’s basically a process of categorizing and prioritizing risk.  Once identified, that information becomes the building block for determining what risk indicators need to be tracked and how they should be quantified.

Second, the collected information must be evaluated and quantified. Third, the risk must be responded to and the response data collected and examined for effectiveness.  This response database can then serve as a resource if the problem recurs and management wants to see what’s been done before and whether it worked.  It’s an institutional memory.

The technology tool sounds wonderful and will no doubt play an important part in automating and integrating GRC initiatives.  But I can’t help comparing the situation to the fellow who buys a big fancy project planner in the hope that he’ll get better organized.  Buying the planner may make him feel better, but if the data is not input properly and maintained, the system will be just as cluttered and ineffective as the pile of jumbled post-it notes on his desk.  Relying on an IT system could therefore lull some companies into the same complacency trap.  

Quantifying risk may create the appearance of turning soft concepts into hard science.  But, IT systems are no substitute for good GRC practices any more than a project planner will organize your projects for you.  To be effective, the IT system and the project planner will require care and feeding on both the front and the back end.  Sure, the data being collected will need to be analyzed and responded to.  But, the risk being measured will also require a periodic reassessment of whether it is still an appropriate risk to be measuring.    

Markets and business climates change.  They are dynamic.  These changes can impact your company’s legal risk profile.  That’s why there must be a periodic review of what is being measured to determine whether the metrics continue to be meaningful.  If not, you could be measuring the wrong thing and wind up with a bunch of feel good numbers that offer a false sense of security instead of a robust system for identifying and managing unwanted legal risk.

What could your business be doing to keep its finger on the pulse of its changing legal risk profile?

It’s hard to digest the Wall Street headlines of the past week:  Lehman filed for bankruptcy, AIG got a huge loan and Uncle Same as a business partner, Merrill Lynch got a new home, and other bank merger talks were in high gear.

It’s the latest after shock of the collapsed U.S. hosing (sic) market.  It’s a collapse that has led to foreclosures of brick and mortar homes and now the collapse of Wall Street’s house of cards.

Some fingers wag and point to the “Housing Bubble” as the source of all our woes, as if there is a Mr. Bubble* out there plotting and planning the demise of Western capitalism by giving us all a “bath.”  Others point to insufficient regulation.  The situation appears hopelessly tangled to Main Streeters, and to a few Wall Streeters too.  But there is probably one thing we can all agree on: we feel betrayed.

There has been a colossal breach of trust involving obscene amounts of money.  Tax payers are now being asked to foot the bill for a financial frat party while those who work at the other end of the salary/bonus food chain are losing their homes and struggling to keep gas tanks full.

Last week I found an interesting piece by Michael E. Lewitt shortly after the Bear Stearns fiasco last Spring.  As an industry insider, Mr. Lewitt provides a fascinating look behind the scenes.  He points to short sightedness, excess leverage in unregulated activities (sounds like Enron’s off the books accounting, doesn’t it?), as well as a narrowly focused notion of fiduciary duty as part of the problem.  The structural problems we’re facing, he says boil down to “bad economic policies and bad political values.”

The blame game will no doubt continue for the next 18 months or more while our policy makers in Washington, including the new administration, figure out what to do.  If Enron and Worldcom have us Sarbanes-Oxley, you can be sure that this debacle will bring additional regulation and oversight too.  It’s merely a question of when.

So what does all this stuff on Wall Street have to do with Main Street and your day-to-day business activities?  Well, it’s food for thought on several fronts:

1.  To what extent is your business turning a blind eye to the ethics of certain profitable activities?  Is overconfidence creating a business blind spot?  Relying, for example, on lax enforcement of certain regulations or the fact that there are no regulations can backfire.  Being accountable to a government regulator is no fun.  But having one look over your shoulder and help you make business decisions, as AIG is about to find out, is even less fun.  Yet, that’s exactly what happens in deferred prosecution agreements.  Big Brother won’t prosecute, but in exchange they become your business “partner” until there is sufficient confidence that you have the necessary systems in place to “do the right thing.”

2.  To what extent are lawyers giving their clients the green light on whatever they want just to keep the clients happy and make a few bucks?  Take for example the case of the alleged Ernst & Young tax shelter fraud:  Wealthy clients asked friendly law firms to write opinion letters assuring them that their tax shelters were “likely” to survive scrutiny if the IRS challenged their legality.  One big firm lawyer has already pleaded guilty to tax fraud charges, another has paid the IRS $39.4 million to avoid criminal charges and his lawyer says his client and the accounting execs were “only guilty of greed.”  He makes it sound like a temporary head cold instead of the character flaw that it is.

3.  To what extent is your business tying compensation to short-term performance and encouraging risky behaviors that jeopardize long term stability?  Take a moment to stand back and examine your business policies and the behaviors they are driving.  Could they be improved to better align company actions with sound business practices and good decision making.

Let’s keep the bubbles in the tub.

*Mr. Bubble is a registered trademark of Ascendia Brands.