by Dov Seidman
“Men can’t escape from being governed. They either must govern themselves or they must submit to being governed by others. If from lawlessness or fickleness, from folly or self-indulgence, they refuse to govern themselves, then most assuredly in the end they will have to be governed by the outside.” Teddy Roosevelt
How would a global company build a big enough bureaucracy to ensure that all 100,000 employees in its operating companies worldwide follow each and every law and regulation? Even further, how could the CEO of that company be assured that his or her people were acting according to the even higher standard of behavior demanded by its stakeholder community?
The answer? They can’t. Even if this company were 99.9 percent successful in its compliance efforts, that’s still 100 instances of non-compliance every day.
Most companies today are committing a fundamental mistake: they are “doing” compliance –the U.S. spent $29.8 billion on compliance activities in 2010 according to a study from AMR Research – but they are not “getting” more compliance. The frequency of compliance violations is increasing rather than diminishing and the impacts of non-compliance in a more interconnected and interdependent world are much more dramatic. When one banker exposed his company’s unethical culture in the New York Times, his bank lost $2.15 billion overnight in market value and a debate erupted on social media over banking industry practices. Another banker lost his company more than $2 billion in unauthorized trading that wiped out bonuses at his bank and sparked more global economic volatility. In 2008 yet another spectacular costly lapse occurred in France when a ‘rogue trader’ gambled away $6 billion of the assets of his large European bank; his actions caused stock market turmoil and contributed to a Fed decision to cut interest rates.
GRC Rivals ERP
The compliance discipline, which is commonly known today as the Governance, Compliance and Risk (GRC) profession, has grown into a mature services industry, replete with software providers, consultants, analysts, and text books. (It’s a great industry and one that attracts the best and brightest experts and firms, including my own company LRN, who all have the right intentions.) Organizations, in turn, are implementing new frameworks, software, training and other control infrastructure at a pace that calls to mind the enterprise resource planning (ERP) implementation era of the late 1990s. Much of this mass adoption is a direct result of increased regulatory mandates and external auditor expectations.
I felt compelled to write this column because I believe there is inherent risk in our reliance on, and confidence in, these current systems as appropriate management tools and techniques. After all, regulators require us to place more controls on our businesses because of a failure to self-govern according to the highest ethical standards. However, I don’t believe this is the moment to aggressively lobby against more risk controls. I embrace the primacy of law and cherish that we live in a rule of law society. And while I accept the need to promulgate rules-based laws and regulations and some rules-based corporate policies, I also know that we need to understand what rules can do and what they can’t. I am grateful that rules, for example based on solid science, have been implemented to govern the construction of buildings to make them earthquake-resistant as I’ve written about before. We need rules that prohibit sales of new drugs before they are approved by the U.S. Food & Drug Administration. Regulations can also promote transparency, as do laws that require publicly held companies to disclose their earnings, governance structure, and executive pay. But rules are less successful when they seek to govern human conduct and behavior.
That’s why I believe this is the moment to rethink how we operate, how we govern, how we lead and how we relate to society. As we do this, we should identify the kinds of behaviors we need to protect us lurching from crisis to crisis and propel us toward growth in our more interconnected and interdependent world.
Evolving from GRC to GCL
There is a limit to what “compliance programs” can achieve in this regard—a limit that many companies have reached. Beyond a certain point, compliance activities can actually harm the organization, imposing unnecessary costs, undermining proper conduct and restricting creativity and innovation. We’ve made similar mistakes in other areas. Companies spend millions on “doing” employee-engagement programs, yet engagement remains at an all-time low. Companies “do” retention programs and top talent still flees for better compensation packages offered by competitors. The companies with the best retention “get” employee loyalty as an outcome of being a highly innovative company, having a superior organizational culture or fostering inspirational leadership.
To be truly effective in shifting behavior, and moving an organization forward, leadership must move from a “governance, risk and compliance” to a “governance, culture and leadership” mindset. Focusing on actions that will build and maintain a values-based system of “governance, culture and leadership” will mean less compliance activity, less cost, and more compliance as a result of real, tangible and sustainable behavior change.
Although businesses have programmed nearly everything (HRIS, TQM, CRM, safety, Six Sigma, ERP, GRC and more), we haven’t yet systematized our HOWs. Another way to say it is we haven’t synchronized our systems of governance, culture, and leadership. We need to create a human operating system mapped to the realities of today’s world where companies are proclaiming their humanity. I am all for GRC; LRN believes in the industry and we will continue to invest and innovate greatly in our GRC solutions. But it is an outcome of the right governance, culture and leadership. To implement a human operating system organizations first need to build cultures that place value governance, culture and leadership at their core.
Continue reading on Forbes.com.