The rise of technology in risk management, in particular non-financial risk management, has been accelerating over the last decade. Significant advances in data science, machine learning, and artificial intelligence, as well as increased interest by regulators in how these technologies may be used to drive corporate accountability and good outcomes for customers and markets, have been fueling growth in Regtech innovation.
Generally, these technologies develop faster than the pace of change within business and risk management. As a result, much-vaunted technology solutions often do not perform as the marketing brochure promised or are subject to such delays that they are no longer fit for purpose by the time of eventual implementation.
If these technologies are sports cars, the business and risk management systems that they need to serve or integrate with are often no more than gravel paths. One can think of disparate platforms creating fragmented data environments, very high volumes of poor-quality unstructured data, no data in place, or impractical and competing risk policies and programs. Most often, all these factors act in concert to impede the timely and proper application of technology to support risk management.
The risk technology solutions that are relatively simple to implement are, unsurprisingly, less platform or risk program dependent or have been purposely designed to compensate for their expected deficiencies.
Two good examples are:
- Electronic discovery tools that apply increasingly sophisticated machine learning to find relevant documentation among very high volumes of unstructured data, much quicker and more reliably than can be done manually. Apart from now well-established application in legal proceedings, the use of such technology to assist organizations in responding quickly and consistently to growing volumes of day-to-day regulatory requests to produce information can be fruitfully explored.
- Voice analytics applications that leverage existing but otherwise underutilized voice recordings to identify noncompliant market conduct are a growing area. Interestingly, these technologies are also being applied to assess the psychological vulnerability of customers at the point of sale. In an age where concepts such as vulnerability and information asymmetry have entered regulatory parlance, having a risk strategy for voice assets is no longer a luxury.
These examples solve important but narrow problems. For risk technology solutions to be more versatile in their application and broader in their benefits, these technologies need improved information architecture environments, especially on largely digitized platforms, and more future-fit non-financial risk management programs.
It is useful to focus on the trends that are shaping non-financial risk management program needs to enable us to determine a must-have set of non-financial risk management technology solutions. By understanding the key trends that are shaping non-financial risk management design – and bribery and corruption specifically – one could evaluate solutions for their ability to assist organizations in non-financial risk management and responding to these trends.
Given the challenges described above, non-financial risk management practice would need to be responsive to a number of key trends.
The evolution of legal design and regulatory obligations
Anti-Bribery and Corruption (ABC) legislation has been leading the way in introducing so-called “failure-to-prevent” clauses to legal frameworks. These clauses require that regulated entities be able to demonstrate, upon demand, adequate cultural attributes and control procedures to combat bribery and corruption.
These procedures act as a type of insurance policy that, when well designed and implemented, protects the regulated organization from liability for systemic failures to prevent misconduct. While this concept has its origin as far back as the introduction of the US Federal Sentencing Guidelines for Organizations in 1990, the adoption of this legal feature in the UK Bribery Act (2010) has added momentum to what is essentially a shift of the burden of proof from the regulator to the regulated entity.
When combined with the adoption of deferred prosecution arrangements (DPAs), the practical effect is a lowering of the burden of proof and, as a result, a significant expansion of regulator power to pursue ABC matters. Following the UK example, French bribery and corruption law reform culminated in Sapin II (2017), which contains broadly similar provisions, while proposed foreign bribery reforms in Australia will introduce both a failure-to-prevent provision and a DPA scheme to the Asia Pacific region.
This trend – of combining failure-to-prevent provisions with DPA arrangements – is set to continue within the global ABC landscape, and it can reasonably be expected that regulators having these instruments at their disposal will be increasingly inclined to use them. It is also prudent to expect the use of such instruments to expand to legal risk themes other than ABC that share similarly high legal burdens of proof and carry major financial, but also significant social, consequences when such risks are not prevented. Bribery and corruption are certainly financial crimes, but often go hand in glove with human and environmental rights abuses.
The evolution of corporate crime and corruption
Academics such as Professor Adam Graycar of the Stretton Institute at Adelaide University in Australia point out that globally organized crime is becoming more sophisticated, and is shifting activities from violent crime to corruption. Corruption pays more than violence.
At the same time, corrupt activities are becoming less individualized, more coordinated among multiple groups, and as a result, increasingly complex in organizations. An example of this phenomenon is state capture. In South Africa, a dedicated commission of inquiry, the Zondo Commission, has been set up to investigate instances where institutions of state and corrupt private sector businesses have colluded to gain access to the purchasing power of those organizations for their illicit gain. The consequence is corruption on a massive scale, abusing institutions with legitimate and other very necessary social mandates while these captured institutions are steadily robbed of their ability to function and deliver on key social mandates such as healthcare, energy production, and potable water provision.
As a result, the distinction between legitimate and illegitimate institutions is becoming more difficult to establish at face value. Jurisdictional risk indicators, often used by risk managers to set in-country risk appetites, will need to increase political and institutional intelligence gathering, while organizations will need to make enhancements to their third-party, supply chain, and customer risk analysis programs.
The evolution of community expectations and social obligations
The reputation and business risk impact of corporate misconduct is rising. Broadly termed as community expectations, these expectations encapsulate environmental, social, and governance issues. Importantly, these community expectations are coalescing into social obligations that have the potential to deeply impact organizations while they are developing faster than formal regulatory obligations. This momentum appears to be sustained by a global trust crisis impacting almost all major institutions.
At the heart of the global trust crisis appears to be a crisis of hopelessness – a deeply held concern among many ordinary citizens that a future characterized by rapid technology changes such as robotics and artificial intelligence will leave them and their children vulnerable and financially insecure. As a result, they distrust the institutions they perceive to be at the heart of the changes they fear.
This dynamic is deeply embedded in our modern social fabric and as a result, the distrust feeding the velocity and impact of social obligations is not likely to dissipate anytime soon.
Prudent organizations are responsive to these social obligations. A good example is major financial institutions that are increasingly using their considerable influence in lending and investment to require investees, and to encourage clients, to pursue business practices that prioritize environmental sustainability and good governance practices that go beyond minimum legal obligations. The same dynamic is causing large global companies to be more willing to openly advocate for specific social justice positions that until recently would have been considered outside of the realm of business to publicly opine on. This generates risks, but also opportunities.
In practice, we are experiencing a convergence between legal and social obligations that makes the business and the risk management landscape increasingly complex and challenging to navigate. As a result, a non-financial risk management strategy that only focuses on legal obligations, and does not deeply consider social obligations in the context of these statutory duties, will no longer be sufficient to manage serious reputation and business risk.
The rise in the importance of business integrity and an ethical culture
The practical effect of this convergence of legal and social obligations is that it places more demand on organizations to consciously understand their own organizational culture, in particular, how it adopts values and makes decisions – its ethics.
Organizations need to take care to understand what these values are, for they may not be the ones in the code of conduct or on the banners in the lobby. Following on from this concept, it is important to understand whether these values are the most appropriate ones, and in turn, how able senior managers are in applying these values to business decisions across many jurisdictions. A key objective of future-oriented non-financial risk management would need to be programs of work to enhance the quality of responsible business decision-making.
Ethics has often been on the sidelines of risk management. It is now moving to the core of non-financial risk management strategy as it becomes a key skill to enable faster, but also more responsible, decision-making. Business ethics, long understood to be a soft topic, would need to be managed in a hard way – in a deliberate and considerate manner.
Another aspect to consider is measurement. There are many valid dimensions to organizational culture and culture assessment. Employee engagement is a common lens, while attitudes to risk management – so-called risk culture – are another. These remain useful approaches but would need to be supplemented with a conscious and deliberate focus on how organizations adopt values when balancing increasingly complex legal and social obligations both competently and consistently, and in a commercially sustainable manner. This is a tough ask and not easily captured in single surveys. However, the data points for such insights often already exist within existing survey data, but also in other data sources. These existing data points need to be interpreted differently, with the factors influencing the quality of decision-making in mind. If one could understand these factors, one may develop culture data that is strongly correlated to latent risk and thus more predictive in nature.
So where does this leave us?
It is clear that the non-financial risk management landscape is changing. It is changing because society is changing. The combination of enhanced legal obligations, increased sophistication of organized crime, and prevalent distrust fueling the velocity and impact of social obligations is placing new demands on our ability to formulate and manage controls, as well as to understand and shape organizational culture to propagate ethical business decision-making.
These trends require changes in the skillset of non-financial risk managers. Persons with a legal background have often dominated this profession, especially in compliance. Yet, in the context of the trends discussed, the non-financial risk professional would increasingly need to show not only proficiency in law and regulation, but also the ability to traverse social, cultural, and technological domains.
Building on the technology point – senior non-financial risk managers would need to consider technology solutions to:
- Enable and demonstrate cultural attributes and adequate control procedures on demand:
  - On the control front, technology needs to support books and records as well as continuous monitoring.
  - On the culture front, technology may be applied to produce culture data from existing survey material and other data points, to identify where and by whom decisions are actually made, and the conditions that could impede or enable these decisions being made in a sound and ethically defensible manner.
- Generate meta data and insights to identify increasingly complex and camouflaged organized crime risks
- Identify weak signals of social obligations early on and analyze possible policy impacts before they become greater risks
There are many other areas of application for technology solutions, and I am not suggesting these others do not hold value. Yet, it seems that at the core of your technology suite would need to be solutions that aid responsiveness to the trends discussed above in order for non-financial risk management to remain future-fit.
Let me conclude with a word of caution. Often the greatest challenge with technology is not the technology itself, but knowing what you need to tell it to do. Technology cannot compensate for inadequate policy formulation as much as it cannot compensate for poor governance or a lack of leadership commitment to build and sustain an ethical culture. The greatest risk benefits are derived from business programs aimed at establishing appropriate information architecture across product and service life cycles. This means that often, risk technology solutions offer the best value when they are understood not as separate risk solutions but as enablers to culture programs aimed at fostering good executive decision-making, and business programs that have risk objectives and controls embedded into those business processes. This is initially harder to do, but once established, the cost-to-compliance ratio is highly beneficial.
Good compliance is an outcome, not a goal.