Updated: Jan 3, 2022
In a recent risk and compliance survey it was reported that the pandemic did not significantly disrupt risk and compliance programs, although it did impact priorities. The fact that programs emerged relatively unscathed was interpreted as a good thing, which I find difficult to understand and even troubling. The report goes on to say that risk & compliance programs were under-resourced, with leadership commitment wavering. Data was also reported as not being used effectively to reduce risk, and by and large risk and compliance was struggling. Now, with an increase in risk awareness over the last year, we should have seen a corresponding increase in leadership commitment and greater resolve to improve risk and compliance programs. That would have disrupted risk & compliance programs, though in a positive way, rather than leaving them the same, "relatively unscathed." Programs would have increased in capabilities, maturity, and most of all effectiveness, all of this in earnest. However, this kind of disruption was not observed. Only priorities changed, and even those were weakened by competing interests. So what happened? Why didn't risk and compliance change during the pandemic? Perhaps for many organizations the answer was one or more of the following:
We don't believe that risk has changed - the underlying uncertainties and their possible effects have not changed substantively enough to warrant changes to the risk and compliance programs.
What we are doing is adequate - greater investment in risk and compliance is not needed, as existing measures are sufficient to cover any changes in risk.
We have not seen any, or enough, benefit from our existing programs - risk and compliance programs have lacked effectiveness, and further investment in measures would most likely be wasted.
We don't know how to improve - there is no process or adequate know-how to advance risk and compliance maturity, so we are stuck where we are. Essentially, we are not prepared to expand risk & compliance.
We are too reactive to change - too much time is spent fighting fires to plan and carry out needed improvements.
Whether the reason was one of the above or something else, the result was still the same for many companies: status quo. It appears the only defence was the tactic of changing priorities. This may have resulted in minor improvements to programs, but these will be short-lived, subject to reversal when priorities shift yet again. The way forward is not only to change tactics or introduce new ones, important as that may be. What is missing from many organizations, and what needs to be addressed, is a program to govern risk & compliance effectiveness that includes processes to adapt and improve performance over time. Resiliency is built through continuous improvement, not by fighting fires, closing gaps, or changing near-term priorities. Do you agree? What do you think?