All corporate scandals are preventable. These scandals are buried deep in the operations of the company, often known for six months to several years ahead of time and typically reported to supervisors and mid-level managers. The problem is that these individuals often can’t identify the root cause of these incidents, and do not have the means to connect with employees across the silos of their work groups to understand how related risks transpire in other areas of the business. This means systemic risks aren’t addressed, and managers aren’t able to engage the right resources to fix the heart of the problem.
These days, companies seem to be in constant fear of the see-through economy. At LogicManager, we find our customers embrace it. Companies can use enterprise risk management to empower employees, making everyone a process improvement specialist. Instead of treating scandals, such as the one Facebook is embroiled in, as reactive one-off incidents, companies should be using enterprise risk management to identify the root causes of their concerns and address them.
If you’re a company like Facebook with countless third-party apps and partners that are using your data, there’s no way to manage all of those relationships effectively without enterprise risk management. In vendor management, the primary concern is prioritizing high-risk vendors, while ensuring that all vendors are held to the same standards. The capabilities of traditional audits, by the nature of their mandate, are limited, and can only adequately cover between 5% and 10% of operations at best with an in-depth independent investigation.
Implementing an enterprise risk management program is a complementary, cost-effective, and efficient means of prioritizing and managing all types of risks, including third-party relationship risk, something Facebook failed to do with Cambridge Analytica. This risk-based approach decentralizes the risk identification and monitoring process, allowing front-line employees to bring attention to the vendors and partners they know their company relies on most, and score relationship risks objectively. ERM systems then find the connections between risks, controls, policies, and outcomes and escalate the gaps to the right level.
The truth is, it’s not enough to give your employees the power to escalate incidents, although this is an important step that most companies aren’t taking. You must take it further and connect incidents to root cause risks that can be evaluated, prioritized, and addressed accordingly. Doing this brings attention to the root cause of problems and eliminates 100s, if not 1000s or more, of symptomatic effects, as seen in the case study we did with Winona Health.
When this type of governance is put in place, you are crowdsourcing process improvement to the specialists doing the job every day, who are dedicated to accelerating the mission and success of their company.
Enterprise risk management is not only about preventing corporate scandals; it will also help organizations build an operational culture designed around making processes and operations better. It gives all employees a voice and empowers them to initiate change at the right level with the right priority.