Why are so many companies missing the point? ERM’s Role in Incident Prevention

Regardless of guilt or innocence, FedEx’s indictment reminded us that in today’s world of complex global interactions and increased regulations, organizations must have a strong handle on interrelated risk, business processes, and relationships.

FedEx made headlines for knowingly assisting illegal online pharmacies, according to the U.S. Federal Government. The company was charged with conspiracy to distribute controlled substances and drug trafficking, as reports claim the shipping company willfully delivered unprescribed medications for over a decade. Whether or not management and the Board of Directors were aware of the situation is a major factor in the case but nevertheless, FedEx has been indicted on a violation of the Controlled Substance Act.

A few years ago, FedEx’s competitor UPS found itself in a similar situation. UPS admitted to knowingly distributing controlled substances through illegal means, and they agreed “to establish a compliance program designed to ensure such customers won’t be able to use its services to illegally distribute drugs.” – Business Week 7.18.14

Unfortunately, FedEx failed to take preventative steps and was caught in a legal battle, facing possible fines over $800 million. Although such a compliance program may seem standard practice, FedEx is not alone with its lack of governance.

Many companies are far behind in establishing effective controls and processes relating to risk management. Linking policies and procedures that are already in place to the specific compliance and regulatory standards they support, uncovers business process gaps and allows for efficient mitigation activities. Without transparency into compliance gaps and existing oversight, events such as those experienced by FedEx and UPS are all but inevitable.

To ensure full transparency, it is critical to take things a step further and create an enterprise-wide governance program. Compliance management only goes so far on its own; integrating other existing governance areas such as risk, audit, and business continuity planning (BCP) drastically increases the value of compliance efforts. Coordinating and sharing overlapping information between these functions ensures that all risks are identified and remain uncovered. In other words, creating a true enterprise risk management (ERM).

Damage control and press release statements can only go so far once an incident, like FedEx’s, occurs. The repercussions can be nearly impossible to bounce back from, regardless of a company’s size or financial standing. Taking a reactive approach versus a proactive, companies are left facing consequences instead of preventing surprises in the form of effective enterprise risk management.