THERE IS NO BALDRIGE AWARD for Corporate Integrity, but if there were, the CSOs of this world would be among those with a bullhorn on the nominating panel. Or at least they ought to be.
I can't think of a role more attuned to the mission of overseeing risk than ours. In my view, no member of the corporate governance team is more qualified to deal with the key elements of oversight than the CSO. The security department can administer the programs required to assure the organisation's integrity, and the CSO is in a good position to be an advocate — an owner of sorts — of a variety of business-conduct policies. In addition, he can fill the role of adviser to top management on issues affecting the reputation of the enterprise.
Some would argue (and current governance movements underscore the notion) that it is the auditors, both internal and external, who are the logical overseers for integrity assurance. Not so. Audit is cyclical, and it is not meant to be an investigative function in the same way that security is. As a matter of fact, the corporate ethics or compliance department of an organisation may have input into security policy, but neither group would — or should — have the scope and reach of security.
How about the members of the human resources team? They certainly can participate as an employee advocate, but as a department, they lack the objectivity that security brings to the table.
No — at least as I see it — it is the security department that has the unique perch to see the cautionary signals that are a part of daily corporate life, and we're paid to understand that aspect of operational risk better than anyone else on the executive team. When corporate security provides its share of oversight and control maintenance in an organisation, it can see a variety of red flags that others don't.
Yet in all of the current commentary and debate on corporate scandal and wrongdoing, I've not seen one word acknowledging the CSO's — or even the corporate security department's — role in risk management. If you don't believe me, just do some research on corporate governance and see how many times you find a reference to the security function or the CSO as a member of the team. You won't, I promise.
Connecting the Dots
"I was so busy, I never saw it coming!" This from the line manager who's just fired an employee for misconduct. With downsizing, rightsizing and just plain working our butts off to do more with less, the velocity of business dealings often masks control weaknesses.
Yes, indeed. It is the rare and clever CSO who understands the importance of getting involved in the governance of his business organisation and establishing a policy that encourages a corporate culture that will influence and eventually reinforce the integrity of the entire organisation.
But given the dynamics of risk in the world today, can anyone reliably claim that their organisation has bulletproof safeguards around the assets that contribute to shareholder value? I doubt it. Most corporations have a limited knowledge of risk because the risk analyses they do are insufficient to uncover key vulnerabilities. Yet if a company isn't doing effective risk analysis, it will have to assume it has exploitable vulnerabilities. (I underscore exploitable because risk is increased as vulnerabilities become known to an increasingly large group of knowledgeable, trusted and empowered insiders.)
Security is in a position to see such weaknesses in its investigative findings and should influence managers to pause and understand the risks we are all charged with monitoring. In fact, we have a fiduciary obligation to ensure such vulnerabilities are addressed at a sufficient level to deter opportunity. That dictates one part common sense and three parts due diligence.
First-line managers are the key to maintaining a climate of integrity and effective risk management. Even when top management makes its commitment to integrity clear, the action is in the trenches. Unless supervisors are risk-aware and work within an accountability model that makes their roles clear, they are not likely to be part of an effective system of controls.
Beyond the internal supervision, outsourcing and offshore relationships are also integral parts of the competitive environment. Yet we are increasingly assigning high-risk jobs to individuals or vendors about whom we know very little or nothing. Our relationships with these outside organisations need to follow our integrity model — we must insist that they apply the same standards of ethical expectations to themselves as we do to our own organisation. Easy to say, but not so easy to do.
Where is the CSO's role here? Think back to the "I-was-so-busy-I-never-saw-it-coming" guy. "Look," he says, "it's your job to give us a heads up! You guys in security may see this stuff as a routine part of your job, but I've got a committed team here busy working 24/7, and we didn't have a clue."
If your culture shoots the messengers of bad news, don't be surprised when various managers — even those who have been diligent enough to have "seen it coming" — may clam up when concerns are aroused. Explore this issue in your organisation. You'll probably discover that a lack of notice is more indicative of a climate of fear or wagon circling than anything else.
Then there are the interesting places we find ourselves housing critical business processes. We are working in very complex global and technical environments. We depend on global data networks and dispersed computing environments that live within very risky local infrastructures with differing standards of care. While it is recognised that a resilient recovery strategy is essential, don't forget that the cultural issues around corporate hygiene can land you on the front page of The Wall Street Journal faster than you can say "scandal."
And then there's honesty. It's acknowledged that the "honesty quotient" within our workforce has declined during the past few decades. Don't argue with me — the evidence is everywhere. Effective background investigations, however, will screen out the most serious threats.
On the Radar
If you think the rank and file doesn't watch to see how the stars get treated when they trip and fall, you're fooling yourself. And the whole process of integrity administration is up for question. It's great that security folks are learning new things and passing that information along. But at the end of the day, the CSO needs to translate the view from the top into a clearly articulated set of expectations. And that needs to be reinforced by equally consistent application.
The CSO should manage a formal takeaway process from every internal misconduct or criminal incident. If you have no plans for doing post-incident analysis and sharing lessons learned, your organisation is destined to repeat its mistakes.
What would you think about a business unit that had multiple or broadly based misconduct incidents combined with little or no risk analysis? What if it failed to pay attention to security recommendations on background or due diligence findings? What if it didn't participate in post-incident learning efforts or failed to hold managers accountable for problems on their watch?
That's why it's important to have a governance team. That's where it's important to connect the dots.
Security and other inputs from colleagues on the governance team provide a vibrant picture of health and hygiene in the company. A quarterly interchange between human resources, security and internal audit on issues within specific risk-ranked business units can yield a synergy — you know, that 1+1+1=4 thing — on assessing the adequacy of applicable controls and influencing the audit plan. When presented as a collaborative give-and-take exercise with no surprises, the result can be very positive in terms of the relationship as well as in the measurable improvement of issues of concern.
And where proactive measures don't work, maybe the courts can help get attention. The Organizational Sentencing Guidelines in late 1991 imposed an affirmative duty on corporations to create compliance programs to detect and respond to criminal misconduct. The Sarbanes-Oxley legislation, in response to Enron and other abuses, reinforces this precursor and pins the tail on the CEO, CFO and the board.
Prior cases have broadened the risk awareness parameters of the officers and the board, and even allowed that a corporate officer can be convicted for the criminal acts of subordinates — even if he lacks the intent and has no knowledge of the specific wrongdoing. The concept of responsible agent expanded dramatically in the Caremark International ruling in 1996. In that case, the court recognised the possibility that directors could be held personally accountable for a failure to detect and correct violations. The court reasoned that the board's failure to keep itself informed of illegal conduct was considered a breach of the requisite duty of care.
Perhaps this incremental trend of corporate accountability was best dramatised by Time magazine celebrating three whistleblowers for its 2002 Persons of the Year.
So, where does this bring us?
First, it argues for creating a role for the chief security officer that encompasses a 360-degree view of the operational risk environment. It means letting the CSO serve as a peer with the other members of the senior corporate governance team. The CSO's ability to connect the dots within his scope resulting in a perspective unique to the management team is an asset that cannot be missed in these risky times. Second, it argues mightily for a CSO with clear strategic and operational accountability for the full scope of security functions.
OK, so there is no Baldrige Award for Corporate Integrity. But there is a booby prize: If companies don't pay attention to ethical behaviour, they'll reap their rewards with a lack of shareholder confidence and customer defection.
This column is written anonymously by a real CSO at a major US corporation.