Too much data, too little information.
This problem crops up with increasing frequency from a growing number of organizational sources.
As the era of analytics deepens, the challenge of distinguishing between noise and signals steepens. The board of directors represents one of the most important sources of this complaint. As the importance of risk intelligence grows, CFOs, risk officers, chief audit executives and chief compliance officers must get smarter about what risk information they present to the board -- as well as when they present it and how.
I recently chatted with Steve McGraw, GRC president for SAI Global Compliance, to find out more about the type of risk information the board needs, and how that information should be presented (e.g., trend lines are important), so that it can fulfill its duties.
Eric Krell: What are some common shortcomings related to the risk and compliance information board members receive?
Steve McGraw: Some of the common shortcomings we see are that the board is not fully aware of the key risk and compliance obligations required by law or regulatory agencies. As a consequence, in an attempt to compensate for this lack of regulatory expertise, information on compliance and risk programs is often presented to the board in great detail. This can be overwhelming and at times, counterproductive. In short, some focused training on the front end will save time later.
Krell: As the volume of risk data available to compliance officers, risk officers and CFOs increases, the risk of providing too much data and too little information also increases. Can you recommend any steps to address this challenge for those who furnish risk and compliance information to the board?
McGraw: It is important to put the data in the right contextual framework. One important area that every board should be reviewing is risk management. For example, if you are an insurance company you may be tracking the number of claims that are paid late. It is helpful to remind or educate the board that late payments will run afoul of the state insurance authorities and thereby increase the risk of financial penalties or other sanctions. I am sure you can easily think of other examples such as data breaches, disaster recovery and business continuity, loss events, as well as new laws such as the Dodd-Frank Wall Street Reform and Consumer Protection, Patient Protection and Affordable Care, and the Bribery Act of 2010 in the United Kingdom.
Another technique is to present the data within trend lines. It is important to remind the board how this data has changed over time. Benchmarks can also be used with trend lines to provide reference points for the board. Whether you use industry-standard benchmarks or your own, they can help the board see your data with respect to your desired outcomes or objectives.
For example, if you are concerned about anti-bribery laws, you may wish to track your vendors' compliance with your training programs and their acceptance of your code of conduct. If your objective is that within 90 days, all vendors have met this standard, then you may show a chart with the number of vendors in compliance within 30 days, 60 days and over 90 days.
Finally, the right data is important. For example, a board should be seeing data that helps it evaluate whether management is effectively executing the compliance or risk management program; data that reflects whether the company's program meets the minimum standards for such programs; and data about how effectively the company fixes identified problems. Properly structured, these reports should be neither lengthy nor time-consuming.
Krell: In some cases board members may not know what they should be asking of their executive counterparts or who should provide them with risk and compliance education. What are some useful practices for educating the board about the risk-related questions and information requests they should be asking and making?
McGraw: All board members should be educated on the company's risk and compliance program. Why does it exist? Who developed it? How was it constructed and how is it managed? Additionally, the board should receive annual training on industry topics and technical topics such as enterprise risk management (ERM).
For example, if you are a healthcare company, your board, and especially your non-healthcare outside board members, should receive specific training on the intricacies of healthcare compliance and risk programs. It is well worth the time and money to bring in an authoritative independent third party to educate the board. I recently attended a session taught by Dan Roach, vice president, compliance & audit for Dignity Health, at the HCCA Compliance Institute conference. This session was specifically designed for non-healthcare board members and received outstanding reviews.
Similar to healthcare, each industry has its own unique challenges and it is essential to educate the board on these topics.