In this second episode in Protiviti’s podcast series on the Responsible Technology Firm of the Future, Managing Directors Gordon Tucker, Matt Moore and Jim DeLoach discuss how technology firms can achieve the right balance between innovation, corporate governance and regulatory compliance.
These companies, if you look back, have been unbelievable growth engines. Back up 10 years, and none of them were in the top 10 in terms of market value or, frankly, many other metrics. You look at the largest companies on Earth right now, and the majority of them in the top 10 are technology companies. In addition, most every other industry is starting to think of itself in some ways as a technology company in how they deliver their services, deliver products, etc. So, I think the overall urgency around this issue is high, and rightly so. I think the industry – again, correctly – is saying about itself, “We probably do need some form of regulation.” The question is, how much? The question is, how will companies embrace that technology? So, this is that swing between not wanting to tamp down on the growth of these organizations and also not letting them run wild.
One of the clear lessons and real opportunities for the technology industry is approaching compliance from the standpoint of “Compliance is a risk.” It’s a risk to the organization, it’s a risk to enterprise value, but at the same time, it’s a risk to be managed. So, the management of compliance risk is most effectively done when there is a clear, well-established program in place, a framework through which it occurs, and recognition that the prioritization of the relative risk and the impact can drive the investment decisions that are necessary, the mitigation strategies to be executed.
Finally, acknowledging that these compliance requirements are not static, and so they will continue to evolve, new requirements will come on board, and therefore, any compliance program that operates, by design and by necessity, must be dynamic to adapt to that changing environment and those changing requirements. So, where many financial institutions went through and strengthened their compliance programs, that was accomplished by bolting on after the fact to existing activities. Candidly, that wasn’t always the most efficient or effective way to go about that, but due to time constraints, due to scrutiny or pressure, it was done out of necessity.
Where the real opportunity exists for technology firms is, in many respects, they’re starting with a completely clean sheet of paper. They have core competencies in the development and the release of products and services that will allow them to, frankly, leapfrog what are known today as the leading practices around compliance risk management, because they will deliver it through their core capabilities, and not by adapting and adopting something that has worked in another industry but has not been done optimally.
For many firms that have operated in that environment, you make choices: Where do you want to be on the spectrum? At one end of the spectrum, we want to do the bare minimum, we want to stay out of jail, just meet the requirements. At the other end of the spectrum, and maybe a more progressive way to approach it, is, how do we want to deliver our brand into the market, and how do we want that to be perceived? Related to that, if trust is something we inherently value, and we would like our customers and our stakeholders to have trust in us, then we might anticipate not necessarily what we have to do under the regulations, but what’s the right thing to do and what’s the way that we can do that to be able to strengthen the trust they have in us, and therefore strengthen the brand.
So, where many organizations that have taken the more progressive view have gone is looking through that their products and services and trying to anticipate or plan out scenarios to where, “What could some of the negative consequences be? How could our customers or clients be perceived as unfairly treated or not benefiting from what we deliver?” Then, frankly, working that back to ensure that the processes that they operate, the products that they deliver, have controls built in to ensure that the outcomes they desire are delivered consistently, thereby reinforcing their brand promise and strengthening the trust they have.
I mean, it’s a question of balance. So, on the one hand, you’ve got the entrepreneurial activities of the organization that are driving the creation of enterprise value. On the other, you’ve got the risk management and compliance focus on ensuring that we’re preserving that value. So, then, we’re looking at risk and reward in terms of value-creation opportunities. So, I think that what boards and executives in the industry need to focus on is what executives and board members in the financial services and other industries that have given this attention … that the trick is how do you create a balance so that neither the entrepreneurial forces of the organization that are creating value and the control forces of the organization that are preserving value are not disproportionately strong relative to the other. That’s the question of that balance. It’s a mind-set, and it’s incorporating that in the agenda.