Into the breach: managing risk in the era of compliance - Business Works
BW brief

Into the breach: managing risk in the era of compliance

James Keenan, LOC Consulting E nsuring regulatory or contractual compliance can be costly, but the cost of a breach can be far higher, risking an organisation’s reputation, its customers and potentially, its long-term future. Those in breach must not only take corrective action, but ensure a recovery delivers long-term, effective change. James Keenan of LOC Consulting examines how to retain corporate reputation and customer trust when responding to a compliance breach.

The way in which organisations conduct their business is coming under greater scrutiny than ever before. The drive to improve transparency in the financial services sector, the question of media ethics arising from the Leveson enquiry and a number of recent shareholder revolts over executive pay have seen the internal workings of organisations from a broad cross-section of industry fall under the glare of the public spotlight.

Five steps to addressing a compliance breach

As and when a compliance breach occurs, an organisation must:
  • Nurture an open and honest relationship with the regulator
  • Understand the root cause of why the breach happened, with particular focus on the operating culture
  • Ensure agility with clear, flexible and auditable governance structures
  • Develop practical responses, ideally as simple as possible given the historic data available to limit the damage
  • Recognise that recovery can be a significant undertaking that often calls for dedicated teams

Certainly, it is interesting to note that this stems, not only from formal regulation, but also from a social change, where perceived wrong-doing is more closely investigated by, amongst others, an increasing cadre of small, but active shareholders, as well as a growing contingent of so-called 'whistleblowers' ie. workers from inside an organisation 'making a disclosure in the public interest' because they believe there is wrongdoing in their workplace.

Aside from some of the more dubious (and some illegal) practises to have been uncovered as a result of this increased scrutiny, it has become clear that many organisations continue to sail close to the wind in terms of risk, both managed and unmanaged, as they seek to reap greater reward. However, just like the mythical Icarus, a precipitous plunge awaits those that cut it too fine, especially if they are unable to quantify their level of exposure and are subsequently found to have lacked the appropriate controls and board-oversight to prevent the compliance breach.

Worse still is the fact many organisations lack the necessary skills to implement an effective recovery should they fail. Often, they will take the wrong type of remedial action, skirting around the true root cause. This only serves to compound the factors that contributed to the original breach and consequently risks further investigation or additional penalties being imposed by the relevant regulating body and, more critically, exacerbated reputational damage leading to reduced market share.

No longer 'laissez-faire'

With external activists becoming increasingly vocal (and listened to) at a time when regulators themselves are being forced to sharpen their claws or face stinging criticism for being a 'soft touch', organisations can ill afford to be complacent when it comes to addressing compliance issues.

As demonstrated by recent events in the financial services sector, the costs of breaking 'good practice' from a regulatory and legal perspective are increasing significantly. Last year, compensation and remediation costs for the mis-selling of payment protection insurance (PPI) punctured a significant hole in the results of financial institutions. According to analysis by KPMG, the UK’s five biggest banks saw profits slide by £2.9 billion as a direct result of PPI redress, with the total cost of PPI and other compensation standing at £5.7 billion. However, other estimates suggest the final combined bill might be closer to £9 billion.

The cost of ensuring compliance is also rising. The UK’s Financial Services Authority (FSA) estimates that the Retail Distribution Review (RDR) scheduled to come into force at the end of 2012 will see incremental compliance costs running into the Łmulti-millions. RDR and the mis-selling of PPI are just two examples of how the pendulum of public opinion and political will continues to swing away from 'laissez-faire' market-driven forces towards a more regulated business environment.

The increasing number of security breaches hitting the headlines is also driving growing awareness amongst regulators and the public about data security issues and the dangers of breaching compliance. Under the UK’s Data Protection Act (DPA) 1998, organisations handling personal information about individuals have a number of legal obligations to protect that information. Yet a large number continue to fall foul of the Information Commissioner’s Office (ICO) – the watchdog tasked with enforcing DPA.

Recently, an NHS Trust in Brighton was served with the largest ever fine issued by ICO (£325,000), after hospital hard drives containing sensitive patient data were sold on eBay. Meanwhile, Telford and Wrekin Council was issued with a penalty of &pund;90,000 by ICO, following the disclosure of confidential and sensitive personal data relating to four vulnerable children.

A question of trust

A failure to protect personal data serves to underline how a breach in compliance also means a breach in customer trust. Research published recently by the UK’s Institute for Credit Management (ICM) revealed that 76% of the 4000 consumers questioned said they would 'likely' leave a business or service provider if it leaked some of their personal data.

As recent history shows, the fallout from a breach in customer trust can be devastating for the organisation in question; particularly once the regulator gets involved. In November last year, Homeserve’s shares slumped by almost 14% after it announced it was suspending all telephone sales and marketing facilities amid claims of mis-selling by its call centre staff.

More recently, Homeserve was fined £750,000 by Ofcom for making silent and abandoned calls, while the Group remains the subject of an FSA investigation into whether it ignored customer complaints during the winter cold snap of 2010-11. Reports suggest that the Group is now planning to cut back its UK operations and focus on opportunities in the US.

That compliance also encompasses an organisation’s ability to meet implicit contractual arrangements is becoming especially important as privatisation moves into more controversial areas such as healthcare and policing. The collapse of Southern Cross Group prompted many to question whether private equity firms are best placed to prioritise the care of patients over commercial interests, while the outsourcing of policing services in the West Midlands and Surrey has been dubbed 'a dangerous experiment with local safety' by the Unison and Unite Unions.

Root and branch approach

Where an organisation has failed, or is likely to fail, on a significant regulatory undertaking it is critical that a review of organisational culture, processes and technology be undertaken so that a recovery can be initiated in a timely fashion. It is often the case that when an organisation enters a legal or regulatory challenge process, they engage a specialist consultancy in order to retain corporate reputation and customer trust.

To achieve these two goals, the immediate priority is to identify and understand the root cause of why the compliance breach occurred. Although a failure in process or technology is often cited as the main factor, this can be a convenient truth because in many cases a deeper analysis reveals culture to be the underlying issue. For example, the mis-selling of PPI related to a sales process, but it can equally be argued that the sales teams were aware they were not conducting this business in quite the right way.

Similarly, Homeserve’s initial failing related to a problem with its answer machine detection (AMD) technology, but the current investigation by the FSA is focused on allegations by a whistleblower that customer complaints had been ignored and that Homeserve had a culture rewarding staff for 'productivity rather than quality'.

A further case in point is that of Severn Trent, the water company fined £35.8m by the regulator Ofwat for providing false information and poor customer service. The bulk of the Ofwat fine, £34.7m, related to the supply of false data, yet the issue was not that the data was incorrect, but that it was reported inaccurately in order to present it in a more positive light.

Driving demonstrable change

Experience shows that while it is important to address issues with data, processes and technology, it is essential to address the underlying culture of an organisation; otherwise the same issues tend to arise again in another format. In addition, it is critical that the organisation’s management team not only takes positive corrective action, but is seen to be taking that action, given that actions to address the root cause are highly likely to be audited by the regulator.

Furthermore, it is important to document not only the analysis of the root cause, but also the plans to address it – and the success of actions taken. An inability to prove that demonstrable change is being realised risks a breach of trust with the regulator, while further penalties may be applied if an audit reveals an organisation was aware that certain issues had not been addressed, or that the wrong corrective actions had been taken – whether knowingly or unknowingly.

Thus it is essential to be able to prove that the right remedial steps are being implemented. This requires a highly rigorous and auditable approach to the process, such that it can be verified if the right decisions to specific customer cases have been achieved and the regulator can gain assurance that a change has been made.

Data also plays a key role in the recovery process, since an organisation can only take remedial action based on retrospect. The quality of historical data must be assessed, any gaps identified and a decision taken on how best to use the data available to achieve the best possible outcome. An assessment of whether the organisation can handle the responses is also necessary. Clear and simple policies and methodologies are required, especially in the case where high volumes of customers are impacted, such that new recruits bought in to deal with an upsurge in complaints can deal with them, or offshore teams be engaged.

Doing the right thing

Ultimately, compliance is about doing the right thing. Naturally, if people were doing the right thing then regulation would not be required. But given the multiple examples of recent history, the ability of organisations to police themselves will continue to be called into question and there will always be those that push the boundaries as far as good practise is concerned.

The fallout of the credit crunch has been the spectre of double-dip recessions and sovereign debt crises. It is therefore unsurprising that the financial services sector remains a focus for increased regulation (and intense criticism). Yet with public scrutiny of private organisations only intensifying in many sectors, tighter regulation – whether formal or informal – looks inevitable.

James Keenan is a Managing Consultant with LOC Consulting, a specialist management consultancy which partners with its clients to deliver complex business change and IT projects and programmes - for further information, please visit:

Tweet article
BW on TwitterBW RSS feed