Last week, as it often does, the LinkedIn algorithm decided to show me an advertisement for a Compliance Officer vacancy. This one was headlined: “Are you risk-averse?”
Now, if you’ve been following me for a while you’ll know I’m not a fan of the word “Compliance” to describe the function. As a piece of branding, it’s appalling and reminiscent of over-zealous parking attendants and low-level jobsworth bureaucrats. We also know it doesn’t sound great because it’s one of the few job titles that is made even worse by adding the suffix “Officer“. That’s not meant to be a criticism of the role. As a recovering Compliance Officer myself, I think its a critically important one. I just wish it was called something else.
Q: What’s even worse than a Compliance Officer?
A: A risk-averse Compliance Officer
But you know what’s even worse than being called a Compliance Officer? Being a risk-averse Compliance Officer. Taking risks is what companies do. That’s how they make money. A risk-free business won’t be in business for very long.
Of course, those risks need to be understood and managed. I’m not suggesting that Compliance Officers become perennial Yes Men and Women and don’t intervene to prevent bad outcomes. I’m only too well aware that in many industries, regulatory risk is one of the biggest risks that companies face; after Human Risk obviously!
But you don’t manage that risk effectively by simply being averse to it. And, whisper it, there are rules and there are rules. Some you absolutely have to comply with and others where there is a degree of flexibility. A bank that makes an error in its regulatory reporting, will find itself in significantly less trouble than one that breaches sanctions or fails to prevent money-laundering. A utility company that makes an error in customer billing, will be perceived differently to one who has a service outage.
What’s more, the nature of regulation is changing and Compliance Officers will need to change with it. As punitive adversarial heavily-codified approaches to regulation are replaced by Ethical Business Regulation, the skillset which Compliance Officers need to master is evolving.
Above all, they’re going to need to become more risk-minded. Merely being an expert in what the rules say won’t be enough. Being compliant in the 21st century isn’t just about slavishly following the rule book. In part, because the rule books are often complex and, for firms operating in more than one jurisdiction, one rule book can easily contradict another. Put it another way; no organisation is going to be 100% compliant in all areas. What matters is getting the important, “non-negotiable” stuff right.
Being technically compliant isn’t the right answer either. You only have to look at the banking industry to see how managing a business simply by reference to what the rules permit, has got Firms into a lot of trouble. There were no regulations in force to prevent collusion in the setting of benchmarks like LIBOR because no one thought it was necessary. In the UK, a compliant, yet generally useless product called Payment Protection Insurance was widely (mis)sold to unsuspecting consumers.
“Just because you can doesn’t mean you should”
Both ended up costing the Firms involved billions in fines and compensation payments. To quote one of my rules of Human Risk: “just because you can doesn’t mean you should”.
To prevent the LIBORs and the PPIs of the future, Compliance Officers will need to think like Risk Officers. Because, in essence, that’s what they are. Less Business Prevention Unit and more Good Business Support Unit.
If you want to master a discipline you need to embrace it. You won’t be able to safely ride a motorbike, ski down a black slope, perform on stage or cook for a dinner party if you’re paralysed by fear of the activity.
Equally, to be effective as a Compliance Officer, you need to embrace risk not be averse to it. You’re there to support the taking of controlled risk and prevent the taking of uncontrolled risk. A risk-based approach to compliance isn’t an oxymoron; it’s precisely how Firms need to run themselves.
Which brings me back to the job ad. I really hope they don’t appoint someone who genuinely is risk-averse. Because if they do, then they’ll be appointing precisely the wrong kind of person. Compliance Officers need to be risk-smart, not risk-averse.
What the 21st Century fit for purpose Compliance function really doesn’t need is Cautious Caroles or Nervous Nigels.