Tara Giunta is a partner in the Washington, DC, office of Paul Hastings LLP, is a Vice Chair of the Investigations and White Collar Defense Practice and Chair of the firm’s Women’s Initiative. She advises clients and their officers and directors in high risk, regulated industries, on global compliance focusing on anti-corruption, data privacy and national security. Ms. Giunta performs risk assessments for global enterprises, develops comprehensive compliance programs, conducts internal investigations, and represents clients before U.S. enforcement agencies. She was recognized by Global Investigations Review (GIR) in its Women in Investigations list, which recognized 100 women across the globe who are “achieving great things in a competitive and notoriously tough area of law.” She is also Editor of the Breaking the Glass Ceiling: Women in the Boardroom report. Ms. Giunta received her J.D. from Columbus School of Law, Catholic University, and her B.A., cum laude, from Tufts University.
Christopher P. Skroupa: How have we seen enterprise-wide risk evolve over the last ten years? (i.e. the evolution of cyber/data threats).
Tara Giunta: Enterprise risk used to be viewed conventionally as those risks that were essentially well-established for a company operating in a particular industry. The approach to corporate governance, as a result, was relatively parochial with the boards overseeing “governance” at a very high level, while management made sure that there were basic functions overseeing well-known risk areas. For instance, a consumer products company might have focused its attention on labor laws in countries where they manufacture their products. Today, the breadth, depth and pace of evolving risks require that organizations take a broader perspective, challenge conventional assumptions, anticipate new risk areas and stay light on their feet to pivot when the next risk area or threat hits. That same consumer products company needs to also focus on how their various facilities and operations are licensed globally (for example, Walmart) and the impact a cyber attack could have on their business (for example, Target). The objective must be to move from a passive risk-awareness mode to a proactive risk-intelligent organization.
The single largest threat that companies across industries identify is the threat to reputation, which in turn is affected by a number of risk areas, including bribery and corruption and an inadequate data privacy function. With the increasing focus on accountability at all levels of an organization, including the board, assuring that the board is fulfilling its fiduciary duties requires a board with the appropriate skill sets, experience and time commitment to challenge management on whether there are adequate risk detection and management processes.
Skroupa: How has that affected the way we assess risk?
Giunta: Previously, it was assumed that risks were relatively obvious and therefore management was well-aware of the risks facing the organization. That in turn enabled companies to establish limited compliance functions that were both siloed from each other and often either siloed away from the commercial operations where the risks were arising — or co-opted by the commercial function to which they reported. Today, there is an appreciation that organizations must engage in an appropriately scoped risk assessment designed to probe into and evaluate the full range of risks both confronting the business today and anticipated to be confronting the business within the next 3-5 years.
Moreover, those once considered impossible “black swans” now must be viewed as a possibility and accommodated by establishing a risk and compliance function that is interconnected, constantly assessing, monitoring and testing, and proactively adjusting the compliance function as the risks evolve. This will enable the company to pivot when (not if) that black swan hits. Risk and compliance organizations in global enterprises need to be appreciated for the role they play in helping companies achieve their commercial objectives in an efficient, effective and valued manner, minimizing the risks or threats to the organization and enabling the organization to respond effectively when those risks do arise. That requires risk and compliance functions to report independently of the commercial operations while also being embedded sufficiently in the operations to understand the evolving risks facing the company. This is often a delicate, but necessary, balance and requires risk and compliance leaders to engender trust and confidence within the organization.
Skroupa: What challenges does management face when incorporating resilience strategy into risk management?
Giunta: Management and the board must understand that risk and compliance governance is a way of life, a critical aspect of its organizational structure, and key to its continued and future success. The increasing pace of change and accelerating dissemination of information (whether true or not) through social media has put additional pressure on organizations to build resiliency into their risk management. Therefore, an organization’s ability to anticipate and respond to changing risks affects its success and demands an integrated approach in order to be resilient. Further, there can be a tendency to take a retrospective approach to risk identification. The challenge is both to understand your risk profile and to anticipate new risk areas – after all, a company’s strategic plan is forward-looking. In order for the risk function to be a true partner with the business, it needs to understand those commercial objectives and anticipate the risks that may surface as a result. There must be a connection and coordination between the risk and compliance function and the commercial and strategic planning function in order for the risk and compliance framework to be effective.
For many industries, growth markets are found in emerging economies with different legal frameworks, regulatory requirements and cultural realities. An organization entering those markets needs to understand those fundamental differences and realities, in order to ensure that their corporate culture is embedded and effective. While compliance may be a well-understood concept in the US, that is not necessarily the case in other markets with different legal and regulatory histories, contexts and paradigms. Further, a control feature or tool that works in one market may not work in another. The effectiveness of internal controls depends upon how well management has understood and accommodated those challenges, while staying true to its commitment to compliance and resiliency in its risk management framework. This is where a well-scoped risk assessment can be particularly helpful.
Skroupa: How can effective corporate governance mitigate risk?
Giunta: An effective risk management function incorporates all levels, from the board which is responsible for oversight and setting the tone at the top, to the executive management team which is responsible for pushing compliance and risk governance throughout the business, to the supporting functions (finance, internal audit, legal, compliance, procurement/supply chain) that assure an integrated approach to compliance, down to the commercial units where typically the risks occur and which ultimately own the risk.
In order to be effective, the risk and compliance governance function must take a multi-pronged approach: First, there should be a global risk assessment process that is refreshed periodically, typically every 2-3 years. In the intervening time, regional or targeted risk assessments can be conducted. Depending upon the size and resources of the organization, an internal risk assessment function and process can be established to undertake the ongoing oversight of risks. If so, it is advisable to have an external firm conduct a global risk assessment at the 2-3 year mark, to validate the work of the internal function. Second, the policies and procedures must be refreshed periodically to reflect the evolving risk profile of the business. Third, an effective compliance program incorporates testing and monitoring protocols as well as internal audits, to flag issues as they arise, rather than waiting until they create serious exposure for the company. Finally, there should be clear protocols as to how the company responds to red flags or allegations when they arise so that it is able to respond quickly and thoroughly, with documented remedial measures and, when appropriate, disciplinary action. This interdisciplinary approach allows the organization to identify and mitigate risk, and to respond quickly when needed.
Skroupa: How have management and the board needed to adapt to the evolving risk environment?
Giunta: Organizations today face an unprecedented number of risk areas, and those areas are shifting at a rapid pace. How well an organization understands, addresses and mitigates those risks can significantly impact its ability to compete and succeed. Threats to a company’s reputation can come from a broad array of risk areas, some understood and others unanticipated. For instance, an airline’s risk profile probably didn’t focus on removing a passenger from an oversold flight. However, several airlines have been in the limelight recently and taken hits to their reputations. The ability to see that risk is important, but there will be risks that even the most diligent management teams will not anticipate. Therefore, management and boards are well-advised to embed risk and compliance into every aspect of the business, build communications and training around it, and reinforce its commitment to ethical business practices, as well as establish “SWAT teams” and protocols for responding when the threat hits, as it surely will do. This requires that the company dedicate sufficient resources in the people and functions comprising its risk and compliance function.
One department often overlooked when developing internal compliance teams is the Human Resources Department (HR). HR is a key element to ensuring the effectiveness of the risk and compliance function – assisting in hiring and retaining the right people, developing compensation systems that align with both commercial and compliance priorities and objectives, and tracking disciplinary issues and trends. Further, HR can help ensure that risk and compliance training is built into the fabric of the employees’ experience and expectations. Annual performance evaluations, including 360 reviews of senior management and the board, should include how well the employee, executive or director has understood the risks and compliance priorities and functions, and his or her role in achieving those objectives.