LOC Consulting’s James Keenan examines how to retain corporate reputation and customer trust when responding to a compliance breach.
The recent Barclays scandal is just one of a number of recent high profile examples that have highlighted how organisations continue to sail close to the wind in terms of risk, as they seek to reap greater rewards. However, as the Barclays case demonstrates, a precipitous plunge awaits those that cut it too fine, especially if they are unable to quantify their level of exposure and are subsequently found to have lacked the appropriate controls and board oversight to prevent a compliance breach.
Many organisations lack the necessary skills to implement an effective recovery should a breach occur – often taking the wrong type of remedial action and skirting around the true cause. This not only serves to compound the factors that contributed to the original breach, but consequently risks further investigation or additional penalties being imposed. More critically, exacerbating reputational damage can lead to reduced market share.
No longer ‘laissez-faire’
With external activists becoming increasingly vocal (and listened to) at a time when regulators themselves are being forced to sharpen their claws or face stinging criticism for being a ‘soft touch’, organisations can ill afford to be complacent when it comes to addressing compliance issues.
As demonstrated by recent events in the financial services sector, the costs of breaking ‘good practice’ from a regulatory and legal perspective are increasing significantly. Last year, compensation and remediation costs for the mis-selling of payment protection insurance (PPI) punctured a significant hole in the results of financial institutions. According to analysis by KPMG, the UK’s five biggest banks saw profits slide by £2.9 billion as a direct result of PPI redress, with the total cost of PPI and other compensation standing at £5.7 billion. However, other estimates suggest the final combined bill might be closer to £9 billion.
The cost of ensuring compliance is also rising. The UK’s Financial Services Authority (FSA) estimates that the Retail Distribution Review (RDR) scheduled to come into force at the end of 2012 will see incremental compliance costs running into the £multi-millions. RDR and the mis-selling of PPI are just two examples of how the pendulum of public opinion and political will continues to swing away from ‘laissez-faire’ market-driven forces towards a more regulated business environment.
A question of trust
A failure to protect personal data serves to underline how a breach in compliance also means a breach in customer trust. Research published recently by the UK’s Institute for Credit Management (ICM) revealed that 76 per cent of the 4,000 consumers questioned said they would ‘likely’ leave a business or service provider if it leaked some of their personal data.
As recent history shows, the fallout from a breach in customer trust can be devastating for the organisation in question; particularly once the regulator gets involved.
Root and branch approach
Where an organisation has failed, or is likely to fail, on a significant regulatory undertaking it is critical that a review of organisational culture, processes and technology be undertaken so that a recovery can be initiated in a timely fashion. It is often the case that when an organisation enters a legal or regulatory challenge process, they engage a specialist consultancy in order to retain corporate reputation and customer trust.
To achieve these two goals, the immediate priority is to identify and understand the root cause of why the compliance breach occurred. Although a failure in process or technology is often cited as the main factor, this can be a convenient truth because in many cases a deeper analysis reveals culture to be the underlying issue. For example, the mis-selling of PPI related to a sales process, but it can equally be argued that the sales teams were aware they were not conducting this business in quite the right way.
Driving demonstrable change
Experience shows that while it is important to address issues with data, processes and technology, it is essential to address the underlying culture of an organisation; otherwise the same issues tend to arise again in another format. In addition, it is critical that the organisation’s management team not only takes positive corrective action, but is seen to be taking that action, given that actions to address the root cause are highly likely to be audited by the regulator.
Furthermore, it is important to document not only the analysis of the root cause, but also the plans to address it – and the success of actions taken. An inability to prove that demonstrable change is being realised risks a breach of trust with the regulator, while further penalties may be applied if an audit reveals an organisation was aware that certain issues had not been addressed, or that the wrong corrective actions had been taken – whether knowingly or unknowingly.
Thus it is essential to be able to prove that the right remedial steps are being implemented. This requires a highly rigorous and auditable approach to the process, such that it can be verified if the right decisions to specific customer cases have been achieved and the regulator can gain assurance that a change has been made.
Doing the right thing
Ultimately, compliance is about doing the right thing. Naturally, if people were doing the right thing then regulation would not be required. But given the multiple examples of recent history, the ability of organisations to police themselves will continue to be called into question and there will always be those that push the boundaries as far as good practise is concerned.
The fallout of the credit crunch has been the spectre of double-dip recessions and sovereign debt crises. It is therefore unsurprising that the financial services sector remains a focus for increased regulation (and intense criticism). Yet with public scrutiny of private organisations intensifying, tighter regulation – whether formal or informal – looks inevitable.
Box-out: Five steps to addressing a compliance breach
As and when a compliance breach occurs, an organisation must:
- Nurture an open and honest relationship with the regulator
- Understand the root cause of why the breach happened, with particular focus on the operating culture
- Ensure agility with clear, flexible and auditable governance structures
- Develop practical responses, ideally as simple as possible given the historic data available to limit the damage
- Recognise that recovery can be a significant undertaking that often calls for dedicated teams
About LOC Consulting
LOC Consulting is a specialist management consultancy which partners with its clients to deliver complex business change and IT projects and programmes. We deploy dynamic and innovative consultants who specialise in programme healthcheck, recovery and delivery, drawing on a wealth of proven experience and leading practice methodologies to enhance clients’ business delivery. We have a proven track record of operating in multiple regulatory environments and successfully delivering recovery situations for a number of major UK organisations. We employ a robust methodology, ensure auditable results and are able to operate in sensitive environments with the subject matter understanding and gravitas to drive resolution and best possible outcomes. www.locconsulting.co.uk