As risk professionals, we talk a lot about building a culture of accountability and promoting our core values of integrity and trust. The programs that we design and nurture exist to keep our organizations safe – whether it be from threats like risk assumed by a third party, the global nature of our jobs, threats to our workforce by COVID-19, labor shortages, or cyberattacks. At Fusion, we ask that our business partners and employees raise risks and issues to us so that we can help them put the necessary guardrails in place to continue to operate – and to do so safely.
Those of us who are deeply passionate about managing risk fundamentally understand that it is our own personal reputation at stake. After all, we are only as good as our word and actions when it comes to building a culture of trust.
Personal Accountability in Risk and Compliance
Chief Compliance Officers have always been aware of the personal responsibility attached to their jobs. In the case of misconduct related to risks of fraud, bribery, or corruption, the U.S. Department of Justice includes provisions in its Guidelines on Corporate Compliance to assess governance in place and determine whether management is responsible. These requirements can apply in third-party risk scenarios but also more broadly across the enterprise where risk for misconduct exists.
In tightly regulated industries like banking, Compliance Alert notes: “Chief Compliance Officers (CCOs) increasingly face personal liability for corporate wrongdoing and regulatory violations as a change of guidelines and a string of federal enforcement actions have transformed the environment in which CCOs operate. Now, regulators are pursuing cases of negligence where the CCO was neither involved in nor aware of the wrongdoing.” Trends like this incentivize us to have better visibility into the programs we run, build out stronger preventative controls, and promote regular control testing.
This concept has cascaded to new regulatory obligations such as operational resilience requirements in the UK which have provisions that require an appointment of a responsible individual in charge of the program who has ultimate accountability. The Digital Operational Resilience Act (DORA) in the EU takes it a step further and opens the door for provisions for criminal prosecution. The Chief Resilience Officer should take note of the lessons learned from their peers in compliance and foster a culture of compliance with these requirements in their organizations.
Adjacent to resilience obligations, many global regulations in the cybersecurity and data protection space contain provisions for cooperation with investigation and breach notification requirements. In the U.S., the Chief Security Officer of Uber was recently found guilty in federal court for not making appropriate disclosures to regulators over a hack. This situation represents the first time where an executive has been held criminally liable for a data breach. Essentially, he was complicit in covering up a breach that occurred during the course of an investigation. The lesson learned here? If he had been transparent during the investigation, he likely would have avoided prosecution, even if it meant he would need to find other employment instead. Per the New York Times, Stephanie M. Hinds, the U.S. Attorney for the Northern District of California, said in a statement: “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.” This is a clear signal that it is unacceptable to conceal information to protect organizational or personal interest.
Obligations on reporting and information sharing are only expanding as guidance and legislation contains additional provisions for incident management and breach notification. Risk and compliance professionals can no longer afford to hold this information close to their vest. How you respond to an incident that causes disruption to your business or consumer safety has become more important than ever, and regulators are also signaling that organizational trust is more important than ever.
Other Executives Are Not Immune
The United States Securities & Exchange Commission (SEC) has taken steps to hold executives responsible for misconduct under their watch. Leveraging existing verbiage in the Sarbanes-Oxley Act, the SEC signaled that they will claw back certain compensation bonuses and stock sale profits from Chief Executive Officers and Chief Financial Officers when their companies have to reissue an accounting statement because of misconduct. Of note, the Act is not relevant if the executives were themselves involved in the misconduct that gave rise to the restatement, only that they presided over a firm where misconduct took place.
With the expansion of reporting obligations to the SEC on cybersecurity and ESG (environmental, social, and governance), executives should take note that now more than ever, it is critical to the success of their organization that there are appropriate risk mitigation and preventative monitoring controls in place across those risk domains to ensure that their third parties are providing appropriate information to substantiate statements made in SEC reports.
Can You Afford Not to Invest?
The new requirements that have been put in place are holding executive leadership accountable for outcomes. Some of the requirements even simply state that they do not care if the executive was directly involved or not – it is the not knowing what is going on under their watch that is sufficient enough to trigger penalties that can include hefty fines, legal costs, and possibly even jail time.
It is now common knowledge that your organization must invest in technology in order to build a defensible program that can demonstrate that you have appropriate oversight into your important business services. It can also help you prove your culture of trust and that your organization can withstand scrutiny if there is an incident, helping to preserve your organization’s reputation.
Here are also some stats to help build the business case:
- According to the “Cost of Data Breach Report 2022,” the average cost of a data breach continued to rise in 2022, reaching an average of $4.4 million globally. In the United States, that cost spikes to $9.4 million.
- Defense costs in connection with an SEC investigation can exceed $1 million in order to defend individuals, directors, and officers – and indemnification insurance may not always cover the cost.
- Circling back to third-party risks, fines for violating sanctions can range from $90,000-$1.5 million per violation, depending on the specific provision violated.
Want more information on how to keep your organization safe from disruption caused by ineffective risk management?
Watch the replay of our most recent webinar titled Enabling Resilience Through Proactive Risk Mitigation.
You can also request a demo or reach out to your Account Manager to learn how our unique service-led approach can help you demonstrate that your executive team and board are maintaining oversight of your risk profile.