Mitigating Conduct Risks in Strategic Objectives & Performance Metrics

Corporations depend on strategic objectives and performance metrics. Senior executives declare the objectives and the metrics they’ll use to measure employees’ progress toward those goals, and employees get to work achieving them. Compliance professionals already know all that. 

What we need to appreciate more is how those two things — strategic objectives and performance metrics — can sometimes warp your corporate culture, to the point of corporate misconduct and regulatory enforcement actions. Because when strategy and performance metrics don’t align with corporate values, that’s exactly what happens.

This has been on my mind because several times recently we’ve seen examples of this dynamic at work:

  1. A large retail bank with its scandal of employees opening false accounts without customer permission so the employees could hit sales metrics.
  2. A consumer food business recently fined $62 million for accounting fraud in which employees broke accounting rules to hit cost-cutting targets.
  3. A global advertising company which just paid $19 million to settle FCPA charges. They had acquired smaller advertising firms in high-risk markets, and gave the founders earn-out bonuses if they hit certain financial targets post-acquisition. In several countries, those founders then bribed their way to hitting those targets.

The details of those cases and the nature of their misconduct are very different. Fundamentally, however, all three cases sprang from the same basic cause: strategic objectives and performance incentives that existed in a weak ethical culture — and from that poor control environment, misconduct flowed. 

Compliance officers need to approach that threat methodically and include such issues in the risk assessment. Then you can deduce what sorts of misconduct might happen, given the control environment, and reverse-engineer the policies, procedures, and controls you could put into place to keep those risks at bay.

Begin with a simple assessment of strategy and incentives

An assessment of strategic objectives and performance metrics doesn’t need to be hard. I sketched out one possible flowchart, below, that a compliance officer could use to walk through the questions that would need to be answered.

For example, the strategic goal might be, “Drive revenue by selling a wider range of products to the customer.” The company might then measure success toward that goal by tracking how many types of products each employee sells to a customer. 

Then the compliance officer could ask: “So how could an employee game that metric? How could he or she over-state the range of products sold to a customer?” Maybe the employee does that by falsifying sales agreements with the customer, or doing some round-trip revenue scheme where the product is “sold” two days before the end of one quarter and then returned two days after the start of the next.

Once you get a sense of the ways that misconduct might happen, that understanding can guide the policies, procedures, and controls you might implement in response. For example, require more documentation of a customer’s consent to sale; or perform more rigorous transaction analysis to catch chicanery like a round-trip revenue scam. 

Corporate culture and incentives are still paramount

Despite the analysis that tells you how misconduct might happen, compliance officers still need to understand the odds of whether that misconduct will happen. That is, they still need to understand how the control environment pressures those strategic goals and performance metrics. 

First, look to the HR department, employee satisfaction surveys, and your own internal hotline to get a sense of how much pressure employees feel to hit performance metrics. Do they mention high pressure in exit interviews? Do they complain about it in employee surveys? Do they complain about it to you, in hotline reports? How much of their total compensation is tied up in incentive compensation, to hit those targets?

Equally important: who is complaining about pressure? Are they the same people who could commit misconduct, based on the analysis we did above? 

Clearly you’ll need a considerable amount of data to answer these questions, most likely from the HR team and your own compliance function. You’ll also need to perform (as best you can) an analysis of what senior leadership says about ethical business practices, performance, and the intersection thereof. As always, that tone at the top matters most.

From there, move forward with remediation

Whatever problems or risks you might find as a result of this work, remediation can happen at two levels. At the tactical level, a compliance officer could implement new policies, procedures, or internal controls to thwart the specific types of misconduct you believe could happen — more requirements for documentation, more approvals before granting an exception to policy, automatic triggers for investigation when a policy violation happens, and so forth.

At the strategic level, compliance officers could brief the board or the C-suite about the state of corporate culture — and whether that culture is driven too much by pressure and fear, which could result in misconduct as employees scramble to hit performance goals. 

By performing that first analysis of how misconduct might happen, given the company’s strategic goals and performance metrics, you’ll be in a better position to talk about whether misconduct will happen, given the corporate culture.

Then you’ll just need a corporate board and management team committed to an ethical culture, even if that means tempering strategic objectives and performance metrics. But that’s a post for another day.
