By Joe Murphy, JD, CCEP, CCEP-I
In the December Compliance & Ethics Professional magazine, Roy makes many important points in his feature interview, but there are a couple I would like to emphasize here relating to “risk,” and its connection to compliance & ethics.
First, it is clear these are not synonyms. Risk deals with everything that could affect the business. The emphasis is on avoiding harm to the company. Compliance and ethics deals with the risk the company will hurt others. Risks to the company, like investments, insurance, etc., “have nothing to do with the compliance and ethics program.” People constantly try to transform compliance and ethics into something else. It is not risk and it is not governance. As Roy has described it well, “Compliance and ethics programs focus only on risks the company causes to others.” Someone, somewhere, has to do this, and that is the job of our profession.
In this same context, he also addresses one of the common buzzwords, “risk appetite.” Roy hits this head-on: “The concept of risk appetite does not – and should not – exist in compliance and ethics programs.” A company can have a risk appetite for business risks. But it is obscene to have an appetite for crime or unethical behavior.
Roy also explains that we do not simply analyze risk or assess its probability. In Roy’s words “We need people to fix the problems we find.” That is what our profession is about.
Just because Roy has retired does not mean we can afford to forget his words. I hope, even in his absence, his wisdom continues to guide us. Cheers, Joe