15 February, 2018

Why 'Risk and Compliance' isn't just for the Financial Services Industry

When I saw the headlines surrounding the Oxfam scandal over the weekend – claims of sexual exploitation and abuse by staff members in Haiti and within its volunteering circuit – it made me question: if the Third Sector had the same structures around Risk and Compliance that Banking & Finance do, might this have helped prevent or manage these situations, or at least put in place controls to prevent or adequately manage them?

It has been reported that in 2017, there were 125 cases of sexual abuse across the Third Sector with 87 from within Oxfam, 31 from Save the Children and a small number from British Red Cross.

Since the unprecedented exposure, Oxfam have now stated they will be putting in better governance controls and whistleblowing procedures. I’m sure it isn’t just me that recognises these as the typical responsibilities of Risk and Compliance professionals? It also raises the question: what processes and contingencies do the Top 100 charities currently have in place to mitigate, control and manage risk?

Save the Children have recently appointed a new Chief Risk Officer and currently, they appear to be the only large charity who have an individual at Director level, responsible for risk and compliance. Sometimes it is easy to overlook the size of charitable organisations, a number of whom, if they were commercial businesses, would sit in the FTSE 250 with responsibility for managing and distributing huge sums of cash whilst ensuring the money is being spent responsibly in line with their charters or commitments to transparency.

It is useful to start by looking at what the role of the Chief Risk Officer (CRO) is as this goes some way to aiding in the understanding of what benefits they can bring. The CRO and his or her team are responsible for identifying, analysing and mitigating internal and external events that could threaten a company, establishing policies, governance, reporting structures, owning business continuity, IT security, Cyber, and in 2018, being an active business partner. Protecting a company is much more complex and demanding than it was twenty years ago with a broader range of threats, in particular surrounding technology or data privacy. Charities have a history of poor customer data management which in 2017 resulted in 13 fines to large charities from the Information Commissioner’s Office (ICO).

In the case of large charities with substantial cash donations, government funding, international operations, high volumes of customer data, regulation (GDPR), global threats from Cyber Crime, invaluable brand and customer reputations, and in the case of Oxfam, existing abuse of the system, what is stopping these organisations taking control? The Oxfam case outlines the need for improved governance and controls, better processes around employment checks for new and current staff, complaints and whistleblowing policies and procedures. This isn’t to say that charities don’t take this seriously, I’m just not sure if they take the potential threats to their organisations seriously enough.

It wasn’t that long ago that the banks had a much lighter version of Risk and Compliance. Significant events over the last ten years were cause for change – the Mexican drug cartel money laundering, LIBOR, PPI, TCF, KYC, Sanctions, AML. The rogue traders, The London Whale, Bruno Iksil, Kweku Adoboli and Jerome Kerviel who collectively lost $15.6 bn – in the past Kweku, Jerome and Bruno wouldn’t have been called rogue traders, they would have just ‘disappeared’ off the scene and suddenly stopped coming to work. It’s here where the best parallels with Oxfam lie. Mistakes have been made, you can’t turn back the clock, sometimes it’s the shock that creates the calls to action. The learnings will hopefully be to be bold and brave; take action, beef up your Risk and Compliance functions, don’t be afraid and try and get in front of it. It takes time, but it creates better and more stable organisations in the long term. A lesson that all sectors can learn from.

 

To follow Kirsten’s articles on LinkedIn, click here.
