Innovation in Compliance

The Agile Audit with Toby DeRoche

Tom Fox’s guest on this week’s show is Toby DeRoche, a professional auditor and Senior Manager of Risk Management at Verizon. He and Tom talk about the importance of risk assessment and how it has changed in recent years. 

Agile Audit

Agile Audit is simply auditing the things that matter at the current moment. It’s an iterative approach, going through the entire audit lifecycle and compressing it down to the essentials. “We’re saying, so here’s everything that I could audit, but here’s what’s most important to the organization today,” Toby tells Tom. “It’s this continual cycle… giving you the answers to what’s the most burning question you have related to risk and control in your organization today.” 

 

Focus on The Highest Risk

If an audit plan isn’t focused on relevant issues, or the highest risk, no one is going to care how well the auditing plan was executed. Focusing on low-risk issues wastes everyone’s time. “We should be focusing on the things that are the highest risk and only those things,” Toby says. If internal auditors aren’t focused on management support, strategic objectives, and challenges, then they aren’t doing their jobs. 

 

Communicating Vs Reporting

Tom asks Toby to differentiate between communicating and reporting results as an internal auditor. Giving reports is not communication, he responds; it’s just regurgitating facts. “A much more effective way of getting the information across is to make it more digestible,” Toby remarks, because it’s much more impactful, and people can more easily grasp what you’re trying to say. 

 

Looking Ahead

Companies in the future will have no choice but to use the concepts of risk assessment, continuous improvement, and continuous risk assessment. Auditing must be part of the company’s objectives. “Anything that we’re doing that’s not focused on what matters to management and the highest risk to them achieving their goals right now, then we’re completely missing the picture,” Toby stresses. 

 

Resources

Toby DeRoche | LinkedIn  

Only Audit What Matters 


Using Agile for Compliance Innovation

Driving innovation in your compliance program is still seen as one of the most difficult challenges for every Chief Compliance Officer (CCO) or compliance professional. I was therefore intrigued by a recent article in the Harvard Business Review (HBR), entitled “Purposeful Business the Agile Way” by Darrell Rigby, Sarah Elk and Steve Berez, which discussed how business leaders can “transform a profit-maximizing system into a purpose-driven one without jeopardizing the future of their businesses and their own careers.”

Interestingly, the authors came to their approach because of the post-pandemic Great Resignation. They posit that business leaders have no clue why employees are acting this way or, equally importantly, how to adapt to it, stating, “For decades managers trusted influential economists who promised that if businesses maximized profits, an invisible hand would generate greater benefits for all society. That isn’t happening the way they said it would.” Yet business executives went overboard, making the creation of value for shareholders their only focus. The authors believe that such a myopic approach robs other “stakeholders of value.” That has certainly been the case for businesses’ treatment of employees. The authors conclude, “One recent manifestation: Record numbers of people are quitting their jobs, and others are hitting picket lines to demonstrate a growing conviction that life is too short to waste on demoralizing work. Concern about social inequities and environmental damage is escalating. The system is out of balance, and the situation is getting worse.”

Business executives stand at a turning point. They can continue down a destructive path or adapt. However, the problem is that most business leaders are afraid to change, afraid to create multiple stakeholders as opposed to focusing solely on shareholders, and do not want to listen to their employees. The authors believe, “agile ways of working can help, turning squishy debates about corporate purpose into real actions and results.” The article provided me with numerous tangible ideas about how to drive innovation in the compliance arena. I have adapted the authors’ ideas for a corporate compliance program. The authors posit several concrete steps you can take, which every CCO and compliance professional should consider for their compliance regime.

Create a Microcosm

The authors suggest an approach not unlike Design Thinking. Here are some of their suggestions.

  • Assemble a multidisciplinary team, including experts outside your silo.
  • Develop deep empathy for users, exploring their goals and frustrations.
  • Examine the current system to identify the causes of those frustrations.
  • Envision a more purposeful system.
  • Describe changes that might improve the system.
  • Prioritize and sequence them.
  • Test potential improvements.
  • Adapt to unexpected effects and side effects.
  • Scale up solutions that enrich the lives of stakeholders affordably.

Every CCO should be comfortable with these suggestions and steps.

Continuous Monitoring Leading to Continuous Improvement

Compliance, like business purpose, should not be viewed as a mechanical watch. In 2008, I heard then Deputy Attorney General (DAG) Lanny Breuer say that a best practices compliance program needed to be nimble and agile. Obviously, continuous monitoring and continuous improvement are mandated parts of a best practices compliance program in 2022. Where the authors expand on this basic component for any compliance program is around five questions you should ask about your compliance innovation.

These include: Does your compliance initiative support your strategic objectives and create important benefits for the stakeholders who have the most impact on the success of your business? Will multiple stakeholders actively support your compliance initiative? Will your investment in this compliance initiative create greater value for a wide variety of stakeholders, more “than would simply writing a check to a more economical innovator?” Finally, your compliance initiative should “test specific hypotheses and mitigate adverse side effects before scaling up the project.”

Do the Right Thing

Setting financial targets is one way of goal setting. However, as the authors note, “Agile helps flip that approach, focusing first on creating value for stakeholders and then on earning adequate profits in the process. Instead of asking, How can we improve profitability without damaging customer and employee satisfaction? they ask, How can we enrich the lives” of various stakeholders and employees?

In the 2020 Update to the Evaluation of Corporate Compliance Programs, the Department of Justice (DOJ) made clear that CCOs and the corporate compliance functions were the holders of institutional justice and institutional fairness in a company. In other words, you already have the obligation. Therefore, doing the right thing for both employees and other stakeholders is not something new for compliance professionals.

Prioritize Collaboration

If there is one thing compliance must do, it is collaborate. Compliance generally does not have a hammer it can bring down but must lead through influence and working with others. Moreover, engagement with a wide variety of stakeholders in your company is a much better way to get something done, as the stakeholders involved will be invested in the outcome if they are involved in its creation.

In the world of agile, the authors report, “A central reason for the success of agile ways of working is that they prioritize teamwork over individual performance. Research by the Standish Group, which has studied the success of IT projects since 1994, shows that agile teams improve software innovation by more than 60%, on average, and by 100% when the innovation is large and complex. Two-thirds of agile teams across a wide range of business functions report better cross-functional alignment, and 60% register higher team morale, according to the State of Agile Report by Digital.ai, a company focused on digital transformations.”

The bottom line is that by embracing these agile concepts, a CCO has a much better chance of implementing innovative change in their compliance program.