I just read an excellent piece in Bloomberg BusinessWeek. It discusses the board's responsibility for overseeing corporate compliance, culture, and the performance of executives.
1. What do you think are the lessons we should all draw, whether board members, corporate counsel, internal auditors, or executives?
2. Has your board reviewed the BP situation to see what lessons can be learned and applied at your company? If not, should you do something about that?
3. Have you and your senior leadership team learned from the BP lesson, regarding the need for:
- An emphasis on safety?
- Effective risk management, not only as a periodic exercise of risk assessment, but in daily decision-making?
- Independent, competent audits of high-risk areas?
- Follow-up to ensure that any prior incidents relating to compliance or safety (or other areas of high reputation risk) will not happen again?
- A risk response plan, with training for all who may be in contact with the media — including bloggers?
- An adequately staffed internal audit function that is focused on risks to the enterprise, rather than risks to individual locations or processes?
4. What changes have you and your company made? Are they sufficient? Could something like this happen to you? Consider that the risk is not only the event but the potential for mishandling it.
5. When was the last time you audited the risk management process? Not having one is not an excuse.