TRADING PLACES: WHAT WOULD HAPPEN IF THE SEC TOOK OVER AIR SAFETY AND THE FAA BEGAN TO REGULATE INTERNAL CONTROL OVER FINANCIAL REPORTING
Posted by brucemccuaig on October 16, 2009
Recently I gave a presentation to a group of risk management professionals. I began my preparation by compiling a slide full of logos of various serious or catastrophic corporate failures. Some of these companies survived. Others are no longer around. It was depressingly easy to put the slide together. In fact I, or anyone else, could probably compile a dozen different versions of a slide illustrating infamous logos of companies who had experienced catastrophic failure in an hour or less. I won’t bore you with my version. Send me yours if you wish.
The question I asked myself was this: Is catastrophic failure, governance, financial or other, inevitable? Is it just part of the human condition we should learn to accept? Is it present in other complex systems? Are other management systems and regulators more or less effective in preventing catastrophic events?
One startling example was easy to find and document. In spite of dramatic increases in air travel, the size of aircraft, distances flown and vast increases in air traffic and system complexity, air accidents are down. Not just down, but down dramatically. The curve has not been smooth, but where catastrophic governance failure has been persistent and pervasive in growing corporations, airline safety incidents have been consistently declining over time.
I acknowledge the comparison is unfair. Airline safety statistics are readily available on the web.
Year   Major US Accidents   Millions of Hours Flown   Accidents per Million Hours
1989   8                    11.275                    0.355
2008   3                    19.351                    0.052
I then said to myself: what is different about the regulatory environment between corporations and airlines in the US and elsewhere, for that matter?
I am not an expert on airline regulation, but I have a close relationship with someone who has some significant experience in the area. I have a little more background with financial reporting and audit standards. Just to keep things on a higher plane, forgive the pun, I thought it would be interesting to predict what would happen if the SEC and FAA traded places. What would happen if the SEC took over airline and air safety regulation and the SEC applied its regulatory philosophy to air safety?
Here is a summary of what I came up with.
First the FAA: I predict if they took over corporate financial reporting and PCAOB audit standards, here is a brief summary of what they would immediately require.
FAA would:
• Demand incident reporting
  - Near misses, actual accidents, etc.
• Demand frequent QA reviews
  - Pilots must pass “check flights” annually
• Demand specific knowledge and skills of auditors
  - Test the knowledge and skills of audit and financial annually
• Demand root cause analysis for incidents
  - Understand cause of failure and demand process improvements
• Demand testing before implementing recommendations
  - New systems, policies, etc. must get certified before implementation
• Demand the use of Key Performance Indicators
  - E.g. refurbished aircraft expected to fly additional 120,000 cycles
I then began to consider what the SEC would do if they had responsibility for regulating airlines. What tried and true regulatory principles would improve air safety?
I predict the following would be their initial priorities.
SEC would mandate:
• Aircraft must be COSO certified
  - Smaller aircraft would get exemption. Safety is too expensive.
• SAS 70 certificates would be required from aircraft manufacturers
  - Certificates would be required reading in seat back pockets. Passengers will feel safe.
• Safety defects would be publicly disclosed if they were “material”
  - “Materiality” would be decided by the airline
  - No real sanctions levied for not reporting
• No requirement for performance standards or incident reporting
  - Root cause analysis not necessary – better controls are the solution
• No flight crew certification – on the job training is OK.
  - Automated controls are far more reliable anyway
• SEC would take over the largest aircraft
  - Some planes are just too big to fall.
I will confess to some frustration. But I would not fly if the SEC regulated the air. I believe there is far more that can be done to make our corporations as safe as the airline industry. I believe catastrophic corporate failures are predictable and can be vastly reduced. I believe the tools, frameworks, technologies are all available right now. It is not entirely the responsibility of regulators. It is primarily the responsibility of practitioners.
I recently read a short paper titled “The Germ Theory of Management” by Myron Tribus. It provides succinct examples of scenarios where managers and professionals in other disciplines resist change. I think it should be required reading for GRC professionals and their regulators. Please let me know what you think. I’d be happy to hear your comments.

tboehm30 said
Check out “The Self-Destructive Habits of Good Companies” by Jagdish N. Sheth. It provides great examples of how companies do what they’ve always done and fail, or change poorly and fail.
You’ll see that it’s not always easy to see the right way forward.