I began work on this piece while awaiting a flight from New York to Chicago en route to the CRO Conference on Sept. 11. A number of topics that would be discussed at the conference were possible themes for this post. But, on this particular day, I felt compelled to address the reflections and mix of feelings going through my mind about how our collective view of the world has changed so radically in the six years since the terrible events of that unforgettable day. As you will recall, it was only a few months after the terrorist attacks in 2001 that we learned of Enron’s problems, which were followed in rapid succession by the scandals at WorldCom and Tyco.
While no direct comparison can be drawn between the crimes against humanity of 9/11 and the corporate scandals, I would suggest that there are some interesting parallels to be made in terms of their effect and our response. Ultimately, both 9/11 and the corporate abuses impacted and undermined the public confidence and trust, which are the fundamental underpinnings of our capital markets and more critical than ever to our intangibly driven global economy. In both instances, the government took swift, dramatic legislative action to stabilize our systems and reassure our citizens, including passage of far-reaching legislation such as the Homeland Security Bill and the Sarbanes-Oxley Act of 2002. These actions, among others, prompted establishment of new government agencies, such as the Department of Homeland Security and the Public Company Accounting Oversight Board. These new groups were granted significant new authority to oversee both the public and, in some cases, the private sector.
The environment of low confidence and low trust, combined with the new legal requirements, policies, and procedures that ensued, clearly carried with them significant new costs for businesses. As noted in Stephen M. R. Covey’s recent book, "The Speed of Trust – The One Thing That Changes Everything," trust directly impacts both the speed and cost of all associated activities. Two familiar business examples: Consider how much longer it takes today to enter a building as a "visitor" or the concerns voiced by the business community regarding the burden of complying with Section 404 of the Sarbanes-Oxley Act (SOX).
In the face of new regulatory requirements, it is not unusual for organizations to implement new or enhanced policies and procedures from the "bottom up" as a safe harbor. It is often only after some time passes that organizations may become more comfortable with applying judgment and taking more of a "risk-based" approach. This is a particularly sore point as I enter debate with an airport TSA agent as to whether I have used the right size Zip-Lock bag for my toiletries and whether my deodorant is actually liquid or solid. However, for an alternative example, consider the rules-based approaches that were a root cause of some of the inefficiencies noted by companies complying with SOX for the first time.
There is no question that an enormous amount of investment has been made to enhance the confidence of the public and the efforts have been very visible. However, I do wonder whether we have truly done enough to address some of the larger issues that are not as visible. In the case of Homeland Security, this might include, for example, better control over our ports and borders, while in the instances of corporate disgrace, this would include improved corporate governance and anti-fraud programs.
When a crisis occurs, there is a natural tendency to respond aggressively and focus on actions that are the most visible. However, this focus on short-term, highly visible action can sometimes come at the expense of actions that are less visible or a focus on risks that could become future crises (think back to air travel safety before 9/11).
At a time when it seems like so many of our hallowed institutions have been tainted by scandal of some sort, it is fair to say that public trust is at its nadir. As Ralph Waldo Emerson said, "Our distrust is very expensive." However, I personally believe we are approaching something of a tipping point where our leaders in both the public and private sectors are beginning to recognize that one of their chief responsibilities is to build trust. And one of the keys to building trust is focusing on not just short-term, highly visible actions but, perhaps more importantly, on longer-term, less-visible actions that can truly address the root causes of risk.
Tom Connors is a partner in the Assurance and Enterprise Risk Service (AERS) practice of Deloitte & Touche LLP, where he is one of the national leaders of its Sarbanes-Oxley and Governance, Risk and Compliance (GRC) initiatives.
