
First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls


By Ethics & Compliance Matters™, Navex Global® | 3 Minutes Read | October 23, 2017

The root compliance problem: Shadow process

The shadow process is a huge threat that ethics and compliance officers face today.
Sometimes I revisit my compliance roots in the world of Sarbanes-Oxley – a place much more concerned with financial reporting than corporate ethics and culture, I know. Yet lessons from one group that can help the other still abound.
For example, corporate accounting and finance teams are lately starting to focus on a new accounting standard for leasing revenue, which will come into effect in 2019. The short version is that companies will need to start reporting the costs of operating leases (leases to rent real estate, data storage service, an airport gate, office equipment, and so forth) on the balance sheet. Right now, those costs are off-balance sheet, only reported in the footnotes.
The financial implications of that accounting change aren’t important to us today. But I recently attended a panel discussion of CFOs talking about the lease standard, and heard one say: “We have leasing software for the stuff we know about … we do worry about those places where leases are hiding.” Another: “We need to have a process to connect down to other departments.”
For anyone worried about anti-bribery, workplace harassment, or third-party due diligence, those sentences should feel familiar. They point to a huge threat ethics and compliance officers face today: shadow processes.
Your chief information security officer worries about shadow IT, where someone connects the company to an unauthorized network, computer, thumb drive or application. Where did that item come from? Is it secure? Does it pose a threat? The CISO doesn’t know, because the employee didn’t follow proper procedure and didn’t tell anyone.
Shadow processes are the compliance officer’s version of the same problem.
As a concept, shadow processes aren’t anything new; employees (and third parties) have been circumventing compliance requirements forever. What’s new is their ability to create shadow processes. Globalized businesses have become enormously complex. At the same time, the rise of cloud-based services means employees can create their own processes with little more than a credit card and a Google search.

How to handle shadow process

Compliance officers can’t avoid the reality that shadow processes, and the easy ability to create them, are here to stay. So what are you supposed to do about them?
First, remember what shadow processes do, and don’t, tell you. For example, an overseas division might create its own process to generate and approve purchase orders outside your normal controls for third-party due diligence. That doesn’t automatically mean the division managers are trying to bribe their way to more business; it may simply mean your due diligence process is too onerous.
All a shadow process tells the chief compliance officer is that something is amiss. It may be a problem with the process you’ve established, or the policy goals that process is meant to achieve. You need to investigate further.
Second, look for who approves what in the shadow process; that’s the choke point. Processes are meant to get something done, after all. Somebody, somewhere, needs to approve that purchase order they’re hiding from headquarters, or to pass along those projections maintained on a spreadsheet rather than the central database.
When you do find a shadow process and investigate further (see our first point, above), a conversation with the person in charge of approvals is going to be the most useful one you have.
Third, consider conflicts among policy, process and local requirements. That can often be the impetus for some business unit to create a shadow process. Perhaps local law prevents the business unit from following your process, so it creates its own. For example, local law might allow citizens more control over personal information, so the local unit creates its own processes to let citizens see data collected about them.
That’s a very different reason for shadow process than a desire to engage in corruption. Compliance officers need to consider that context. It might well be that you could create a global policy (for, say, due diligence of third parties), while delegating control of the process to local units.

Remember the fundamental question

When you, as a compliance officer, discover a shadow process, you need to ask: Is the real problem that you have too few controls, allowing employees to build this shadow process? Or do your own processes have so much rigidity that you drive employees to circumvent them so they can do their jobs?
That’s a complex question. The answer, however, helps you understand the follow-up questions to ask about corporate culture, core values and risk tolerance.
By Matt Kelly

Ethics & Compliance Matters™, Navex Global®
NAVEX Global is the recognized worldwide leader in integrated risk and compliance management software and services that help organizations manage risk, address complex regulatory compliance requirements and foster an ethical, highly productive workplace culture.