Lessons from Distracted Driving Awareness Month

June is Distracted Driving Awareness Month, and while it is quickly drawing to a close, the message remains: Distracted driving is escalating, with 25% more vehicle accidents resulting from drivers talking or texting on cellphones. More cars on the road, especially during summer months, also translates to more accidents.

Organizations with fleets should take note as motor vehicle crashes are the number-one cause of work-related deaths, accounting for 24% of all fatal occupational injuries, according to the National Safety Council (NSC). On-the-job crashes are also costly, with employers sustaining costs of more than $24,500 per property damage crash and $150,000 per injury crash.

Zurich sums up NSC statistics:
Employers can and are being held liable for damages resulting from employee accidents. “We might expect an employer to be held liable for a crash involving a commercial driver’s license holder who was talking on a cell phone with dispatch about a work-related run at the time of an incident—especially if the employer had processes or a workplace culture that made drivers feel compelled to use cell phones while driving,” the NSC said.

The lines believed to exist between employment-related and personal or private life get blurred in some cases involving:

  • Cell phones owned by employees as well as employer-provided equipment
  • Vehicles that were employee-owned as well as employer-owned or leased
  • Situations where employees were driving during non-working hours or were engaged in personal phone calls

To protect themselves and their employees, the NSC recommended that organizations implement and enforce a total ban policy.

“The best practice is to prohibit all employees from using any cell phone device while driving in any vehicle during work hours or for work-related purposes. Regarding off-the-job hours, precedent has been set by lawsuits. Thus employers may want to extend their policies to cover off-the-job use of company-provided wireless devices, use of personally-owned devices that are reimbursed by the company, and use of devices in company-provided vehicles. All work-related cell phone use while driving should be banned 24/7,” the NSA advised.

Companies should also pay attention to other common distractions that can lead to accidents, Zurich adds:

Implementing a Safety Culture for Company Drivers

Organizations with a safety policy in place for drivers of company vehicles may believe they are protected from liability in case of an accident. What they may not realize, however, is their defense could hinge on documentation of steps they have taken to ensure that the policy is being followed by employees, according to the study, Creating a Safety Culture: Moving from politics to habits, by SambaSafety.

The study found that, regardless of the policy in place, “simply saying that you didn’t know about poor driving behavior will no longer cut it – not when people’s lives and companies’ well-being are at stake. With the data readily available today, the courts are sure to ask how you didn’t know.”

To implement a successful program, it is important for employees to understand that the company’s policies must be followed by employees at all levels. “If someone in senior management breaks the rules and suffers no aftereffect, what’s the motivation for others to keep things in line?” the study asks.

Additionally, safety policies are not limited to employees whose primary responsibility is driving, or to those who drive company-owned or leased vehicles. According to the study:

Employee-owned or rented vehicles that are used for work-related journeys also must be part of the equation. To decrease liability (in addition to improving safety), policies should clearly state this fact and affirm that the same safe behavior is expected of every driver in the organization – on and off the job. That behavior might include non-distracted driving, for example, or even properly maintaining a personal vehicle used for company business to ensure safety and a positive refection of the organization.

Employees need to know that their employer can be held responsible for anything that happens while employees are conducting company business. Organizations also need to see that reimbursed drivers have adequate insurance, as well as administering signed driver agreements, providing uniform driver training – and ensuring that all drivers’ behavior and records are continuously monitored.

To move into a safety culture, SambaSafety advises organizations to keep their program in line with company principles, values and brand. Also important is working with the company’s existing culture:

Employees in a high-energy, competitive environment, for example, may enjoy contests between regions vying for the safest driving records. In a top-down culture, on the other hand, employees might respond best to regular tips and reminders from respected senior leaders.

In any case, clear communication can keep drivers from feeling micromanaged or worrying about their privacy and personal information. It can also mean fewer accidents and a higher level of safety for employees.

Fewer Sleepless Nights for Compliance Executives

Improved compliance programs, sufficient resources and board access have meant fewer concerns about personal liability for compliance executives, according to a study by DLA Piper.

In its 2017 Global Compliance & Risk Report, DLA Piper found that 67% of chief compliance officers surveyed said they were at least somewhat concerned about their personal liability and that of their CEOs, which was down from 81% in 2016. And 71% said they made changes to their compliance programs based on recent regulatory events, up from just 21% a year earlier. The study found that globally the compliance function is becoming more independent and prominent in large organizations.

There still remains room for improvement, however, most notably in compliance’s relationship with boards of directors. Directors, surveyed for the first time, were more uneasy, with 82% expressing at least some concern about personal liability. “This is likely related to other findings that show lingering kinks in communications channels and a persistent lack of training for directors. Together, these findings indicate that the relationship between the compliance function and boards needs work—despite efforts taken by organizations to upgrade their compliance program,” DLA Piper said.

In 2016, 77% of compliance executives said they had sufficient resources, clout and board access to support their ability to effectively perform their jobs. This year the number rose to 84% who said they felt that way. The improvement is possibly a reflection of the increased percentage of respondents who had the resources to make changes to their compliance program, compared to 2016, according to the survey.

While more respondents said they are increasingly able to affect change, obtain the resources they need and access senior leadership, however, a larger number said their budget was not high enough to accomplish their goals, from 28% in 2016 to 38%.

Boards had a different view, with 53% of directors agreeing strongly that their compliance group had sufficient resources, clout and board access. This was compared to just 29% of CCOs, which could indicate that CCOs are not effectively communicating their needs, the company said.

Of concern was that many directors appear to be receiving inadequate reporting and training on compliance matters. About a quarter of both CCOs and board members said the compliance function at their organization reports to the board less than once per quarter.

Of training, the report said that in light of a perceived heightened liability exposure for directors, it is puzzling that 44% of director respondents said they hadn’t received any training on compliance issues. Given evolving compliance standards and regulations—such as new Securities and Exchange Commission guidance on conflict minerals and updated DOJ guidance on corporate fraud—it’s arguable that training is more important than ever. Failure to engage in training could amount to a breach of fiduciary duty.

Almost half of respondents, 46%, identified monitoring as the weakest part of their compliance program. Monitoring, however, is particularly important in managing third-party risk, as regulators remain focused on violations related to third parties and as companies struggle to manage sprawling global organizations, DLA Piper said.

Top tools companies use to rate their compliance program:

In a Changing World, Questions For the CRO

Before the financial crisis in 2008-2009, many businesses didn’t think of risk as something to be proactively managed. After the crisis, however, that paradigm shifted. Companies began perceiving risk management as a way to protect both their reputations and their stakeholders.

Today, risk management is not just recommended, it is considered crucial to successful operations and is required by federal and state law. The SEC’s Proxy Disclosure Enhancements, enacted in 2010, mandate that organizations provide information regarding board leadership structure and the company’s risk management practices. Company leadership is required to have a direct role in risk oversight, and any risk management ineffectiveness must be disclosed.

The CRO’s role

Volatility in the current business environment—a confluence of factors including transfers of power, the world economy and individual markets—is nothing new. Political transitions have always been accompanied by new agendas and shifting regulations, economies have always experienced bull and bear markets, and the evolution of technology constantly changes our processes.

Even so, recent events like Brexit, the uncertainty of a new administration’s regulatory initiatives, and thousands of annual data breaches have contributed to an unprecedented atmosphere of fear and doubt. To navigate this environment, the chief risk officer needs to adopt a proactive risk management approach. Enterprise-wide risk assessments grant the visibility and insight needed to present an accurate picture of the company’s greatest risks. This visibility is what the board needs to safely recognize opportunity for innovation and expansion into new markets.

To grow a business safely—by innovating and adding to products/services and expanding into new markets—risk professionals should not focus on identifying risk by individual country. This approach naturally leads to a prioritization of “large-dollar” countries, which aren’t necessarily correlated with greater risk. Countries that contribute a small percentage of overall revenue can still cause major, systemic risk management failures and scandals.

A better approach is to look at risk across certain regions; how might expanding the business into Europe, for example, create new challenges for senior management? Are there sufficient controls in place to mitigate the risks that have been identified?

When regional risks are aggregated to create a holistic picture, it becomes possible for the board to make sure expansion efforts are aligned with strategic goals.

Three processes that require ERM

Risk management is an objective process, and best practices, such as pushing risk assessments down to front-line process owners who are closest to operational risk, should be adhered to regardless of the current state of the international business arena.

While today’s political climate has generated a significant amount of media strife, it’s important not to let emotion influence decision-making. By providing the host organization with a standardized framework and centralized data location, enterprise risk management enables managers to apply the same basic approach across departments and levels.

This is particularly important when an organization expands internationally, which involves compliance with new sets of regulations and staying competitive. Performing due diligence on an ad hoc basis is neither effective nor sustainable. Instead, the process should follow the same best-practice process as domestic risk management efforts:

  1. Identify and assess. Make risk assessments a standard part of every budget, project or initiative. This involves front-line risk assessments from subject matter experts, revealing key risks and processes/departments likely to be affected by those risks. For example, financial scrutiny is no longer a concern just for banks. Increased attempts to fight terrorism mean transactions of all kinds are becoming subject to more review. Anti-bribery and anti-corruption processes estimate and quantify both vulnerability and liability.
  2. Mitigate key risks. Connect mitigation activities to the resources they depend on and the processes they’re associated with. ERM creates transparency into this information, eliminating inefficiency associated with updating/tracking risks managed by another department. Control evaluation is the most expensive part of operations. Use risk management to prioritize this work and reduce expenses and liability.
  3. Monitor the effectiveness of controls with tests, metrics, and incident collection for risks and controls alike. This ensures performance standards are maintained as operations and the business environment evolve. Evidence of an effective control environment prevents penalties and lawsuits for negligence. The bar for negligence is getting lower; technology is pulling the curtain back not only internally but (through social media and news) to the public as well.

Lastly, the CRO role is increasingly accountable for failures in managing risk along with other senior leaders and boards—look no further than Wells Fargo.