Your Quick Guide To Managing Ethics & Compliance

Journeys & Avatars 

In some organisations, risk is a journey; in others, it’s constant. There is no “best practice” risk (or compliance) framework in this context.

Last week, I spoke to a Norwegian firm specialising in constructing and managing renewable energy facilities. Their work is a journey. In this case, across LatAm. The risks differ as the project evolves, for example (very abridged):

🏞️ Land acquisition and clearance: environmental, social, and corruption issues predominate.

👷🏽‍♀️ Construction: HSE (access, safety, welfare) issues meet EPC contractors, supply chain transparency (panels, turbines, etc.), human rights, and licensing & permitting challenges.

🔌 Connection to the grid: competition, fraud, corruption, political interference (tariffs, etc.) rise to the top when the project comes on-stream.

🚧 Maintenance: an array of everything above, but a strong emphasis on keeping everyone happy as the workforce downsizes (social risks, fraud, scrap write-off, etc.) and rent-seeking officials (e.g., environmental inspectors) circle.

In this context, the risk framework needs to follow the project. There’s little point in training people to spot misappropriation fraud issues when nothing of value is on-site (pre-land acquisition). Equally, it would be weird to leave your social performance (free, informed, prior consent, etc.) planning for the end of the project.

So far, so intuitive. Well, in theory. In well-run project-led or cyclical firms (construction, energy, agribusiness, etc.), the project leaders live in a world of Gantt charts. Our job is to map our work, both methodologically (prevent, detect, respond) and tactically (see above), to the project. Additionally, there’s (often) an intuitive recognition that not everyone needs to know about every possible risk. This realisation reflects the realities of a highly stratified workforce (engineers to low-literacy labourers).

But what about other industries, where life is more constant?

Enter the avatar. I worked with a marketing and branding team about three years ago to define “customer avatars.” Initially, I hated the concept. Sticking people into clumsy boxes is antithetical to everything I have seen and learned (primarily investigative). It’s the same issue I have with certain HR doctrines, especially the guff that groups humanity into four colours.

However, the thought experiment of “what are we trying to solve/achieve for this person” is valid. For instance, the business integrity teams within investors are trying to prevent the same things that an in-house counsel at a manufacturing mid-cap might. However, the resources, pressures, stakeholders, remits, workforce composition, workflows, approvals, politics, and more differ.

So, who are the employee avatars? It depends. Let’s use an example following the “prevent, detect, respond” framework; we might break down internal avatars as follows:

💡 Prevent: anyone involved in targeting, vetting and selection (customers, strategy, employees, third parties).

💡 Detect: those onboarding, monitoring, measuring (quality, metrics, targets), or operationalising the strategy.

💡 Respond: support functions (often brought problems), managers, and those executing (sales, transactions, etc.).

If we started assigning names (procurement, operations, business development, etc.) to those categories, we could map relevant risks to their roles. For instance, supply chain transparency requirements might be a high-level “need to know” for staff with sign-off authority but a deep-dive area for procurement. Similarly, anti-competitive practices, gifts, and hospitality don’t apply to those far removed from frontline interactions; they would be highly relevant to strategy setters, executors, and business developers.

I appreciate that much of this is intuitive. However, visually mapping it out (using whiteboards, Venn diagrams, mindmaps, etc.) can help save time (and, therefore, money). Our work (risk management) is facing increased hostility and resentment. We must match project journeys and avatars to maintain relevance and retain allies.

Three years ago, during that marketing work, I was asked to develop Ethics Insight’s “core statement.” It was: “We misunderstand risk and overestimate the effort required to manage it.”

I stand by that. Risk management must shrink to allow us the capacity to manage the ever-expanding list of things it now covers. There’s only one way: make it right-sized and relevant.
