John Bell Hood and the Measurement of Conduct Risk

by Thomas Fox

John Bell HoodReaders of this blog know I am huge Civil War buff. Growing up in Texas, I only focused on the Southern side as a youngster and while this led to a sometime myopic view of events, in my mid-20s when I did begin to study the Northern side of the war, because I had never seriously studied from that perspective an entire panorama opened up for me.

One thing that never changed however, was the disaster that befell the South from the appointment of John Bell Hood to commander of the Army of Tennessee, which opposed General Sherman’s advance into Georgia since his stunning defeat of the Confederate forces at Chattanooga and later Lookout Mountain in Tennessee in late 1863. On this day 150 years, Confederate President Jefferson Davis replaced General Joseph Johnston with John Bell Hood as commander of the Army of Tennessee. Davis, impatient with Johnston’s defensive strategy in the Atlanta campaign, felt that Hood stood a better chance of saving Atlanta from the forces of Union General William T. Sherman. President Davis selected Hood for his reputation as a fighting general, in contrast to Johnston’s cautious nature. Hood did what Davis wanted and quickly attacked Sherman at Peachtree Creek on July 20 but with disastrous results. Hood attacked two more times, losing both and destroying his army’s offensive capabilities. Over the next two weeks in 1864, Hood’s actions not only led to President Abraham Lincoln’s reelection but spelled, once and for all, the doom of the Confederacy.

I thought about the risks of appointing Hood to command when I read a recent article in the Compliance Week Magazine by Carol Switzer, co-founder and President of the Open Compliance and Ethics Group (OCEG), entitled “A Strategic Approach to Conduct Risk”. Her article was accompanied by an entry in the OCEG Illustrated Series, entitled “Managing Conduct Risk in the GRC Context”, and she also presented thoughts from a Roundtable which included John Brown, Managing Principal, Risk Segment, Financial and Risk Division at Thompson Reuters; Tom Harper, Executive Vice President-General Auditor Federal Home Loan of Chicago and Dr. Roger Miles, Behavioral Risk Lead, Thompson Reuters.

In her article, Switzer pointed to the “Ill-advised risk taking” which led to the near-collapse of the financial sector as the genesis for the creation of the UK’s new Financial Conduct Authority (FCA). But she also noted that conduct risk is something that exists in industries far afield from the financial sector where “sales schemes driven by inappropriate incentive plans and outlandish short-term objectives” can cause severe financial consequences to an organization. As an example of the need for change in the financial section, Switzer quoted Clive Adamson, FCA director of supervision, on the need to address conduct risk, “Achieving an effective conduct- or customer-focused culture is challenging for firms, particularly for those whose focus has been primarily on profitability and shareholder returns. … From what we see, there are key drivers that set and re-enforce this conduct-focused culture, with the most important being clear and ongoing leadership from the top of the organization, constant re-enforcement, hiring practices, incentive structures, effective performance management, and penalties for not doing the right thing, all of which should set the tone for a framework for decision making on a day-by-day basis.”

Switzer continued that “Throughout his speech and other materials published by the FCA, there is a theme that returns over and over again to integrity, leadership, culture, the concept of controls over conduct, and strong risk management—all tied to an outcome of business success. What is this? It is a vision of principled performance—a point of view and approach to business that enables organizations to reliably achieve objectives while addressing uncertainty and acting with integrity. And it is refreshing to see leaders (and in some cases past wrongdoers) in the financial sector rising to the occasion and establishing a principled performance approach to conduct risk, even though they may not yet call it that.”

Harper described conduct risk as follows, “Conduct risk embodies elements of the risks that we have been discussing over the past few years, including not only operational and compliance risk, but also reputational risk and tone-at-the-top. The idea that organizations need to ‘do the right thing’ and balance the immediate pressure of short-term growth and revenue along with meeting the aspirations of equity holders and managers is not new. In the past, conduct risk was primarily mitigated by the long-term focus on the goals of the organization of the board and management.”

In the Illustrated Series piece included with the article, Switzer set out four principles for managing conduct risk. These principles are an excellent starting point for the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption compliance practitioner in that it can be used to evaluate, assess and manage conduct risk in such a context.

Assess Conduct Risks

Miles stated that, “The idea of benchmarking “conduct” as a basis for business, or life in general, is actually of course a very old one. Constraints on behavior are exactly the right direction to go in, though it’s not yet clear how these will be framed, let alone policed. Now with the FCA’s new Risk Outlook 2014, there’s a big step forward. They have a deep commitment to sharing understanding about how various elements of behavior feed through into good and bad product design, into selling or mis-selling.” Based on this Switzer believes that you should first identify potential conduct risks in your business. After such identification, you should conduct a risk and control assessment. From this measure, you can best determine the level of inherent and residual risk. Finally, you should carry out an emerging risk workshop to develop a more complete risk profile.

Establish Risk Appetite

Brown pointed towards the increased complexity in financial institutions as a key problem. As part of the solution, Switzer writes that the first step is to connect the risks, controls and other framework elements to your company’s organization chart. From there, you should determine risk capacity, your company’s current risk profile and its risk appetite. Next you should measure your risk appetite adherence. Finally, you will need to align your risk appetite with your company’s risk governance framework.

Measure and Monitor 

Here Switzer suggests that there be a detailed information collection on any issues associated with risk events. It is important from that point, you begin to track key risk indicators. Miles noted that “Managing risks due to behaviors and cultures requires a deep understanding of psychological drivers and developing programs to modify those drivers”; as such measurements would allow your company to begin to move from simple detection and prevention to predictive controls through the use of behavioral and analytical modeling. Finally, you could use the above information to perform scenario analysis on emerging risks.

Communicate and Manage

Switzer advocates that you communicate and train your company’s employees on your organization’s risk culture. You should also work to ensure that employees have accepted their risk conduct appetite metrics. Brown said, “Behavioral drivers will vary around the world based on societal culture. I’ll focus on what might be appropriate for U.S.-based organizations. Most people operate to maximize their personal return, so compensation structures are an obvious avenue to modify conduct. If my bonus or equity compensation is based on specific targets, such as new accounts, loans written, or customer satisfaction index, I will try to maximize those targets.” This is why you should continue to collect all key data about conduct risk in one data repository. Finally, you should also continue to provide reports and analyses on conduct risk to key stakeholders and regulators, if required.

Switzer ended her article with the following quote from Gary Kasparov, “Think about it: After just three opening moves by a chess player, more than 9 million positions are possible. And that’s when only two players are involved in the game. Now imagine all the possibilities faced by companies with a whole host of corporations responding to their new strategies, pricing, and products. The unpredictability is almost unimaginable.” From this she added, “This couldn’t be truer than when facing the myriad challenges presented under the umbrella concern of conduct risk. Masterful strategic planning and execution is essential to stay in the game and win.”

The risks that General Hood was willing to engage in were catastrophic for his army and the Confederacy. If Jefferson Davis had used a risk conduct analysis to think through the effects of elevating Hood to command of the Army of Tennessee the results might have been very different for all involved. Switzer’s article provides a valuable tool for the compliance practitioner to bring to bear on specific conduct which could put a company at risk.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thomas Fox, Compliance Evangelist | Attorney Advertising

Written by:

Thomas Fox

Compliance Evangelist on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.