Numerous recent cases arising in Africa, Asia, Europe and the Americas in industries as disparate as oil and gas, construction, medical products, telecommunications and insurance, to name a few, reflect the heightened concern over payments to and transactions by corrupt government officials. Governments in Germany, Australia, the United States and the United Kingdom, for example, increasingly are prosecuting individual and corporate wrongdoers. As well, regulators are enforcing stricter compliance with regulations for companies charged with detecting money laundering and terrorist financing activities. Additionally, the loss or theft of consumer information by global companies has become a symbol of corporate negligence and disregard for citizen privacy rights. Finally, companies are finding their products and services implicated in an illegal transfer in violation of export control regulations or economic and trade sanctions regimes, whether carried out directly or indirectly.
The current financial stresses have intensified global sensitivity to misconduct. With corporate compliance resources limited and regulators dealing with issues of fiscal solvency, criminal organizations see these conditions as an invitation to exploit corporate involved in global commerce. Nonetheless, some corporations have devised effective responses to enhance the effectiveness of their compliance efforts; efforts that make them less vulnerable not only to misconduct but to the perception that they are vulnerable to abuse.
Here are some of the key initiatives that have been employed.
Know Your Risks, Explicitly. Whether it is identifying the particular regulations that apply to the business, keeping track of the lessons learned from bad events experienced by the company or its peers, or keeping in touch with potential risks that come to light in the day to day experience of employees and customers, companies have a great deal of information available to proactively assess risk. These should be brought together in a formal risk assessment designed to capture the sources of the company’s vulnerability. Once the risk assessment crystallizes the company’s risks, senior management and the Board must attend to the risks comprehensively and explicitly. After all, analysis is not worthwhile if it does not result in actionable mitigation strategies.
Take Your Risks Seriously. Risk prevention needs to be carried out as seriously and deliberately as any other business plan. Take an operational approach to the detection and prevention of risk events. Select personnel who are qualified and effectively trained. Evaluate them annually against established goals that reflect their role and responsibility in detecting and mitigating risk. Periodically test the way that the company is carrying out the risk mitigation processes it has tailored to the risks it has identified. Deloitte LLP carried out a survey of corporate executives in 2009 regarding independent testing for regulatory issues and found that senior management had ongoing concerns as to the adequacy of their testing budgets, the effectiveness of their training programs, and the lack of clarity with respect to regulatory obligations and expectations. While these issues are difficult to resolve, they are largely in the control of the company, and the company will be seen as able and therefore responsible to deal with them. And taking risks seriously means that the company has to determine how to do so promptly, on a risk based basis. If consumer fraud is a key issue, for example, the company needs the systems and personnel to quickly identify paradigms as they are occurring, lest fraud losses mount. The risk of compliance failure has become more and more of a franchise risk, and deserves the same level of commitment and attention from management and the Board as any other franchise risk, as well as the same thorough planning and responsive funding.
Dig Into Bad Events. No one wants to have data stolen, money embezzled, or their services used by criminal organization or terrorist financiers. But no business with a global reach can protect against every possibility. Sooner or later, bad things happen. When they do, however, the company can determine how quickly and decisively the bad event is investigated. It can control what kinds of consequences or rewards are visited upon employees who were either careless, courageous, or just doing what they were supposed to do (which didn’t work well enough). Swift and responsive action can send a credible message about the company’s priorities to other employees, customers, law enforcement officials, and stakeholders. The most forward thinking companies have found ways to turn a bad event into an effective strategy to prevent future or related problems, rather than responding to the event only by solving the problem immediately at hand. Most importantly, because bad events inevitably recur in some form, companies that take the time to determine the right lessons and the right attitude needed to move forward are more successful at avoiding risk. Corporate culture should be a defense, not another weakness.
Manage Incentives for the Right Behavior. Distinguish the short term and long term interests, and react accordingly. In the short term, employees, customers and unrelated bad actors often calculate risk and reward differently from the company. Human behavior is slow to change, but a company can, as part of its risk approach, identify these vectors and improve them, such as by making a big splash when rewarding employees and management who have acted in the long term interests of the company in avoiding risk. Or, a company can create a strong relationship with law enforcement officials and stay apprised of what they need when an outsider is doing harm. The arrests and prosecution that result can make a similar kind of big splash, reaffirming the company’s values and determination and showing potential bad actors that the company is able to protect itself. These kinds of measures also help a company’s management and staff keep a sense of power about protecting the company, a confidence that is critical to an effective compliance function.
The current environment has compliance challenges, but corporations have many options available to meet them. How effectively corporations meet compliance challenges can be as important a differentiator from other companies as price and product quality. The more a company understands its compliance risks and prepares to meet them, the better it becomes at understanding the true costs of doing business on a global scale. A company that is smarter in compliance can become less vulnerable and, as a result, stronger in the marketplace.