The latest International Business Attitudes to Compliance survey released by Control Risks, a global risk and strategic consulting firm, has found that companies large and small are spending little on compliance, indicating that boards still consider the function as a cost rather than a benefit. This is despite a greater determination by European governments to introduce legislation aimed at holding companies and their directors more keenly to account for non-compliance, as well as a greater willingness to enforce those rules already in existence.

Based on the responses of 1,000 legal and compliance professionals globally, the survey shows that one in four (26 percent) companies with more than 10,000 employees are devoting less than U.S.$25 per person, per year, to compliance. Similarly, 28 percent of large companies have compliance teams of just one to five people. “While there is no standard benchmark to show that a specific size or budget is ‘enough,’ these compliance teams lack the resources they need to perform effectively,” says the report.

Almost exactly 50 percent of the companies in the global sample have compliance teams of between one and five people, while one in five have teams of between six and ten staff. Perhaps surprisingly, 28 percent of companies with more than 10,000 employees fall into the same category. Nearly half of the companies surveyed (46 percent) have compliance budgets of less than U.S.$250,000 a year, and another 23 percent have budgets of U.S.$250,000 to U.S.$1m. Only 10 percent have budgets of more than U.S.$10m. “These figures seem particularly low, given that the cost of a major investigation can easily run into the hundreds of thousands, or even millions of dollars,” says the report.

Indeed, the need for greater assurance that companies are acting within the law has never been stronger. Regulators are taking a keen interest in enforcing the rules more rigorously than ever before—and not just for a company’s direct operations, but also for the actions of those acting on its behalf, including subsidiaries and suppliers.

Extra-territorial legislation has fast become a powerful weapon in terms of punishing corporate wrongdoing. The U.S. Foreign Corrupt Practices Act (FCPA), with its cross-border reach, was used to fine some 30 companies a total of U.S.$2.4bn for non-compliance in 2016. And in the past year Europe has ramped up an impressive track record of enforcement against companies too, handing out some eye-watering penalties in the process.

For example, during 2016, the European Commission racked up penalties of some U.S.$4.1bn against companies involved in cartel-like activities—its largest-ever fine total levied against anti-competitive practices. Law firm Allen & Overy has suggested that there is “no reason” to suppose that the Commission will be any less aggressive in 2017. Furthermore, EU member states have also continued to pursue an aggressive approach in the past year in their pursuit of domestic cartel activity.

Meanwhile, other national regulators have been more willing to hand out strong punishments. The United Kingdom’s Serious Fraud Office has made deferred prosecution agreements (DPAs) with Tesco and Rolls-Royce (worth £235m and £497m, respectively), and in January the Financial Conduct Authority fined Deutsche Bank over £163m for persistent money laundering failings (discounted from £229m).

Across the European Union too, member states are looking at ways of holding companies and their boards more easily to account. Last November France, which has historically had a poor record with regard to stamping out corruption in corporate life—up until 2015 it had only prosecuted four foreign bribery cases, three of which resulted in minor fines of less than €10,000—adopted the “Law on Transparency, the Fight against Corruption and Modernisation of Economic Life” (more widely known as “Sapin II” after Michel Sapin, the current minister of finance who championed the legislation) which enables prosecutions for corrupt practices committed abroad. At the end of March, France also passed its multinational “duty of care” law, which compels the country’s biggest companies to publish “vigilance plans” detailing how they are monitoring for potential abuses and illegal activities in their operations, those of their subsidiaries, and those of their suppliers.

Other European countries are considering adopting similar measures. For example, legislation is currently being considered in Switzerland, where the necessary signatures have been collected for a referendum on mandatory human rights due diligence. Belgium and Spain are debating whether to also have similar legislation in place. This February, the Dutch Parliament adopted the Child Labour Due Diligence Bill, which—if approved by the Dutch Senate—would require companies to identify whether child labour is present in their supply chains and, if detected, develop a plan to combat it.

Put simply, such developments should spell out to those companies that are under-spending on compliance that they may need to rethink their approach.

Outside of budgets, the report also makes a series of assertions about the state of the profession generally—namely, that compliance professionals need to improve their profile and standing within the boardroom specifically (and organisation generally) and that they need to be more proactive when investigating areas of possible non-compliance. The report also makes the case for compliance officers to make better use of technology to increase the function’s effectiveness and efficiency.

The survey says that just one in four (27 percent) chief compliance officers attend all board meetings, despite having good access to the CEO: Control Risks’ research found that compliance is more likely to report to the CEO above all other senior managers, including the general counsel, the chair of the board or audit committee, or the CFO. As a result, compliance officers should leverage that standing to gain greater boardroom influence.

The report also suggests that compliance officers need to take the initiative and be more proactive, rather than simply “responding reactively to unfortunate events.” For example, whistleblowing lines are the most popular means of detecting misconduct in nearly two-thirds (64 percent) of organisations surveyed, which means that compliance functions are waiting for complaints to act upon. Proactive measures, such as compliance audits and surprise fraud audits, are much less popular (used in 41 percent and 18 percent of organisations, respectively), with budgetary constraints being an important factor in why they are used sparingly.

Below are some insights from the International Business Attitudes to Compliance survey.

It is important for compliance officers to make the case that the function is a business “enabler” and that it doesn’t just save the company from heavy fines, legal fees and reputational damage. If all goes well, skilful risk assessment and risk management, along with measured compliance advice, can help companies seize opportunities they would otherwise miss in high-risk markets.

Better use of technology is essential when budgets are limited.

Partnering with other assurance functions can be a smart way of improving compliance. One example might be co-operation between compliance and internal auditing to identify the most pressing concerns (such as the role of third parties), and then ensuring that specific processes occur throughout the company to address those concerns.

Monitoring technology can be an effective deterrent for non-compliance, as employees understand that their actions could be flagged by the company’s automated processes, thereby resulting in additional scrutiny by compliance personnel.

Compliance officers should be proactive and should undertake anti-fraud or anti-corruption audits. The constant threat of detection through such reviews should help deter potential breaches and help foster a culture of compliance.

Compliance officers need to draw on a range of quantitative and qualitative indicators to assess their performance/contribution. The function’s focus should be aligned to the organisation’s risks, and any review of its performance should be based on proactive—rather than just purely reactive—indicators. As breaches and weaknesses are identified, the programme should be adjusted and improved accordingly.

Ask if the company has conducted a local risk assessment to see if there are exceptions to the global compliance policy, or if there needs to be. Find out how problems with potential bribe payments are reported. Implement controls to ensure that all facilitation payments are logged and have appropriate approvals, including accurate accounting in the company’s books and records. In Control Risks’ 2015/2016 International Business Attitudes to Corruption Survey, 30 percent of respondents said they had failed to win contracts where there was strong circumstantial evidence of bribery by the successful competitor, thus increasing the temptation to pay bribes themselves.

Source: Control Risks

According to Robert Boyd, senior partner at Control Risks, compliance teams are missing a trick. “Companies are failing to use the threat of detection as a deterrent. By conducting more proactive monitoring, compliance functions will help create a better internal culture because employees will know that they could be investigated, their actions and behaviour could be questioned, and they will have a greater awareness of what the organisation is prepared to tolerate and find unacceptable.”

Control Risks also queries the way in which compliance functions typically assess their effectiveness. Most commonly (in 56 percent of cases), respondents said that they look at the number of findings of non-compliance during testing, and/or look at the number of allegations that they respond to or investigate (as said by 47 percent of respondents). But both of these popular options raise the question of whether a high figure should be regarded as a “success” or a “failure.”

As compliance functions may be struggling with limited resources, Control Risks says that a better, more targeted use of technology will help maximise their impact. Currently, IT is mainly used for performing risk assessments and to conduct proactive monitoring, but according to Control Risks, the greatest opportunities lie in risk-based third-party management and fraud prevention. However, these are the areas where technology is usually under-used: Some 36 percent of respondents say that they use IT tools for fraud prevention purposes, and just 31 percent use technology to help provide better oversight of third parties. The adoption of data analytics to monitor transactions on a real-time basis has also been slow, as only one in three companies in the survey uses the technology (though usage is slightly higher—at 41 percent—in companies with more than 10,000 employees).

Given that some of the biggest financial penalties that a company can be exposed to come from acts of bribery and corruption committed overseas, it is worrying to find that respondents say that their global compliance policies regarding anti-bribery and corruption measures can be tinkered with—at the board’s suggestion—even in some of the highest risk regions where such policies need to be most stringently communicated and enforced.

While a slim majority (55 percent) of respondents said their global compliance policy applies worldwide (without any local exceptions), some two-fifths (40 percent) of companies have local policy exceptions (however tightly defined such exceptions may be) for gift giving and 30 percent have local exceptions to the policy for “permitted interactions with government employees.” One in five respondents have exceptions regarding “facilitation payments,” despite the fact that the U.K. Bribery Act considers the practice illegal (although the FCPA permits them).

In terms of industry sector, life science companies are the least likely to insist on the same policy globally (just 48 percent of respondents do so), while infrastructure and construction are the most likely to do so. According to Control Risks, the most straightforward approach “is to have a unified global policy, but one that translates locally.”

Where local policy exceptions are made, however, it is most often at the behest of the CEO, says the report, so any tolerance of non-compliance (if the exceptions are to relax the rules rather than tighten them) comes from the top. In fact, the CEO is responsible in one out of three cases (35 percent) for deciding whether exceptions should be made to the company’s compliance policy in foreign countries.

“Compliance policies must be globally consistent but also locally translated and relevant, with guidance for example on specific circumstances such as dealing with tax inspectors in countries where demands for bribes are commonplace,” says Richard Fenning, CEO at Control Risks. “Local variations in most cases should be tighter than the global standard,” he adds.