Often the ‘new sheriff’ is already in town
October 2024 | SPOTLIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
October 2024 Issue
Regulators in the UK, US and elsewhere have long demanded that companies conduct periodic audits and enhancements of their compliance programmes. For example, in 2011, the Ministry of Justice published statutory guidance (including six guiding principles) under the UK Bribery Act to help businesses implement procedures to prevent corporate bribery.
The US Department of Justice likewise issued guidelines on the ‘Evaluation of Corporate Compliance Programs’ focusing on the design, implementation and efficacy of corporate compliance controls. Central to these and similar initiatives is the governmental direction and expectation that all companies undertake with reasonable frequency and in responsible scope periodic reviews and analyses of their compliance programmes and implement any necessary enhancements or modifications identified through those evaluations.
In addition to this general guidance, new statutes and directives calling for additional compliance appraisals and controls are issued with dizzying regularity. The UK’s 2024 Economic Crime and Corporate Transparency Act includes an essentially strict liability offence (paralleling a similar provision in the Bribery Act) for failure to implement procedures to prevent fraud.
In the US, the 2021 Uyghur Forced Labor Prevention Act not only requires companies to conduct heightened due diligence to prevent exposure to relevant supply chain issues, but also mandates that importers undertake effective supply chain tracing and management to ensure compliance with the act.
The European Union’s (EU’s) May 2024 Corporate Sustainability Due Diligence Directive requires in-scope companies (including certain companies without an EU presence) to identify, assess, prevent and mitigate adverse human rights and environmental impacts on their operations, subsidiaries and value chains. The directive requires companies to conduct appropriate due diligence and remediation and to describe those measures in annual statements published on their websites.
These are but illustrations of the myriad compliance efforts required of businesses, on top of which is the burgeoning collection of obligations relating to cyber security.
These ever-expanding requirements impose on all types of companies not only heavy substantive burdens, but also significant financial, managerial and organisational costs and challenges that stretch company resources and threaten to overload businesses and undermine their abilities to provide for effective compliance.
The 2023 instalment of Thomson Reuters’ annual ‘Cost of Compliance’ survey found that many financial services companies are already finding it difficult to manage compliance costs and pressures and to balance competing commercial and compliance demands – and businesses expect regulatory requirements and associated burdens to increase while compliance budgets do not keep pace.
Increasingly, companies are turning to outside resources to assist with compliance efforts, but that injects other challenges and risks of oversight, disruption, costs and control loss. Significantly, the Thomson Reuters survey found that 45 percent of survey respondents said they did not monitor the cost of compliance with regulations across their organisations. As the compliance burdens increase, so do the obligations on, and risks for, senior management to provide for and oversee effective programmes and controls, all while running competitive businesses and utilising scarce corporate resources in prudent and effective ways.
Compliance audits regularly focus, appropriately, on the degree to which the company is delivering effective compliance. Often overlooked, however, is a rigorous assessment of whether the company is providing for compliance in the most efficient and practical way, consistent with the company’s legitimate business objectives, competitive position and available resources.
As a result, companies frequently rely on outsiders at significant cost but fail to consider carefully when and how to involve internal resources both to reduce costs and maximise effectiveness.
Companies should regularly assess not only whether they are achieving appropriate compliance, but whether they are doing so through optimal allocation and management of internal and external compliance resources.
That inquiry includes assessments of whether the company is setting clear goals and expectations, most efficiently allocating resources, relying on the right personnel and advisers, providing for effective communication, fostering employee support of relevant initiatives and prudently overseeing the use and delivery of compliance resources.
In this era of proliferating regulatory requirements and compliance demands, it is not only fair, but necessary, for companies to consider both whether they are providing for responsible compliance and whether they can streamline the ways in which they do so without reducing effectiveness. Indeed, the two aspects fit hand in glove: inefficient compliance efforts likely heighten risks of breaches, with attendant legal and regulatory exposure, loss of business and goodwill, and diminution of corporate culture and reputation.
These considerations are especially relevant for companies undergoing a compliance-related challenge or crisis, which routinely are bidden to institute or re-establish a ‘culture of compliance’. The thinking is that, if the company had had a more robust commitment to compliance and more ingrained controls, the breach would not have occurred and that, to avoid future problems, a new compliance regime should be imposed on the organisation.
Often, teams of lawyers and other advisers are brought in to dictate new policies and procedures, conduct inspections, and recommend discipline for non-compliance with the new programme. Whether by design or in implementation (or both), the effort can appear to company personnel as the imposition from outside, or at least from on high, of a new set of rules, requirements and sanctions on a workforce that cannot be trusted to do the right thing. A ‘new sheriff’ has come to town to lay down the law and restore order.
The impact of this approach on employee morale and the workplace can be debilitating and, even when significant change is necessary, can be counterproductive. Imposition of a new, externally designed compliance regimen might get across the message that change is necessary, but it might fail to cure underlying causes or foster deep-seated commitment to a better company culture.
It is more likely to create a ‘gulag’ type environment that provides insufficient practical understanding of, or support for, compliance requirements in specific situations and, instead, increases personnel disaffection and turnover, undermining both compliance efforts and productivity.
Indeed, this outside-in approach conflicts with prevailing wisdom concerning effective development of stakeholder buy-in for corporate change. It is now commonly accepted that the key to successful organisational engagement with risk management programmes is workforce involvement in the programme development and implementation, even when the bulk of the programme is designed by external advisers.
This is a continuous process of communication and commitment to identify, understand, prioritise and manage risks and to build a relationship of mutual trust and confidence between management and company personnel. Through this process, the workforce becomes – and will both see itself and be seen by others as – an extension rather than a target of the compliance team. After all, the company’s workforce is best placed to understand relevant risks and challenges and the organisational needs for addressing them effectively.
Because middle management and their reports have direct responsibility for implementing compliance initiatives and for overseeing adherence to company policies, actively involving them in the programme’s development and operation invests them with a stake in the programme’s success and converts them into ambassadors for ‘clean’ commercial behaviour.
The ‘skin in the game’ created through active workforce involvement in the development and implementation of compliance systems and controls thus heightens the prospects for an informed, properly balanced programme and for shared responsibility for the programme’s success.
Conversely, employees confronted with dictates and requirements imposed entirely by external advisers are more likely to suspect or resist them (if they even properly understand them) and are less likely to feel a connection with, or responsibility for, their effective implementation. Moreover, policies and procedures developed and foisted by outsiders without workforce involvement are less likely to address the specific risks and threats the company faces or to provide the guidance employees require in managing those challenges.
Changing or emphasising ‘tone at the top’ does not necessitate creating an environment of antagonism or suspicion. Rather, it should foster a culture of collaboration and mutual responsibility for effective compliance.
These considerations suggest that a company confronting or seeking to avoid a compliance-related crisis should eschew imposing on the workforce a fully developed package of changes and remedies and opt to involve the workforce in developing and implementing enhanced policies and procedures.
This process includes identifying the complement of employees to involve in the effort, active inclusion of those (and other) employees in all phases of the exercise, maintaining open and transparent communication between management and their advisers and the workforce, and giving employees a meaningful voice in the design and operation of the company’s compliance programme.
And it remains incumbent on senior management to actively manage and oversee the compliance process. None of this implies that a company should compromise the efficacy of its compliance efforts to achieve workplace harmony. On the contrary, this approach is predicated on the view that workforce involvement in, and engagement with, compliance initiatives and improvements not only enhances corporate culture, but heightens the prospects for programme success.
Theodore Edelman is a founding partner of Gold Collins Edelman Advisors. He can be contacted on +1 (646) 270 0811 or by email: ted@gceadvisors.com.
© Financier Worldwide