Adhering to compliance putting industry under significant stress
Increased regulation is putting compliance professionals under immense strain, making them feel more exposed to risk than they did two years ago. Perhaps even more concerning, compliance professionals say that compliance has become so elaborate that it represents a risk in itself. If indeed compliance has become so complicated that it is getting in the way of compliance professionals doing their job and safeguarding their company’s reputation, then the industry really does have a problem and one that needs urgent attention.
In August 2015, The Risk Advisory Group chaired a roundtable discussion of leading compliance professionals drawn from our global client base. Our purpose was to understand from them what they considered to be their key challenges, what resources were required for them to be effective, and what issues they thought they would have to face in the medium term.
Based on those conversations we created a survey to which more than 200 of our worldwide clients responded. The respondents were drawn from a wide range of sectors and geographies. Thirty-two per cent of respondents worked in corporations that employed 10,000 or more employees, and 54 per cent in corporations that employed more than 1,000. We therefore regard the results as both informative and comprehensive.
The results paint a picture of a business function under significant pressure. Sixty-nine per cent of all respondents said they felt that their business was more exposed than it was two years ago and 78 per cent agreed that the sheer complexity of compliance represented a risk in itself.
The drivers? Fear of scandal, increased regulation, and increased scrutiny were all highlighted as material concerns. Indeed, protecting the company’s reputation was identified by 59 per cent of respondents as compliance’s primary role.
What lies behind these drivers is a fundamental shift in Government policy, which started in the US approximately 15 years ago.
The US, and now other governments, recognised that whilst they had the desire, they had neither the competence nor the resource to effectively regulate financial markets or to impose policy goals directly on those that may offend. In order to effect change they transferred the obligation to corporations to implement policy for them.
Anti-money laundering and terrorist financing, anti-bribery and corruption, prohibitions on transfer of technology and, most recently in the UK, the Modern Slavery Act are examples of this trend.
However, unlike when a state function fails to discharge its mandate, significant financial and reputational penalties are imposed on corporations that fail. CEOs and in some instances boards are terminated and, in the last 10 years, financial sanctions have increased massively.
BP, Pfizer, GlaxoSmithKline, Eli Lilly, Hoffman-La Roche, Siemens, and Halliburton have been subject to penalties of between $400 million and$1.2 billion in the last seven years for bribery, antitrust, cartel, and environmental related issues. These huge sums are matched by equally huge sums spent on legal defence and remedial action.
In 2012, HSBC was fined $1.9 billion for money laundering and two years later BNP Paribas a staggering $8.8 billion for similar offences.
It is not clear yet what the financial consequences of the VW emissions scandal will be, but it would be prudent for its new board to reflect on whether seven billion dollars provision is enough.
In addition to long-term policy objectives, sanction regimes are also used to achieve short-term policy goals. The sanctions on Russia in respect of the Ukraine and the upcoming sanctions by Russia on Turkey following the destruction of a Russian bomber present immediate examples.
It is perhaps for these reasons that our respondents were concerned about increased regulation (55 per cent) and geopolitical events (41 per cent).
The use of regulatory sanction is unlikely to change. For, even if regulation fails to achieve the behavioural change governments seek, it has become a very significant source of income.
As regulatory regimes expand and sanctions increase, other dynamics have evolved that inevitably complicate compliance’s role.
In the US, shareholders have made many attempts to use common law fraud, securities violations, and the Racketeer Influenced and Corrupt Organizations Act (RICO) statutes to sue corporations that have been subject to regulatory scrutiny. Thus far, they have been unsuccessful, but it is unlikely that the plaintiff bar will give in.
In England, the high court admitted a claim for the tort of unlawful act conspiracy against Innospec Limited, Innospec Inc, and David Turner. The claim failed on the facts, but the admission of the claim means further actions will inevitably follow.
Mergers and acquisitions
In mergers and acquisitions the prospect of successor liability has driven potential acquirers to focus not just on revenue origination and integrity of financials but also on operational risks relating to businesses that they seek to acquire.
Both the US Securities and Exchange Commission (SEC) and the Department of Justice (DOJ) have made it plain that ‘when a company merges with or acquires another company, the successor assumes the predecessor company’s liabilities’.
In addition, whilst the concept of successor liability is not established in other legal systems, it is plain that if you buy a business and it continues to breach criminal law or regulation, regulators will sanction in respect of post-acquisition conduct. It is therefore essential for that conduct to be identified and stopped and arguably, regulators notified.
Civil litigation against advisors
In 2012, Sidley and Austin, a US law firm, was sued by Watts Water Technologies. Sidleys had been retained by Watts to undertake due diligence on an acquisition in China. During the process, Sidley was handed the acquisition target’s written policy on paying bribes to Chinese Government officials to obtain contracts. It failed to draw this document to the attention of Watts Water, who were required to pay $3.8 million in penalties to the SEC due to the acquisition’s conduct.
Drive for growth
In 2014, £3.5 trillion of merger and acquisition deals were completed (Thomson Reuters 2014 financial review). AT Kearney reported that this was a 47 per cent increase on 2013 and the largest increase since the 2007 economic crisis. Deals of more than $5 billion doubled in volume, with media, healthcare, and energy the most active sectors. Two of these feature highly in government enforcement actions.
As the global economy recovers some semblance of normality it is highly likely that M&A will increase and the challenges for compliance will become more profound.
These then are some of the challenges that were clearly in the minds of the survey respondents.
Change in optic
Against this background, it is not surprising that 38 per cent of respondents said more people with the right knowledge of the business would make the biggest difference to the compliance team’s ability to protect the business.
As compliance touches on every aspect of business, from deal or transaction origination, to operational risk through to disposal, it is perhaps time to recognise that compliance is the wrong name. Executed in the right way, effective and rigorous risk management is a value creator and not simply a control mechanism.
Ensuring consistency of approach across the globe is a huge challenge for any multinational organisation. However, a coherent and consistent approach is precisely what a regulator looks for.
The requirement to be able to demonstrate adequate procedures under the Bribery Act or to fall the right side of the Federal Sentencing Guidelines is understood by those that have the mandate to protect their organisations. This is perhaps why 16 per cent of respondents said more efficient processes would make a difference to a compliance team’s ability to protect their business.
Consider the need to be able to demonstrate that the same review processes on third party relationships are undertaken on a global basis, that the same contracts are used, that appropriate training has been provided and executed, that all reports are centralised, and that KPI and escalation procedures are in place. Then, add to that the need for information security and privilege and you get some idea of the challenge.
Indeed, without technology organisations are bound to fail.
By Bill Waite
Group Chief Executive Officer