Compliance is Riskier Than Ever

By Gerry Zack, CEO, Society of Corporate Compliance and Ethics

Over the years, there has been a steady growth of compliance-related risks that bring untimely death to any business unfortunate enough to cross paths with them. Companies invest all their money and time into their products only to be hindered by unexpected legal drawbacks. In particular, four of these factors have the most domino-like effect on business, namely: outsourcing and supply chain, prosecutions, privacy laws, and social media.

The last thing any business wants is to develop and deliver a great product or service that customers love, only to be hit with a massive fine by regulators who discover that the company violated an important law along the way. But the risk of this happening is greater than ever, and this risk is not limited to the huge publicly-traded companies. Organizations of all sizes need to take a proactive stance in guarding against compliance violations.

The need for an organization-wide framework aimed at complying with laws and regulations has never been greater. “Compliance program” is the term used to describe such a framework. It involves several inter-related components functioning under a centralized structure, and it requires cooperation across virtually every department within an organization.

Several factors have contributed to the increased level of compliance-related risk for organizations.   However, four have had the most dramatic effect.

Outsourcing and Supply Chain are Increasing Compliance Risks

The tentacles of compliance risk extend far beyond the hallways and factories of your company. One of the most notable trends in compliance risk in recent years is the increased number of cases in which companies are held accountable for compliance violations engaged in by key third parties – such as suppliers, partners, and sales agents.

For many years, regulators held companies accountable only for actions directly committed by employees, with few exceptions. That has changed, and in dramatic fashion. Suppliers, intermediaries and sales agents are the most commonly cited third parties whose violations may be attributed to an organization. This has significantly increased the importance of vetting third parties and actively monitoring higher-risk activities for which a company utilizes third parties.

Prosecutions Don’t Stop at the Border Anymore

Adding to the complexity of managing compliance risk is an increasing trend towards cross-jurisdictional cooperation among regulators and the enforcement community. For many years, multi-national organizations were shielded from some risks because investigators in one country rarely shared any of their information or cooperated in the investigation with investigators from another country.

That has changed. Now, it has become very common for investigators from a regulator in one country to cooperate with those from other countries in their pursuit of compliance violations. A company located in Country “A” that violates a law in Country “B” in connection with a product shipped to a customer in Country “C” now may find itself being investigated concurrently by all three countries. And as the three countries share details of their investigations with each other, it enables all three to build bigger and stronger cases against a company.

Privacy Regimes are Creating Double the Complexity

The implementation of GDPR and several other privacy laws globally have had a two-pronged effect on compliance. First, there is the issue of complying with the privacy laws themselves. These laws are often complicated or worded vaguely, leaving much interpretation to the individual organization.

But a second issue is the effect that compliance with privacy laws has on other aspects of compliance, particularly in performing due diligence, monitoring, and investigations. Some of this effect is imagined, as people read more into GDPR and other laws than they should. But a part of it is real. Complying with stricter privacy laws can have an impact on an organization’s ability to engage in other elements of its compliance program.

Take a compliance investigation for example. While most privacy regimes have exceptions for investigations, there is an added layer of documentation and complexity that results when some of the documents or records needed for an investigation are subject to new privacy laws.

Social Media is Unforgiving

Word of compliance issues spreads more quickly than ever, and much of it is inaccurate or filled with opinion rather than fact. Worse, the harsher the judgement rendered, the more traction it gets online.  So, defenders and more moderate views are quickly overwhelmed by the more extreme comments.

Sometimes it begins with an employee posting something as word of a compliance problem gains traction in an office, other times it’s from the press, a competitor, or some other source. Regardless, early information is almost always inaccurate, and often makes a problem out to be worse than it is. But it’s late once others join into the conversation.

The stakes are higher than ever, and the damages aren’t limited to the penalties assessed by regulators. The financial harm resulting from reputational damage can escalate faster than ever when information spreads so quickly.

The Positive Trend

The good news is that the heightened risk climate is tempered by government actions that are providing greater incentives for organizations that demonstrate efforts to comply through their compliance programs.

The OECD has long encouraged its member countries to adopt anti- corruption legislation and encourage compliance programs. Governments are listening, and now not only can you find laws encouraging compliance programs in many states, you can also find a striking consistency in them.  While the exact words may vary, they echo the same common elements for compliance programs:

1. A series of policies and procedures aimed at conduct and compliance, both high-level policies like codes of conduct, as well as detached procedures that establish strong internal controls designed to prevent and detect noncompliance
2. High-level (senior management and the board of directors) oversight of a compliance function
3. Due diligence in hiring and promoting employees, as well as third parties, aimed at screening out individuals or companies considered beingv of high risk
4. Education and training of employees and certain third parties to improve awareness of compliance requirements.
5. Monitoring and auditing on an ongoing basis, in order to detect signs of procedural violations or noncompliance
6. Investigation of possible noncompliance, resulting in consistent enforcement and discipline when employees or third parties are found to have violated laws
7. Remediation of internal controls, policies and procedures whenever noncompliance has been discovered, in order to minimize the risk of recurrence
8. Periodically performing compliance risk assessments, so that the organization takes a proactive approach to anticipating where compliance risks are emerging or changing and to better prioritize risk mitigation efforts

Second, the US Department of Justice, still probably the world’s most aggressive prosecutor of corporate wrongdoing, has been emphasizing the value of compliance programs even more in recent years. Its pilot program for Foreign Corrupt Practices Act violators – encouraging them to come forward on their own and demonstrate an effective compliance program – is no longer considered a pilot program but a matter of practice. A similar approach has now been adopted for anti-competition law violations as well. In addition, DOJ guidance for prosecutors take compliance programs very seriously and focus on them when determining factors that can reduce settlement amounts. 

In sum, while the risks have never been more significant, compliance programs now provide even greater opportunities for companies to mitigate those same risks.

Executive Profile

Gerry Zack, CFE, CCEP, CIA, CPA, is the CEO of Society of Corporate Compliance and Ethics & Health Care Compliance Association (SCCE & HCCA).

Gerry has more than 30 years of experience providing preventive, detective, and investigative services involving fraud, corruption, and compliance matters. He has worked globally with businesses of all sizes and in many industries, nonprofit organizations, and government agencies.