Everything you need to know about compliance management, risk assessments and tips for implementation
Where did compliance originate and why is it becoming more important for companies?
The seeds of compliance were sown in the 1970s and 1980s, when scandals in the USA (Watergate, Lockheed) highlighted the widespread practice of companies bribing politicians and government officials. These events led to the US passing the Foreign Corrupt Practices Act (FCPA) in 1977, which outlawed corporate bribery of foreign government officials for the first time. Further corporate scandals and collapses, such as the Enron case in 2001, increased calls for stronger compliance and regulation, particularly for publicly traded corporations. The most significant statutory change in this context was the Sarbanes–Oxley Act of 2002, which imposed significantly tighter personal responsibility on corporate top management for the accuracy of reported financial statements. Since then, increased regulation in both the USA and Europe (UK Bribery Act, SAPIN II in France, EU Whistleblowing Directive) has caused top management to place greater emphasis on compliance and ethical conduct, to reinforce their compliance departments and to implement comprehensive compliance management systems.
Why is risk assessment an essential part of compliance management?
Common compliance frameworks (ISO 19600, IDW PS 980) and the relevant international regulations (such as the DoJ guidelines and the UK Bribery Act) all state that a comprehensive compliance risk assessment should form the foundation of any compliance programme. A risk assessment ensures that companies set the correct priorities and implement effective measures to counteract the compliance risks that actually apply to them. Ideally, the compliance risk assessment is carried out before the compliance department puts any specific compliance measures in place, so that resources can be correctly allocated from the start.
If a compliance violation does occur, the risk assessment also serves as important evidence to law enforcement and auditors that the company has thoroughly considered the risks and has taken appropriate countermeasures.
How do I implement compliance management in my company?
As a general rule, compliance management will not succeed unless there is a culture of integrity in the company. This is the foundation of any successful compliance management programme. Without it, organisations are likely to view their ethics and compliance programmes as a set of tick-box activities or, even worse, as a roadblock to achieving their business objectives.
If your company is new to compliance management, the following six tips will help you to get started:
- Make sure everyone is on board – from the leadership to subject matter experts, all relevant stakeholders should understand why a compliance programme is important and what it aims to achieve. This sets the tone from the top.
- Conduct a risk assessment – this focuses the board and senior management on those risks that are most significant within the organisation, and provides the basis for determining the actions necessary to avoid, mitigate or remediate those risks.
- Conduct a policy audit – to take inventory of what is already out there. This will expose any gaps in your existing policy library, and any necessary updates that need to be made.
- Provide training – it’s not enough to simply update the policies. Employees need to understand both the policies and how they apply to their day-to-day work. That’s where training comes into play.
- Establish a monitoring and review process – this will future-proof your programme and ensure it stays relevant.
- Build in accountability – there need to be procedures in place for when an employee fails to comply. These should include clear disciplinary guidelines and protocols that are actively and consistently enforced.
What can compliance violations cost companies?
In addition to major reputational damage, several cases around the world in recent years demonstrate the massive penalties companies face if they fail in their compliance duties. Three examples:
The Cum-Ex Scandal
Martin Shields and Nicholas Diable, two British investment bankers, went on trial in Germany in 2020 for helping to structure a massive tax evasion scheme known as Cum-Ex trading. This scheme siphoned up to €55bn from European public funds. Cum-Ex transactions took advantage of a now-abandoned method of taxing dividends which made it possible to obtain multiple refunds of a tax paid only once, through a combination of short sales and other transactions. Seen as a landmark case, both investment bankers received suspended prison sentences and Martin Shields received a fine of €14 million. Hamburg bank M.M. Warburg, which is also involved in the lawsuit, was ordered to repay almost €177 million to the state. Criminal prosecutors in Cologne continue their investigation into more than 50 other Cum-Ex trades with more than 400 suspects.
The Volkswagen Dieselgate Scandal
VW was making a major push to sell diesel cars in the US, backed by a huge marketing campaign trumpeting its cars’ low emissions. In 2015 the Environmental Protection Agency (EPA) found that many VW cars sold in America had a “defeat device” – software in the diesel engine control unit – that could detect when the car was being emissions-tested and change its performance accordingly to improve the results. The German car giant has since admitted cheating emissions tests in the US. Getting caught in the United States kicked off a chain reaction that cost the automaker a fortune globally. The DoJ has charged six executives with conspiracy to defraud the United States and to violate the Clean Air Act. The Dieselgate scandal is estimated to have cost Volkswagen more than €30bn in fines, penalties and buyback costs worldwide.
Siemens Bribery Scandal
In 2006 a colossal corruption scandal involving Siemens, one of the world’s largest electrical engineering companies, shocked the world. Its scale marked it out as the biggest corruption case of its time. For years the company had claimed to do business according to the highest ethical and legal standards, but since at least the 1990s Siemens had operated a global system of $1.4bn in bribes to government officials in order to win bids across the world. The US and Germany launched investigations and ultimately secured a historic sanction of US$1.6 billion.