Compliance functions leaving firms open to risks from aggressive enforcement agencies
Written by staff reporter
Companies are paying lip-service to compliance and putting themselves at risk by failing to appropriately prioritise and resource it. This is according to a report carried out by risk consultancy Control Risks. A quarter of the companies surveyed reported that they invest less than US$25 per person a year on compliance. Around the same number of large companies have compliance teams of just five people or less.
The extent to which compliance functions are stretched contrasts with the increasingly aggressive and joined-up activity of enforcement agencies across the world and the punitive fines imposed on companies for non-compliance. In 2016, 30 companies were fined a total of US$2.4bn for non-compliance under the US Foreign Corrupt Practices Act (FCPA), for example, and in the UK the Serious Fraud Office (SFO) is stepping up its efforts to enforce the UK Bribery Act. In January 2017, Rolls-Royce paid US$616m to settle a longstanding SFO anti-bribery investigation, as well as a further US$170m to the US authorities on related charges.
The annual report of international business attitudes to legal and compliance risk, published this week, is based on a survey of senior executives responsible for compliance at 1,000 companies worldwide. The research reviewed a broad range of global compliance issues, from anti-corruption, to anti-money-laundering, anti-trust, privacy and data protection.
Richard Fenning, CEO, Control Risks, said: “Companies are in danger of putting themselves at risk by failing to prioritise and integrate compliance within their businesses. Whilst the necessary investment will vary widely between organisations, many companies are woefully under-resourced to deal with the increasingly complex, constantly evolving and often contradictory regulatory environment.
“Those companies that get it right recognise that, as well as mitigating against heavy fines, legal fees and reputational damage, well planned and executed compliance risk management can help capitalise on opportunities that they would otherwise miss, especially in high-risk markets.”
Control Risks’ research highlights that senior management need to be more receptive to compliance issues. There is no single compliance model, nor should there be. However, only 27% of respondents reported that their companies’ Chief Compliance Officers attend all board meetings. Furthermore, only just over half (56%) of large companies said they have an ethics and compliance committee.
Compliance officers must also be more pro-active in managing compliance risks and trying to mitigate issues before they arise. There is a tendency to rely on whistleblowing to detect misconduct (64% of companies); in contrast only 41% of the organisations surveyed use compliance audits and just 18% use surprise fraud audits.
Although resources for compliance teams may be stretched, the research showed the significant opportunity for companies of all sizes to make better use of technology across multiple areas of compliance, including risk assessment, real-time monitoring and mitigating cyber breaches. However, the greatest opportunities lie in risk-based third party management, anti-money laundering and fraud prevention.
Global consistency in compliance is essential and the survey showed that a majority (55%) of companies reported that their compliance policy applies worldwide, without any local exceptions. The UK is one of the best performers, with nearly two thirds of companies (63%) having a single global policy, compared, for example, with the USA (just 51%).
However, 40% of companies have local policy exceptions for gift-giving (33% of UK companies, compared to 44% of USA companies), 30% allow “permitted interactions with government employees”, and 20% permit the use of “facilitation payments” to expedite services to which they are entitled (inevitably leaving them in breach of local laws as well as the UK Bribery Act).
“Compliance policies must be globally consistent but also locally translated and relevant, with guidance for example on specific circumstances such as dealing with tax inspectors in countries where demands for bribes are commonplace. Local variations in most cases should be tighter than the global standard,” Fenning added. “A key message for many compliance departments is that they could work smarter. One of the most effective ways they can do this is by making better use of technology to manage risks pro-actively and cost effectively rather than rely on whistle-blowers to inform on potentially damaging issues after they have occurred.”
Report findings: Compliance risk (Source: Control Risks)
- Large companies’ compliance functions are under-resourced: A quarter of large companies invest less than US$25 per staff member on compliance, annually; 28% of large companies have compliance teams of five people or less
- Compliance needs senior management buy-in: Only 27% of executives responsible for compliance attend all board meetings
- There is an untapped opportunity for compliance officers to leverage technology to increase efficiency
- Compliance officers need to be more proactive: two thirds rely on whistleblowing rather than taking the initiative to conduct anti-fraud and anti-corruption audits
- Compliance policies are inconsistent across companies’ global operations, with local exceptions made