Monitoring and compliance: You can’t self-report what you don’t know
Both the Serious Fraud Office (SFO) and the Department of Justice (DoJ) have recently re-emphasised their position that self-reporting is key to reaching resolution through a deferred prosecution agreement (DPA).
DPAs in the US have shown leniency in cases where corporates have brought matters to the US Department of Justice rather than the other way round. This gives companies food for thought on how they choose to respond when they identify issues of serious misconduct.
However, the challenge remains: you cannot report what you do not know. The reality is that many companies simply aren’t aware of issues until it’s too late: a whistle-blower, a leak, a letter from the regulator.
The compliance requirements attached to recent DPAs show that regulators continue to re-assert the compliance hallmarks we have come to know so well, including the importance of periodic review. This is in addition to the abundance of case precedent and recent regulatory guidance. So why do we continue to see such large-scale examples of companies missing the mark?
Effective compliance programmes are meant to provide not only preventative measures but robust monitoring and review mechanisms designed to detect acts of non-compliance. However, companies often baulk at the thought of undertaking the in-depth risk assessment and bespoke monitoring activities necessary to fully understand and vet potential acts of non-compliance.
All too often, organisations opt for the ‘high level’ or ‘light touch’ approach and rely on corporate culture and online policy portals to steady the ship, rather than investing the time and effort required to proactively identify misconduct. This is borne out by Control Risks’ International Business Attitudes to Compliance survey 2016/17 (“IBAC survey”), which found that large organisations are still not harnessing proactive measures such as compliance audits (41% of companies).
While tone and policy are extremely important, over-relying on their ability to thwart employee misconduct, or subscribing to the ‘high level’ mantra, can create blind spots. For companies to truly stay ‘in the know’ about what’s happening across their geographical footprint, there must be real rigour behind their periodic review and monitoring.
Monitoring needs to feed into a wider compliance programme which not only reads well on paper but has been implemented and is operating effectively. Monitoring provides an important window of opportunity to identify where those compliance programmes are falling down across a global footprint – including within third party networks.
And there are a number of reasons why they could fail at the local level:
- Policies, processes and controls do not address the on-the-ground risks and business realities. A thorough risk assessment which tests not only the existence of risk but also the effectiveness of procedures as they operate – not just how they read on paper – is key to understanding potential exposure at a local level. Without understanding how policy and procedure are implemented operationally in the face of local risks, management cannot confirm whether controls are fit for purpose within local contexts.
- The absence of compliance involvement in strategic business decisions, or involvement that comes too late. With many business decisions being increasingly devolved to local operations, it is common for local business leaders to set and/or execute strategy without consulting, or having regard for, compliance.
For example, consider businesses which are expanding their brand into nearby territories by acquiring local players who have no prior awareness of, or regard for, the regulation set by US or UK regulators. Integrating such an organisation can have major hiccups, not least of which could be successor liability for previous misbehaviour – behaviour which could have been identified and mitigated upfront with the advice of compliance.
- Lack of experienced resources in responding to a compliance crisis. Compliance teams are too often under-staffed and under-resourced to deal with the growing demands and expectations of boards, investors and regulators.
This is a particular challenge in certain high-risk jurisdictions, where it can be difficult to find seasoned compliance professionals capable of identifying and addressing issues as they arise. There may be any number of reasons for this, but most likely the country itself has a poor track record of enforcement and a lower regard for, or awareness of, international standards, and therefore a limited track record of understanding and responding to compliance issues.
Not being able to source local talent is not an excuse that a regulator is likely to accept, which once more reinforces the need for proactive monitoring, including local country visits. However, it is difficult to do that on a shoestring – and Control Risks’ IBAC survey indicates that 25% of companies with over 10,000 employees devote less than $25 per employee to compliance each year, and 28% have a compliance team of just 1–5 people.
- Lack of internal investigations. The impression that management investigates and takes action is a key deterrent to non-compliant behaviour. Again, one can only investigate what one knows, so it is imperative that investigations follow from findings identified through internal audit, monitoring and whistle-blowing hotlines.
This takes us to the next point:
- Whistle-blowers are key. A fully implemented and communicated internal whistle-blower hotline in which people trust that they can raise issues anonymously is imperative. Some regulators have even made this mandatory for their sectors.
However, there is a difference between having a hotline and it being effective. Understanding cultural attitudes towards whistle-blowing, and making sure the hotline and its supporting materials are properly translated and readily available in a format that is practical for the local environment, are just some of the factors to consider when assessing how effective your whistle-blower hotline will be.
It is vital that employees understand the process and, crucially, that they trust it. Markets with little to no whistle-blower reports should be monitored – no reporting can be a red-flag in itself.
So what can be done?
In the current climate of over-stretched and under-resourced compliance teams, robust monitoring and review across large geographical footprints seems costly and disruptive. But it needn’t be: new technologies in data analytics, overlaid with a forensic mind-set, can be applied throughout the compliance lifecycle, enriching risk assessment, strengthening management information and focusing monitoring activities.
Efficient and targeted data collation can especially support under-resourced compliance teams in achieving more for their money, both in the risk assessment and monitoring elements of their programmes. Forensic data analytics can identify patterns and irregularities and pinpoint third parties, client relationships and business practices warranting review.
Further, current visualisation tools can translate data into powerful management information on key risk metrics and local business activity, supporting management in staying on top of risk factors. Take this one step further by supplementing the analytics with a forensic approach to monitoring and an even more dynamic programme is created; one that is not only risk-based, but addresses the need to detect non-compliance.
Best-in-class compliance teams, often forged in the wake of some form of enforcement, understand that one of the most effective ways to monitor is to move beyond ‘tick the box’ audits and employ a more forensic approach to their reviews. Rather than simply establishing whether an activity follows compliance procedure, a forensic approach seeks to understand whether the nature and intent of the business activities align with the spirit of the policy. As a by-product, the forensic approach is more likely to identify problematic loopholes and to challenge whether existing procedures are sufficient to detect collusion or deception within the local context.
As highlighted earlier, there could be any number of weaknesses in a programme leading to potential problems down the line, and regulators expect organisations to have the right mechanisms and tools in place to identify, validate and report such problems. If an organisation is to take full advantage of self-disclosure and DPAs, it needs to know what has gone wrong – and integrating data analytics and a forensic approach may just be the missing element to keeping you ‘in the know’ and out of the headlines.
- Lorynn Demetriades, Associate Director