Creating compliant organizations: Common pitfalls and blind spots
Helping companies create secure, compliant and resilient organizations that enable them to take risks—and reap the benefits of doing so—has been at the core of Control Risks’ mission for decades. In that time, we have come across a vast array of compliance frameworks and cultures and helped our clients through numerous compliance-driven critical situations and crises. For companies that are serious about being proactive, and that see compliance as a competitive advantage rather than a box-ticking exercise, we believe several lessons can be drawn from our background and honed expertise in helping clients see around unexpected corners—whether those be geopolitical in nature, compliance related or high-stakes security and risk. Below we have summarized six common pitfalls and blind spots related to building and maintaining a compliant organization.
1. Failing to look at the external operating environment in your compliance risk assessment
Situation- or market-driven factors, including political developments such as elections and rising geopolitical tensions, are just as likely to lead to elevated compliance risks as weaknesses in companies’ compliance programs. Sometimes, even organizations with highly sophisticated programs find themselves in the wrong place at the wrong time or are simply unprepared for major market occurrences from a compliance perspective. Incorporating assessments on external developments into programs can reduce the likelihood of this happening.
This is naturally more practiced in the environment, social and governance (ESG) space, and less so with regard to anti-bribery and corruption (ABAC), fraud and even—to an extent—sanctions risk. By extending this practice to risk assessments, disciplined companies can better focus on situation- or market-driven compliance risks, and therefore draw from those risk assessments to model locally- or situationally-appropriate solutions (e.g., for local engagement strategies). Companies can also use this to enhance controls in high enforcement or highly politicized environments.
2. Considering impact only in terms of compliance enforcement
Compliance breaches or failures have consequences far beyond regulatory sanctions; they can create significant challenges or obstacles to business, locally and in other parts of the world. Indeed, compliance-related crises are on the rise globally, involving loss of licenses, civil society action against companies, disruption to operations and businesses and regulatory pressure. These issues can have significant reputational, operational and financial impacts. Considering broad-based impact is an excellent starting point to create linkages between compliance risk managers and other parts of the business.
This approach has two immediate benefits: first, it enables compliance teams to secure buy-in from the business and to draw on business resources to identify realistic options to remediate significant compliance challenges. Second, it raises awareness within compliance and other business teams to spot when a compliance breach might trigger other risks—a step which is critical to avert risk contagion and to contain and properly manage these risks.
3. Over-focus on list-based, reactive sanctions management
Taking an overly legalistic or black-and-white approach to sanctions management that relies on checking individuals and entities against specially designated nationals (SDNs) and other lists is no longer optimal or appropriate. The new order of sanctions is fast-moving and not necessarily tied to a widespread sanctions regime. Some sanctions regimes (e.g., Europe vs. US on Iran sanctions) compete and are mutually exclusive, and others are not even labeled as “sanctions” (e.g., those against Qatar). Factoring country or industry risk into your sanctions assessment means that you can flag up potential or high-risk parts of your business that may come under or be associated with sanctions because of changes in the political environment.
4. Failing to achieve a sustainable use of resources
Most if not all compliance teams would be significantly more successful in their missions if they had limitless resources at their disposal. In truth, resources are often scarce and teams need to weigh carefully where they will deploy them with the greatest impact. Using a comprehensive, risk-based approach and being creative in considering both internal and external factors when benchmarking and prioritizing where best to place resources and conduct proactive testing (see point 5 below) can go a long way to help compliance managers make the most of what they’re given to work with. The first step in achieving this objective is typically for companies to look back at their baseline risk assessment and align annual strategy plans to the areas flagged as “highest” risk. That is easier said than done when teams also need to cope with daily, transactional support to the business.
With that in mind, the second step is to think about optimizing resources. If you have a small team, it could be a suboptimal use of its time to be conducting due diligence research. There may be more efficient ways to outsource and manage output from specialist providers. Considerations such as seniority and levels of experience are relevant to make this decision. Compliance management technology tools have significantly evolved over the past few years: there are more options for compliance teams to use economical, centralized management platforms. Many companies find this lightens the burden on their in-house team, allowing it to engage with business units to build capacity or tackle specific or more systemic compliance issues.
5. Not testing, monitoring or doing on-the-ground checks
Even programs that look fantastic on paper need to be assessed for their suitability in practice. Companies that fail to conduct regular audits and proactive testing and monitoring are less likely to identify shortcomings in the practical application of their program. In turn, companies that prioritize such work correctly through the focused application of the right tools can efficiently use testing with the greatest possible impact, even if those companies are working with limited funds. Data analytics and transaction testing tools, which are highly resource-efficient, are an excellent starting point for testing and monitoring. Their application allows companies to tie together different data points or data sets as well as to map flashpoints in their organization where they need to dedicate more resources.
6. Generic ABAC training
Training that is general and not tailored to specific job functions by definition has limited applicability for different parts of the business where risks are the highest. Companies that go the extra mile and develop training programs aimed at specific job functions like accounting will have a greater impact. Where real-life case studies are used during trainings, they should be adjusted for different trainings to speak to the specific audience at hand and focus on applicable remedial measures or management strategies and lessons learned from the company itself. The focus should be on questions like “What did we do wrong to get into this situation?”, “What can we be better at?” and “What challenges would you and your job function face dealing with applying these management strategies, and where would you look for internal or external support?”.
Smart risk managers know that risks are interconnected and the tools used to manage them should reflect that. The range of possibilities for using data to spot risk and malfeasance can be daunting. At the same time, regional nuance and geopolitical dynamics that have a direct impact on overall compliance have never been so fast-moving. Control Risks’ experts are experienced at combining the latest technology tools with our unparalleled analysis to implement made-to-measure compliance solutions that correspond to your risk tolerance and relate to your operating environment. The result is a compliance framework that is practical and allows companies to manage risks with greater confidence.