RiskMap 2023: The legal and compliance perspective
RiskMap23 | Hannah Lilley | Director
The conflict in Ukraine, which began in February 2022, has dominated this year’s legal and compliance agenda within many organisations. Conflict and geopolitical risk has clearly evolved; it is no longer the remit only of the global security and government affairs teams. The secondary consequences that arise from conflict are now integrated into planning and strategy across departments, including the legal and compliance world. The conflict has uprooted supply chains, compounded geopolitical turbulence, and seen the introduction of a multitude of new sanctions against Russia, with second order consequences beyond Russia’s borders.
Geopolitics firmly embedded in compliance
Ukraine is a clear example of the role sanctions play in geopolitical conflict. Sanctions are an instinctive policy response to foreign policy and geopolitical crises, and a tool to help governments maintain their supremacy in certain areas. The consequence of this in a commercial setting is that sanctions disrupted – and will continue to disrupt – both markets and internal company decision making, including in legal and compliance teams. Organisations have been under pressure from governments, stakeholders and civil society to react quickly and decisively, not only in connection to their sanctions compliance position but also to their stance on business with Russia more broadly. A rapid reaction to sanctions is not straightforward when that response is complex and nuanced. Unwanted reputational and regulatory scrutiny has faced those slower off the mark.
The fallout on companies from the conflict has not been limited to those with a clear and rooted presence in Ukraine and Russia. The interconnectivity of the global system means even those without direct physical exposure have been forced to unravel their networks of suppliers and clients. Points of vulnerability in supply chains had already been exposed by Covid, but have been laid even more bare by the geopolitical turmoil. Legal and compliance teams have had to adapt quickly, considering new suppliers and clients that carry different risks, and getting their heads around regulatory requirements across borders that are not always aligned.
And it’s not just Ukraine that has dominated the geopolitical landscape this past year. Organisations caught out by the rapidity of the escalation in the Ukraine-Russia conflict are scenario planning ahead of any potential deterioration in US-China relations. While armed conflict in East Asia seems unlikely in 2023, trade wars are highly disruptive, and boards are reimagining their supply chains to secure future resilience. This all trickles down to the inboxes of legal and compliance professionals. Increasingly, legal and compliance teams have a voice outside the remit of what are traditionally considered their core responsibilities. Their perspective on complex geopolitical and regulatory issues is key to longer-term scenario planning and corporate strategy, including where the rethinking of supply chains is concerned. The process of revising supply chains has been underway for some time – the disruptive forces of the pandemic, economic volatility, energy risk and a rise in state-level protectionism have driven a rethink of the value chain over a period of years. Events of 2022 have brought home the importance of accelerating this process. With deteriorating relations with China, many Western countries are pushing for greater scrutiny of Chinese companies’ roles in their supply chains. Organisations – especially those that operate in sensitive or strategic industries – are ensuring they can decouple critical supply chains if they need to, and legal and compliance teams are reconsidering which factors are integral to their risk register.
Regulatory challenges driven by fiscal fragility
The past year has seen some changes on the corporate transparency front, with authorities and society seeking greater disclosure on the identity of company beneficiaries. The impetus for this is principally to combat financial crime – tax evasion, corruption, money laundering, and terrorist financing. However, the drive to tackle kleptocracy has seen some of this regulation accelerated, such as the UK’s Economic Crime (Transparency and Enforcement) Act in March this year following Russia’s invasion of Ukraine. Corporate transparency programmes have had to be adapted, and compliance teams have considered how to integrate new regulation and information available to them into their due diligence processes.
Regulation in the next year will also be driven by some additional factors. The escalation in sanctions has hit at a time of wider turbulence across many economies. Fiscal fragility, inflation, social unrest and populism may lead to greater state intervention in some countries on a multitude of issues, which legal and compliance teams should prepare for. In a bid to steady state coffers, some governments will need to find sources of revenue that may hit in the form of corporate taxation, export controls or supply chain mandates. Their ability to raise funds when many enforcement bodies face limitations in their own budgets remains to be seen. In countries where voter discontent against both leaders and the private sector is strong, interventionist policies may be pushed forward, with technology and energy companies particularly likely to face scrutiny due to their high profiles and perception of their high profits. Voter expectation will likely also see ESG become increasingly prominent, with organisations having to demonstrate visibility of their full value chain, which will fall on legal and compliance teams to unravel. Compliance teams will need to be on the front foot as always. They will need to map reporting obligations beyond the strictly legal requirements (such as Germany’s upcoming Supply Chain Act) and look ahead to emerging expectations.
As the economic situation potentially deteriorates alongside public tolerance, enforcement agencies may find themselves under pressure by society and the authorities to take action against corporate conduct seen as damaging. Regulatory uncertainty and complexity will find its way to the desks of legal and compliance teams. These teams will also be dealing with the impact of recession in some countries on corporate culture and behaviour, with economic fragility driving negative human behaviours in the workplace. This all comes at a time when legal and compliance teams are being pulled in multiple directions, with compliance budgets under pressure and expectations are higher.
When technology submits to geopolitics
Technology has driven rapid change for legal and compliance teams; they are operating in an environment of significant transition. It has impacted – or will soon impact – almost all elements of their roles. Technology has facilitated new ways of communicating via apps or social media, it has impacted both the volume and accessibility of data in internal investigations, it has driven the growth of new transactions to scrutinise (think crypto), and it has created new considerations around data privacy. Technology politics is also reshaping the legal and compliance landscape, requiring companies to assess the risks of technology adoption based on increasingly localised rules and regulations. Many companies are responding to this challenge by adapting digital plans built on the premise that connectivity would always transcend national boundaries. That assumption is now collapsing. The fragmentation of the regulatory landscape into a patchwork of sometimes intersecting but very often diverging data privacy and systems-based rules is making life complex. The growth of techno-nationalism means that once esoteric technical concerns related to internet standards, network protocols, routing and competing principles of internet governance are fast becoming geopolitical and, in turn, compliance issues in their own right. Most notably, the clash of national interests, coupled with the wider weaponisation of cyberspace, is leading to the decentralisation of networks themselves with organisations responding to a growing state focus on national-level cyber architecture by starting to build at best regional, at worst national networks within their companies. The very infrastructure upon which cyberspace is based is being thrown into question, meaning legal and compliance teams increasingly need to plan for future-state scenarios that once would have been unthinkable, but which could now lead to a radical overhaul in the way their companies do business. Although digital innovation continues to spur conversations in boardrooms - from cryptocurrency to the metaverse – most will have to contend with the realities of a fragmented technological architecture, which might inhibit or at times sanction fast-paced implementation.
A series of external shocks in 2022, converging with economic fragility across many parts of the world, has brought home the need for nimbleness not only within legal and compliance teams but at an organisational level, too. The drive to a values-based compliance culture – which many organisations sought to foster in the post-pandemic bounce-back-better haze – remains crucial, but faces being undermined by conflict, both physical and cyber, and fiscal weakness. Once again, we’re seeing compliance being redefined to keep pace with a turbulent world.
For more in-depth analysis of key risks and issues, explore our RiskMap 2023 content.