Tuesday, March 10, 2009

Rethinking Compliance: get it right!

Compliance is about SOX, right? Wrong - it is about a wide range of issues from cartels, through corruption, data protection, health & safety. And they can each and every one cost money, time and reputations. In these dark economic times, it is worth revisiting your compliance programmes. Three headlines struck me as being somewhat out of the ordinary recently:

  • Aon fined for suspicious payments[1]: according to the BBC “The UK arm of the insurance broking group Aon has been fined £5.25m for making ‘suspicious payments’ worth $7m (£4.6m) to people and firms overseas. The fine was levied by the Financial Service Authority (FSA) and is its largest fine yet for ‘financial crime’.”
  • Lloyds pays $350m to end US case[2]: again, according to the BBC they have paid a $350m penalty to settle a case with the DoJ. I don’t propose to go into the rights and wrongs, because I simply do not know them.
  • Primark 'is probing law breaches'[3]: and yet another story from the BBC: “Fashion chain Primark has launched an investigation into allegations one of its suppliers has breached employment and immigration laws. The Observer newspaper reports an investigation found Manchester-based firm TNS Knitwear was paying illegal workers less than the minimum wage.” And the consequence of this: “On Saturday, Primark agreed to remove references to the Ethical Trade Initiative, the trade body which monitors Britain's top retailers, from its 140 shop fronts.”

And that is without even breaking into a sweat. I have not referenced the Satyam scandal or the Madoff Ponzi scheme. And I have not even headed in the direction of the banking failures. Apparent risk management failures are everywhere. And what is worrying is that these penalties are under what I might describe as the old regime.

The new regulatory mood music
What is for certain is that the mood music around regulation has changed from “light touch at all costs” to “meaningful” regulation. The argument for “light touch” regulation went something like this:

“Across the board we are seeing regulators adopt a more aggressive attitude. Over-enforcement of regulation can seriously damage the overall fitness of the economy. The critical point at which this starts to take effect is hard to identify, but there is a risk that we are getting close to it.”

Source: Paul Ormerod, Author of Butterfly Economics and Death of Economics in Rethinking Regulatory Risk by Baldwin and Anderson, published by DLA Piper, 2002

The counter argument was put as follows:

“Regulation is necessary to control corporate excess. Workers, shareholders and customers need protection from directors breaking the law and punitive liabilities send a clear message. Directors should act honestly or be jailed.”

Source: John Monks, General Secretary, Trades Union Congress in Rethinking Regulatory Risk by Baldwin and Anderson, published by DLA Piper, 2002

For a long time the former view held sway, as shown by Lord Turner’s evidence to the Treasury Committee recently in which he effectively said that even if the FSA had wanted a more interventionist approach in looking at the business models of banks, politicians of all political hues would have called them off. As far back as October Lord Turner was indicating a new approach:

“Financial regulators should be prepared to ‘wipe the slate clean’ as they search for a more effective global regime in the wake of the credit crisis, the chairman of Britain’s financial watchdog has said.

“Lord Turner also warned banks and insurance companies regulated by the FSA they would have to pay higher fees so the regulator could strengthen its supervision of institutions that pose a potential risk to the stability of the financial system.”

Source: Financial Times interview with Lord Turner, Chairman of the FSA, published 17 October 2008

And this is not just a UK phenomenon: to summarise Charlie McCreevy’s speech to the ICSA Corporate Conference, he effectively said:

Risk management

  • Has been poor/disastrous
  • Needs to be embraced
  • Role of senior management
  • Requires transparency
  • Needs oversight by shareholders

Source: Charlie McCreevy, European Commissioner for Internal Market and Services at the Institute of Chartered Secretaries and Administrators (ICSA) EU Corporate Governance Summit Brussels, 8 October 2008

Compliance revisited
One of the consequences of this is that there is a renewed interest in compliance programmes. Some, like Siemens, who suffered spectacular compliance failings, have developed a top-down, heavy bureaucracy compliance programme based on Prevent, Detect, Respond, with the response to problems being Dismiss, Warning, Reduce Remuneration[4]. Their quarterly report shows 621 compliance staff worldwide in 2008, compared to just 86 in 2006. The compliance helpdesk had 3,836 calls during 2008 alone.

Others, who are not subject to the same level of intense regulatory scrutiny, have the luxury of doing this in their own time and at their own pace. They are more likely to be able to justify the development of risk-based compliance programmes. Best practice is pointing towards a programme that has three facets:

  • A process to manage “compliance” risks: in other words one that identifies, assesses, monitors and responds to risks in a pro-active way;
  • An ethical and supportive culture such that attitudes, skills and knowledge all support an ethical stance with regard to compliance; and
  • A view to supporting the organisational objectives: in other words this is not just compliance for the sake of compliance, it will help the organisation to achieve its ultimate goals.

But to make this style of compliance programme work the organisation has to balance two sets of pressures. In the first instance, CEOs are always under intense pressures from institutional investors who, needless to say, are always looking for ever increasing share values (or in the current environment – at least a containment of the fall). In the second instance, CEOs are placing ever greater pressures on the staff with a demanding performance culture shaped through rewards, incentives and disciplinary actions. If the staff fail, the CEO will fail. So there is something of an incentive to cut corners, chat to competitors who are in a similar situation or to incentivise customers to award you the contract. In other words, the slippery and dangerous route to unethical, or even worse, illegal actions.

The consequences can be horrendous. Ask the people at Siemens, or look at the volumes of time taken up at BAe, where accusations remain unproven. From the fines, through the time spent dealing with regulators to the sheer loss of personal and corporate reputations, the costs can be crippling. Above all, regulatory penalties destroy shareholder value and consume enormous amounts of management time, and even worse you run the risk of having a solution imposed on you which will be expensive – because you will be on the back foot, and it will not necessarily fit your preferred business model, especially if there is any risk that the extra-territorial ambitions of the US agencies can finger you.

So, the argument goes, in this time of recession, when the pressures are really on everyone in the organisation to perform, it is time to make sure that your compliance house is in order. Make sure that there is total commitment from the Board right down through the organisation. All managers have to be able to walk the talk, as well as just talk it! This needs to be right up near the top of both the board’s and the CEO’s agenda or it will not work. You have to have the right resources available in the group to make this work, to make sure that the programme is aligned with your other risk management activities. Think through the involvement of Internal Audit and whether there are any other “assurance” programmes that this can link to. Be clear about the likely scope in terms of areas and geography, and appropriate timescales. Think about the need for, or use of existing risk management software. And in case you were in any doubt: compliance is not just about Sarbanes-Oxley – it covers a much broader spectrum of issues, from corruption, through competition, data privacy, health & safety, environmental and many other potential pitfalls.

The first steps
The first step is to understand what will influence the shape of your compliance programme. No doubt a history of past regulatory problems can encourage greater focus on the nature of the programme: escalating cartel fines for repeat offenders under EU rules can be horribly costly. Equally, current economic conditions and the associated investor pressures are forcing people to put the ethical dimension back into their businesses so that they are not forced down inappropriate avenues. And all of this is backed up by the changing tide of regulation, let alone the extra-territorial ambitions of US law-makers. Boards have to consider all of these influences on themselves and their organisations as they consider their (and shareholders’) risk appetite as compared to their propensity to exercise control. Where there is a mismatch, something needs to be done.

But above all, remember that effective compliance programmes require full time leadership to work.

[1] For further details see: http://news.bbc.co.uk/1/hi/business/7817651.stm
[2] For more details see: http://news.bbc.co.uk/1/hi/world/americas/7821600.stm
[3] For more details see, amongst others: http://news.bbc.co.uk/1/hi/uk/7822902.stm
[4] In fact the third category in the quarterly reports is “Other”, one element of which is reduced remuneration. For more details see http://w1.siemens.com/responsibility/en/compliance/index.htm, and their quarterly compliance report at http://w1.siemens.com/press/pool/de/events/2009-q1/2009-q1-compliance-progress-report-e.pdf.