Managing Compliance Risk – Six Myths

Ep Hannema and Recep Altun explore some of the myths they encounter when advising companies that try to limit their liability exposure resulting from compliance issues (more specifically from fraud and corruption). Do these myths also exist in your organisation?

If a company is in a position where it is trying to get comfortable with the compliance risk of a transaction or agreement solely on the basis of contractual clauses, it should question whether the transaction itself is sound. While lawyers have traditionally been paid to document transactions rather than question them, this is no longer sufficient; internal and external lawyers have to look at the substance of arrangements being entered into rather than their form, both to protect their company and to avoid a risk of their being complicit in any wrongdoing.

While there are certain attractions to e-training – it is cheap to roll out once it has been designed, provides an instant record of completion, and can train a lot of people quickly – it will not adequately equip employees to deal with difficult situations or judgment calls. Training on such difficult situations, which are the nub of ethical and compliance issues, needs to be done in-person for senior or higher-risk groups, using real-world case studies.

Compliance software handles certain tasks brilliantly, for example spotting unusual expense or payment patterns, organising information, and providing high level statistics on a compliance programme. Automated systems are, however, no replacement for human judgment or common sense and depend entirely on the quality of inputs. Further, because automated systems by their nature deal with the form, rather than substance of a matter, they can nearly always be gamed.

Rules and systems are important in certain areas, especially for the first line of defence, but ultimately compliance is about adjusting attitudes and equipping, informing and supporting judgments. Systems and controls, however sophisticated, are open to manipulation. Sophisticated compliance is about developing employees’ attitudes to deal with potential compliance issues head-on. Ethical leadership is crucial here; so is building a sense of fair play, and corporate and individual responsibility to do the right thing in borderline situations.

The application of the FCPA, UK Bribery Act and other jurisdictions’ analogous legislation to the actions of a company’s third parties is well-documented. The Dutch Penal Code also provides sufficient points of reference in this respect. What is easily forgotten is that even if primary offences under anticorruption legislation are not made out, serious offences can also be committed under predicate offences such as accounting offences and money laundering legislation.

If your company’s compliance programme is highlighting potential issues, this is in one sense good news: raising issues is one of its key functions. There is no embarrassment in having compliance issues; the test is how they are dealt with and how your compliance programme adapts to any weaknesses exposed by those issues.

If you operate in higher-risk jurisdictions and/or in higher-risk sectors and you have not dealt with compliance issues, you must ask yourself: is your company lucky, good, or has it not seriously looked? What has arisen from risk assessments, ongoing third party due diligence and whistleblower reports? Companies stating they have had no or few known compliance breaches tend to be those with the most issues – lurking behind the scenes.

The items addressed above are only a few examples of myths we still encounter often in our daily practice.