Global enforcement outlook
Culture and governance in a fast-changing environment
As senior management steers their organizations towards a recovery through the continuing challenges of the pandemic and its economic fallout, successful businesses will be the ones agile enough to respond quickly to threats or take advantage of opportunities.
The challenge for legal and compliance professionals is to ensure this agility is supported, while ensuring governance and compliance structures remain robust and fit for purpose.
In the coming months and years, companies can expect more scrutiny, from more stakeholders, into more areas of their business, creating the conditions for a more complex set of enforcement risks. This may add a new perspective on an old risk or present new risks altogether. Being able to adapt will be key. Here we look at three overarching principles to support that effort.
The events of 2020 abruptly exposed the need for businesses to be agile and adaptable. These will be key characteristics of resilient organizations as we move towards a recovery. Business agility, however, must be accompanied by sound risk management, especially when it comes to serious regulatory and criminal risks. Governance and compliance structures and practices will need to adapt to manage the risk of misconduct – intentional or negligent – during what will remain a challenging business environment for many.
Adopting a holistic approach to the risks
Many of the enforcement risks facing businesses are interconnected. For example, bound up within a bribery issue could be an antitrust breach, or vice versa. The common thread across many risks is that they stem, in large part, from the conduct of individuals.
Some risks derive from bad actors – rogue employees or agents who do the wrong thing, often for personal gain. Companies need controls to prevent these individuals from seeking to do harm. But companies often get in trouble when someone or a group has veered off course and made poor decisions or gone along with the poor decisions of others. To prevent this, a focus on culture and conduct is just as important as controls, in some respects more so.
Given so many enforcement risks arise from poor practice, it makes sense to view them together through the lens of conduct risk. A compliance program that is overly focused on process and rules, without enough emphasis on values and behaviors, may not be sufficiently flexible to protect against unknown or blind risks that can arise in a volatile environment.
An approach to compliance that places too much emphasis on detailed rules can be hard to communicate. It risks poor engagement within the ranks of an organization and may – if people can’t see the forest for the trees – lead to bigger issues being missed.
By contrast, a decision-making framework centered around a set of principles, backed up by tone from the top and training that emphasizes what behaviors are expected, can be much more valuable, especially in a fast-changing climate.
Rules remain important – but so is the need to strike the right balance when looking at where to focus efforts and resources.
Ensuring decision-making processes are robust
Over the coming months, there will likely be a premium on speedy decision-making within many organizations. But this should be balanced with accountability and ensuring input from the right cross-section of functions. Efforts by legal and compliance teams to break down silos and promote engagement with the front-line business and other functions will be time well spent.
Companies expecting to be more agile in the future may wish to consider reviewing their decision and approval matrices to ensure potential legal, regulatory or reputational risks continue to be addressed in the right fashion and at the right time.
Companies may want to build conduct-risk considerations into their decision-making. For example, when deploying a new service or product, adopting a new business model or integrating an acquired business, it’s helpful to look at what behaviors the proposals could drive and if any conduct risk is likely to arise as a result. This doesn’t have to slow things down if there is engagement on this question from the outset. And it could save time and potential headaches further down the line.
Ensuring the approach evolves
A number of enforcement agencies across jurisdictions have issued guidance on how they will evaluate corporate compliance programs.
In 2020, the UK Serious Fraud Office and the US Commodity Futures Trading Commission added to the growing volume of material when they issued compliance guidance for the first time. The same year, the criminal division of the US DOJ updated its guidance – barely a year since the previous update.
It is perhaps telling that the June 2020 edits to the DOJ’s compliance guidance emphasize that the DOJ will be looking at how compliance policies and procedures have changed over time. Overall, it appears the DOJ will view a company whose policies evolve to accommodate changed circumstances and experience in a more favorable light. For example, the revised guidance specifically notes that the DOJ will assess whether a company has a process for incorporating lessons learned from periodic risk assessments.
It is important that a company’s approach to managing misconduct risk is not static and instead evolves to remain fit for purpose, despite any new or unforeseen circumstances that may arise. The DOJ and other agencies have made clear that companies must revisit their risk assessments periodically, folding lessons learned from past issues into that analysis, and then tailoring their approach accordingly.
2020 was a challenging year, stress-testing a number of business processes. Regulators and prosecutors will expect companies to have learned lessons from that experience and make any appropriate adjustments. Where misconduct or an evasion of controls has been detected in one business area, companies may want to consider if these ‘risk signalers’ have wider relevance.
Compliance functions should, for example, be asking whether adjustments are needed in controls in other business units, or new messaging or training is required. Or it may be that there has been an accumulation of smaller incidents or ‘near misses’ indicating a wider issue with culture that needs to be addressed.
But whatever the nature of the risk signalers, dealing with all those smaller lessons learned and making those subtle adjustments can yield significant benefits in the long term.