Tomorrow sees yet another compliance regime, the UK Bribery Act, comes into force. A much debated legislation which remains unclear in parts but reflects and puts even more teeth into the key tenets of the FCPA reglation from the US. Both these regulations have broad arms and don’t limit their interest to UK and US companies. Even China is on the anti-corruption bandwagon with their own legislation recently announced.
Most organisations have a plethora of compliance topics to concern themselves with, and often multiple compliance teams. The challenge is to focus on ASSURANCE rather than just CONTROL. There is often a tendency to focus on implementing additional control mechanisms that allow management to feel that their ‘compliance’ obligations are despatched. While some of these are important, whatever controls we implement do not always leave us with the assurance we would like to have over business operations. And as they say, ignorance is not an excuse in these matters.
There is little doubt that best practice is now to focus on the set of key risks that the organisation faces and certainly map them to the compliance areas, but focus on risk management as a business tool, and don’t fall into a checkbox ‘compliance regime’.
We have a choice, see this as another cost of legislation and bureaucracy or use it as an opportunity to enhance risk management in the business to drive enhanced performance.To paraphrase a great observation (was it Henry Ford?) ‘whether you think of this as cost or value, you are probably right!’. To maximise the value to the organisation, think of risk identification, assessment and monitoring as well as control testing with a model of ‘TEST ONCE, COMPLY MANY’. As well as reducing the burden of compliance, it helps focus on key risks. Of course, you will have done your risk assessment already on UK Bribery Act and FCPA, right?
You will have identified the risks as they relate to your business operations and geographic spread, your markets and channels and your product groups. You also want to think about how performance measures and reward systems may cause some unanticipated consequences in this area. Where are the conflicts of interest?
You will be developing enhanced policies and standards of operation that focus on the sales and marketing end of your business and the whistle-blowing channels you provide. You will be communicating and reinforcing this at every level on regular basis, even for new hires and your channels to market. You may even have a self certification program that every employee undertakes that they comply to policy and have been trained.
These programs and supporting systems can be expensive and time consuming to implement. The key balance to draw is for an appropriate mix of control and alert processes with assurance processes. If you can be confident that relevant management will be alerted to any potentially inappropriate payments or gifts making their way through your sales channel, then you reduce the dependence on relying on individuals ‘blowing the whistle’ on colleagues.
The ability to combine the well publicised education, self certification and reporting processes with the automated monitoring of potentially inappropriate or suspicious activities in sales, accounting, purchasing and payments systems is now well proven. The reality is that we need to have a healthy scepticism of the claims of controls and systems to PREVENT inappropriate activities. They can help, but only so far. We need to combine a healthy balance of prevention and DETECTION.
The processes exist, the tools exist and the expertise exists.
This balanced approach reduces the cost of compliance and, even more importantly, drives greater assurance and visibility for management. But remember! Anti-bribery, corruption is just one stream of compliance – ‘Test Once – Comply Many’ is an effective mantra for driving down the cost of control and compliance AND enhancing risk assurance.
Tomorrow is a new day!
Good luck on your journey . . . .