2 Reasons why companies need to conduct risk assessments of their own compliance programs

Posted on 10-08-2018 by Lisa Thompson

As the aftermath of corporate corruption and ethics scandals continues to play out in news headlines and courtrooms, it spurs a continued search for expert advice and best practices on mitigating compliance risk. So, when a former compliance expert at the U.S. Department of Justice (DOJ) and a Harvard Business School professor focused on corporate misconduct join forces in a Harvard Business Review article on addressing compliance program failures, we were curious. Here’s what we found.

Costs climb sharply for corporate fraud, bribery and corruption failures

When a corporate scandal is covered in the media, a price tag is inevitably mentioned. But the figures that make headlines don’t tell the whole story—especially when the corruption or compliance failures play out over years. ‘Dieselgate’, which VW first admitted to in 2015, has resulted in nearly $30 billion in costs from recalls, legal penalties and civil settlements in the U.S. In June, German prosecutors announced a $1.2 billion penalty, and earlier in September, Compliance Week reported a $10.6 billion claim on behalf of investors, calling it “… one of the most significant German investor actions against a company in more than a decade.” Add in the loss of trust that sent sales and stock values plummeting and it’s clear that the company will be feeling the pain for some time to come.

Likewise, when a money laundering investigation in Brazil began in 2013, few anticipated that “Operation Car Wash” would turn into the mega-sized bribery and corruption scandal it is today. Dozens of companies, executives—and even politicians—have been tainted by Operation Car Wash, with financial penalties in the billions and a continuing threat of additional settlements related to investor class actions. This far-reaching scandal will likely have long-term consequences—not only for the companies involved, but also for the government and citizens of Brazil.

And these are just the media sensations among corruption prosecutions. The HBR article cites data from the Association of Certified Fraud Examiners, noting that “… almost half of all fraud cases are never reported publicly, and a typical organization loses close to $3 million in annual revenue to fraud.” More worrying, perhaps, is another survey referenced by authors Hui Chen and Professor Eugene Soltes indicating that 42 percent of 3,000 surveyed executives said that unethical behavior could be justified to reach financial goals. “Clearly, malfeasance remains deeply entrenched in private enterprises today,” Chen and Soltes write.

Throwing money at compliance isn’t what mitigates regulatory risk

Compliance programs do not come cheap. According to Chen and Soltes, “The average multinational spends several million dollars a year on compliance, while in highly regulated industries—like financial services and defense—the costs can be in the tens or even hundreds of millions.” In addition, they say, these figures don’t reflect the human resources value of training and compliance-related activities undertaken annually.

Of course, if money spent paid dividends in the form of lower regulatory risk and no scandals, few companies would balk at the expense. Unfortunately, companies encounter an increasingly complex regulatory environment—from PEPs, sanctions and watchlists to different laws around the globe to address bribery and corruption, money laundering and terrorist financing, forced labor and more. As a result, companies should consider conducting a risk assessment of their own compliance strategies to evaluate their effectiveness. “For many firms,” Chen and Soltes write, “appropriate measurement can spur the creation of leaner and ultimately more-effective compliance programs. Put simply, better compliance measurement leads to better compliance management.”

Unfortunately, the article points out that “… only 70% of firms even try to measure the effectiveness of their compliance programs. And of those that do, only a third are either confident or very confident that they are using the right metrics.” Rather than checking the box for each component of a risk mitigation process, companies need to gather metrics that show the value of each component. What are regulators looking for? While at the DOJ, Chen was tasked with creating the “Evaluation of Corporate Compliance Programs,” published in 2017 to give companies guidelines—not a checklist—for evaluating the effectiveness of their compliance program. Since companies have different risk considerations, a one-size-fits-all approach to mitigating regulatory, reputational, financial or strategic risk will almost certainly fall short. Instead, companies must tailor their processes—from employee and third-party training to compliance due diligence and monitoring for regulatory risk—and validate each component’s effectiveness using meaningful metrics. How does your own risk mitigation process measure up?

Next Steps

  1. See how the ISO 37001 anti-bribery and corruption standard—developed with input from 37 countries—enables risk-appropriate, efficient risk mitigation. Get the eBook now.
  2. Learn more about LexisNexis® Entity Insight, our proactive, PESTLE-based risk monitoring solution.
  3. Share this blog with your colleagues on LinkedIn to keep the conversation going.