Ken Chamberlain (ken.chamberlain@csi-group.org) is Managing Director at CSI Group in Moscow, Russia.
Today we face incredible changes in the global business environment and a revolution in digital technologies. It has never been more critical to deliver robust compliance infrastructures, to ensure that your organization’s most precious assets and information are protected against theft or misuse, and to verify the integrity of the people you do business with. The threats are not limited to external parties; they come equally from within, as the volume, frequency, and potency of such incidents gain momentum.
Effective risk and compliance management requires going beyond the letter of the law. In today’s business world and an ever-demanding commercial environment, we face countless dynamic regulations, which often leaves the “business world” uncertain about how to apply the necessary regulatory conditions in its specific business environment. The uncertainty over when to choose the letter of the law versus the spirit of the law can create untold headaches in the effort to achieve “absolute” compliance. This could ultimately lead businesses and regulators to differing conclusions on how to implement these laws.
Leaders face unparalleled challenges
Since the turn of the millennium, we have witnessed a series of events that had global impacts: formerly stable economies (e.g., Italy, Greece, Spain) requiring international bailouts; the 2008–2009 global financial recession; and the ever-increasing number of terrorist attacks, which resulted in the introduction of new laws and regulations, heightened enforcements, and ever-increasing financial penalties. Unprecedented cases of reputational damage and loss of shareholder value now appear with high regularity in the media: WorldCom, Enron, Lehman Brothers, and Bernard L. Madoff Investment Securities, to name but a few. Additionally, when the trusted custodians of endorsing business performance (e.g., Arthur Andersen) become embroiled in scandal, it does beg the question, “Who audits the auditors?” Although trust must never be considered a control, in the words of the late Ronald Reagan, “Trust…but verify.”
Consequently, business leaders now face unparalleled challenges in ensuring their organizations can implement the necessary compliance controls that these new times present and expect.
Business leaders must confirm that their organizations:
- Have a clear understanding of their risk tolerance;
- Perform systematic risk assessments on all their operational activities, both internal and external;
- Liaise transparently and honestly with all regulators;
- Regularly communicate and provide training to all employees to reinforce their accountability for ensuring compliant practices;
- Develop and maintain a culture of integrity;
- Ensure ethics and compliance are embedded components of their business strategies and operational management;
- Have the appropriate financial and operational control mechanisms in place to ensure actual or attempted wrongdoing can be rapidly identified;
- Really know who their business is actually doing business with;
- Make sure employees’ remuneration packages are aligned to compliant behavior;
- Meet with, and communicate with, the chief compliance officer; and
- Identify the points of compromise speedily and effectively mitigate the risk of recurrence.
Organizations will find themselves exposed from a regulatory and enforcement point of view if they cannot show processes and procedures around these metrics.
In parallel, we have also seen extraordinary demands on businesses for increased revenues. This scenario, especially when aligned and supported by improper bookkeeping, results in the pressure to declare and falsely report exponential bottom-line income, with numerous organizations stating assets strongly exceeding their intrinsic value. Collapse was perhaps inevitable, bringing down companies and individuals, and shattering reputations. Some successes were too great to actually believe. Widespread redundancies; corporate insolvencies; collapsing property values following commonly witnessed mortgage frauds; stock price crashes; and banks folding, leaving customers financially exposed, led to rampant acrimony, ultimately resulting in regulators having to take enforceable countermeasures.
So many far-reaching laws, to highlight but a few, have been introduced: from capital adequacy to anti-money laundering, to counterterrorism financing, to data protection, to anti-bribery and corruption, to consumer protection. Each significantly impacts the immediate and future regulatory landscape. Add into the mix cultural differences, differing regional business values, and respective interpretations on how to implement policies in practical ways, and we’re right back to the confusion between applying the letter of the law versus the spirit of the law. All this brought a determined focus by regulators to build compliance programs and increase the culpability of executives and employees to prevent misconduct.
One may even legitimately ask, “Can I ever be totally globally compliant?” The truth is, probably not!
Achieving the three lines of defense (i.e., operational management, effective risk management and Compliance functions, and independent Internal Audit) requires effort, resources, and commitment supported by not just the tone at the top (as words and actions can sometimes be polar opposites) but by providing the necessary financial investment and a zero tolerance policy toward offenders and violations.
Organizations must never adopt a “too proud to ask” culture. Where any uncertainty exists, external experts should be considered and employed to independently assess the existing frameworks and infrastructure and provide objective guidance on achieving the necessary success.