Enterprise-wide Compliance Management Programs
It takes less time to do a thing right than it does to explain why you did it wrong.
HENRY WADSWORTH LONGFELLOW
The death of Enron and Arthur Anderson
The infamous dissolution of Enron in 2001, the American Corporation which ran into serious compliance violations, acted as a catalyst in getting the business world thinking about the ‘what if’ of compliance. The scandal drove Enron to its death. Arthur Anderson, one of the famous ‘Big 5’ accounting firms in the world, died with Enron, leaving the world with the ‘Big 4’. Enron’s demise taught the world several lessons in Compliance. The key one being – it’s better to prevent a fire than let it destroy you.
SOX and the emergence of Compliance Programs
Enron led to the enactment of the Sarbanes Oxley Act (SOX), 2002 in the U.S. which demanded greater accountability by boards and top executives. In 2004, the amended U.S. Federal Sentencing Guidelines introduced powerful incentives for corporations for promoting a compliance culture. In 2010, the ‘Good Practice Guidance on Internal Control, Ethics and Compliance’ adopted by the OECD Council urged companies to promote a comprehensive system of ethics and a culture of integrity. In 2016, France came up with Sapin II a legislation which mandates Corporates of a particular size to implement an effective compliance program to prevent and detect corruption. India amended its Corporate Governance norms in 2004 broadly derived from SOX which require the top management to certify to the board that a robust compliance management program has been established which has led to several top Corporates implementing enterprise-wide systems, both in automated and non-automated environments.
Challenges in building an effective global Compliance program
Firstly, the sheer numbers. Businesses in every country, need to comply with numerous obligations under hundreds of applicable laws, rules and regulations, for default of which the Company and/or its officers are liable to varying degrees of punishments and fines or both. The sheer number of compliances a Company is obligated to honor, boggles the mind. Where do you focus?
Secondly, the differences in the legal and regulatory environment in various countries, apart from differences in cultural expectations and practices, make it impossible to design a one-size-fits-all program. In the U.S., most authors cite the guidance provided by the U.S. Sentencing Commission in Chapter 8 of the Federal Sentencing Guidelines as the guiding principles. However, globally, the definition of what constitutes an effective compliance program remains elusive.
Thirdly, in the profit-focused, capitalistic business world, compliance is viewed as a Cost vs. Return proposition. It isn’t. In 2018, Harvard Business Review ran an article ‘Why Compliance programs fail and how to fix them.’ Caught up entirely in the economics of the thing, the article completely ignores the fact that compliance is not a choice. A business must comply with its legal obligations, regardless of the costs. Ignorance of law is neither an excuse nor an admissible defense.
Things to remember while building a global compliance program
What many global compliance programs seem to lack is an enterprise-wide systemic approach and an equal focus on local country-level compliance.
1. At an organizational level, Compliance can be achieved through an end-to-end system containing management processes which identify the applicable requirements (defined in laws, regulations and policies), assess the existing state of compliance through audit, assess the risks and costs of non-compliance and finally prioritize, fund and put in place a pro-active compliance management system suitable to the needs of that particular business which should be regularly audited. A number of Indian firms offer cost-effective automated (and non-automated) end-to-end compliance management systems that can be adopted as a best practice.
2. Global businesses must make sure the compliance management program has a dual focus -both at global and local level. Most global Compliance programs focus on laws viewed as critical by the parent. These are usually laws with extra-territorial reach and/or those that may lead to cross-border co-operation and multi-country government investigations (e.g., anti-trust and anti-corruption) bringing the focus of compliance programs on some laws more than on others. However, every country is sovereign and is ruled by its unique laws, rules and regulations. For the most part, other than laws which have extra-territorial jurisdiction such as the FCPA, most compliance risks arise at a local level and are best mitigated locally. Thus, a global compliance program must be localized and equal focus must be laid on local compliance programs.
3. Ideally, a compliance program should be designed end-to-end and implemented enterprise-wide both at global and local levels. However, this might be impossible to achieve due to the sheer number of compliances. Much can be achieved by prioritizing high-risk areas and taking one step at a time.
Key to a successful compliance program is to identify best practices, learn from each other and continuously improve.
With the emergence of compliance, the General Counsels role has shifted from a ‘barrier’ to an ‘enabler.’ From a person who explained to you why what you did was wrong and how to mitigate the damage, to someone who told you how to do it right in the first place.