Companies across the world are not backing up their rhetoric on compliance with the appropriate level of resources and prioritisation, says a research report from Control Risks, the specialist risk consultancy.
The annual report of international business attitudes to legal and compliance risk, published today, is based on a survey of senior executives responsible for compliance at 1,000 companies worldwide. The research reviewed a broad range of global compliance issues, from anti-corruption, to anti-money-laundering, anti-trust, privacy and data protection.
Control Risks’ research has shown that large companies (those with more than 10,000 staff) are still not putting enough resources into compliance. A quarter of these companies surveyed (26%) reported that they invest less than $25 per person a year on compliance. Similarly, 28% of large companies have compliance teams of just five people or less.
The extent to which compliance functions are stretched contrasts with the increasingly aggressive and joined-up activity of enforcement agencies across the world and the punitive fines imposed on companies for non-compliance.
In 2016, 30 companies were fined a total of US$2.4 billion for non-compliance under the US Foreign Corrupt Practices Act (FCPA), for example, and in the UK the Serious Fraud Office (SFO) is stepping up its efforts to enforce the UK Bribery Act.
In January 2017, Rolls Royce paid £497 million ($616 million) to settle a longstanding SFO anti-bribery investigation, as well as a further $170 million to the US authorities on related charges.
Richard Fenning, CEO, Control Risks, said: “Companies are in danger of putting themselves at risk by failing to prioritise and integrate compliance within their businesses. Whilst the necessary investment will vary widely between organisations, many companies are woefully under-resourced to deal with the increasingly complex, constantly evolving and often contradictory regulatory environment.”
“Those companies that get it right recognise that, as well as mitigating against heavy fines, legal fees and reputational damage, well planned and executed compliance risk management can help capitalise on opportunities that they would otherwise miss, especially in high-risk markets.”
>See also: What Brexit and Trump mean for compliance
The research further highlighted that senior management need to be more receptive to compliance issues. There is no single compliance model – nor should there be – however, only 27% of respondents reported that their companies’ chief compliance officers attend all board meetings. Furthermore, only just over half (56%) of large companies said they have an ethics and compliance committee.
Compliance officers must also be more pro-active in managing compliance risks and trying to mitigate issues before they arise. There is a tendency to rely on whistleblowing to detect misconduct (64% of companies); in contrast only 41% of the organisations surveyed use compliance audits and just 18% use surprise fraud audits.
Although resources for compliance teams may be stretched, the research showed the significant opportunity for companies of all sizes to make better use of technology across multiple areas of compliance, including risk assessment, real-time monitoring and mitigating cyber breaches. However, the greatest opportunities lie in risk-based third party management, anti-money laundering and fraud prevention.
Global consistency in compliance is essential and the survey showed that a majority (55%) of companies reported that their compliance policy applies worldwide, without any local exceptions. The UK is one of the best performers, with nearly two thirds of companies (63%) having a single global policy, compared, for example, with the USA (just 51%).
However, 40% of companies have local policy exceptions for gift-giving (33% of UK companies, compared to 44% of USA companies), 30% allow “permitted interactions with government employees’, and 20% permit the use of “facilitation payments” to expedite services to which they are entitled (inevitably leaving them in breach of local laws as well as the UK Bribery Act).
Fenning continued: “Compliance policies must be globally consistent but also locally translated and relevant, with guidance for example on specific circumstances such as dealing with tax inspectors in countries where demands for bribes are commonplace. Local variations in most cases should be tighter than the global standard.”
“A key message for many compliance departments is that they could work smarter. One of the most effective ways they can do this is by making better use of technology to manage risks pro-actively and cost effectively rather than rely on whistle-blowers to inform on potentially damaging issues after they have occurred.”