Compliance – not Complacence

How proactive compliance beats reactive every time

I read an article recently in Kroll’s blog entitled “Serious Fraud Office’s second DPA highlights lessons for global organisations and their subsidiaries.” As Convercent’s London-based director, I wanted to provide my response to this approval.

UK Serious Fraud Office (SFO) secures its second DPA

Unremarkably, perhaps, the SFO secured its second Deferred Prosecution Agreement (DPA) in July 2016 – but what is remarkable about the judgement is its direct relevance to every compliance officer, regardless of location and industry.

The judge said that he placed ‘very considerable weight’ on the co-operation demonstrated by the as-yet-unnamed company concerned and commented that self-reporting and implementing effective compliance structures ‘must be rewarded …’

He also described the company as having pursued a ‘genuinely proactive approach to the (bribery) wrongdoing it uncovered’. Concerns had only come to light in August 2012 and a law firm was retained to undertake an investigation by early September. An initial oral report was made to the SFO within a month and the subsequent report, providing ‘comprehensive information’, was based on the results of what was an extensive internal investigation. These actions were directly in line with the DPA Code of Practice, which provides that co-operation includes identifying witnesses, disclosing their accounts and making them available for interview.

As a further factor in favour of the DPA being in the interests of justice, the judge noted that the company is now culturally different to the one which committed the offences and, in particular, it had dismissed two senior employees implicated in the conduct, cancelled contracts with suspect agents (investigations revealed the systemic use of bribes) and withdrawn from suspicious potential contracts.

Crucially, the judge noted the position of the U.S. parent company – which had been ‘entirely ignorant’ of the conduct issues, but once those issues were discovered was ‘beyond reproach’; indeed, it was only the implementation of an enhanced global compliance programme by the parent that originally identified the issues.

Additionally, as a result of the ‘level and nature of (exemplary) co-operation’, the SFO did not seek the maximum financial orders and costs available to it and also did not ask for the costs of the investigation to be recovered – something which, legally, it could have done.

 Compliance – not Complacence

Whilst the ultimate outcome of this case has much to applaud, what is intriguing for anyone involved in compliance is the fact that use of any intermediary or agent in a transaction should always be subject to additional scrutiny – even more so when they are helping to win business in a country that is not their home location. There is plenty of high-quality, well-documented evidence that shows a large proportion of business won using intermediaries or agents involves bribery – often because the intermediary or agent is in a commission-only role and has to win business to get paid, or because the company wants to win the business but equally wants to distance itself from any bribery. In this case, 28 contracts worth some £17M ($22M) out of the 74 investigated were found to involve bribery – but, often, whilst boards and senior officers of a company might have their suspicions, they can be reluctant to intervene when it might damage revenues and profits, on which they are rewarded.

Company compliance programmes can sometimes obey something of a saw-tooth pattern; commitment, investment and interest is low and the programme sits at the bottom of the hypothetical saw-tooth until the time comes that there is a problem – affecting the company or industry – that demands an investment of significant monies and resources. The programme then moves up the saw-tooth until the point that the problem recedes, whereupon the compliance programme is allowed to decay, at least until the next time – hence the saw-tooth pattern.

The problems with this entirely reactive and complacent approach are clearly manifold; periodic investment of this type is hugely expensive, the company is inevitably in a poor position to anticipate and react and, overall, there is no evidence of an effective compliance programme of the type necessary to satisfy regulators and keep the company out of the courts.

Risk Matrix
Risk Matrix

Conversely, an effective proactive compliance programme brings with it a huge range of tangible and intangible benefits, both seen and unseen. In this case, for example, a well-managed compliance risk programme would – without question – have identified bribery as a risk, a risk then compounded by the use of intermediaries and/or agents. That analysis would have put it in the top right-hand quadrant of the compliance risk matrix which would – or at least, should – have resulted in investigation and risk mitigation such that the DPA would never have been required

Linked to this, for many years companies have often focused on what is termed ‘input compliance’; essentially, get the inputs – such as training and testing – right and the company will be compliant. Unfortunately, that approach no longer holds, and companies need to focus both on input and output compliance – where, for example, technology brings together both whistle-blower and wide-ranging HR data to identify retaliation, which can often still be taking place despite perhaps the best training, policies and intentions. Similarly, the internal investigations in this case – which won praise after the event – can be largely avoided if a proactive approach is taken to join-up internal audit, compliance and security, for example, such that compliance issues are anticipated – rather than only appearing over the horizon when they have reached problem dimensions.

A proactive programme brings with it the ability for a company to be ‘demonstrably compliant’ – not only compliant but able to prove and demonstrate it to law enforcement, regulators, press, critics, competitors, shareholders and other stakeholders. Moreover, done well, it is a significantly less expensive approach than panic, event-driven periodic investments – and brings with it the dual bonus of both taking a company onto the compliance ‘front foot’ and delivering the ‘three wins of compliance’ – a compliant company, achieved at optimum cost with the ability to leverage and win business through a reputation for compliance, and ethics.

DPA’s – Background

DPA’s were introduced to the UK in 2014 and represent an agreement reached between a prosecutor and an organisation which could be prosecuted, under the supervision of a judge. DPA’s can be used for fraud, bribery and other economic crime and the agreement allows a prosecution to be suspended for a defined period provided the organisation meets certain specified conditions.

DPA’s enable a corporate body to make full reparation for criminal behaviour without the collateral damage of a conviction which might, for example, include sanctions or reputational damage – damage that could destroy the company and associated jobs and investments.

Sources, Links & Credits include: