VIEWPOINT: CORPORATE AFFAIRS
Five essential elements define what compliance must mean in the current environment
n an age of deepening regulation, it no longer takes, as former HSBC Chairman John Bond once claimed, years of dedicated bad management to destroy a company. Rather, compliance failures can do the job almost overnight. The very best companies know this, and view compliance as not only a ‘must do’, but also as a winning proposition – a differentiator that, instead of putting the brakes on growth, allows the business to speed ahead. In a fast-changing, increasingly digital economy, companies that are not vigilant on this score can quickly go extinct. The problem is that they face ever-stiffer challenges around issues like data privacy and employment conditions – in the IT space, the US, for instance, puts restrictions on people of certain nationalities performing certain types of tasks. Plainly, too, enforcement can at times go overboard – with countries as varied as India, Brazil, Vietnam and the United States all framing rules and regulations in the arena of corruption – which is often the most visible face of ‘compliance’. Business will need to respond to this challenge in an aware, forward-looking manner, which means complying with the law not only in letter, but in spirit. Critically, since compliance standards vary sharply across the globe, firms that venture abroad must be willing to tweak their business models, policies, and review mechanisms to ensure compliance, or else not go out at all. (CEAT, for example, does business in over 100 countries, but if it is unsure about being able to comply with local requirements, it limits its relationship with that country to one of simple trade, without setting up a permanent establishment.) The impetus must come from the top, but real compliance runs deep, extending vertically through the organisation – and into its relationships with partners and third parties.
The very best companies see compliance as a winning proposition – a differentiator that allows the business to speed ahead
Baker McKenzie has built a framework, which it has refined over several years, that identifies and distils the five essential elements of corporate compliance. Together, these elements – leadership; risk assessment; standards and controls; training and communication; and monitoring, audit and response – are meant to ensure that the organisation’s compliance systems stay up to date and receptive to change. All five elements are equally important, but the two that deserve the greatest attention are the first and the last: leadership, and monitoring, audit and response. Leadership means much more than ‘setting the tone from the top’ – which is today a given. Lofty messages, after all, are irrelevant if compliance is getting circumvented at the ground level. Essentially, leadership is about what management does in relation to valuing compliance in the business; having compliance-related KPIs for these individuals; and measuring its own performance on this front. In a nutshell, what is needed is people, at critical points in the business, who not only understand integrity, but are also willing to take that extra step to protect the business. When facing pressures related to paying ‘speed money’, for instance, an organisation can either succumb to it, or it can challenge the status quo. The ideal is to have a leadership that is incentivised not to fall for the temptation to get things done quickly, without caring about the ‘hows’. To support this effort, it is vital to have specific KPIs, to structure compensation and rewards around adherence to certain behaviour norms, and taking a firm line on employees (however ‘valuable’) who do not comply.
Together, leadership, risk assessment, standards and controls, training and communication, and monitoring, audit and response can help ensure that compliance systems stay updated and receptive to change
On the monitoring, audit and response side of the equation, most companies pay lip service to the issue, and many even have well-drafted contractual rights, for instance, to conduct third-party audits. The vast majority, though, have never exercised such rights – and would not know if their third parties are conducting business in ways that are at odds with their compliance programmes. Considering that 90% of enforcement activity globally emanates from third parties arrangements – and that firms operating in India make intense use of them – this is a critical issue. Internally, meanwhile, a good monitoring-and-response system will build clear consequence for compliance failures, and track whether strong compliance adherence is being properly rewarded. Equally, when someone needs to leave for such failures, it is vital not to sweep the fact under the carpet, but instead use that information in a way that creates valuable learnings for the business.
Plainly, compliance is a challenge in India, on multiple fronts. Anti-bribery action, arising from the FCPA and other such legislation, is a particular concern, even for businesses that believe they are ‘compliant’. Making ‘small’ payments of speed-money – no more than USD 100-500 at a time – might seem harmless enough, for instance, but aggregated over months or years, they can add up to a material sum – and thus attract US government attention. The solution is really to have zero tolerance for any such breach, and to support that with a variety of efforts, along several lines.
Working closely and transparently with regulators can pay off in multiple ways, and reduces the risk of falling on the wrong side of the law
The ‘pushback’ on compliance can come from anywhere. One company leases nearly all of its facilities in India, and insists on registering each of its leases. At one point, it came across a registrar who refused to process the papers without kickbacks, and the matter went on for months. To break the deadlock, top management reached out to an industry body, which in turn pushed the case with a state Ministry. In four hours flat, the job was done. The lesson is clear: however unpleasant it may be, sometimes, it is important to escalate matters at the government level. Encouragingly, many state governments are now seeking feedback, and trying to improve their processes, so the payoff from such efforts, for industry as a whole, can be significant.
Another company was struggling with the requirements of obtaining a particular license – which involved a substantial, and quite unreasonable, outlay of capital. Even as it was fully compliant with the spirit of the law, it simply could not comply with it in letter. Bringing the matter to the regulator’s notice, it found a sympathetic ear, but also, given the wording of the law, a helpless one. The regulator’s advice was to use industry bodies to represent the matter before government, and in parallel, to keep writing to the regulator, making sure that an adequate paper trail existed, documenting the fact that the authorities had been kept apprised of the situation.
A good starting point for building a compliance culture is to begin asking hard questions about the challenges that face the business on this score. In India, people are often loathe to do this, but it is always better to know the ground realities, which can only happen by sitting down with the teams and understanding how they manage various issues. In this regard, putting in place an ‘amnesty’ around information can be very useful. One business found, upon running into an FCPA-related matter, that it was employing over 300 third parties to secure various approvals. It subsequently cleaned up its system, bringing down the number of outside consultants down to 5 trusted ones.
Particularly in today’s FCPA-dominated environment, partner- and third-party risk is something to watch out for, and control
Businesses in India must grapple with a multitude of compliance requirements, not only for each individual function, but – in multi-sector firms – also for each brand. Staying up to date on regulation is thus absolutely vital. To achieve this, IBM hired a consultant to create an inventory tool that tracks the varying requirements of each function. It found that, in any given year, it needed to meet over 15,000 individual requirements. The tool is now regularly updated with new/modified requirements, and used to track compliance. More generally, firms must work to ensure that the business owners, process owners, and the Board all regularly review the firm’s compliance requirements and stay up to date with these. In some cases, new regulation can fall into a no-man’s land, so assigning, or better yet, voluntarily taking ownership for it, is essential. IBM’s CFO, for instance, led its internal implementation of a new e-Waste law. Working with outside partners and third parties Given the serious challenge compliance poses at various points along the value chain, organisations must be extremely careful about the partners they work with, and the third-parties they employ. Today, working with entities that are unwilling to invest in compliance is extremely risky. Unlike even a few years ago, the authorities are not easily satisfied with ‘certifications’ of various kinds from third parties, and they now look, instead for clear evidence of compliance. As should be the case internally, firms must have a zero-tolerance policy for their partners. Ensuring this is perhaps more difficult than being compliant oneself, but several measures can help. At one level, companies must embed external monitoring processes, such as surprise audits on their suppliers’ employment conditions, wage policies, and so on. For firms that engage in substantial foreign trade, working with WCO-certified ‘economic operators’ can be a good way of strengthening compliance. Educating one’s partners on issues like the FCPA and its foreign equivalents is also very important. So is laying out a clear escalation path, allowing people both inside and outside the organisation to have a clear view on where to appeal if they face issues. Further, the risks of compliance failure must be clearly assessed, and mitigation measures put in place. Importantly, when things go wrong, the system must be able to identify the wrongdoer, the nature of the transgression, the controls that have been circumvented, and the necessary remediation measures. That said, risk monitoring must be proportionate to its potential impact – because it would be too expensive and time-consuming to track every partner in detail. Moreover, what the enforcement authorities themselves expect is a clear understanding of the firm’s third-party risks, and how these are being managed. (The US authorities are particularly uneasy about indirect sales structures, which tend to be linked to improper payments abroad.) Last but not least, it is vital to continuously challenge the norms, and not get lulled into thinking, ‘This is how business is done here.’
-------------------
This article is based on discussions with Kumar Subbiah, CFO, CEAT and Chandrashekhar Thyagarajan, VP- Finance & CFO, IBM, at the Doing Business Globally conclaves hosted by IMA India and Baker McKenzie in Mumbai and Bangalore in April 2018
VIEWPOINT: CORPORATE AFFAIRS
A successful merger or acquisition rests on solid best practices at the pre-acquisition, deal-finalisation and post-acquisition stages