Compliance risks are an inherent component of global business in the 21st century; many risks are familiar and some are new, but all can inflict potentially critical damage on an enterprise. At the same time, there are nascent signs that the ethics and compliance (E&C) discipline is maturing in many respects, and that many E&C programs, in the words of one expert, “occupy a moment of great opportunity.”
The 2014 Risk Forecast Report from the LRN Ethics and Compliance Alliance (ECA) finds E&C leaders confronting continued pressure—from lawmakers, regulators and corporate management—to demonstrate that their programs effectively address a broad range of very specific organizational risks. As many manage with tightened budgets, they are increasingly challenged to integrate their efforts ever more closely with the core day-to-day business functions of their organizations.
This year’s Risk Forecast Report features 11 ECA experts scanning the compliance horizon for potential concerns, likely developments and important regulatory and compliance challenges. While each expert examines her or his own field, several common themes emerge. Among them:
- Within the governance structures of many companies, some E&C programs have gained sufficient gravitas and credibility to enable them to have a significant impact on organizational culture and level of misconduct. Critical to that progress is the level of oversight and engagement exercised by a company’s Board of Directors and the positioning of the Chief Ethics and Compliance Officer within an organization’s reporting structure.
- Digital technologies are complicating and transforming the work of E&C officers around the globe, generating major new risks in almost every subject area, but also offering exciting new potential solutions, especially in large-scale enterprises. Privacy and data security are critical concerns across national borders and multiple technology platforms.
- The audiences for ethics and compliance messages—multigenerational, multicultural and geographically diverse—can be difficult to reach and hard to impress. Communications and education initiatives in E&C programs need to seek new levels of employee engagement by exploring blended learning techniques.
Investigations and Prosecutions
Corruption and bribery continue to be leading concerns for ethics and compliance leaders, writes ECA expert Michael Fine (Anti-Corruption and Bribery: Vigorous Enforcement Continues), with one recent survey finding that nearly 40 percent of corporate executives think they may be required to investigate allegations of employee bribery over the next two years. Fine anticipates continued aggressive enforcement of the U.S. Foreign Corrupt Practices Act (FCPA) and slow but steady growth in corruption and bribery prosecutions by other nations.
Amidst those enforcement initiatives, Fine notes the growth of compliance program “assessments” and associated “verification” measures that test the quality of a company’s anti-corruption efforts. There is also new emphasis on anti-corruption and supply chain management, as companies are increasingly being held accountable for the conduct of their suppliers and distributors.
Fine also points to a trend toward “collective action,” a term referring to several different types of joint voluntary action by businesses designed to supplement traditional government enforcement. One example is “integrity pacts,” which contractually commit bidding companies to specified minimum integrity standards, together with oversight and enforcement mechanisms.
FCPA vigilance is well-advised, concurs another ECA expert, Bradley J. Bondi (SEC Enforcement and Compliance Priorities: A Renewed Focus on Enforcement and Accountability). He reports that violations of the internal controls provisions of the FCPA are a current priority of the staff of the Securities and Exchange Commission (SEC) and its Chair, Mary Jo White, who assumed leadership of the agency in April 2013.
“There is real concern that the DOJ (Department of Justice) and SEC may be setting the stage to charge independent directors and members of audit committees for knowingly failing to implement and/or maintain systems of internal accounting controls sufficient to provide reasonable assurances that transactions and assets are properly authorized and recorded,” Bondi writes. “In particular, directors may face internal controls charges for failing to implement the controls necessary to prevent improper payments, even in instances where the director himself or herself is not aware of the improper payment itself.”
The SEC has also sharpened its focus on investigating and pursuing alleged accounting misconduct, as well as insider trading, according to Bondi. “The uptick in SEC enforcement actions likely will not wane anytime soon,” he concludes. “Rather, with a new Chair at the helm of the agency, the SEC is more hard-charging than ever in its investigations and enforcement actions.”
Dealing with the U.S. Government
“Doing business with the government is not for sissies” is how one government contractor recently explained his experience. ECA expert Eric Feldman (Government Contracting: Surviving the “New Normal” of Instability) cites that quote and seems inclined to agree.
The U.S. government’s budget sequestration in 2012, followed by the 2013 government shutdown, “was like a tornado ravaging a town after an earthquake,” Feldman writes. Unfortunately, the worst may be yet to come, as automatic spending cuts in 2014 promise to be far more painful to both federal agencies and the contractors that support them.
Intensified competition for fewer contracting opportunities can create a high-risk environment within companies, according to Feldman. Employees “may feel motivated to ignore or marginalize their company ethics and compliance programs and use whatever information is at their disposal—even prohibited government or competitor acquisition data—to give them an edge in the bidding process,” he warns. “Such ill-advised actions will lead to government investigations, prosecutions, suspensions and debarments and increase the risk for contracting officials who might be entirely unaware of such behaviors within their companies.”
Ted Banks (Antitrust and Competition: Understanding the Risks) reports that the U.S. Justice Department collected more than $1.1 billion in criminal fines for antitrust violations in fiscal 2012; it also charged 16 corporations and 63 individuals with criminal antitrust violations, and courts imposed 45 prison terms with an average sentence of just over two years per defendant.
E&C programs should anticipate continued aggressive antitrust enforcement, according to Banks. And compliance officers need to insist on a seat at the table as acquisitions are being considered. “When a horizontal competitor is the acquisition target, insist that there be a good explanation as to why the transaction should be allowed to be consummated, in language that you can understand,” Banks advises. He also recommends due diligence review of the compliance programs of acquisition targets.
Such efforts are necessary even though the DOJ’s Antitrust Division regards compliance programs with “disdain,” according to Banks. “The official position of the Department of Justice is that, alone among all of the areas of criminal law that it enforces, antitrust compliance programs do not earn any credit when it comes to sentencing for an antitrust violation, since antitrust goes to the ‘heart’ of the company,” he writes. “Why this is so has never been explained, but that should not stop you from insisting on an effective program.”
For companies whose products are shipped from the U.S. and sold internationally, the federal government’s Export Control Reform Initiative (ECRI) will continue to dominate the trade compliance arena in 2014, according to Marian Ladner and Thomas Scott III (Trade Compliance: Implementing Export Control Reforms).
Export control responsibility for numerous lower-level defense articles was transferred last October from the State Department to the Commerce Department; as a result, Commerce now has jurisdiction over both dual-use articles (items with both commercial and military utility) and certain lower-level defense articles.
“Commerce Department controls rely more extensively on self-regulation than do the State Department controls, and as more items are shifted from State Department control to Commerce Department control, the level of required self-regulation will only increase,” write Ladner and Scott. They recommend that compliance officers have a strong understanding of the revised regulation and ensure that their engineering and information technology departments are directly involved in the process of reviewing products to adapt to ECRI reform.
The American humorist and writer Mark Twain once famously wrote, “The clothes make the man.” Well, more than a century later, ECA expert Marcia Narine reports that the definition of “clothes” has been the focus of a U.S. Supreme Court decision with important implications for worker compensation.
In her analysis (Labor & Employment: New Cases, Important Rulings), Narine explains that in the case of Sandifer v. U.S. Steel Corporation, workers argued that despite the terms of their collective bargaining agreement, they should have been paid for time spent putting on or taking off protective clothing in the locker room and for travel from the locker room to their workstations. The Court concluded, however, that the hard hats, gloves, steel-toed boots and flame-retardant suits which workers “donned and doffed” fit the definition of “clothes,” and therefore changing into their protective gear is not compensable under the Fair Labor Standards Act.
Narine also notes that as a result of the Supreme Court’s recent ruling in Lawson v. FMR LLC, protection of whistleblowers stemming from Sarbanes-Oxley now extends to potentially millions more employees, because it applies not only to publicly held companies but also to employees of privately held firms that contract to perform work for those companies.
Narine recommends that E&C professionals keep an eye out for Supreme Court rulings in coming months, including on a case affecting the President’s ability to make recess appointments to the National Labor Relations Board.
Digital Media: Risks and Rewards
And then there are compliance challenges posed by a host of digital technologies.
Robert Bond (Privacy and Data Protection: The View from Europe) offers perspective on a variety of those issues, especially the long-awaited proposed European Data Protection Regulation, which is likely to be approved in the current European Parliament and, if so, would probably come into force in approximately two years, according to Bond.
The proposed Regulation contains several hotly debated measures. For example, the Regulation would require many large organizations to appoint a Data Protection Officer (DPO) with expert knowledge of data protection law who “may only be dismissed if he no longer fully fits the conditions for the performance of his duties,” Bond writes. “In other words, a DPO cannot be dismissed for convenience.”
The proposed Regulation also introduces a new “right to be forgotten”—now being called the “right to erasure”—which would enable data subjects to obtain erasure of data the subject had provided to a data controller; third parties with whom the data has been shared would be required to do the same. The right to be forgotten has attracted “significant criticism,” Bond says, and some critics suggest it may be unworkable in practice.
As the data debate rages in Europe, Michael Salvarezza (Records and Information Management: Dealing with “Big Data”) addresses a more fundamental question: “What exactly is a record and what exactly should be managed, preserved and disposed of in the world of ‘big data’ analysis?”
Many companies, for example, are abandoning efforts to control which digital devices are used by employees in favor of a BYOD (Bring Your Own Device) approach. Tracking and storing corporate data on those personal devices can be difficult, however, and many companies are electing to move all or part of their infrastructure to computer storage “in the cloud,” frequently owned and operated by third parties.
“Traditional records retention schedules are fast becoming obsolete,” writes Salvarezza, noting that corporate records managers who have employed retention schedules to detail appropriate retention periods and records disposition actions are now faced with adjusting their thinking.
Indeed, the explosive growth of social media networks means “increasing attention must be paid to how new technologies are being incorporated more broadly into the fabric of an enterprise,” advises Michael Connor (Social Media: The Challenge of Managing Millions of Friends).
Only a few years ago, Connor writes, a principal compliance worry was whether a company’s reputation and its business could be damaged by employees’ personal postings on Facebook. Now, the E&C spotlight needs to focus as well on a company’s own marketing and advertising efforts. One recent study concluded that 77 percent of Fortune 500 companies have active Twitter accounts while 70 percent are now on Facebook. Privacy and data protection on social media platforms are critical concerns.
Every company should have a social media policy, says Connor. “An effective policy should be simple, consistent and tightly aligned with a company’s code of conduct,” he writes. “Whatever the company code for in-person encounters, and whatever the rules for general good behavior, they apply in the online world as well. Potential penalties for violations, including dismissal, should be made clear.”
E&C Programs: Managing and Communicating
E&C leaders should know that their programs now occupy “a moment of great opportunity,” writes Rebecca Walker (Program Management: Board Oversight and Reporting Structures). “No longer viewed as merely an adjunct to the law department or internal audit or as merely a hedge against the possibility of a future prosecution, some E&C programs have gained the gravitas and credibility to enable them to have a significant impact on the culture and level of misconduct at organizations.”
Key factors in ensuring the standing of an E&C program within an organization, according to Walker, are the level of Board oversight of and engagement regarding the E&C program and the positioning of the Chief Ethics and Compliance Officer and the compliance program. “In order for Board-level oversight to create the right level of independence for an E&C program, the appropriate person within the function should be providing information to the Board—in an unfiltered manner,” she argues.
Getting your entire organization on board with the ethics and compliance message is critical. And “designing effective compliance and ethics education programs that reach diverse audiences across multiple time zones, in a progressive and innovative manner, is emerging as the new necessity,” says Marsha Ershaghi Hames (Education and Communications: High Expectations for User Engagement).
In the 21st century digital world, according to Ershaghi Hames, employees expect “on-demand access to knowledge” in an environment that is more informal, social and integrated 24/7. “The profile of today’s learner is one with multiple layers of distractions and information overload,” she says. “Critical content needs to connect with them in short, easy-to-digest segments that can be applied in practical and relevant ways.”
The weaknesses of many E&C education programs—such as online training fatigue, content that is irrelevant to many employees and passive learning—can be countered with what Ershaghi Hames describes as blended learning, which includes a range of delivery formats (e.g., online, mobile, live), instructional strategies (e.g., scenario- and game-based learning) and communication tools.
As we read through these reports by our ECA experts, we were struck by the diversity and complexity of the risks they analyzed and the challenges involved in working to create ethical cultures that address and mitigate those risks. For ethics and compliance leaders, the 2014 agenda certainly seems full.