Christopher Sindik, CFE
Senior Associate, Professional Services | The Red Flag Group®
It is the time of year to peer into the preverbal compliance crystal ball and pontificate on what is to be in 2019. There are certain trends which are obvious and lead us to the same conclusions year after year, such as:
- The value of compliance will grow and more people will see its importance.
- International enforcement of bribery laws will expand.
- It will be a new record-breaking year for FCPA fines!
- Technology is going to shake how compliance works to its absolute core.
As those headlines seem to be evergreen as January rolls around each year we, instead, want to look at some of the bolder and less safe predictions for 2019.
- The government is going to comment on or elude to the ISO 19600 or 37001 in an enforcement action against a company or FCPA guidance – So far, there hasn’t been an officially official comment on the standards or how they might play into the meat and potatoes of a supreme corporate compliance failure (AKA a “$” followed by somewhere between 5 and 9 zeros).
The ISO standards have been around for a couple of years now and some doubters think they lack teeth. There are some that argue it only mimics what’s in the FCPA Guidelines, UKBA and beyond so why have both and spend the extra money getting certified? The response to this argument is: it is better to be proactive with improving your programme and conducting a gap analysis before the feds come knocking. It is also a way to know your programmes are in line with guidance provided by the government with an independent accreditation for all to see. Many companies benchmark their programmes regularly but very few will announce the findings publicly. Getting certified is a good way to build up a reputation (or fix up a tarnished one) for a solid and defensible anti-bribery programme. This can instil confidence in customers and perhaps the government if this prediction holds true.
Nevertheless, the “wait and see” approach to ISO compliance certification will begin to tip when there is more of an official stance on the topic.
Want to learn more about ISO Standards? Register for our upcoming ISO webinar here!
- There STILL won’t be any real enforcement action or fallout for the Calif. Transparency in Supply Chain Act, conflict minerals or the UK Modern Slavery Act.
Remember these three government actions that created a storm of activity of the time? They made big splashes when they were introduced in:
2010 - California Transparency in Supply Chains Act
2010 – Conflict minerals disclosures via the Dodd-Frank Act
2015 – Modern Slavery Act
One compliance executive in 2011 even stated privately that it might be of collective burden to go into The Democratic Republic of Congo and surrounding areas, hire an army and try to solve the atrocities themselves instead of dealing with the headaches of the Conflict minerals disclosures. This is undoubtedly a flippant view of the human strife in the DRC region, but it shows how seriously these governmental directives were taken at the time.
Skip to 2019 and beyond where we have seen the tactic of some of these acts to “name and shame”. Essentially it was an effort to embarrass companies into addressing real issues that plague the world. Make no mistake that these acts are aiming to tackle serious and dreadful problems. However, companies need only to post 1- or 2-page letters on their actions to comply with them. True that many hours need to go into the research and sometimes audit of the supply chain, but it seems that these laws are not kicking up the fuss that perhaps the government intended. These type of “research and publicly disclose your failures” laws by regulators target the ego or reputation of large companies but it seems like they target might have been (and still is) off the mark.
To deal with these issues companies instead need to look not feel the naming and shaming via a public disclosure but instead be proactive in the monitoring of their supply chain and to better understand at the onset, who they are working with.
- Compliance programmes in Asia will grow by leaps and bounds
There were several scandals in 2018 that rocked some very large Asian companies and the fallout is still being felt. As we’ve seen in the past, the compliance function sometimes moves slowly and reactively to such news. The shock waves of major scandals have since died down in 2018 but now is the time for many of the lofty statements to turn into actions in the form of improved policies, processes and personnel.
Here at The Red Flag Group (who is headquartered in Hong Kong, if you didn’t know), we’ve seen firsthand a great spike in interest in China, Korea, Japan, Singapore, Hong Kong and other major Asian business hubs in the form of increased budgets and appetite for compliance improvements. The laws in the country are changing, the mentality of executive leadership is changing, and compliance programmes are changing in Asia. What does this mean to companies outside of the region? Expect more from companies doing work in these countries in terms of compliance controls as they develop. Additionally, for companies headquartered elsewhere but operating in Asia, it is time to inspect and probably improve the compliance programme if it has gone unchanged or unchecked.
- Artificial intelligence is going to write a bunch of bad due diligence reports
Technology sure is great, isn’t it? Now that we all have smartphones, blockchain, APIs and predictive analytics, information is quick, cheap and easy to find. So much so that now programmes can be written to scrape the web for articles on all the bad things that companies are doing. From there, reports can be automatically populated in just minutes and delivered to you. The only bad part… the reports are generally a mess, overpriced and lack any real information that might be truly helpful.
There are plenty of uses for technology in the due diligence and compliance functions. However, nothing can be substituted for the analysis, interpretation and critical thinking of a skilled due diligence researcher. While a computer programme could put together a due diligence report it is often an amalgamation of databases with little beyond raw data and boilerplate, generic commentary. This can lead to information overload and irrelevant findings, causing the need for follow up and a need for companies to do extra work themselves.
There is a place for technology in the world of integrity due diligence, but it should be used as a tool for the compliance practitioner, not to replace the compliance practitioner.
- More companies are going to move to a centralised compliance model
There is often a debate that companies have about whether to employ a centralised or a decentralised compliance model for their compliance programme. By centralised, it is meant that a compliance head office is tasked with making more of the decisions for business operations as it relates to integrity and reputational risks. In this model, there is, more or less, a single set of rules that need to be followed globally.
On the other hand, with a de-centralised model, each business unit/country/subsidiary or similar subsection of the company is tasked with making more of their critical decisions and only certain types of high risks are brought into a central compliance function. Similarly, each sub-group has more autonomy to draft their policies and procedures in accordance with how they do business.
As it has been seen with many enforcement actions, a lack of internal controls can be blamed for compliance failures. When parts of the business are left to establish their own compliance controls (albeit with oversight from a CCO) there could be more open space for graft. A decentralised model can be a necessity for compliance functions that lack sufficient resources as they simply can’t manage the sheer number of tasks in their docket. As a compliance programme grows and matures, the centralised model can appear to make more sense. This isn’t to say that a centralised model is necessarily better than a decentralised one, but it is an area where we see a shift coming.
Watch this space in January 2020, when we will look back at these predictions and see how closely our vision of the future with reality matched with reality.