For companies that are serious about being proactive and that see compliance as a competitive advantage rather than a box-ticking exercise, we believe several lessons can be drawn from our background in helping organizations see around unexpected corners — whether those be geopolitical in nature, compliance related or high-stakes security and risk.
Below are six common pitfalls and blind spots related to building and maintaining a compliant organization:
1. Failing to look at the external operating environment in your compliance risk assessment
Situation or market-driven factors, including political developments such as elections and rising geo-political tensions, are just as likely to lead to elevated compliance risks as weaknesses in companies’ compliance programs. Sometimes, even organizations with highly sophisticated programs find themselves in the wrong place at the wrong time or are simply unprepared for major market occurrences from a compliance perspective. Incorporating assessments on external developments into programs can reduce the likelihood of this happening.
This is naturally more practiced in the environment, social and governance space, and less so with regard to anti-bribery and corruption (ABAC), fraud and even — to an extent — sanctions risk. By extending this practice to risk assessments, disciplined companies can better focus on situation or market-driven compliance risks, and therefore draw from those risk assessments to model locally or situationally appropriate solutions (e.g., for local engagement strategies). Companies can also use this to enhance controls in high enforcement or highly politicized environments.
2. Considering impact only in terms of compliance enforcement
Compliance breaches or failures have consequences far beyond regulatory sanctions; they can create significant challenges or obstacles to business, locally and in other parts of the world. Indeed, compliance-related crises are on the rise globally, involving loss of licenses, civil society action against companies, disruption to operations and businesses and regulatory pressure. These issues can have significant reputational, operational and financial impacts. Considering broad-based impact is an excellent starting point to create linkages between compliance risk managers and other parts of the business.
This approach has two immediate benefits: first, it enables compliance teams to secure buy-in from the business and to draw on business resources to identify realistic options to remediate significant compliance challenges. Second, it raises awareness within compliance and other business teams to spot when a compliance breach might trigger other risks — a step which is critical to avert risk contagion and to contain and properly manage these risks.
3. Over-focus on list-based, reactive sanctions management
Taking an overly legalistic or black-and-white approach to sanctions management that relies on checking individuals and entities against specially designated nationals and other lists is no longer optimal or appropriate. The new order of sanctions is fast-moving and not necessarily tied to a widespread sanctions regime. Some sanctions regimes (e.g., Europe vs. U.S. on Iran sanctions) compete and are mutually exclusive, and others are not even labeled as “sanctions” (e.g., those against Qatar). Factoring country or industry risk into your sanctions assessment means that you can flag up potential or high-risk parts of your business that may come under or be associated with sanctions because of changes in the political environment.
4. Failing to achieve a sustainable use of resources
Most if not all compliance teams would be significantly more successful in their missions if they had limitless resources at their disposal. In truth, resources are often scarce and teams need to weigh carefully where they will deploy them with the greatest impact. Using a comprehensive, risk-based approach and being creative in considering both internal and external factors when benchmarking and prioritizing where best to place resources and conduct proactive testing (see point 5 below) can go a long way to help compliance managers make the most of what they’re given to work with. The first step in achieving this objective is typically for companies to look back at their baseline risk assessment and align annual strategy plans to the areas flagged as “highest” risk. That is easier said than done when teams also need to cope with daily, transactional support to the business.
With that in mind, the second step is to think about optimizing resources. If you have a small team, it could be a suboptimal use of its time to be conducting due diligence research. There may be more efficient ways to outsource and manage output from specialist providers. Considerations such as seniority and levels of experience are relevant to make this decision. Compliance management technology tools have significantly evolved over the past few years: there are more options for compliance teams to use economical, centralized management platforms. Many companies find this lightens the burden on their in-house team, allowing it to engage with business units to build capacity or tackle specific or more systemic compliance issues.
5. Not testing, monitoring or doing on-the-ground checks
Even programs that look fantastic on paper need to be assessed for their suitability in practice. Companies that fail to conduct regular audits and proactive testing and monitoring are less likely to identify shortcomings in the practical application of their program. In turn, companies that prioritize such work correctly through the focused application of the right tools can efficiently use testing with the greatest possible impact, even if those companies are working with limited funds. Data analytics and transaction testing tools, which are highly resource-efficient, are an excellent starting point for testing and monitoring. Their application allows companies to tie together different data points or data sets as well as to map flashpoints in their organization where they need to dedicate more resources.
6. Generic ABAC training
Training that is general and not tailored to specific job functions by definition has limited applicability for different parts of the business where risks are the highest. Companies that go the extra mile and develop training programs aimed at specific job functions like accounting will have a greater impact. Where real-life case studies are used during trainings, they should be adjusted for different trainings to speak to the specific audience at hand and focus on applicable remedial measures or management strategies and lessons learned from the company itself. The focus should be on questions like “What did we do wrong to get into this situation?”, “What can we be better at?” and “What challenges would you and your job function face dealing with applying these management strategies, and where would you look for internal or external support?”
Maria Knapp is a Senior Partner of Control Risks’ Compliance, Forensic and Intelligence practice covering Europe and Africa, supporting clients in designing and executing complex and multijurisdictional investigations, anti-bribery and corruption risk advisory, strategic intelligence, and third party management. She is a qualified solicitor who has worked and lived in the UK, France and Sub-Saharan Africa and is a fluent French speaker.
Oliver Wack is a Principal of Control Risks and the head of its North America risk analysis and consulting team. He leads on the development of corporate market-entry and risk analysis and benchmarking programs, as well as the development and delivery of political and corruption risk analysis and consulting tasks for U.S. clients, with a focus on Latin America. He speaks fluent English, French, German and Spanish.
Maria and Oliver – good points all. These compliant organization program activities – contextual analysis, risk-assessment, appropriate resource application, active testing and monitoring, and targeted training – are each present in ISO 37001. For example, and going to your first two points about context, the anti-bribery management standard’s Section 4.1 (Understanding the organization and its context) and Section 4.2 (Understanding the needs and expectations of stakeholders) similarly encourage a broad consideration of external relationships and impact. Guidance that largely mirrors the (thoughtful) leading practices described elsewhere in your article is found in Sections 7.1 (Resources), 7.3 (Training) and 9.1 (Monitoring, measurement, analysis, and evaluation).