When a company’s compliance function is strong and effective, its success often is measured by what doesn’t happen: fines, legal sanctions, lawsuits, negative press, reputational damage, lost business and market share. When there are no compliance-related incidents, management may cast a covetous eye on the compliance budget. Why not reallocate some of the function’s resources to fund activities that boost earnings and increase shareholder value?
But with the enforcement of anti-corruption laws intensifying globally, that’s a plan that will weaken the compliance function – and hurt companies – at a time when it’s most needed.
In fact, the assumption that compliance is simply a cost center merits challenging. As companies expand across borders, entering new markets and new ventures with new partners, their compliance programs must grow to encompass the many new rules and regulations that need monitoring. Seen in this light, the compliance function provides measurable returns that justify investment. Indeed, a strong compliance program can sharpen a company’s competitive edge.
FCPA: Feeling Its Oats
The U.S. Foreign Corrupt Practices Act (FCPA) is hardly new, but it is newly resurgent.
Signed into law in 1977, the FCPA contains both anti-corruption provisions and accounting requirements, stipulating that companies maintain accurate and detailed books and records and that they devise effective internal controls to detect FCPA violations.
Both the U.S. Department of Justice (DoJ) and the Securities and Exchange Commission (SEC) were charged with enforcing the FCPA—a difficult and delicate undertaking back when the U.S. was the only country criminalizing activities such as paying bribes to acquire new business. U.S. business executives criticized the law, claiming it put them at a competitive disadvantage against international rivals operating under different norms. But the idea spread, and the Organization for Economic Cooperation and Development’s (OECD’s) 34 member countries (along with seven non-member countries) have since adopted legally binding anti-corruption standards. In 2010, the UK enacted its own anti-corruption law, the UK Bribery Act, that many say exceeds the FCPA in its rigor.
And governments have been using these powers. Between 2005 and 2013, over 250 FCPA enforcement actions were brought against U.S. companies and individuals, more than occurred in the preceding three decades. In 2013, the SEC and DoJ collected in excess of $635,000,000 in civil and criminal penalties from corporations and individuals. It cost companies about $80 million on average to resolve FCPA-related cases (including fines, legal fees and other costs) – a 400 percent increase over 2012.
Just recently, in February 2015, a publicly listed U.S. tire manufacturer agreed to pay more than $16 million to settle charges (without admitting guilt) that two of its African subsidiaries generated over $14 million in profits by using bribes to win new business. These bribes allegedly were written off as legitimate business expenses in its books.
According to the SEC, "lax compliance controls" allowed this to happen.
Sixteen million is a lot, but it’s a lot less than the $135 million a U.S. cosmetics company paid in December 2014 for the actions of its China subsidiary. What accounts for the difference? In levying the penalty on the tire manufacturer, the SEC noted that once the company became aware of its subsidiaries’ actions (through a tip), it "promptly halted the improper payments and reported the matter to Commission staff." The company "also provided significant cooperation with . . . the investigation." But according to the SEC and DoJ, the cosmetic company initially sought to cover up the issues after it became aware of them. And it failed "to put controls in place to detect and prevent payments and gifts to Chinese government officials."
Notwithstanding the fact that the cosmetic company’s profits from its illegal actions were greater than the tire manufacturer’s, the tire company’s compliance function received credit – and perhaps a relatively lower fine – for doing its job. The cosmetics company didn’t.
As companies continue to chase growth markets around the globe, strengthening their capability to recognize and reduce risk, and demonstrating an ongoing commitment to a clearly defined policy of compliance with anti-corruption legislation such as the FCPA, will offer a source of lasting value.
In late 2014, Alstom, a French-based power and transportation company, agreed to pay $772 million in criminal penalties to settle charges stemming from a global bribery scheme that persisted for more than a decade. The case set a new record as the largest criminal fine ever imposed by the DoJ for an FCPA violation. But it ranked in second place in terms of overall FCPA settlements, behind Siemens, which paid $800 million to resolve criminal and civil charges in 2008.
Alstom’s violation involved consultants it had hired to help with bidding and to provide other services. (As it turned out, those services included transferring bribes to foreign officials, which were recorded as commissions in the company’s books.)
Alstom, which has two U.S. subsidiaries, paid a steep price for what it did, but also what it failed to do: it declined to disclose the FCPA violations and, at first, to cooperate with the DoJ. The absence of adequate internal controls contributed to the size of the fine.
Under the FCPA, companies are responsible for the actions of their vendors, joint venture partners and acquired companies. The vast majority of FCPA prosecutions involve such intermediaries. As cost-effective as it may be to outsource various activities when entering emerging markets, risk and responsibility cannot be outsourced. Companies need to assess the potential risk that a third party represents before embarking on any agreement; they need to conduct effective due diligence. After an agreement is struck, companies are responsible for auditing third parties, verifying that they have documented compliance policies and confirming that their books are accurate. Too often, companies are leery of conducting detailed due diligence or performing audits because they are concerned about the cost, or fear intruding on a partner’s business.
Unfortunately, businesses too rarely think about the benefits that can result from conducting appropriate due diligence on third parties, as well as taking the time to communicate expectations regarding compliance. Making sure third parties have the necessary compliance capabilities and commitment – and the technology to track them – can be invaluable.
Beyond monitoring third parties for irregularities, companies need to implement formal “change management” programs to ensure that necessary improvements are made and documented. In the case of an impending acquisition, thorough due diligence may cause costly delay. But following a rigorous process prior to any deal, and implementing a robust program to evaluate and monitor compliance post-transaction will enable companies to limit, if not avoid, their liability under the FCPA.
The Compliance ROI
What can make the compliance function tempting to marginalize – and vulnerable to cost-cutting – is a lack of consistent oversight and hard metrics for success (beyond the mere avoidance of trouble). A compliance function that is not well thought out is at risk of not being highly thought of.
Creating metrics for measuring program effectiveness demands conducting and analyzing the results of internal audits. Companies should establish hotlines – and assess their use. They should track the rate at which employees take and complete compliance training, and benchmark their results against competitors. Taking these steps can transform compliance from an afterthought to a repository of codified knowledge about both the company’s internal culture and the ever-changing regulatory environment that can and should inform strategic decision-making.
Then, instead of looking to reduce compliance costs, companies can look to compliance as an opportunity to improve the business’s capabilities and invest accordingly.
Spending on compliance should be focused strategically on higher-risk areas.
Among those activities with the greatest potential liability would be interactions with third parties.
Not that all third parties need to be treated alike. While most businesses have come to recognize the value of segmenting their customers by the potential revenue each represents, few companies systematically apply the same logic to their third parties in terms of risk to maximize the value of their investment in compliance. Companies could devote resources to placing their business partners in risk buckets, subjecting those third parties that represent the highest risk to the organization to the most intensive scrutiny and oversight, such as compliance audits that include a review of the third party’s books and records. Executing such audits provides a company with insight into how a third party is conducting business on their behalf, a level of transparency a company could never obtain elsewhere.
To populate the buckets, companies could use criteria such as:
Based on those results, the company could scale its compliance investment to the level of risk posed by each bucket, thereby reducing costs without dodging the company’s overall compliance responsibilities.
But more important, companies that implement a strategic, risk-based compliance program can use the higher transparency into and communication with their third parties to achieve economies of scale on matters beyond compliance. Companies could amend contracts to include co-marketing, distribution, or post-sales services to further reduce costs while growing market share in partnership with their third parties.
While much time is spent highlighting the risks third parties represent – and rightfully so – the fact is that they play a crucial and fundamental role in international business, and countless do so with a high regard for ethical practices. That said, many third parties, especially smaller ones, do not have the same resources to devote to compliance that their larger multinational counterparts may have. When a company requests an audit of its third party, the responses it typically receives range from a welcome with open arms to push-back, or even a flat-out refusal. The many third parties that do cooperate agreeably view such an exercise as an investment in the overall business relationship, a chance to build further trust and ensure that they are meeting the expectations of their partner. In this way, compliance becomes a value-generating function, not merely a cost center.
Companies Where Compliance Pays
Not surprisingly, companies that have suffered as a result of FCPA violations are the fiercest advocates for compliance investment. Interestingly enough, the most commonly used attack against compliance functions – that they interfere with a company’s ability to conduct business effectively – is often dispelled.
Since setting the record for the heaviest FCPA fine in 2008, electronics giant Siemens has become a poster child for investment in compliance.
What Is Missing from Third-Party Due Diligence?
It stands to reason that more comprehensive reviews of third parties will uncover vulnerabilities that might otherwise remain hidden. But to test our hypothesis, we conducted an analysis of 250 compliance due diligence projects we conducted for one multinational in 104 cities in 30 provinces in China over a due diligence cycle of four-plus years. After working with these businesses for many years, the client had originally assumed that there would be no surprises, but quickly realized just how much information about its third parties had previously remained unknown under the company’s previous review program. For example, the majority of the third parties in our sample had bid on at least one government project, and 59 percent had won at least one such bid.
Our due diligence process dug into multiple risk areas, such as:
Key principals: In investigating the backgrounds and practices of company key principals, we found that 42.5 percent were running additional businesses on the side. We also discovered that more than 27 percent of the companies studied operated from the same location as another business. Three-quarters of those co-located businesses were linked to one of the other business’s key principals. These side businesses can signal conflicts of interest that work against the client company’s aims, as can co-location, but combined with government projects, could also represent a backchannel for corrupt payments by the third party.
Reputation: We studied the ecosystem of company suppliers and customers to see if there were reputational issues that could indicate a poor corporate culture that could ultimately lead to compliance violations. We returned adverse reputational findings for roughly one out of every four companies in the sample. Included in these findings were service complaints (30 percent), product quality complaints (20 percent), the company having been sued (11 percent), fines and/or bidding issues (10 percent), and key principals sued (2.5 percent). Poor reputations are generally earned and, when these issues remain unaddressed, can often result in poor financial performance that serves to tempt third parties into lapses of ethical judgment.
Political connections: In China, government officials are prohibited from holding interests in commercial entities. Through due diligence, one can identify persons holding shares on behalf of public officials. In China and elsewhere, this invites serious business and legal risks.
Sub-contractors: Extending background checks to sub-contractors can also pay off. For example, a parts distributor may become insistent on introducing one customer to another. This insistence often leads to a request for a fee for making the introduction, indicating self-dealing, or signaling that a bribe is being offered. In addition, when a supplier requests unexpected or unexplained fees or commissions that, too, should serve as a red flag, as should practices such as inconsistent invoicing or appeals for large discounts. Companies should – but often don’t – investigate and resolve these activities.
In 2011, the company’s then chief compliance officer delivered a presentation titled "The Business Case against Corruption." In it, he documented how the company implemented a plan to become a "recognized leader" in terms of its values and integrity. Among other factors, he cited the communications and behavior of its leadership and the objectives set out by its compliance function: to protect, detect, and respond. He touted the "Siemens Integrity Initiative" as "the biggest private sector contribution to the fight against corruption." The program kicked off in 2009; by 2010, the company, which had been in business for 163 years, linked it to the achievement of record returns.
The Panalpina Group, a Swiss-based transportation and logistics company, declared itself “the most compliant company in the industry” not long after it had agreed, along with a handful of oil and gas service companies, to pay $156 million in criminal penalties to resolve FCPA violations. Having created a central compliance function and built up an extensive training program, company executives spoke of the program as a competitive advantage:
"Panalpina is convinced that a well embedded and implemented compliance program pays off: it reassures customers, partners and employees and improves the organization’s efficiency," according to company literature. "Our achievements and the compliance organization itself can certainly be described as competitive advantages... The fact that we are also winning new contracts in countries with exacting legal requirements provides particularly convincing evidence of our customers' confidence in our compliance measures."
But it is not easy to sustain a culture of compliance. Nearly a decade ago, Boeing Chairman and Chief Executive Officer James McNerney began a speech by conceding that "a number of companies – Boeing included – have suffered from some very public ethics-related mistakes." He announced a campaign to shift the aerospace giant’s attitude about compliance from "This will keep us out of trouble" to "Hey, this will make us different and better and give us a competitive edge." As of last year, it seemed Boeing still had work to do. The company paid $23 million to settle allegations that it had defrauded taxpayers by overcharging for labor costs, evidence that compliance is an ongoing commitment rather than a one-time expenditure.
Unlike investing in plant or equipment, upping the compliance budget cannot always be justified strictly on the basis of return on investment. As elusive as the numbers may be, few would dispute that reputation is a vital differentiator in a crowded marketplace. Smart executives need to think strategically about how and where to make investments in compliance, rather than waiting for an exorbitant crisis or fine to infuse them with a sudden appreciation for the function.
Taking short cuts is no longer an acceptable long-term risk in today’s global economy.