The Future of Compliance: Metrics and Communicating Risks

What's on the horizon for the world of compliance and ethics? According to some top compliance executives, metrics and communicating risks will dominate the agenda.

The past few years have been heavily focused on regulatory issues, especially the Dodd-Frank Act, and more intense Foreign Corrupt Practices Act enforcement action on the part of the Department of Justice. Those issues aren't going away any time soon, but the function of compliance is shifting and attention is turning increasingly toward monitoring and measuring internal processes in addition to gaining a better understanding of the rapidly evolving international regulatory environment.

During the recent Global Ethics Summit last month in New York, much of the conversation centered on the FCPA. Sure, there was a lot of inspiring talk about performance metrics and monitoring technologies but nearly every conversation came back to the basic principle of avoiding fraudulent payments and managing government investigations, albeit it with a more international flavor. In other words, while the approaches to the problems may change, the underlying issues are still the same.

There's a good reason that compliance officers spend so much time thinking about improper payments. According to public disclosure documents, as of January 78 companies are under investigation by the Justice Department for possible violations of FCPA rules.

The overall challenge of creating the much sought-after “culture of compliance” is made more important and more difficult by the pace of international mergers and acquisitions.

Doug Lankler, chief compliance and risk officer at Pfizer, who spoke at the summit, summed up the question of What's next for compliance? by explaining it is mostly about “what is happening overseas and how we can expand into emerging markets while still remaining compliant and profitable.”

Overseas expansion is becoming such a large compliance issue because several countries are adopting or modifying corruption rules. For example, China is making a serious move to crack down on fraud for fear of, according to Ty Cobb, a partner at law firm Hogan Lovells, “being the next Russia, which has more or less lost its shot at participating in the global free market because of endemic corruption.” U.S. companies are going to have to come to terms with the fact that the enforcement regime in China is going to change quickly and it will look different to what we are used to here, said Cobb.

Brackett Denniston, general counsel at GE, said during the summit that he believes the major challenges facing many U.S. companies this year and beyond will be integrating acquisitions in remote sites, monitoring and preventing improper payments, and emerging regulation.

“The problem,” Snell explains, “is not that we don't know where the problems are—be it fraud or regulation or whatever—it is getting the right people to listen.”

—Roy Snell,

CEO,

Society of Corporate Compliance and Ethics

Being prepared requires a better understanding of exactly where the risks are, and this is where Denniston believes some of the most important changes are taking place. “The compliance function has become much more about metrics, especially for third-party vendors,” he said. Companies also need to do a better job of getting managers throughout the business to analyze information, assess unanticipated risks, and consider the impact of those risks. 

Pfizer has, focused heavily on metrics, explained Lanker. The company has several internal dashboards to measure compliance risks and then report the results to senior management and the board. There are three primary dashboards, one each for manufacturing, pipelines, and marketing. “We use color codes indicating what level of risk there is in each of the elements. It is simple and efficient and everyone understands it,” Lankler explained.

Metrics can be useful but effectiveness can be dependent on the type of company and the maturity of the program, said Julie Spellman Sweet, chief compliance officer and general counsel at Accenture. She said the metrics are generally better in the early stages of a program when it is being pushed out and participation can be measured. But after a while participation becomes mandatory and the metric ceases to mean anything, she said.

Metrics are not, however, a silver bullet to slay all compliance problems,   says Roy Snell, CEO of the Society of Corporate Compliance and Ethics. He says they can be difficult to define and many compliance elements are tough to measure.  “Everyone thinks it is a good idea but almost no one can do it properly. Measuring the effectiveness of a hotline or education program or disciplinary actions is a vague concept at best and impossible to accurately quantify,” Snell says.

“A few companies are doing interesting things but on the whole it doesn't work,” says Snell. “I have seen three recent attempts to develop a compliance program effectiveness tool. One of them resulted in a $2 million loss and the program was abandoned. Another has spent far more than that and what they have is so complex that it is not usable. And the third resulted in guidance as opposed to an effective measurement tool.”

Instead, Snell suggests that the compliance profession focus on achieving independence and educating management about what an effective compliance program looks like and why it is beneficial to the organization.

“The problem,” says Snell, “is not that we don't know where the problems are—be it fraud or regulation or whatever—it is getting the right people to listen.”

FCPA BACKGROUND

Below is an explanation of how the Foreign Corrupt Practices Act came into being:

As a result of SEC investigations in the mid-1970s, over 400 U.S. companies admitted making questionable or illegal payments in excess of $300 million to foreign government officials, politicians, and political parties. The abuses ran the gamut from bribery of high foreign officials to secure some type of favorable action by a foreign government to so-called facilitating payments that allegedly were made to ensure that government functionaries discharged certain ministerial or clerical duties. Congress enacted the FCPA to bring a halt to the bribery of foreign officials and to restore public confidence in the integrity of the American business system.

The FCPA was intended to have and has had an enormous impact on the way American firms do business. Several firms that paid bribes to foreign officials have been the subject of criminal and civil enforcement actions, resulting in large fines and suspension and debarment from federal procurement contracting, and their employees and officers have gone to jail. To avoid such consequences, many firms have implemented detailed compliance programs intended to prevent and to detect any improper payments by employees and agents.

Following the passage of the FCPA, Congress became concerned that American companies were operating at a disadvantage compared to foreign companies who routinely paid bribes and, in some countries, were permitted to deduct the cost of such bribes as business expenses on their taxes. Accordingly, in 1988, the Congress directed the Executive Branch to commence negotiations in the Organization of Economic Cooperation and Development (OECD) to obtain the agreement of the United States' major trading partners to enact legislation similar to the FCPA. In 1997, almost ten years later, the United States and thirty-three other countries signed the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions. The United States ratified this Convention and enacted implementing legislation in 1998. See Convention and Commentaries on the DoJ Website.

The anti-bribery provisions of the FCPA make it unlawful for a U.S. person, and certain foreign issuers of securities, to make a corrupt payment to a foreign official for the purpose of obtaining or retaining business for or with, or directing business to, any person. Since 1998, they also apply to foreign firms and persons who take any act in furtherance of such a corrupt payment while in the United States.

The FCPA also requires companies whose securities are listed in the United States to meet its accounting provisions. See 15 U.S.C. § 78m. These accounting provisions, which were designed to operate in tandem with the anti-bribery provisions of the FCPA, require corporations covered by the provisions to make and keep books and records that accurately and fairly reflect the transactions of the corporation and to devise and maintain an adequate system of internal accounting controls. This brochure discusses only the anti-bribery provisions.

Source: Department of Justice.

That means spending more time on educating senior leadership. “We need to become collaborators with the business people, and to do that we must learn to provide information in a concise, professional fashion. Business leaders don't have the time or interest in the minutia of compliance. Get out of the details and learn how to present to leadership to get them to buy in,” says Snell.

The question of executive understanding is a universal issue for all compliance officers. “If the business people have the mindset that ‘if there is a compliance failure it must be [the CCO's] fault,' then you might as well just go home. They have to take responsibility and have accountability but at the same time you have to strike a balance between compliance and business,” urged Lee Augsburger, chief ethics and compliance officer at Prudential Financial.  

Executives need to go beyond the basics of compliance, and the next phase is to get the board to have a greater level of trust in the CCO and start viewing him or her as a strategic partner. That is happening at some companies but probably not a majority, said Augsburger.

Unrealistic Goals

Jack Domme, CEO of Hitachi Data Systems, who also addressed the summit, suggested that we may be looking at the concept of ethics and compliance culture in the wrong way. “Nearly all ethics and compliance problems come out of setting unrealistic [performance] goals,” he said. The setting of unrealistic goals creates an incentive for unethical conduct.”

“For example, if you set a financial goal of making  20 percent a year profit then that will encourage or even force employees at all levels to take risks they wouldn't otherwise take, or to pay bribes to secure business,” Domme said. “If they feel pressured to make the numbers or else, then that builds a platform for unethical behavior and compliance failures,” Domme cautioned. Such pressure, when coupled with a weak ethical culture, can be a recipe for disaster.  If employees know they will not be punished for refusing these types of deals that will embolden them to make the wrong choice, he explained.

The setting of realistic goals might be the most important task facing compliance in the years to come. In order to achieve it, management needs to understand what is realistic. When bribes are discovered they should carefully examine the underlying reasons for the bribes. It is rarely, as Domme put it “as simple as it might appear on the surface,” and it is the job of the CCO to bring a new level of sophistication and understanding to the conversation.