12 June, 2015
When a company’s compliance function is strong and effective, its success often is measured by what doesn’t happen: fines, legal sanctions, lawsuits, negative press, reputational damage, lost business and market share. When there are no compliance-related incidents, management may cast a covetous eye on the compliance budget. Why not reallocate some of the function’s resources to fund activities that boost earnings and increase shareholder value?
But with the enforcement of anti-corruption laws intensifying globally, that’s a plan that will weaken the compliance function – and hurt companies – at a time when it’s most needed.
In fact, the assumption that compliance is simply a cost center merits challenging. As companies expand across borders, entering new markets and new ventures with new partners, their compliance programs must grow to encompass the many new rules and regulations that need monitoring. Seen in this light, the compliance function provides measurable returns that justify investment. Indeed, a strong compliance program can sharpen a company’s competitive edge.
FCPA: Feeling Its Oats
The U.S. Foreign Corrupt Practices Act (FCPA) is hardly new, but it is newly resurgent. Signed into law in 1977, the FCPA contains both anti-corruption provisions and accounting requirements, stipulating that companies maintain accurate and detailed books and records and that they devise effective internal controls to detect FCPA violations. Both the U.S. Department of Justice (DoJ) and the Securities and Exchange Commission (SEC) were charged with enforcing the FCPA—a difficult and delicate undertaking back when the U.S. was the only country criminalizing activities such as paying bribes to acquire new business. U.S. business executives criticized the law, claiming it put them at a competitive disadvantage against international rivals operating under different norms. But the idea spread, and the Organization for Economic Cooperation and Development’s (OECD’s) 34 member countries (along with seven non-member countries) have since adopted legally binding anti-corruption standards. In 2010, the UK enacted its own anti-corruption law, the UK Bribery Act, that many say exceeds the FCPA in its rigor.
And governments have been using these powers. Between 2005 and 2013, over 250 FCPA enforcement actions have been brought against U.S. companies and individuals, more than occurred in the preceding three decades. In 2013, the SEC and DoJ collected in excess of USD 635m in civil and criminal penalties from corporations and individuals. It cost companies about USD 80m on average to resolve FCPA related cases (including fines, legal fees and other costs) – a 400 percent increase over 2012.
Just recently, in February 2015, a publically-listed U.S. tire manufacturer agreed to pay more than USD 16m to settle charges (without admitting guilt) that two of its African subsidiaries generated over USD 14m in profits by using bribes to win new business. These bribes allegedly were written off as legitimate business expenses in its books.
According to the SEC, “lax compliance controls” allowed this to happen.
Sixteen million is a lot, but it’s a lot less than the USD 135m a U.S. cosmetics company paid in December 2014 for the actions of its China subsidiary. What accounts for the difference? In levying the penalty on the tire manufacturer, the SEC noted that once the company became aware of its subsidiaries’ actions (through a tip), it “promptly halted the improper payments and reported the matter to Commission staff.” The company “also provided significant cooperation with . . . the investigation.” But according to the SEC and DoJ, the cosmetic company initially sought to cover up the issues after it became aware of them. And it failed “to put controls in place to detect and prevent payments and gifts to Chinese government officials.”
Notwithstanding the fact that the cosmetic company’s profits from its illegal actions were greater than the tire manufacturer’s, the tire company’s compliance function received credit – and perhaps a relatively lower fine – for doing its job. The cosmetics company didn’t. As companies continue to chase growth markets around the globe, strengthening their capability to recognize and reduce risk, and demonstrating an ongoing commitment to a clearly defined policy of compliance with anti-corruption legislation such as the FCPA, will offer a source of lasting value.
Third-Party Risk
In late 2014, Alstom, a French-based power and transportation company, agreed to pay USD 772m in criminal penalties to settle charges stemming from a global bribery scheme that persisted for more than a decade. The case set a new record as the largest criminal fine ever imposed by the DoJ for an FCPA violation. But it ranked in second place in terms of overall FCPA settlements, behind Siemens, which paid USD 800m to resolve criminal and civil charges in 2008.
Alstom’s violation involved consultants it had hired to help with bidding and to provide other services. (As it turned out, those services included transferring bribes to foreign officials, which were recorded as commissions in the company’s books.) Alstom, which has two U.S. subsidiaries, paid a steep price for what it did, but also what it failed to do: it declined to disclose the FCPA violations and, at first, to cooperate with the DoJ. The absence of adequate internal controls contributed to the size of the fine.
Under the FCPA, companies are responsible for the actions of their vendors, joint venture partners and acquired companies. The vast majority of FCPA prosecutions involve such intermediaries. As cost-effective as it may be to outsource various activities when entering emerging markets, risk and responsibility cannot be outsourced. Companies need to assess the potential risk that a third party represents before embarking on any agreement; they need to conduct effective due diligence. After an agreement is struck, companies are responsible for auditing third parties, verifying that they have documented compliance policies and confirming that their books are accurate. Too often, companies are leery of conducting detailed due diligence or performing audits because they are concerned about the cost, or fear intruding on a partner’s business.
Unfortunately, businesses too rarely think about the benefits that can result from conducting appropriate due diligence on third parties, as well as taking the time to communicate expectations regarding compliance. Making sure third parties have the necessary compliance capabilities and commitment – and the technology to track them – can be invaluable.
Beyond monitoring third parties for irregularities, companies need to implement formal “change management” programs to ensure that necessary improvements are made and documented. In the case of an impending acquisition, thorough due diligence may cause costly delay. But following a rigorous process prior to any deal, and implementing a robust program to evaluate and monitor compliance posttransaction will enable companies to limit, if not avoid, their liability under the FCPA.
The Compliance ROI
What can make the compliance function tempting to marginalize – and vulnerable to cost-cutting – is a lack of consistent oversight and hard metrics for success (beyond the mere avoidance of trouble). A compliance function that is not well thought out is at risk of not being highly thought of.
Creating metrics for measuring program effectiveness demands conducting and analyzing the results of internal audits. Companies should establish hotlines – and assess their use. They should track the rate at which employees take and complete compliance training, and benchmark their results against competitors. Taking these steps can transform compliance from an afterthought to a repository of codified knowledge about both the company’s internal culture and the ever-changing regulatory environment that can and should inform strategic decision-making.
Then, instead of looking to reduce compliance costs, companies can look to compliance as an opportunity to improve the business’s capabilities and invest accordingly.
Spending on compliance should be focused strategically on higher-risk areas.
Among those activities with the greatest potential liability would be interactions with third-parties.
Not that all third parties need to be treated alike. While most businesses have come to recognize the value of segmenting their customers by the potential revenue each represents, few companies systematically apply the same logic to their third parties in terms of risk to maximize the value of their investment in compliance. Companies could devote resources to placing their business partners in risk buckets, subjecting those third parties that represent the highest risk to the organization to the most intensive scrutiny and oversight, such as compliance audits that include a review of the third party’s books and records. Executing such audits provides a company with insight into how a third party is conducting business on their behalf, a level of transparency a company could never obtain elsewhere.
To populate the buckets, companies could use criteria such as:
- Country/industry corruption levels
- The size and sophistication level of the third party (a one-man shop vs. a large and established international partner)
- How much the company spends with that third party
- What role the third party is expected to play
- The third party’s history of transactions with government offices and officials
- Relevant historical information, such as previous audit findings or reputational information about the third party’s track record on corruption and other compliance issues
Based on those results, the company could scale its compliance investment to the level of risk posed by each bucket,thereby reducing costs without dodging the company’s overall compliance responsibilities.
But more important, companies that implement a strategic, risk-based compliance program can use the higher transparency into and communication with their third parties to achieve economies of scale on matters beyond compliance. Companies could amend contracts to include co-marketing, distribution, or post-sales services to further reduce costs while growing market share in partnership with their third parties.
While much time is spent highlighting the risks third parties represent – and rightfully so – the fact is that they play a crucial and fundamental role in international business, and countless do so with a high regard for ethical practices. That said, many third parties, especially smaller ones, do not have the same resources to devote to compliance that their larger multi-national counterparts may have. When a company requests an audit of their third party, the range of response they typically receive varies from a welcoming with open arms to push-back, or even a flat out refusal. For the many that do cooperate agreeably, these third parties view such an exercise as an investment in the overall business relationship, a chance to build further trust and ensure that they are meeting the expectations of their partner. In this way, compliance becomes a value-generating function, not merely a cost center.
Companies Where Compliance Pays
Not surprisingly, companies that have suffered as a result of FCPA violations are the fiercest advocates for compliance investment. Interestingly enough, the most commonly used attack against compliance functions – that they interfere with a company’s ability to conduct business effectively – is often dispelled.Since setting the record for the heaviest FCPA fine in 2008, electronics giant Siemens has become a poster child for investment in compliance.
In 2011, the company’s then chief compliance officer delivered a presentation titled “The Business Case against Corruption.” In it, he documented how the company implemented a plan to become a “recognized leader” in terms of its values and integrity. Among other factors, he cited the communications and behavior of its leadership and the objectives set out by its compliance function: to protect, detect, and respond. He touted the “Siemens Integrity Initiative” as “the biggest private sector contribution to the fight against corruption.” The program kicked off in 2009; by 2010, the company, which had been in business for 163 years, linked it to the achievement of record returns.
The Panalpina Group, a Swiss-based transportation and logistics company, declared itself “the most compliant company in the industry” not long after it had agreed, along with a handful of oil and gas service companies, to pay USD 156m in criminal penalties to resolve FCPA violations. Having created a central compliance function and built up an extensive training program, company executives spoke of the program as a competitive advantage:
“Panalpina is convinced that a well embedded and implemented compliance program pays off: it reassures customers, partners and employees and improves the organization’s efficiency,” according to company literature. “Our achievements and the compliance organization itself can certainly be described as competitive advantages… The fact that we are also winning new contracts in countries with exacting legal requirements provides particularly convincing evidence of our customers’ confidence in our compliance measures.”
But it is not easy to sustain a culture of compliance. Nearly a decade ago, Boeing Chairman and Chief Executive Officer James McNerney began a speech by conceding that “a number of companies – Boeing included – have suffered from some very public ethicsrelated mistakes.” He announced a campaign to shift the aerospace giant’s attitude about compliance from “This will keep us out of trouble” to “Hey, this will make us different and better and give us a competitive edge.” As of last year, it seemed Boeing still had work to do. The company paid USD 23m to settle allegations that it had defrauded taxpayers by overcharging for labor costs, evidence that compliance is an ongoing commitment rather than a one-time expenditure.
Unlike investing in plant or equipment, upping the compliance budget cannot always be justified strictly on the basis of return on investment. As elusive as the numbers may be, few would dispute that reputation is a vital differentiator in a crowded marketplace. Smart executives need to think strategically about how and where to make investments in compliance, rather than waiting for an exorbitant crisis or fine to infuse them with a sudden appreciation for the function.
Taking short cuts is no longer an acceptable long-term risk in today’s global economy.
For further information, please contact:
Eddie Lam, Managing Director, FTI Consulting
eddie.lam@fticonsulting.com
Beth Epstein, Director, FTI Consulting
beth.epstein@fticonsulting.com
