Compliance efforts remain stagnant despite increasing regulation
Compliance executives universally agree they have an obligation to make sure their companies comply with the various laws and regulations that govern their industry and the jurisdictions in which they operate, but they are often at odds when it comes to determining the true value of an effective corporate compliance program. Just how much should an effective program cost? And how much money can a company save by having such a program in place?
Global advisory firm the Corporate Executive Board (CEB) recently released its RiskClarity quarterly report, ‘Understanding the true costs of misconduct’, which provides a framework for measuring the value of corporate compliance. CEB says its report findings can help companies to prioritize the types of investments needed for effective compliance risk mitigation and determine the level of investment that is right for them.
According to the report, ‘the median corporate compliance and ethics program budget remains at $1.5 million (virtually unchanged since 2008) and the median compliance staff is still small (only 0.6 per 1,000 corporate employees).’ These numbers suggest the resources companies dedicate to their compliance programs remain limited in spite of the added risk caused by costly regulations such as the conflict minerals rules contained in the Dodd-Frank Act coming online this year and stepped-up enforcement of the FCPA and its international counterparts such as the UK Bribery Act, Canada’s Corruption of Foreign Public Officials Act and the Brazilian Anti-Bribery Law.
‘Companies are symptomatically underinvesting in compliance,’ says CEB research director Abbott Martin. CEB believes compliance executives need to consider whether the $1.5 million most companies allocate for compliance programs is sufficient, given that fines and penalties for FCPA violations typically run into millions of dollars, and the potential cost of lawsuits, incidences of fraud and lost data from employee misconduct and lax internal controls can total millions more. Putting systems in place to prevent these incidents before they happen will be well worth the price.
‘The overall takeaway for the board and senior management is that the cost of this type of wrongdoing is much more substantial than they probably think,’ says Martin. He suggests boards be proactive and engage in risk mitigation by taking steps to create a ‘culture of integrity’ that is supported by the proper financial investment in internal controls and a well-planned compliance and ethics program.
Handling misconduct and costs
The costs of misconduct will differ for each firm, but one thing is certain – the greater the effort companies make to prevent misconduct before it occurs, the larger the payoff on whatever they spend on compliance.
‘There is a lot you can do to mitigate and reduce levels of misconduct across an organization,’ says Martin. ‘You are unlikely to fully eliminate misconduct, but even if you don’t, if you can point to the efforts you’ve made and show you are addressing the issue in a very systematic manner, you are likely to receive more leniency from the government [should employee misconduct occur].’
According to the CEB report, executives can begin to calculate the potential cost misconduct could have on their company by taking the median direct cost of fines from a range of incidents including FCPA violations, securities violations, money laundering, data privacy violations, fraud, discrimination and health and safety violations, and then adding the estimated potential indirect costs of misconduct, such as lost productivity of workers, lost stock value, external legal costs and employee attrition (see Counting the costs of misconduct, page 14). Martin warns that while the report lists the biggest compliance risks executives face, companies may have other risks specific to their businesses that should also be taken into account.
As you begin mapping out your overall compliance strategy, ‘think about where you want to allocate your resources against your highest-risk areas,’ Martin advises. ‘Make sure your compliance efforts are aligned with the highest-risk areas and the risks that put in jeopardy the corporate objectives you’re trying to achieve.
‘As you invest in your corporate compliance program, think about these risks and prioritize them according to what these costs show, but also prioritize building a culture of integrity that is going to mitigate – if not eliminate – some of the indirect costs that can otherwise emerge if your employee base doesn’t feel like these issues are being taken seriously.’
Putting the direct and indirect costs together, the CEB report estimates the median cost of an incident of misconduct could potentially be as high as $23.1 million, factoring in $17.3 million in fines and settlements, $5.3 million in employee attrition costs and $83,000 in external legal costs. Add to this a 14 percent drop in stock price, the cost of 44 days of investigating the compliance program and the untold cost of lost employee productivity and you have a significant potential loss for the company – so compliance executives would be well advised to take this risk seriously.
Building a culture of integrity
One very important step in mitigating the risk of experiencing an incident of misconduct involves creating a culture of integrity throughout the company. Martin says a culture of integrity is a foundational part of an effective compliance and ethics program.
Once the company has put strong compliance systems in place, developed appropriate policies on compliance and ethics, established approved training programs and implemented controls that can reliably monitor the program, the company must prove it is willing to reward the type of integrity that employees must demonstrate in order to make the compliance and ethics program work. Martin says that to establish an effective culture of integrity, companies should perform the following actions.
- Engage employees and win their trust. Employees must be regularly engaged and made to feel as though they will be protected in the workplace. ‘It is important to make sure employees feel comfortable coming forward to bring misconduct issues to the attention of their managers and to corporate compliance staff,’ he says. ‘That actually helps to resolve the issues faster.’
- Make transparency a priority. When issues of misconduct occur, the company must quickly and effectively resolve them in a public way. Business managers and corporate executives must also openly show the employee base how they’re working to prevent misconduct from happening in the future.
- Reinforce fairness. Corporate leaders must give employees some broad sense the company is taking clear steps to make sure all situations involving misconduct will be resolved fairly. ‘Trying to resolve these types of issues and saying, We treat these issues seriously is really critical for building a sense of organizational justice, which is a key part of an effective compliance program,’ Martin explains.
Building a culture of integrity can also have long-lasting financial benefits for companies. ‘The more you build the right culture and the more you have the compliance processes in place, the more likely it is that you will prevent and mitigate these types of incidents and the more defensible a position you will have created for yourself with the US government,’ says Martin. This point was proven in 2012 when a former Morgan Stanley managing director pleaded guilty to FCPA violations, but the Department of Justice declined to bring any enforcement action against the firm as it had ‘constructed and maintained a system of internal controls, which provided reasonable assurances that its employees were not bribing government officials’. The fact that Morgan Stanley voluntarily reported the violation, showing its integrity, also helped convince the regulators to show leniency when reviewing the case.
An example such as this demonstrates that investing in compliance and prevention does pay for itself, observes Martin. ‘People are understandably very concerned with the growing expense of internal compliance, but when you compare it to the cost of non-compliance, you can see it is often an investment that can pay for itself.’
Counting the Costs of MisconductEven single occurrences of misconduct may cost a company millions of dollars in fines and settlements. For example, during 2011 and 2012: FCPA violations had a median direct cost of $17.3 million per incident, with direct costs ranging from $2 million to $54.6 million per incident.
Indirect costs might exceed direct costs While direct costs are typically top of mind for compliance and business executives, depending on the type of misconduct, indirect costs associated with the violation may exceed the direct costs of the violation. Compliance executives should include the indirect costs of misconduct in their tracking of overall misconduct costs and should consider the following types of indirect costs associated with misconduct:
Source: CEB |