Q&A: localising a global compliance programme

February 2020  |  SPECIAL REPORT: CORPORATE FRAUD & CORRUPTION

Financier Worldwide Magazine



FW moderates a discussion on localising a global compliance programme between Aisling O’Sullivan at Brown Rudnick LLP, Lisa Vicens at Cleary Gottlieb Steen & Hamilton LLP, Abdus Samad Pardesi at Kirkland & Ellis, and Adam Turteltaub at the Society of Corporate Compliance and Ethics (SCCE).

FW: In your opinion, why is it advisable for companies to localise their global compliance programmes?

Pardesi: Corporate compliance is fundamentally about complying with applicable laws and acceptable business practices. While there are some global best practices that all companies will want to adhere to, laws and business practices necessarily vary by region, and often by industry, which seems to suggest that localisation is the way to go. Today’s economy feels both global and local at the same time. It is global in the sense that there are large corporations doing business all around the world, and often across borders. But it is local in the sense that, even with a multinational corporation, business is still dependent on local, in-country transactions. A localised global compliance programme gives employees the best of both worlds: the resources, brand, infrastructure, and high-level principles and policies of a global company, combined with the sensitivities and nuance that come with adapting to local laws and business norms.

O’Sullivan: Wide-reaching and extraterritorial legislation, such as the UK Bribery Act and the US Foreign Corrupt Practices Act (FCPA), has emphasised the need for localised compliance programmes. Against this backdrop, regulators and enforcement agencies are taking an increasingly aggressive and coordinated cross-border approach to enforcement, meaning that multi-agency investigations are now the norm. It is therefore essential for companies to develop and implement a dual-focused compliance framework, which is, among other things, tailored to the jurisdictions in which it operates. Not only does this ensure that a company complies with local laws, it can foster a wider culture of compliance and, therefore, improve risk management throughout the organisation.

Vicens: There are a number of reasons why an increasing number of companies are moving their global compliance programmes toward a more centralised model. First, standardisation. Companies find it easier to ensure consistency and minimise risks at the global level when compliance is centrally located. Second, limiting risk exposure. A company with operations in remote or high-risk jurisdictions with less robust compliance as a global matter must still abide by the rules of the most rigorous jurisdictions within its operations. Because of this, companies are situating their compliance programme where central decision makers are located, enabling a more consistent approach to risk management. Finally, proper response and coordination. Having clear reporting lines and processes around responding to potential misconduct allows decision makers to react quickly and appropriately if and when problems arise.

Turteltaub: There are two key reasons to localise compliance. First, the law locally can vary. What is fine in one country is not in the other. We see that in areas such as data privacy, where there are countries that are following the European General Data Protection Regulation (GDPR) model, and others that are not, or, probably more accurately, have not yet. Second, the compliance programme needs to reflect local culture and tradition. That means understanding how business is done in a country and how people work together. Some cultures, for example, are more hierarchical than others. For some, family relationships in business are common. For others, they are not. If you do not adjust your compliance programme to reflect these differences, you are likely to have a less effective programme.


FW: How would you characterise the difficulties involved in establishing programmes that are both legally compliant and commercially practical? What, in your experience, are the most common issues that companies face during this process?

O’Sullivan: Compliance is often met with resistance, especially where compliance measures are perceived as hindering more immediate business objectives and the benefits are less tangible. Employees can resent compliance programmes, viewing them as a necessary, but overly expensive, tick-box exercise. While it is not always possible to align business and compliance objectives, an organisation can overcome these challenges by clearly explaining both the relevant risks and the measures taken to mitigate them. That clear communication must be pushed through by clear top-level commitment from the board downwards. Another challenge is staying apprised of, and adapting to, changes in the legal and regulatory landscape, to ensure that policies and procedures remain current and, therefore, essentially fit for purpose. Obviously, many companies must apply a global compliance framework while navigating various local inconsistencies, and sometimes direct conflicts, between different jurisdictions.

Vicens: The challenges involved in establishing compliance programmes that are commercially practical and legally robust can often be addressed through good communication and planning. Having representatives from the compliance function and the business work together to plan and execute a compliance programme is critical for creating a programme that is commercially practical and has buy-in from all relevant stakeholders. This can be achieved by using a working group that is responsible for evaluating the company’s risks and business objectives and coming up with a strategy that addresses both. The participation of the business in developing the programme is critical to assuring that the resulting programme is not ‘paper’-only and will actually work in practice with the support of the business. Later on, having members of the various business units work together with compliance to roll out the programme, lead training modules and act as ambassadors for the programme, can help instil that shared responsibility that really drives a culture of compliance.

Turteltaub: The biggest problem that companies face is the misconception that being legally compliant and commercially practical is somehow a conflict. Over and over again companies have found that the cost of being non-compliant far outweighs the cost of compliance. Businesses operate with countless standards that are not based in legal requirements: from how they manufacture to how they ship to where they sell. For each of these the business ultimately finds a solution. The same holds true for compliance. Businesses need to apply the same resources and thought processes to see how they can meet the legal standards.

Pardesi: Much of compliance is an exercise in building – and then following – processes and procedures. In my experience, there is often a tension between commercial teams that want to move things forward and conduct business, and compliance teams that want to ensure that approval processes are followed and documentation is generated and maintained. Commercial teams can often feel that compliance is holding them back. I often find that the best solutions involve a joint effort between commercial and compliance to create robust systems that are straightforward to follow, and automated where possible. A second challenge involves the age-old discussion over engaging in questionable practices because ‘that’s the way business is done here’ or ‘that’s what our competitors are doing’. Of course, these situations require discipline and steadfastness, but also a willingness to understand the unique circumstances of any given scenario to explore potential solutions.


FW: What specific strategies can companies deploy to ensure they avoid coming into conflict with local legislation in markets perceived to have high levels of corruption?

Vicens: Companies operating in jurisdictions with high levels of corruption should exercise special caution in their approach to interactions with government authorities and third parties in general. They should develop good monitoring controls for their procurement, contract management and accounts payable systems – especially for the engagement of service providers, such as public relations firms, whose products tend to be less tangible or traceable, and therefore good conduits for improper payments. They also should make sure that they have appropriate policies and controls in place for political and charitable contributions and community relations work, as these can be high-risk areas for potential misconduct. At a high level, companies that interact directly with government authorities should ensure that meetings with officials are properly recorded, involve more than one employee, and occur with the oversight of compliance officers.

Pardesi: Local resources are invaluable. For larger markets, it is often beneficial for companies to have a compliance or legal employee in the country, or at least in the region. That employee would need to be responsible for having a strong working knowledge of applicable laws and norms. Alternatively, or in addition, companies can have local counsel that is responsible for keeping compliance and legal up-to-date on compliance-related legislation in the market. Undoubtedly, there is a cost associated with maintaining these local resources, but, arguably, it is the cost of doing business in the market, and companies often find that it is well worth the investment.

Turteltaub: Even in highly corrupt countries the law usually, if not always, says bribery is illegal. So, it is not local laws that are the problem but local custom. To be successful, companies need to make it clear to the local government officials that they cannot and will not engage in corruption. They also need to communicate that message internally. And those communications internally are most effective when it is not just a communication that says, ‘well, the law says we cannot pay bribes and we do not want to pay a large fine’. They work better when they are tied into a message about how we work, and these are our corporate values.

O’Sullivan: First, a company should obtain legal advice in the relevant jurisdiction in order to understand the local legal and regulatory framework. This knowledge and expertise will prove indispensable in establishing a tailored and localised compliance programme that is proportionate to the bribery risks that arise in that location. Second, a company should take a risk-based approach to designing and implementing policies and procedures which conform to local law requirements. In practice, this means conducting a risk assessment to identify the nature and extent of internal and external threats in the relevant jurisdiction. This should be supplemented by a suitably-resourced compliance and risk management function. Finally, employees should be trained in risk mitigation and compliance so that they can consider the risks and know how to mitigate them should any come to fruition.

FW: To what extent can appropriate due diligence on third parties help overcome geographical, cultural and industry-specific challenges?

Turteltaub: Effective due diligence needs to recognise the differences in business practices in each country. For one, knowing those differences can provide a roadmap to what the risks are. Second, knowing the differences enables you to better enunciate what information you want, why you want it, and what your expectations are of the third party. When it comes to industry-specific challenges, there too you need to be mindful of local differences as well. You may know the risks for your industry in your own country or region, but they may be quite different elsewhere.

O’Sullivan: Third-party due diligence is a central element for any effective compliance programme. It informs the application of policies and procedures and enables a company to mitigate its exposure to a wide range of compliance risks. However, while due diligence enables a company to identify and mitigate compliance risks, it should be combined with a tailored risk assessment that is proportionate to the company’s size, the nature of its business and the jurisdictions in which it operates. It is also necessary to monitor and review third-party relationships, proportionate to any identified risks. Aside from mitigating risk, due diligence allows a company to evaluate its business relationships and ensure that engaged third parties adhere to and uphold company values and ethics. In this regard, a company should obtain representations and warranties (R&W) from third parties which confirm compliance with the same.

Pardesi: Third-party due diligence is crucial – it is part of a multifaceted approach that can help mitigate third-party risks. It is often helpful for due diligence to be risk-weighted, such that higher-risk parties go through more extensive due diligence. To that end, it can be helpful to have a set of criteria to ensure consistency when determining the appropriate level of due diligence. To help ensure additional mitigation of third-party risk, it can be useful for companies to have a fulsome third-party management programme. This may include due diligence, contracts with appropriate representations and warranties, training of the third party, along with an exam, a compliance manual or code of conduct, annual compliance certifications and ongoing monitoring, which could include audits and keeping an eye out for red flags.

Vicens: A third party is neither embedded in your company’s compliance culture nor under your ‘control’ in the same way an employee may be. For this reason, compliance risks are usually amplified when third parties are involved. Emphasising the value you place on your compliance culture, both in how you contract and communicate with third parties, is essential, as it requires third parties to internalise and share those risks. In addition, being able to map and detect risks, and to tailor your diligence and compliance training to your particular risk environment, will enable you to achieve greater risk detection and prevention and help you manage jurisdictional and cultural differences. Business culture and industries change over time, meaning that the risk landscape is dynamic. That is why conducting periodic risk assessments that take a fresh look at the control environment, the use of third parties and the likelihood of potential new risks is important to help manage geographical, cultural and industry-specific challenges.


FW: In your opinion, how should companies tailor their compliance programmes to correspond with global policies that may allow exceptions and defences in certain regimes but not in others?

O’Sullivan: There is no one-size-fits-all approach to a globalised compliance programme. Where compliance regimes conflict, companies will have to conduct a delicate and risk-based balancing act to mitigate their exposure in different jurisdictions. The difficulty in navigating conflicting regimes is best demonstrated with reference to the UK Bribery Act and the FCPA. The former prohibits facilitation payments, whereas these are permitted under the FCPA. Companies should tailor global programmes to adhere to the overarching compliance framework and ensure that key principles are embedded and understood throughout the organisation through internal and external communication, including training. At a local level, training can then be adapted to take account of jurisdiction requirements and cultural nuances.

Pardesi: I find that it is most helpful for companies to have a baseline set of policies that govern business conduct globally, with local standard operating procedures (SOPs) or some other framework that allows for exceptions for local business units to conduct themselves as expressly permitted under local laws or local trade association guidance, if any exists. Local trade association guidance has become increasingly important – it is often an organisation that serves as a coalition of local companies in the same industry, such as pharmaceutical companies. These organisations will sometimes create codes of conduct for member companies to abide by in a particular market. This framework gives the company flexibility and it assures local employees that they are in line with local guidance, as opposed to onerous requirements from another country.

Vicens: Whether a compliance programme allows exceptions and defences in certain regimes but not in others will likely have a minimal effect on how companies design and monitor their compliance programme at a global level. The most important drivers are making certain your programme is robust, that you are mindful of recordkeeping and other procedural requirements, and that you stay informed by the advice of local counsel and compliance officers on how to best abide by relevant local regulatory requirements, so as not to forget them when thinking about the broader global picture. In general, regulators in most jurisdictions will endorse either a leniency or ‘effective compliance’ regime, and there is always a benefit to defending a more robust compliance programme before regulators where instances of possible misconduct have been identified. The existence of a well-designed and robust programme may make regulators, in that context, more open to accepting representations regarding the company’s reliance on affirmative defences and exceptions.

Turteltaub: Companies need to be careful when tailoring their compliance programme. A company needs to be consistent in how it approaches issues around the globe, but if there are differences in law, there should be a reasonable amount of flexibility built into the system to accommodate them where appropriate. There should be a process for identifying the differences, reviewing them, and then determining when a local exception may be made. However, everyone needs to remember that just because you can do something in a given country does not mean you should.

FW: What essential advice can you give to companies on developing a legally compliant and localised global compliance programme?

Turteltaub: Make sure you engage local stakeholders. The programme will likely come out of headquarters, but if it shows that leadership is indifferent to local needs, it will be very difficult to get local support. Take the time to identify people who can ensure that what makes sense on paper in headquarters will also make sense halfway around the globe. Also, make sure you have people locally who can answer questions and employees can turn to when there is an issue. A helpline is great, but someone down the hall who they can look in the eye is even better.

Vicens: Think about it like building a home: does it have the right foundation and is it going to meet your needs? First and foremost, give long and hard consideration to your structure and reporting lines. How is it going to fit within your organisation? Next, is it tailored to your risks and will the policies and controls which comprise your programme work within your company? There is no ‘one size fits all’ compliance programme. Developing a compliance programme is an investment of time, money and human resources, and it will only be effective if it is as dynamic and adaptable to the risk environment in which the company operates. In developing a localised global compliance programme, one potential pitfall can be a lack of interaction between compliance and the business lines early in the process and a failure to create a shared responsibility for the resulting programme.

Pardesi: There are a few principles that I have found to be helpful in developing an effective local compliance programme. Perhaps the most important principle is ensuring that there are local compliance and legal resources that are engaged with the market, including regular visits, trainings or other touchpoints. Relatedly, I have found that corporate compliance can only go so far without buy-in from the business, including leadership. Much is rightfully said about ‘tone at the top’ and how leadership’s approach towards compliance affects the business unit’s overall attitude. In my view, shaping the tone of the organisation comes from investing the time to create a partnership between legal and compliance and the business. Other useful principles include thoughtful local SOPs that are tailored to the market and that are supported through frequent communication between local compliance and a central hub, to ensure consistency.

O’Sullivan: A key ingredient of a legally robust and effective compliance programme is regular monitoring and review. This ensures that policies and procedures evolve in conjunction with risk, as well as legal and regulatory developments and enforcement trends that are relevant to the local jurisdiction. Companies should conduct regular and comprehensive risk assessments which provide insight into the effectiveness of their systems and controls. A risk assessment should evaluate gaps in the compliance framework and detect red flags, violations and other shortcomings. In addition, companies may wish to seek independent verification as to the effectiveness of their compliance programme. By way of example, the International Standards Organisation introduced ISO 37001 to benchmark anti-bribery management systems. While the standard has international application, it is not a guarantee of compliance and will not serve as a defence to a charge of bribery.


FW: Looking ahead, do you anticipate that more multinational companies will take steps to localise their global compliance programmes? What are the potential consequences for those organisations that fail to adequately address this issue?

Vicens: Overall, there is a trend towards greater centralisation of the compliance function and there are some good reasons for this. This shift is as much practical as it is structural. A localised compliance programme allows for greater accountability, easier management and better coordination between specialised compliance professionals and the business. Corporations that fail to centralise their compliance programmes may find that they struggle with a lack of coordination and inconsistent monitoring of their programmes. They may also lose out on the opportunity to reinforce a single culture of compliance built on common ethical principles and a sense of shared responsibility. Creating a global programme also pays dividends in the long run. It takes some of the risk out of strategic growth to know you have a plan in place to integrate any new acquisitions into your programme. It also better manages costs by taking away the guesswork and inefficiencies of managing multiple and competing programmes and policies.

Pardesi: Assuming a company is of the size and scale that it can support localised, or regionalised, compliance programmes, I anticipate that it would do so. One consequence of not having a localised compliance programme is a potential disconnect between local business unit employees and the compliance function writ large. It is often beneficial for the compliance department to have a partnership, or at least a level of mutual trust and credibility, with the business to be able to function effectively, even if compliance is serving as a watchdog for the organisation. However, the partnership, and the credibility that underlies it, can suffer if local business unit employees feel that compliance is disengaged or otherwise divorced from reality, which can result in the popular refrain, ‘why is someone in another country telling us what to do?’ Close engagement by compliance can help set these expectations and provide context for the principles that animate the compliance function.

O’Sullivan: As companies attempt to navigate the disparate compliance regimes of various jurisdictions, we will continue to see a trend towards localised compliance programmes. This trend has, in part, been fuelled and exacerbated by inconsistencies in the approach taken by law enforcement agencies, such as the Serious Fraud Office (SFO), the Department of Justice (DOJ) and the Parquet National Financier (PNF), and the divergence in policies and guidelines. Jurisdiction-specific legislation, such as the GDPR, is also shaping local compliance programmes. As regulators and law enforcement agencies continue to deepen cross-border relationships with their international counterparts, companies that fail to address localised compliance issues may attract scrutiny and find that they are in violation of local laws, leading to reputational damage and criminal and regulatory sanctions.

Turteltaub: The strongest programmes are already both local and global. They are making their codes of conduct available in local languages and are also doing so with their training. They are ensuring that the programme feels local as well. I know of one company that, even a decade ago, printed the code of conduct on different paper stocks in different regions so that the programme literally felt local. The bottom line is that compliance programmes need a strong tone at the top, but if the tone is not right in the middle it is not going to succeed. Localising the programme helps ensure you both get the right tone throughout the organisation and are much more likely to be successful.

Aisling O’Sullivan is an associate in the white-collar defence & government investigations practice group, based in London. Her practice focuses on compliance, corporate crime, investigations and civil litigation, including asset tracing and recovery. Ms O’Sullivan provides advice and representation to corporates and individuals facing criminal and regulatory enforcement action. She has acted on investigations led by UK and international agencies into allegations of fraud, bribery and corruption, false accounting and money laundering. She can be contacted on +44 (0)20 7851 6080 or by email: aosullivan@brownrudnick.com.

Lisa Vicens’ practice focuses on a broad spectrum of securities enforcement, investigations and compliance, as well as securities litigation, with a concentration in complex, cross-border issues. She frequently works on matters in Latin America, particularly enforcement matters involving clients in the region. Her litigation practice includes many notable securities actions and high-profile civil cases. She also has an active criminal pro bono practice. Ms Vicens joined the firm in 2005 and became a partner in 2015. She can be contacted on +1 (212) 225 2524 or by email: evicens@cgsh.com.

Abdus Samad Pardesi is a partner in the government & internal investigations practice group in the Chicago office of Kirkland & Ellis LLP. Mr Pardesi is a versatile enforcement lawyer, with a focus on anti-corruption compliance, employee fraud and international risk counselling. He has substantial experience litigating complex commercial disputes and has also handled numerous internal and government-facing investigations for public and private companies in a variety of industries and in multiple countries. He can be contacted on +1 (312) 862 3291 or by email: abdus.pardesi@kirkland.com.

Adam Turteltaub is the vice president of strategic initiatives & international programs for the Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA). He is responsible for the association’s marketing and executive relationships. He joined SCCE/HCCA with more than seven years of experience working with ethics and compliance professionals. Immediately before joining he was corporate relations executive for LRN, where he was responsible for the company’s conferences and events programmes. He can be contacted on +1 (952) 405 7922 or by email: adam.turteltaub@corporatecompliance.org.

© Financier Worldwide

