Developing an effective compliance strategy


Financier Worldwide Magazine

March 2015 Issue

In today’s corporate world, an effective compliance strategy is a ‘must have’ component of a company’s management portfolio. Over the last 12 months, an increasing number of companies have reported a rise in the extent and frequency of the risks they face: anti-competitive conduct, sector-specific regulation, international trade and economic sanctions, bribery and corruption, and cyber crime, to name a few. To successfully understand and manage such risks, companies need to actively monitor, evaluate and review the effectiveness of their compliance strategies.

FW: To what extent have the regulatory challenges facing companies increased over the last 12 months or so? How important is it for companies to have an effective compliance strategy in place to manage these challenges?

Gallinger: Some of the most significant regulations in the US over the last 12 months or so include the Treadway Commission’s COSO 2013 Framework, the Affordable Care Act, the convergence of the Financial Accounting Standards Board’s (FASB) and International Accounting Standards Board’s (IASB) Revenue Recognition Standards, and the Consumer Financial Protection Bureau’s TILA-RESPA Integrated Disclosure Rule. It is of paramount importance that organisations have a robust compliance strategy in place to manage the challenges arising from these regulatory changes. Organisations must be prepared to identify and manage these changes, implement a responsive strategy in a timely manner, and educate on the regulations and their impact on the business’s processes and procedures. In addition, because of the consistent change inherent to the regulatory environment, organisations must be proactive in keeping abreast of regulatory discussions and happenings that may precipitate new requirements far beyond the current year.

Altman: The regulatory regimes have not changed that much over the last 12 months from a statutory perspective. Rather, the key trends we are seeing relate to increased globalisation and the aggressive enforcement of existing regulations. The global reach of regulation has created new challenges. It is no longer enough to focus on a company’s headquarters and a few hotspots. Enforcement requires vigilance across the organisation. It also means that companies now face potentially conflicting regulatory schemes as they move from country to country and must be prepared to adjust their compliance program to react to these differences.

Eastwood: Regulatory challenges continue to be among the prime concerns of businesses. Companies must manage established and emerging risks, including anti-competitive conduct, sector-specific regulation, international trade and economic sanctions, bribery and corruption, and data protection. Cyber crime has rapidly risen on the agenda of governments and regulators. Mary Jo White, chair of the US Securities and Exchange Commission, has described cyber security as a topic of “long-term seriousness”. The increasing range of challenges is augmented by an increased effort on the part of regulators in developed and emerging markets to bring enforcement actions against corporates and individuals. A compliance framework is a minimum requirement in managing the range of risks, identifying and responding to emerging risk, and meeting changing regulatory expectations.

Moosmayer: As we all have seen recently with the $772m Alstom settlement, the US remains very active in FCPA enforcement. In Europe, the situation is more diverse. Some countries have started enforcing international corruption cases. In the Netherlands, SBM paid a $240m bribery related fine. Germany continues to prosecute individuals and companies. In the UK, the SFO at least tries to speed up proceedings, whereas other countries like Spain are busy fighting domestic bribery but are not yet working on international cases. Some European countries are doing very little and are being rightfully blamed by the OECD because they do not enforce the Convention at all. The OECD report on Foreign Bribery, which was published on 2 December 2014, provides a very good overview of the enforcement of the OECD Convention by its member states. Developments in China are certainly worth noting. In China, not only has GSK been required to pay $489m in order to settle its bribery case but there is a visible and sustained country-wide anti-corruption campaign against mainly mid-level public officials. However, events in China must be closely monitored in order to determine if there is also a political element to these enforcement activities. Companies would be well advised to expect even more enforcement around the globe going forward. We expect to see some similarities with enforcement activities in the antitrust space where authorities cooperate worldwide and even have rankings to determine who has imposed the biggest financial penalties against companies.

Heiman: The tempo of increasing regulatory scrutiny did not slow over the last 12 months. Having an effective compliance program is critical. Governments have said that an effective program can mitigate the risks of compliance breaches in areas such as corruption and fair competition. We saw this with the Morgan Stanley example a few years ago. Notably, the US Justice Department declined to prosecute Morgan Stanley for the acts of an employee when it was shown that Morgan Stanley had provided repeated training to the employee regarding expectations around corruption.

Lucy: Regulatory challenges have definitely increased. At an international level, various reforms have been generated that have impacted both the public and private sectors, which in turn has meant strategies have had to be developed to be effective in terms of enforcement. In some countries, reforms have been more complex and have even involved the development of computer systems. For firms in both the public and private sectors, it is very important that they have compliance strategies in place. For the public sector it can be a little easier as they have their internal audits or controls that will allow them to be more alert and aware of regulatory developments. However, for the private sector, this is not always considered mandatory in their organisational structures. Accordingly, it is very important that companies develop a program of effective and preventive compliance.

The establishment of a compliance committee would properly balance the development of policies and procedures, leaving the chief compliance officer to focus on ensuring that compliance has been achieved.
— Luz María Pineda Lucy

FW: In your opinion, what key issues should firms consider when outlining their compliance strategy? What provisions and controls should this strategy include?

Heiman: It is critical that companies understand their business model. Advisers can assist with the analysis, but there are no ‘off the shelf’ solutions. Every company should have a program that is tailored to their particular needs, and that will require input from across the enterprise, not just the compliance department. While the solutions may vary, certain topics must be considered, including the location of business operations, ownership of market channels, the strength of the company’s control environment, the regulatory environment of the company’s industry, and the company’s tolerance for risk.

Lucy: It is desirable that all companies analyse their risk-based compliance. If you start with a legal understanding about how the company would be vulnerable in its implementation strategy, it would be clear that carrying out a mapping process from start to finish is essential. What spheres touch each of the processes, and thus what regulation must be complied with at every stage of these processes, would then become evident. It is necessary to take an initial brainstorming approach, with all areas involved in each process. Then establish a matrix of controls with the regulatory risks that are found in each of these processes. If the implementation has not been adequate, establish a remediation program with senior management’s approval. Companies should also establish an internal control environment that generates the proper monitoring of processes and their policy or regulatory implications.

Eastwood: Any compliance program must be built on the foundations of an effective risk assessment which identifies the types of risk which must be addressed and managed. Consistent and effective implementation, with support from senior levels of the organisation, is key. A suite of ‘paper policies’ without effective implementation which embeds practice into an organisation will not be acceptable to regulators should issues arise. Implementation should be sufficiently flexible in order to respond to any high-risk operations or jurisdictions in which a business may operate. A compliance framework should be informed by, and facilitate communication between, legal, risk, HR, corporate communication and internal audit departments, and provide for the effective reporting of issues to the board. Companies should actively monitor, evaluate and review the effectiveness of their compliance strategy.

Gallinger: Company leaders must take a hard, honest look at their organisations. Among other things, companies should review questions regarding issues such as where they conduct their business and what the local laws are, where their third-party relationships lie, and how their culture supports, or fails to support, regulatory compliance. Company leaders should be fully engaged in devising strategy and leading by example. Communication capabilities need to be evaluated. For example, is there open dialogue and continuous communication within the organisation that focuses on the changing landscape of compliance? Has the importance of responding to regulatory change proactively been conveyed as appropriate? Does the company have the ability to independently validate whether responses to regulatory requirements are implemented correctly? Additionally, in the pursuit of constant improvement, organisations should leverage lessons learned from past failures to facilitate future success in dealing with regulatory change.

Moosmayer: The compliance strategy of a company depends very much on a sound compliance risk assessment. In which markets and regions is the company active? How are the sales and procurement channels structured? Who are the customers and which intermediaries are used? Do you really know your joint venture partner? What is the regulatory environment of the business? These are just a few of the questions which firms should consider. Based on this risk assessment, a company’s compliance strategy will determine the risk mitigation and remediation measures of the compliance system and the necessary controls.

FW: What model guidance and framework templates might companies draw from when building an effective compliance program?

Eastwood: There is no ‘one-size-fits-all’ compliance model. The threat to organisations varies across jurisdictions, transactions, industry sectors and business partners. Compliance frameworks must be informed by industry best practice, peer group best practice, external review and assurance, and guidance from regulators. In the context of an anti-corruption policy, for example, the UK Ministry of Justice published guidance formulated around six principles which should inform businesses seeking to limit corruption risk. Campaign groups such as Transparency International also publish good practice guides. An interesting development in recent years has been the publication of standards. Notably the BSI 10500 Anti-Bribery Management Standard, which is now being used by the International Organisation for Standardisation as a basis for the draft ISO 37001. Either would serve as a useful guide for the development of an effective compliance program.

Moosmayer: The ‘essentials’ of a compliance framework are quite clear. You will find the same key elements in all the relevant legal frameworks as in Chapter 8 of the US Sentencing Guidelines, the Guidance to the UK Bribery Act regarding adequate compliance procedures or in the recommendations of international institutions such as the OECD or the International Chamber of Commerce. The wording or structure may be slightly different, but in a nutshell they all stress the importance of a sound compliance risk assessment, comprehensive and unambiguous compliance guidelines and policies combined with a thorough training concept, well communicated reporting channels, and last but not least, investigation of potential misconduct and disciplinary actions in case a violation is proven. However it is a completely different task to implement this framework within a company. You cannot simply buy a paper program and sell it as an effective compliance system. Based on the risk assessment you have to carefully adapt and build the aforementioned elements in a way that they are understood and integrated into the relevant businesses. For this job, you need skilled professionals who know their company and the business environment, and of course a clear commitment by the top management.

Lucy: To develop a guide and framework that companies can use to develop their compliance strategy, it is highly effective to consider first the internal control framework. The vision of an internal control model as a framework for the development of a compliance program becomes essential for the daily operation of the company and its long-term survival. The COSO model can be very useful but each company must tailor its internal controls. A company’s structure, licensing, corporate governance, vision, mission and values are specific to its operations. Even if two companies are doing business in the same sector, controls will differ in practice. It is possible to consider a framework and model as a guide, however the development of the program would be unique for each company.

Heiman: There is no shortage of guidance available. The US Sentencing Guidelines, the US FCPA Resource Guide, the UK Bribery Act Guidance document, and OECD and World Bank publications all offer useful advice. In addition, there are a number of organisations that facilitate benchmarking conversations. Peer feedback can be the most useful guidance available when you are planning to implement or enhance a compliance program.

Gallinger: Organisations should look to the Open Compliance and Ethics Group (OCEG) for the latest, most comprehensive ethics and compliance models, framework templates and standards. OCEG’s latest publication, GRC Capability Model – Version 2.1, highlights a framework that accounts for all key aspects of a robust compliance and ethics program. OCEG’s approach to framework development acknowledges several components of compliance that are often overlooked, such as the contextualisation of an organisation’s culture, prior to the ideation of a revamped compliance program, the ability to react to and proactively anticipate desirable and undesirable conditions and events through managerial actions and controls, and the use of metrics and key performance indicators to assess the quality of the program.

Altman: Programs must fit the organisation in question, so it is impossible to suggest a one-size-fits-all plan. From a general point of view, I always suggest that companies look at competitor websites to see what their outward facing message is on compliance. Even a quick look at a competitor’s code of ethics can give you a good understanding of what challenges you need to plan for in your organisation. In some specialty areas there are developing model standards. For example, in cyber security the NIST framework talks about components of cyber preparedness that many companies are adopting.

Ethics and compliance are easily distinguishable. Ethics has to do with the culture of the organisation. Compliance is a routine, doing just what needs to be done. Ethics goes above and beyond.
— George Gallinger

FW: What do you consider to be the advantages of appointing a chief compliance officer and establishing a compliance committee? What functions and responsibilities should they hold?

Moosmayer: There are different models of a compliance organisation and the specific set up depends highly on the structure of the company and its compliance risk profile. Big companies with a significant compliance risk exposure tend to build a standalone compliance organisation headed by a chief compliance officer, who has direct access to the leadership of the company. Medium sized companies may lack these resources and opt for a joint compliance effort of different functions incorporating, for example, the firm’s legal, audit, finance and HR departments, which all report into a joint compliance committee. Clearly there is no ‘one-size-fits-all’ solution, however one thing should be clear – ultimate responsibility lies with the management of the company.

Gallinger: Having a chief compliance officer and compliance committee in place says unequivocally that compliance and ethics are very important to the organisation. It puts everyone on notice, including employees and other stakeholders, that compliance and ethics will be taken seriously. The chief compliance officer and compliance committee serve as the key disseminators of information throughout the organisation and play a critical role as advisers to top leadership. The compliance officer and committee should be vigilant about responding to new regulations and about anticipating regulatory changes on the horizon. A key responsibility should be the development of a comprehensive compliance plan, as well as spearheading changes needed to respond to new or amended regulations.

Heiman: In the absence of a chief compliance officer, many of the tasks related to such a role are shared by others or take lesser precedence. The issues involved are too important for them to be second-tier responsibilities. A compliance committee, when effectively used, can act as an adviser and a focus group for important developments that are internal or external to a company such as policy changes, business model adjustments, new regulations and entry into new markets. Both the compliance officer and compliance committee, when empowered by leadership and given sufficient resources, can be an important symbol of a company’s commitment to acting with integrity.

Lucy: The advantages associated with having a specialised person responsible are numerous. This person would be aware of all the regulatory changes and their implications for the company, as well as of the development of an effective compliance program that would allow the company to comply with all the statutory or regulatory requirements imposed on it. In addition, the internal aspects that each company develops and shapes with policies, manuals and other internal regulatory documents would be monitored. The establishment of a compliance committee would properly balance the development of policies and procedures, leaving the chief compliance officer to focus on ensuring that compliance has been achieved. This would also require the development of compliance reports to be shared with upper management or boards of directors. In the case of both a committee and a chief compliance officer, the development of the compliance program should be set, in order to obtain a complete and orderly interaction, to ensure a harmonious implementation.

Altman: There are two advantages to be derived from the appointment of a chief compliance officer (CCO). First, the appointment elevates the issue of compliance to a prominent role within the organisation and makes it clear that it is a core function. Second, it brings a level of professionalism to the process. The CCO is an expert at the functional area in the same way you would expect a chief financial officer to be. The compliance committee is another useful tool. Usually made up of business unit representatives, it can take the message and operation down to the business units in a way a compliance person cannot. When the two work together, it creates an effective program.

Eastwood: The first step is usually hiring a chief compliance officer or a similarly senior-level individual. In larger organisations, a compliance committee, a committee of the board of directors, assists the board with the oversight of significant related regulatory and compliance issues. The committee’s composition and charter are important. The committee should include a majority of independent directors to provide an objective view of the company’s compliance experts. Its main function is to provide a line of sight into the organisation for the board. The committee’s responsibilities may include: reviewing and overseeing the compliance program, including but not limited to evaluating its effectiveness and receiving updates about the activities of the chief compliance officer and other compliance personnel; reviewing and evaluating internal reports and external data to assess whether there are any significant concerns regarding the company’s regulatory and compliance practices; evaluating whether compensation practices are aligned to compliance obligations; overseeing the implementation of the compliance program in relation to newly acquired businesses; and reporting annually to the board on the state of the company’s compliance functions, relevant compliance issues, potential patterns of non-compliance and any other issues that may reflect systemic or widespread problems in compliance or regulatory matters exposing the company to substantial compliance risk.

FW: In your experience, do companies generally appreciate the difference between compliance and ethics? How does each issue shape corporate culture in its own way, and how should companies use them to inform the way they do business?

Lucy: Generally, the difference is not very tangible for entrepreneurs, which can in principle be an advantage, as they are intrinsically related. A company that has implemented a corporate governance program can distinguish the differences between ethics and compliance, although one leads to the other. The difference is that a company could be ethical and do business based on ethics, but regulatory breaches could still happen if it does not have a proper compliance program. Taking both elements and putting them together to create a robust compliance program based on ethics would give the compliance program an appropriate and unique form for that particular company. Once a company has achieved compliance, its business transactions would be performed ethically. The transactions would be developed based on the company’s compliance program, which should be developed founded on a mapping of risks and internal processes. A company that walks the talk – disseminating and practicing these aspects constantly – would be recognised in the industry or sector in which it operates as having a flawless reputation that in itself generates an absolutely valuable intangible asset.

Heiman: I believe it is inevitable that the terms ‘compliance’ and ‘ethics’ will wind up being intertwined. Everyone recognises the importance of complying with the law. However, talking about following the law does not motivate employees in the same way as a discussion about values. Our company stresses four core values, namely teamwork, excellence, accountability, and integrity. We drive our compliance education around these values. If we act in a way that is consistent with our values, almost all of our compliance obligations are satisfied. Companies should be talking about the values that are core to their enterprise.

Moosmayer: This is a difficult subject because ‘ethics’ can be interpreted in a number of ways. Equally, ethics can also be used as a ‘killer argument’ in the event that a fact based discussion comes to no discernible conclusion. I am well aware of the notion ‘legal but evil’ but I would say we should concentrate first on urgent and unsolved compliance issues such as determining how best to fight domestic and international corruption. Regardless, integrity must play an important role in the establishment of a compliance system. There are a number of basic questions which should be asked when establishing compliance regimes. Questions such as “Would you do the same if this was your own company?” or “Would you tell your children what you have done today?” are powerful tools for self reflection, but they should be formulated as pragmatically as possible.

Altman: Ethics, to me, refers to the company’s internal values and its commitment to appropriate behaviour. This entails both following the law and doing what is right from a corporate citizenship perspective. It includes education and training, as well as communicating those values throughout the organisation. Compliance is the process by which the organisation assures itself and others that the ethics message is conveyed and implemented. It’s the old ‘trust but verify’ maxim. Compliance provides the tools to verify and the methods for reacting when something goes awry.

Eastwood: The terms ‘ethics’ and ‘compliance’ are often used synonymously but it is important to distinguish between the two concepts. Compliance focuses on regulation – are you following the law? Ethics, on the other hand, is about encouraging behaviour that is more than rules-based, choosing to conduct business in line with a broader set of values. A culture of ethical conduct will facilitate the effectiveness of compliance. Regulators in the financial services sector, for example, are placing increasing emphasis on the significance of ethical conduct and the ability of employees to act in accordance with an ‘ethical compass’. The best strategies recognise the difference between ethics and compliance and drive both as integral components of the company’s success.

Gallinger: Ethics and compliance are easily distinguishable. Ethics has to do with the culture of the organisation. Compliance is a routine, doing just what needs to be done. Ethics goes above and beyond. It defines an organisation and comes from the top down. Although not always black and white, everyone knows what something feels like when it is not ethical. Today’s employees want to work for ethical organisations. Firms increasingly understand that an ethical culture is a value proposition that enables them to attract the best talent, investors and customers, and improve morale. It should also permeate relationships with third parties. Firms promote an ethical culture by rewarding people who do the right thing and by consciously seeking out employees who want to do the right thing. That does not just mean being a whistleblower. Ethics can be saying “I know a better way to do something” – it is not just sitting there, remaining passive.

First, you should design your compliance training program in a way that transmits your values and expectations on a global basis. Have one clear organisational message, but adapt it locally.
— Stuart Altman

FW: What advice would you give to companies looking to develop compliance training programs across their organisation? How important is it to regularly review and update training programs?

Altman: First, you should design your compliance training program in a way that transmits your values and expectations on a global basis. Have one clear organisational message, but adapt it locally. Cultural differences play a huge role in these issues and training needs to reflect this. One-size-fits-all does not work here. Second, it is not enough to simply set up your program and push it out into the workplace. You need to monitor the program and its effectiveness. Do people attend? Are people understanding the content? I once had a CCO tell me how proud they were to have never gotten a call on their compliance hotline. No organisation is so perfect that there are zero complaints – something else was likely stopping employees from calling.

Moosmayer: Good compliance training can be a real game changer for compliance within a firm. On the other hand, poor training has the ability to be particularly destructive. While this may sound something of an exaggeration, everybody who has ever attended a boring compliance training session can surely empathise. Modern training techniques, whether carried out in person or via an IT solution, must be interactive, relatively brief and adapted to the applicable cultural environment. The trainer should always be a professional and be able to speak from their own experiences, as this can often be particularly convincing. Creating and continuously adapting a company’s compliance training portfolio can be a challenge for any compliance organisation, but it is also one of their most important tasks. Arguably, it is much more important than simply writing a company’s compliance policy.

Gallinger: Compliance training should be folded into the on-boarding process for new employees and vendors. At a bare minimum, any new or revised regulation should be addressed with training. All training should be refreshed on an annual basis. Companies should not just pay lip-service to their training initiatives. They should put thought and the necessary funding into the task of developing a great training program that will resonate with trainees. Start from the top, with company leadership communicating the value they place on training, and make it mandatory. Do not approach training as a one-size-fits-all proposition. If a company has international operations, it must evaluate local conditions and tailor training in response to local regulatory and cultural dynamics. Third parties should not be omitted from training. Ethics and compliance training is not just important within the organisation, but should involve everyone who touches the organisation.

Eastwood: As part of effective implementation, personnel at all levels, including senior management, should receive tailored training on the company’s compliance program, responsibilities and how they are discharged, and how to identify and report risks. Training should be practical and clear. It is important that it is not seen as something which the company merely pays lip-service to, but rather is engaging and relevant to the business. Training should reflect differing risks across areas of the business, sectors and jurisdictions in which personnel operate. Online, desktop training should be seen as a minimum requirement. In-person training, rolled out regularly, should be updated to reflect industry standards and good practice so that it remains targeted and effective.

Lucy: The first point is that all employees should know what the company does, how it operates and what is prohibited. To the extent that all employees are aware of internal policies, applicable regulations and their ethical behaviour, employees will be the ideal way in which the business can be relatively safe from falling into circumstances of failure, failure which can lead to fines and a loss of reputation. If companies take into account these elements when developing a compliance program, they will have a high success rate. Furthermore, companies should undertake a constant diffusion of information to employees, so that staff are always aware of applicable policies. Access to these policies is critical. Furthermore, it is important to review and update training programs, as failure to do so will result in employees not being updated. Companies must introduce dynamic elements that result in interesting and engaging training programs.

Heiman: It is important to think creatively about training for adults. Mix it up. Reliance on classroom style PowerPoint presentations will not sustain employee engagement. Training should be interactive and varied, be it in person, via webinar, online, or otherwise. It should also reward people for their knowledge. If someone can pass a test that demonstrates they understand the rules around data privacy or corruption, they should not be forced to go through training. Even if your program is effective and engaging, it will still require revision to keep it fresh. There are not many movies people want to see repeatedly. The same goes for your training material.

The impact for a business of failing to manage risks arising in international operations can have a significant impact elsewhere in the organisation.
— Sam Eastwood

FW: To what extent do multinational companies face additional challenges when rolling out a compliance strategy? Is there a need to narrow the focus of compliance initiatives, to avoid getting lost in the sheer volume of multijurisdictional requirements?

Gallinger: When rolling out a company-wide compliance strategy, multinational companies are challenged to keep pace with multijurisdictional requirements. Annual risk assessments should be conducted to identify both enterprise-wide and location-specific risk areas. Risks should be ranked based on the potential threat they pose to the company. Companies should focus on mitigating areas of highest risk first. Inevitably, some issues will require tapping into local experts who are conversant in the local regulatory requirements. A local liaison should be appointed to regularly report into the chief risk officer or chief compliance officer and keep them apprised of issues or changes in the local regulatory environment. Companies should strive to ensure that their compliance programs are cohesive, while at the same time are able to address location-specific requirements. This will prevent satellite offices from becoming disconnected and isolated from the home office.

Lucy: For multinational companies the challenge may be higher. Establishing multinational compliance committees to research and develop the most relevant and worrying jurisdictional issues, and thereby focusing on the most important aspects to be monitored, is the bottom line. Each national compliance committee should monitor the crucial points of that particular jurisdiction and submit those that are relevant at a multinational level. If tracking is done in layers the monitoring can be more agile and accurate. In turn, when the main points are identified, companies should take into consideration top management and, along with the local reports, the purpose of compliance initiatives would most likely be followed locally. This could be seen as a pyramid of enforcement.

Heiman: Additional jurisdictions increase complexity. But the best approach is to develop uniform company standards wherever possible. For example, some countries allow for facilitation payments, while others say they are prohibited. A company policy that prohibits bribes and facilitation payments eliminates this inconsistency. This makes for clear expectations, and it also allows you to talk to employees about your company’s values and policies, rather than what the law requires. There may be occasions where a local exception is necessary, but with properly structured policies, those should be rare.

Moosmayer: I would agree that it is a significant challenge to understand and adapt to the cultural environment when it comes to the ‘how’ we best communicate compliance topics. What works well in Japan may not work so well in Venezuela. But frankly there should not be a dilemma when it comes to the content of the strategy, particularly when we talk about core compliance topics. If we consider anticorruption, the standards today are more or less the same globally, particularly when you take into account the OECD and UN conventions against bribery. Yes, there is a deficit in enforcement in certain countries, but not in the rule of law. With few exceptions, this is also true for hardcore antitrust violations.

Eastwood: Multinational companies should implement global compliance practices to the highest benchmarks. In addition, practices must flex wherever necessary to reflect local regulatory requirements and varying degrees of risk. In the context of corruption risk management, for example, it is important that compliance policies and procedures are integrated across the organisation. Existing ‘cultures’ of corruption, limited resources and immature governance processes mean that it may be tempting for regional staff to create fiefdoms or cut corners far from the view of headquarters. The impact for a business of failing to manage risks arising in international operations can have a significant impact elsewhere in the organisation.

FW: How important is it for companies to ensure that suitable protection is available to encourage internal whistleblowers? If a particular issue is formally reported by a whistleblower, in what way should the company respond?

Heiman: A whistleblower-safe culture is of paramount importance. This is where a company gets to prove that it takes ethics and values seriously. Any hint of negative repercussions for good faith reporting will chill all reporting, and could potentially drive enterprise risks underground. Every whistleblower should receive acknowledgement for bringing the issue forward. The whistleblower should also be kept advised, to the extent possible, of the progress of the review of the matter. Whistleblowers should also be asked from time to time about whether they are experiencing any form of retribution and frequent reminders that the company does not tolerate such behaviour should be disseminated to employees. Finally, if the report is confirmed or there is retribution of some kind, those activities must be addressed swiftly, and the results should be made public when possible. This demonstrates organisational justice, something employees notice.

Moosmayer: Whistleblower protection is an essential element of each compliance system. And if a whistleblower reports potential misconduct, the compliance organisation or the legal department must follow up the complaint via a thorough investigative process in order to determine whether the allegation is plausible. That said, the reality is far more complex. Sometimes the whistleblower is involved in misconduct or the reporting was triggered by personal reasons. In some cases, reporting in bad faith may occur. Therefore, it is of absolute importance that the investigation is conducted by experienced and unbiased internal or external professionals in a due and fair process, maintaining the presumption of innocence regarding the subject of the allegation, but also protecting the whistleblower from internal retaliation.

Lucy: The extent that a company’s employees perceive and feel they have the reassurance and confidence to report unethical dealings through a complaint hotline would be the extent to which companies could be satisfied about the claims and not think of them as an unnecessary expense, if owned by a third party. It is important to ensure this access, otherwise the company will lose the spirit of having the hotline. In turn, if the company guarantees the right environment to file a report about the complaint, this lessens the likelihood of facts being converted into formal complaints. If a formal complaint is generated, the company should open the way for the investigation leading and implementing controls that have been broken in the corresponding area. The situation cannot be eliminated, only prevented. Once this happens it will be necessary to take the measures necessary to correct the procedures and policies that have been violated.

Eastwood: It is essential that companies create an open culture of communication, including the provision of mechanisms, through face-to-face meetings, in the context of appraisals, or through the use of technology, which provide an avenue by which personnel of all levels can report or discuss concerns. Early disclosure allows senior management to quickly address concerns, manage issues, and limit more serious regulatory breaches. Whistleblower protection rules apply broadly to all possible compliance violations. It is important to have safeguards in place to minimise the risk of follow-on litigation by the whistleblower, and to make those safeguards known across the organisation. The ‘bounty’ rewards on offer to whistleblowers by US regulators, in particular, should encourage businesses to facilitate reporting issues in-house. An effective whistleblowing policy should provide an internal mechanism for reporting which will feed into mechanisms charged with investigating and remedying wrongdoing. Businesses should have a protocol in place in order to determine the decision-making process which should be followed to determine whether a formal investigation is required. The protocol should inform the business as to how investigations are structured, how they are performed, and by whom.

Gallinger: A sound whistleblower program is fundamental to an ethical company culture. Thus, a whistleblower policy needs to be a prominent component of a company’s compliance and ethics strategy, and the whistleblowing process needs to be clearly communicated to every employee and be easily accessible to all staff. Of paramount importance is the ability to assure the whistleblower’s anonymity and protect the whistleblower from retribution. Since an organisation only gets one opportunity to protect its first whistleblower, its whistleblower policy should be tested by an independent party. Common issues with whistleblower procedures include misrouting of whistleblower issues to biased parties and exposure of the whistleblower’s identity. Responding to whistleblower allegations should not throw a company into crisis mode. A swift but measured approach is required to register a complaint, route it to the appropriate parties for investigation, and then take appropriate action to resolve the issues.

Altman: Initially, if you are truly invested in the compliance program you need to be sure your employees are as well. And the only way to do that is to promote a culture of free exchange of concerns. Issues grow from manageable to crisis when people are afraid to raise concerns. Also from a legal perspective, protections for whistleblowers are growing. This is built into laws in many countries. A company can’t afford to run afoul of these standards. In terms of handling reports, there are a variety of methods. But the key is establishing a pathway and making sure it gets followed. Feedback to the whistleblower, even when the charges are unsubstantiated, is important as well.

It is of absolute importance that the investigation is conducted by experienced and unbiased internal or external professionals in a due and fair process.
— Dr Klaus Moosmayer

FW: Boards are now under increasing pressure to promote greater transparency and compliance reporting. What more can they do to position compliance as an integral, strategic component of conducting business?

Lucy: When a company makes the decision to have a person responsible for compliance, it has taken a big step. If all firms have a dedicated person responsible for compliance, on a national level an asset is generated, which means firms would have fulfilled their responsibilities. The company that promotes ethical business practices, and is in compliance with regulatory aspects, would prevent unethical situations. If a compliance officer is given a position in the management structure of a company and gets involved in the development of new products, this would enable a strategic vision to be in place – a component that puts the company in compliance.

Gallinger: There are many benefits to fostering a strong ethical culture, including the ability to attract and retain talent, earning the respect and support of shareholders and customers, and gaining an advantage over competitors. A strong ethical culture is fostered from the top down, so boards need to ensure that a discussion on ethics is on each agenda. It is their responsibility to understand what is already in place and what needs to happen to attain goals. Consideration should be given to developing metrics as a way to measure progress against goals. Some possible metrics include the number of employees who received training, visits to the organisation’s ethics website, and the like. Some companies find that employee reward or recognition programs contribute to the success of the programs because employees feel that their role in perpetuating ethics and compliance is recognised and appreciated.

Altman: Firstly, compliance functions should be assigned a prominent role within an organisation. If you treat it as a poor cousin of the legal or audit departments, that message will soon disseminate around the company. Secondly, senior leadership needs to be actively involved in both the communication and operation of compliance. Finally, those running the business units need to be made a part of the compliance process. This means getting their input into the program before imposing requirements, but also holding them responsible when things go wrong. Even with a professional compliance team, the business lines need to have a real ownership role in compliance.

Heiman: If regular time is not set aside during board meetings to hear about compliance matters, the board should demand it from management. Compliance risks should be an element of strategic reviews, and the board should press management on driving a culture of integrity. To the extent that management fails to act with the utmost integrity, the consequences should be severe. Finally, the same high standard should be applied to the board members themselves.

Moosmayer: Compliance needs to exist not only on paper but also in everyday life, with access to the C-suite. In reality this means that firms must provide clear access to executive management and to the core company processes where decisions are made. This access has to be granted ultimately by companies’ boards. Furthermore, boards have to promote and provide not only the famous ‘tone from the top’, but also ensure that this approach is taken up by all lines of management. While compliance can support the top-down approach, ultimate responsibility lies with companies’ boards.

Eastwood: Board members do not need to become compliance managers, but do need to exercise effective oversight of delegated processes to position them as an integral component of conducting business. While investment in compliance is a continuing theme, boards should examine and review whether they are creating effective compliance functions with individuals capable of delivering the necessary outcomes, including changing or preventing aspects of practice which may jar with certain business operations or personnel. The highest levels of an organisation should also be included in this process. Information is key here. Unless the board demands information which will allow it to properly test the effectiveness of the compliance program, the directors will not be fulfilling their responsibility. In recognition of this, the performance of top management is increasingly being resolved by more sophisticated companies in a way which rewards active engagement in compliance issues. Boards and directors should promote compliance as a function which facilitates profit, growth and transparency, rather than a function which impedes or restricts business activity. Compliance should be embedded into risk management alongside and with parity to legal, audit and other risk management groups, and should be involved in business activity as early as possible in the deal lifecycle.

FW: How would you rate the ability of most companies to prepare for and adapt to a more robust regulatory environment?

Eastwood: The appetite for risk management will inevitably vary between businesses and across jurisdictions. Most sophisticated companies have in place the components for an effective compliance program which will respond to key areas of regulatory risk. Corporates in developed markets are more likely to have designed and implemented compliance measures. However, effective implementation, particularly in emerging markets, remains a challenge.

Gallinger: While one must be careful to avoid broad generalisations, companies that operate in highly regulated industries such as financial services tend to be better equipped to adapt to changes in the regulatory environment. Their compliance programs are typically more robust, and internal control structures more mature than their counterparts in lightly regulated industries, which helps them anticipate, prepare for, and comply with new regulations. In addition, organisational size seems to be a reliable predictor of a company’s ability to weather changes in the regulatory environment, as the robustness and maturity of compliance programs seems to be commensurate with the size of an organisation. Small companies with limited resources are challenged to address regulatory requirements proactively. Regardless of company size, it is the responsibility of boards and senior management to determine the efficacy of their companies’ compliance programs and the ability of those programs to adapt to new requirements.

Lucy: Companies must be prepared for changes to the regulatory environment. However, many companies lack an individual or team that would be responsible for monitoring compliance. Sometimes this may be lost in the maelstrom of regulatory changes and fall into default, involuntarily because of misinformation. Being prepared for these changes can generate a low compliance rate, impacting them in their results. It is better to invest in a position of compliance. Companies should be aware that the regulatory environment becomes more specific and strict. There will be no going back, and instead the future may be more generally regulated. The ability to adapt depends largely on the person familiar with the information to implement the compliance program. Being constantly informed of regulatory changes also involves a team of people, which necessarily generates costs. However, this cost is better than paying fines and loss of business reputation.

Moosmayer: Awareness is certainly growing due to the high degree of publicity compliance cases receive when it comes to enforcement. Many companies and managers are beginning to understand that a compliance failure in a ‘remote’ country may directly affect the headquarters of the company and can ultimately lead to significant reputational and financial losses. However, although the risks are obvious, many companies are still not willing to invest the necessary resources and budget in order to be prepared.

Heiman: The easy answer here is that it comes down to resources. Large companies have an easier time dealing with regulatory changes because they have the resources to hire accountants, lawyers and other advisers. Conversely, mid-size and smaller companies will be disadvantaged because adequate resources are not readily available to cope with all of the changes. Nevertheless, large companies have been brought low because of failures to comply with regulatory obligations. Resources are no substitute for people with integrity, and large companies do not have a monopoly on that.

Compliance risks should be an element of strategic reviews, and the board should press management on driving a culture of integrity.
— Matthew Heiman

FW: In future, how much more regulatory pressure do you expect to see placed on corporate compliance strategies and processes? How do you expect companies to respond?

Moosmayer: We have reached a decisive point in the ‘evolution’ of compliance. Ten years ago, compliance was seen as a necessary reaction if a company was hit by an enforcement action. Today, compliance should be seen as a key element of good governance and sound risk assessment of a company, preventing future compliance violations. But this will only become a reality if legislators and regulators around the world, as well as international institutions, reward and incentivise those companies who are investing in compliance and voluntarily disclosing detected misconduct. Regulatory pressure should be combined with a modern incentive system for companies that are doing the right thing.

Heiman: I think that will vary from country to country, and it may largely depend on economic cycles. The last 10 to 15 years have seen increasingly expensive regulatory regimes placed on companies. We may go through a cycle where the level of regulation recedes or at least stabilises. While regulations can be well-intentioned, they are almost never without cost. As costs go up, some companies will exit the marketplace, and those that remain spend less on new projects, R&D and other activities that increase opportunities. This will likely slow growth. That’s a trade that policy makers should carefully consider when contemplating further regulations.

Eastwood: The trend for greater and more intrusive regulation shows little sign of waning. Regulatory pressure and tactics from the US, for example, are likely to influence activity in the UK, Europe and beyond. Companies will be under increased pressure from regulators in developed and emerging markets, and will continue to be challenged as regulators shift expectations in response to political, public and media pressure. Peer-to-peer pressure is also an important part of the regulatory picture, and it will continue to be so as businesses look to achieve compliance by imposing anti-corruption requirements on their counterparties, business venture partners and throughout their supply chains. In the UK, the availability of Deferred Prosecution Agreements as an alternative to full prosecution will rest heavily on conditions including the imposition of a compliance monitor and agreement as to remediation steps.

Altman: Regulatory pressure is a growth area. We are seeing expansion from a geographic perspective, but we are also seeing growth in the number of substantive areas that companies need to focus on. Cyber security, for example, was not on anyone’s radar from a compliance perspective five years ago. Today it may be the number one concern for many companies. In the financial community, the events of the past decade have tightened the regulatory regime as well. I think most companies have an ability to meet these challenges. Most of what needs to be done can be accomplished with a bit of effort and there are plenty of outside advisers who are experts at adopting state of the art methods to the particular needs of an organisation.

Lucy: Regulatory pressure is increasing, which in turn impacts the person responsible for compliance. Companies must respond proactively, not reactively. They should allocate both human and material resources to deploy adequate compliance programs. If preventive measures are not taken, the regulatory impact and compliance requirements can put a company at a distinct disadvantage. Conversely, if the company takes steps to keep its employees in an environment conducive to fulfilment, by reporting to the person responsible, the policies that are developed along with consistent information and preventive actions could result in a formula that minimises the possibility of failure. Businesses should be aware of the importance of having a compliance team under the leadership of a leader who loves their job and works harder to provide excellent results.

Gallinger: In the US, it seems a certainty that the regulatory environment will change along with the presidential administration. In addition, history has shown that crises having far-reaching effects such as the mortgage crisis and recession of the late 2000s precipitate more stringent regulations. Globalisation has sparked the replication of like-minded regulations from country to country to address far-reaching issues such as bribery and corruption. Companies should definitely anticipate more compliance pressure as regulators seek to address growing risks such as terrorism, cyber security and environmental issues. It is the responsibility of boards and senior management to understand their businesses and the risks inherent in the environment in which they operate. By understanding the risks inherent in the business, keeping abreast of emerging risks, and making sure these risks are being addressed by a strong system of internal controls, companies will be better able to anticipate and adapt to changes in the regulatory environment.

Matthew Heiman joined Tyco in 2007 and is the firm’s vice president and chief compliance & audit officer. Previously, Mr Heiman was Tyco’s lead counsel for its continental Europe fire & security business. Before Tyco, Mr Heiman was a lawyer with the national security division at the US Department of Justice. He was a legal adviser to the coalition provisional authority in Baghdad, Iraq and practiced as a trial lawyer with the McGuireWoods law firm. He can be contacted on +1 (609) 806 2233 or by email:

Dr Klaus Moosmayer is the chief compliance officer of Siemens AG and leads the global Siemens compliance organisation. Prior to this role, he served since 2007 as Siemens’ compliance operating officer and had a leading role in developing the current compliance program. Before entering the Siemens legal department he was in private practice as a lawyer. At the end of 2013 he was appointed as Chair of the Anti-Corruption Taskforce of the Business and Industry Advisory Committee to the OECD (BIAC). He can be contacted on +49 91 31 742 162 or by email:

Sam Eastwood is a partner at Norton Rose Fulbright LLP. He specialises in dispute resolution and business ethics. In 2008, Mr Eastwood established the dedicated business ethics and anti-corruption practice, which he continues to head. He advises major corporations on anti-corruption issues in connection with internal compliance policies and procedures, international business transactions and internal corporate investigations. He is consistently recognised in both the Legal 500, and Chambers and Partners directories. He can be contacted on +44 (0)20 7444 2694 or by email:

Stuart Altman’s practice includes white-collar criminal investigations and defence, including the representation of clients before various courts and regulatory agencies, conducting internal investigations, compliance and corporate governance matters, and complex civil litigation. He regularly counsels companies on the adoption and operation of their compliance programs. His practice focuses on matters related to bribery and corruption, cyber security, financial fraud, and government procurement matters. He can be contacted on +1 (202) 637 3617 or by email:

George Gallinger is a principal with CohnReznick Advisory Group and serves as national director of its Governance, Risk and Compliance practice. With more than 25 years of experience, he creates, evaluates, and helps to improve internal audit and risk management functions within organisations. He has a strong background in internal audit, fraud prevention and detection, regulatory compliance, and overall risk management. He can be contacted on +1 (973) 871 4060 or by email:

Luz María Pineda Lucy has been the Compliance and Risk Director of Corporación Mexicana de Inversiones de Capital, S.A. de C.V., Fondo de Fondos since 2009. She has been in charge of overseeing and managing legal and compliance issues, regulatory requirements, policies and procedures, code of ethics and conduct, risk management, corporate governance, and coordinating internal committees. Ms Lucy has pioneered the development of a compliance officer’s activities in this industry in Mexico. She can be contacted on +52 55 4433 4500 or by email:

© Financier Worldwide
Panellists: Matthew Heiman; Dr Klaus Moosmayer, Siemens AG; Sam Eastwood, Norton Rose Fulbright LLP; Stuart Altman, Hogan Lovells; George Gallinger, CohnReznick LLP; Luz María Pineda Lucy, Fondo de Fondos.