Mitigating Risks Through Compliance
Dauro Löhnhoff Dórea

Compliance procedures have become mandatory for all companies that not only want to comply with legislation, regardless of the jurisdiction in which they operate, but also wish to considerably decrease the risks associated with their activities. As global regulations proliferate and stakeholder expectations increase, organizations are exposed to a greater degree of compliance risk than ever before.

Compliance is a very broad term that applies to virtually every step, process, or department in a company. This chapter therefore takes a generic approach to the concept of compliance.

Concept

Compliance is a set of practices that aim to provide security and mitigate the exposures and risks of entities of any nature, ensuring adherence to the acts, regulations, rules, and laws established internally and externally. In other words, it describes the conduct of a company and its adherence to the norms of regulatory bodies.

Basically, compliance programs create mechanisms to avoid fines and the escalation of several kinds of risk, ranging from financial issues to substantial impacts on the brand and on the performance of shares listed on stock exchanges.

Finally, compliance has the function of enforcing the rules so as to avoid all risk situations on the regulatory side.

The chart below shows the compliance cycle:

[Figure: the compliance cycle]

Risk Exposure

To understand risk exposure, entities or companies will need to improve their risk assessment processes to fully incorporate compliance risk exposure.

Due to the complexity of business today, compliance risk assessments can be made according to each operation and the regulatory framework that applies to it.

A robust compliance system must be dynamic, auditable, culturally implemented, and must also be deeply rooted in the guidelines established by the governments of the various countries, as is the case in the United States through the United States Sentencing Commission.

Having an effective compliance program in place that follows the standards and guidelines set by governments can reduce fines and penalties if an entity is found guilty of a compliance failure.

Both organizations and individuals can be found guilty of criminal conduct, and while companies cannot be arrested, they are subject to paying heavy fines, restitution, publicizing in the mass media the conviction they have received, and even asset forfeiture.

According to Paula Desio, deputy general counsel for the U.S. Sentencing Commission, in 2020 the most common offenses detected are (i) fraud, (ii) environmental waste disposal, (iii) tax violations, (iv) antitrust violations, and (v) food and drug violations, in that order.

The design and structure of a compliance program should parallel the organization's business and operating model so that it supports the company's strategy while meeting compliance needs. When developing business processes, practitioners should consider the compliance-related activities that are critical to achieving business objectives and minimizing potential regulatory, legal, and geographic challenges.

Generally, compliance-related education tends to be static, one-off training sessions focusing on independence, conflict of interest, and legal issues. However, leading practices suggest that compliance training should be part of continuing education requirements and emphasize the link between compliance and the business. Many employees do not know what their priorities should be or how their performance will be measured, which means it can be difficult to get front-line employees to understand and care about compliance risks. Hence the need for constant training and creation of the corporate culture of integrity.

The corporate culture of integrity should be required at every level, starting with the shareholders and the top levels of the organization and reaching all the way down.

Effective Compliance Programs

Criminal liability can attach to an organization whenever an employee of the organization commits an act within the apparent scope of his or her employment, even if the employee acted contrary to company policy and instructions. An entire organization, despite its best efforts to prevent wrongdoing, can still be held criminally liable for any of the illegal actions of its employees, executives, consultants, partners, or members.

The existence of codes of ethics and conduct that are merely declaratory, i.e., with no practical reality, may aggravate the penalties imposed by the authorities.

Therefore, inspired by the North American system, the main criteria for establishing an effective compliance program are set out below:

1. Creating compliance standards and procedures reasonably capable of reducing the prospect of criminal activity;

2. Due care in the delegation of substantial discretionary authority;

3. Effective communication to all levels of employees, partners, and contractors;

4. Reasonable steps to achieve compliance, which include independent (without danger of reprisal) systems for monitoring, auditing, and reporting suspected wrongdoing;

5. Consistent enforcement of compliance and creation of a culture of corporate integrity, with standard-setting, including disciplinary mechanisms; and

6. Reasonable steps to respond to a violation and prevent further similar offenses after it is detected.

Notwithstanding the above guidelines, which describe basic precepts of a responsible organization, compliance programs should be tailored to each entity, as they must be real and address all aspects of a company's operation.

The approach of basic principles of an effective compliance program has been adopted to encourage flexibility and independence for companies in designing programs that are best suited to their particular circumstances.

The difficulties that companies face in managing their corporate compliance program become more apparent when a closer look is taken at the key issues that many organizations face.

  • Visibility and transparency: Today's regulators expect nothing less than complete transparency about how corporate activities are carried out. This expectation applies to every department of the organization and can encompass diverse information, sometimes in real time.
  • Communication and collaboration: It is imperative to ensure the constant involvement and connection of individuals throughout the organization. Previous decisions and potential changes in policies, or even in the products and services that the entity offers, can have future and sometimes hidden downstream impacts.
  • Enforcement: Governments and regulatory bodies are increasingly scrutinizing companies' adherence to compliance, which can result in expensive audits and fines. Ineffective enforcement by the company of the rules and regulations imposed by government agencies has many implications and can trigger a domino effect of undesirable consequences.

An effective compliance program must consider regulatory requirements, industry standards, entity codes, stakeholder interests, and leadership practices.


Another aspect of fundamental importance is that the compliance program to be implemented be not only dynamic and auditable but also independent. This means that any person who comes across irregular conduct, a violation of the law, or disregard for ethical standards may report it anonymously and without fear of reprisal. At the same time, the channel that receives the report must be totally independent and have the autonomy to bring it to the attention of the entity's management and shareholders. In certain cases, such as corruption in which the entity's own management and/or its partners and executives are involved, the person responsible for the compliance program (known in the market as the compliance officer) must directly inform the competent authorities of the illicit act.

Perhaps this independence is the most important requirement for mitigating risk, especially when it comes to reducing fines and softening the effects of a crisis triggered by an inspection.

Extended Enterprise Risk Management

Extended enterprise risk management is the practice of anticipating and managing exposures associated with third parties across the full range of an organization's operations, as well as optimizing the value delivered by the third-party ecosystem. A harmonized and integrated enterprise compliance program - one that includes appropriate supply chain risk management activities and controls - eliminates redundant efforts, enables execution, and facilitates adherence to compliance requirements by the business.

The intent of extended enterprise risk management ("ECM") is that the integrity of the procedures put in place is not restricted to the entity itself but carries over to everyone in the supply chain of goods and services, to prevent unethical, immoral, and often highly illegal practices.

An example of the practical use of ECM is the monitoring of a company's supply chain of goods and services to avoid the occurrence of urban slave labor, understood as forced labor or work under degrading conditions. Even though the entity that purchases the services is not directly responsible for hiring the employees who work for its suppliers - at any link of the supply chain - it bears social responsibility and a joint ethical duty.

ECM cannot be hypothetical or merely guaranteed by a contractual clause. It must be as auditable and dynamic as the entity's own compliance program. Simply drafting contracts that provide for fines or other consequences if the supplier does not comply with the established rules can be interpreted by the authorities as willful blindness.

The theory of willful blindness originated in the Supreme Court of the United States, initially to classify certain behaviors linked to money laundering. Its purpose was to criminalize the conduct of an individual who, knowing that the origin of the funds received was illicit, deliberately relied on contracts and/or intermediaries to try to shield himself from responsibility for his participation in the event.

Brazilian case law has evolved and applied this doctrine in several areas of law beyond the criminal sphere, fully reaching labor, civil, and corporate matters.

In the considered words of Jayme Barbosa Lima Neto, remaining oblivious to all the rules merely because a program and a compliance officer exist, as if blind to reality, does not exempt the agent from liability in the civil, administrative, and criminal spheres. Feigned ignorance of the facts makes the agent liable under the willful blindness theory.

Thus, it is imperative that companies not only monitor those with whom they do business but also share a culture of integrity and ethics, transforming society starting with the company itself.

Structural Elements of the Compliance Program

Some structural elements for the establishment of a Compliance Program are set forth below, based on the Deloitte methodology:

Governance and Leadership: Structures and processes through which the board of directors, executive leadership, and compliance professionals design, implement, maintain, and oversee ethics and compliance programs and foster a culture of ethics and compliance. This area also includes formal plans and career development programs that help position ethics and compliance as a key function within the organization.

Risk assessments and due diligence: processes to identify and prioritize ethics and compliance risks throughout the organization, as well as potential loopholes for fraud. These are carefully designed programs to assign responsibility for mitigating identified risks and include protocols related to screening new hires, especially employees in positions of significant authority.

Standards, policies, and procedures: a friendly, values-based code of conduct that addresses key compliance and ethical risks. These are plain language standards, policies and procedures that together create controls to address the key compliance and ethics risk areas facing the organization.

Training and communications: A risk-based compliance and ethics training strategy whose goal is to educate employees about legal and policy requirements, raise awareness, and influence attitudes and behaviors. Systematically developed compliance and ethics training and communication plans are also included, which are designed to provide individuals with skills or information related to risks likely to be encountered in the execution of their responsibilities.

Employee Reporting: "speak up" programs consisting of policies, procedures, and reporting channels for employees to ask questions and/or report potential violations or concerns without fear of retaliation. These programs are often extended to an organization's third parties or suppliers. This also includes information systems for collecting ethics and compliance-related data and metrics from across the organization.

Case management and investigations: case management systems that capture, categorize, prioritize, and assign accountability concerning ethics and compliance issues, disclosures and potential violations raised by employees. This also includes formal protocols and procedures that clarify the principles and steps to be followed regarding investigations into all categories of issues.

Testing and monitoring: testing programs within the compliance and audit functions that address the design and operational effectiveness of key ethics and compliance program elements and controls. This also includes the processes for ongoing monitoring of key compliance risks and early warnings of ethics or compliance failures. Mechanisms for leveraging the output from testing and monitoring activities for continuous improvement of the ethics and compliance programs are also present.

Continuous Improvement: Protocols and procedures to help ensure that appropriate corrective actions are taken following ethics and compliance violations or failures. This also includes periodic evaluations and assessments related to the design and effectiveness of the implementation of the organization's ethics and compliance program. Formal mechanisms to include risks associated with ethics and compliance failures in periodic risk assessments are also present.

Applied Technology Systems

It has already been said here that a compliance program cannot be just a dead compendium of ethics rules and procedures but must be something inherent to the business routine and culture.

The dynamics of the procedures must be auditable, because this is the only way to give credibility to the program in cases of fines, leniency agreements, etc.

More than anything else, technology in compliance programs allows compliance executives to integrate their concerns and priorities throughout the company. Today, several advanced, tamper-resistant and error-resistant technologies make the compliance executive's job much easier.

Whether it's whistleblower reporting systems, or due diligence procedures, or employee training, or internal controls to support policies and procedures - compliance officers can take it all to the furthest reaches of the enterprise thanks to technology.

In the past, fraud - especially fraud involving third parties - was difficult to detect because documentation was paper-based, stored in inaccessible files or warehouses. Training was done through manuals or in person, and if employees took any test at the end of the training, the test was another piece of paper that would be filed away. In other words, compliance programs existed, but they were exercises that employees did, rather than standards of behavior that could be monitored.

Technological means have increasingly brought real-time effectiveness and auditability to compliance programs. Intelligent systems have been created to make compliance objectives part of daily business processes, in which it is possible to gauge whether an organization's employees are achieving the objectives that the program imposes.

As such, technology applied to compliance has become imperative for an effective program to exist, because with it one can immediately monitor for red flags and impose corrective action before any deviation occurs. A logical effect of applying technological systems is reduced losses, increased efficiency, and greater competitiveness.

Certainly, compliance technology has left less room for the operational parts of the business to break rules and expose the entity to undesirable risks, because corporate compliance programs exist to reduce business risks and make the business more reliable and transparent. This makes the compliance program more important to the business because it helps the company to be more responsive and agile in a complex and high-risk environment.

Likewise, technology has also transformed compliance professionals because of the skills compliance professionals need to fully utilize the systems.

First and foremost, the compliance professional must be able to identify and apply technology that meets the needs of the organization in which they work.

Understanding regulatory issues is crucial. Today, however, compliance officers also need to deal with issues such as data governance, risk taxonomies, data taxonomies, access controls, and software integration projects. This is because compliance technology allows compliance programs to become more focused on information gathering and analysis, on a scale incomparably larger than could have been imagined in the past.

Compliance executives themselves do not need to be masters of data governance, internal control, risk taxonomies, and so on. They do, however, need to know where to find that expertise. Compliance technology has driven the need to build alliances and gain consensus so that sustainable, auditable business processes that pass regulatory scrutiny can be built.

Also, as technology is applied to the compliance program, those in charge need specific capabilities to put all that potential to use. For example, when new technology identifies weaknesses in the vendor integration process, the compliance officer will need to convince the operational teams to change their respective workflows, or propose the creation of a centralized purchasing function. Or, if the company is planning to enter new markets or change incentive compensation policies, the technology will provide more information to demonstrate how these decisions may affect ethics and compliance risks.

Conclusion

Risk mitigation through compliance programs is a necessity for all types of entities, no longer an option.

Society deserves and expects companies to operate ethically and decisively, permeating all levels of the collectivity with true and real principles of efficiency, transparency, probity, and honesty. Evidently, this desire of the population is not restricted to the private sector but extends mainly to public authorities and state entities. Indeed, government agencies must assess their specific problems and implement meaningful compliance programs to meet specific needs. Well-designed and effectively implemented compliance programs that consider lessons learned from the public and private sectors, along with adequate monitoring and auditing, help prevent serious compliance failures, challenges, and related consequences, even when humans prove fallible.

Certainly, diverse situations may arise that the compliance officer must address, focusing on understanding and identifying organizational blind spots, not just adapting to change. This is one area where an enterprise risk management (ERM) program and its compliance subset can work together to determine what the next big issue is and when the organization will be affected by it. ERM and compliance efforts should align, rather than overlap, so that each program works on separate missions to identify emerging issues.

In short, creating and implementing a compliance system that is effective, real, auditable, dynamic, and present at all levels of an organization will substantially reduce risk and the deleterious impacts of claims, damages, breaches, and more.
