Convergence of Anti-corruption Compliance Rules Presents Risks and Opportunities
The convergence of various initiatives aimed at fighting fraud, corruption, and
other regulatory risks is spurring many companies to review their fraud and
corruption risk programs. While complex to navigate, this convergence offers
organizations an opportunity to bridge siloed gaps in critical information,
streamline fraud and corruption risk management, and develop an enterprise-wide
view of compliance.
“The confluence of these global initiatives — with both overlapping and discrete
requirements — presents companies with the challenge and opportunity for
organizational moves that can strengthen risk management, while considering the
broader enterprise compliance program and initiatives they may have in place,”
says Rob Biskup, a Deloitte Risk and Financial Advisory managing director in the
Forensic practice of Deloitte Financial Advisory Services LLP.
Given these initiatives, new and existing standards and guidelines, updates, and
increasingly detailed guidance, organizations might want to consider analyzing
the various requirements and reassessing what may be necessary to be compliant
while keeping the business safe and managing related costs.
“Not surprisingly, many stakeholders might struggle to understand which
requirements are similar, which are different, and where they overlap,” says
Bill Pollard, Deloitte Risk and Financial Advisory partner with Deloitte
Financial Advisory Services LLP. “For example, the new ISO standard attempts to
cover global expectations for anti-corruption programs, including those
recommended by the DOJ and SEC, as well as guidance under the U.K. Bribery Act,”
he adds.
It’s important for organizations to understand how the many requirements map to
their existing anti-fraud and anti-corruption compliance programs — as well as
to their enterprise compliance program — so that they meet regulatory
requirements while aligning with their risk profile and operating structure.
Furthermore, each of the various standards and guidelines related to fraud and
corruption — as well as the U.S. Sentencing Guidelines — requires consideration
of basically the same elements.
Siloed Efforts, Redundancies and Missed Opportunities
The responsibility for compliance with various standards pertaining to fraud and
corruption often resides in different corporate functions, such as internal
audit, compliance, legal, HR, IT and operations. “These silos are often
necessary, but can create their own set of issues,” says Holly Tucker, a
Deloitte Risk and Financial Advisory partner with Deloitte Financial Advisory
Services LLP. “Keeping certain types of activities cordoned off can also help
protect sensitive employee information, maintain data security, and avoid
internal conflict in the event of an investigation,” she notes.
However, a siloed approach can create gaps in critical information,
communication and efficient coordination among the various responsible parties.
It is important to recognize and bridge these gaps so those parties can
communicate clearly, share relevant information and effective compliance
practices, and identify issues in the compliance program, with the goal of
driving greater efficiency and value. When relevant information contained in
various silos is not shared, critical risks often pass unidentified.
A siloed approach can also create policy, procedural, process and even personnel
overlaps that, at best, result in inefficiency, duplicative efforts and waste in
the form of extra costs. At worst, it can give rise to contradictions and
conflicts between compliance teams and confusion among other employees, third
parties, and authorities. An enterprise-wide view, with strong coordination, can
help.
Coordination among the various capabilities within an organization related to
fraud, corruption and other compliance risk areas can help bring the appropriate
resources to a particular situation while avoiding unnecessary gaps. The intent
is not necessarily to centralize all compliance and risk management functions.
Rather, the goal is to create an enterprise-level point of contact, which
increasingly is a designated Chief Compliance Officer who oversees and
coordinates compliance activities related to fraud, corruption and regulatory
risk.
Various fraud and corruption activities may be siloed to protect employee
information, trade secrets, competitive data and other assets. But resources can
be shared across different compliance domains while protecting confidentiality.
For example, attorney-client privilege can be maintained in an internal
investigation, while the facts related to control issues can be shared in order
to address deficiencies. “Technology and training can play important roles in
effectively sharing relevant information, and there are programs and tools to
capture data across silos so it can be shared within,” says Matt Queler,
Deloitte Risk and Financial Advisory principal with Deloitte Financial Advisory
Services LLP.
Three Ways to Unlock Enterprise Potential
By taking the steps below, organizations can help tap the potential of various
stakeholders operating under the enterprise umbrella:
— Share information. Information is power, and the more people throughout
the organization who share the risks related to fraud and corruption, the better
equipped they can be to help respond.
— Understand what regulators want. Regulatory authorities are not solely
focused on how fraud and corruption compliance programs are structured. They
want to know that these programs are addressing the organization’s specific
risks effectively. Whether functions are distributed or consolidated, the
ultimate measure is how well they identify and respond to risks.
— Maximize assets. There is substantial, diverse talent and capabilities
in the various groups involved in anti-fraud and corruption efforts. Leveraging
the strengths of these different resources can help in establishing and
maintaining broad-based, effective risk management.
Standards and guidance will continue to converge on organizations as they work
to address fraud, corruption and regulatory compliance risks. As a result,
demands on compliance, legal, operations, finance, internal audit and other
functions will likely continue to increase, along with the pressure to respond.
Compliance activities should not be considered in isolation by any one group;
rather, they should be examined together by all respective functions in terms of
how they can be most appropriately addressed.
“Achieving an effective compliance program depends on communication and
cooperation among various groups and activities with a single point of contact
at a high level providing leadership. Technology and employee training can
reinforce the efforts of the various stakeholders, leading to improvements in
program efficiency, transparency and effectiveness,” notes Biskup.
This article was originally published on wsj.com.