In some parts of the world, bribing government officials is still considered a normal cost of doing business. Elsewhere there has been a growing trend over the past 40 years to make it illegal for a corporation to pay bribes. In the United States, Congress passed the Foreign Corrupt Practices Act (FCPA) in 1977 in the wake of a succession of revelations of companies paying off government officials to secure arms deals or favorable tax treatment. More recently other governments have implemented anticorruption statutes. The U.K., for instance, enacted the strict Bribery Act in 2010 to replace increasingly ineffective statutes dating back to 1879. The purpose of these actions is to enable ethical and law-abiding companies to compete on a level playing field with those that are neither. A cynic might wonder about the real, functional difference between, say, Wal-Mart’s recent payments to officials in Mexico to accelerate approval of building permits and the practice in New York City of having to engage expediters to ensure timely sign-offs on construction approval documents. No matter – the latter is legal (it’s a domestic issue, after all) while the former is not.
Moreover, the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) have increased their oversight of bribery. At the beginning of 2013 they jointly issued the Resource Guide to the U.S. Foreign Corrupt Practices Act. For its part, the SEC has stepped up enforcement using its own resources. Recently, it charged a group of bond traders with enabling a Venezuelan finance official to embezzle millions of dollars by disguising the money as fees paid to the broker/dealer to handle apparently legitimate transactions. Tellingly, though, there was another relatively recent bribery issue that involved Morgan Stanley where the SEC declined to include that company in an enforcement action because it had demonstrated diligence to prevent it.
Before anticorruption laws, it was expedient for corporations to pay government officials to close business, get preferred status or prevent punishment. Once the laws were established, that stopped being the case. However, from a management standpoint, compliance with the law became complicated because of the dual nature of the corporation, which is both an entity and a group of individuals. In the case of the latter, when an individual breaks the law, is that person at fault, is the corporation or are both? Regardless of how a case is decided, there can be severe reputational damage to a company found violating the law, and that will have repercussions for corporate boards and executives.
This question leads to the agency dilemma, an important consideration in enterprise risk management. Economists long ago recognized the agency dilemma when the modern corporation separated the roles of its principals (that is, the shareholders) from its management. The agency issue exists where the best interests of the principals are either not aligned or in conflict with the interests of the agents (the professional managers running the corporation). But agency issues also extend to the company’s executives and may be rife in any large-scale business. Within the management group, authority to act independently is delegated down through the hierarchy, and the interests of the lower-level managers may be in conflict with those of senior executives, the board of directors and shareholders. For example, suppose that a local manager believes his performance evaluation, compensation and prospects for promotion hinge on the timely opening of a new facility. Confronted with a culture of payoffs for permits, that manager may try to find a way to pay officials for expedited consideration, especially if he is local to the area. From that individual’s perspective, corrupt activity may be the norm, and he may believe himself to be clever enough to violate company policy without detection.
It was once acceptable for a company to claim that it had a stated policy prohibiting bribery and that executives were ignorant of an employee’s actions. Absent proof to the contrary, that often was enough. However, the FCPA changed this norm, imposing the need for diligence and affirmative actions on the part of companies to prevent employees from breaking the law as well as to detect and report any such violations that do occur (which is how the Wal-Mart situation came to light). Public standards, too, have changed since the 1970s. Despite its self-disclosure after the fact and the steps it took to address the corrupt behavior, Wal-Mart suffered severe reputational damage. Yet even with the likelihood of potential consequences, our benchmark research reveals that just 6 percent of companies have effective controls for managing reputational risk.
We assert that the most effective control is to prevent illegal activity from taking place at all. Short of that, companies that can demonstrate that they have taken all reasonable steps to prevent a violation of the law are in a better position to claim that the individual, not the company, is at fault.
An organization should have clearly articulated and documented antibribery and corruption policies and procedures, institute mandatory training for executives and managers with signed acknowledgements that they have taken it, and put in place incentives and disciplinary measures. However, these required measures are increasingly insufficient to demonstrate diligence in preventing corrupt activities. Companies also must have a software-supported internal control system that flags suspicious activity immediately and triggers a rigorous remediation process that analyzes, investigates and documents the disposition of each incident. Incidents that are detected long after their commission are more difficult to cope with and pose much higher legal, financial and reputational risk.
Software is available that helps detect activities that violate anticorruption laws and regulations as they occur or shortly thereafter; this is far more effective than waiting for internal audits or (worse still) whistleblowers to uncover malfeasance. To prevent violations of the FCPA and other antibribery statutes, corporations must be able to monitor their financial and other systems for warning signs. These applications take advantage of operational intelligence, a class of analytical capabilities built on event-focused information-gathering that can uncover suspicious actions as they occur. Our research on innovating with operational intelligence shows that companies use an array of systems (led by IT systems management and major enterprise applications such as ERP and CRM) to track events, analyze them, report results and create alerts when conditions warrant them, as detailed in the related chart. The research also shows that about half (53%) use 11 or more information sources in implementing their operational intelligence efforts. In the future, effective FCPA software increasingly will need to look at a wider range of internal data as well as information from external sources and social media to determine, for example, whether a consulting company that just received a finder’s fee is run by or employs a relative of a government official. Today, companies can utilize software from large vendors such as IBM, Oracle and SAP, as well as vendors with FCPA-specific software such as Compliancy and Oversight Systems.
Bribery and corruption are unlikely to disappear entirely. Regardless of anyone’s best intentions, corporate boards and executives can find themselves enmeshed in a scandal not of their own devising. The best defense in such cases is plain evidence that the organization has done everything reasonable to prevent its occurrence and has discovered and dealt with it promptly if it does. Policies and training are vital components, but software can be the extra component necessary to improve the effectiveness of monitoring and auditing to support anticorruption efforts.
Robert Kugel – SVP Research
To comply with the Patient Protection and Affordable Care Act (PPACA or Affordable Care Act), which survived a Supreme Court test and a presidential election, all employers with more than 50 full-time employees must be ready by January 2014 to deal with the lion’s share of the law’s employer mandate requirements. Our recent benchmark research on governance, risk and compliance indicates that many of those employers have significant concerns about compliance issues: 53 percent of participants said they are concerned about them, and 42 percent said they are very concerned. Indeed, the Affordable Care Act is today the most pressing governance and compliance issue for most businesses.
Looking at your organization in terms of its people, processes, information and technology, you can develop a basic framework to assess how well prepared you are to handle its various requirements.
First consider the people aspect: Does your staff have the expertise to understand and track the different parts of the new law? Can you train your staff on what they will need to know about the employer mandate? With only about eight months until the mandate goes into effect, assessing, training and acquiring the talent to execute these functions must be an organizational imperative.
Evaluating the effectiveness of your existing HR and compliance processes is another necessity. Some, potentially including benefits enrollment, onboarding and compensation management, will need to be modified for the new conditions. Re-engineer processes to ensure that you track the right information to both demonstrate compliance with the Affordable Care Act and enable the business to make intelligent, cost-effective decisions in managing its healthcare expenditures.
The Affordable Care Act is based on information. It requires employers to track a number of categories of information, and employers will want to track other kinds also to ensure they are making the right decisions for their businesses. For example, the organization must know how many full-time and part-time employees it has, how many are offered a qualified health plan under the law, and whether that number meets the 95 percent requirement of the law. Tracking this information, as well as the potential costs of healthcare plans for employees and the potential liability for fines if the organization does not sponsor a plan, will require time and likely modification to current HR systems as well.
To pull the information and the processes together, organizations need effective technology. Those that do not have strong systems risk relying on existing systems that will prove inadequate to the task of tracking critical compliance information; spreadsheets will be especially inadequate, we believe. As my colleague Robert Kugel recently wrote, spreadsheets are good tools for personal productivity but not for collaborative enterprise-wide tasks, and modeling and tracking compliance with the Affordable Care Act is definitely that. Our most recent benchmark research on spreadsheets shows that spreadsheet maintenance is a burden that requires even casual users to spend more than one full day per month on it, and power users to spend 18 hours a month on maintenance. Using spreadsheets for complex reporting, modeling or enterprise-wide compliance with the Affordable Care Act will be a bad choice. Organizations also should evaluate core HR management and benefits systems to ensure that they have the correct fields and business logic built into them, as well as reports to both collect information required to show compliance and to help the business understand the effectiveness of the decisions it makes.
At this point I will make three recommendations. First, after evaluating the business from the people, process, information and technology dimensions and coming up with a list of what you need to do, act on it soon; don’t wait. With the clock ticking, you have little time to gain the expertise required, re-engineer required processes, look at information management and upgrade your technology. Second, do the work to understand and model the costs of the choices you will make under this law. Since employers can choose to play or pay, so to speak, they must understand the complete cost implications of both of these options. Finally, don’t be afraid to look at new software vendors if you find you have functional gaps. Specifically, if you have serious gaps in your ability to gather and track the information required in your HR systems, several vendors have developed products and services to help you address the requirements of this new law. Among them is Equifax Workforce Solutions, which I will be writing about soon; its product is crafted to help businesses model and track all the costs of compliance with the law. Another is Ceridian, whose new HR management and payroll systems are designed to help businesses track all the employee-level data needed to comply with the law. There are other vendors as well; it will be worth your while to investigate the market and determine which may suit your particular needs. And keep in touch with Ventana Research as we continue to track the options for managing the Affordable Care Act and locating technology to make it easier and more certain to be in compliance.
VP & Research Director