Compliance & Risk Assessment
Part One: The Role of Compliance in Due Diligence Investigations
For company executives and risk managers, the opening decade of the 21st century may well be defined by the emphasis given to corporate governance and, more specifically, to the issue of compliance. So much so, in fact, that murmurs of 'over-regulation' seem to be an increasing part of boardroom chatter, as executives labour to ensure compliance with rapidly expanding rules, regulations, charters and reporting and monitoring requirements. In Part One of this feature, we briefly consider the significance of a culture of compliance when it comes to assessing risks in due diligence investigations.
As the CEO of Pasco Risk Management, George Nicholls is only too aware that compliance management has effectively become a full-time job. With Pasco operating in multiple jurisdictions across four continents, one of the key demands for Nicholls is to navigate the company through complex and, at times, ambiguous or even contradictory compliance requirements. He is also quick to acknowledge that while these requirements can be burdensome in terms of time commitments, they are an essential component to ensuring ethical business practices. “It should not be forgotten” Nicholls comments, “that one of the key reasons why we are faced with such intensive compliance requirements in today's business environments is to protect the interests of shareholders and other stakeholders in corporate enterprises”. Indeed, compliance is today a watchword of contemporary business processes largely because of a string of high-profile corporate failures in the late 1990s and early 2000s which shattered the confidence of investors and promoted a cynical image of big business around the globe. Nicholls considers the collapse of Enron in 2001 to be a watershed moment in the evolution of corporate culture. “Enron was more than simply another case of corporate fraud”, he emphasises. “It was a story of a corporate culture that had become defined by greed, a culture that permeated from the top down”.
Dr Mark Welman, Pasco's Managing Director for Africa and a behavioural scientist who has specialised in compliance strategies, supports this view by adding that “Enron was unique in corporate history in that never before had there been such an intensive autopsy conducted on a failed organization. At the end of that process there was initially a stunned silence, so to speak, that was quickly replaced by a crescendo of demands for better governance, better controls, and better management in large enterprises”. While there can be little doubt that today's companies are more accountable than was the case with Enron, Welman does not believe that we have seen the last of corporate scandals. “Compliance is something that can always be requested, can sometimes be demanded, but almost never can be forced”, Welman states. In fact, attempting to force compliance can be counter-productive. “People who are forced to do things end up being obedient, rather than compliant. Obedience means that I will do what I am told to do, but with little enthusiasm or commitment for the task at hand. Compliance, on the other hand, means that I will commit to a set of requirements out of principle and because I do so willingly, I will be far more likely to do it consistently and efficiently”.
Considered from a risk management perspective, compliance therefore has two dimensions. The first, which is effectively an outward-looking one, involves ensuring that the relationships between an enterprise and external partners and stakeholders are consistent with a given set of requirements and rules, some imposed by external authorities and some that are set by the organisation itself. This is typically what is meant by the term 'regulatory environment'. The second dimension of compliance is far more inward-looking, and refers to the attitudes, sentiment and actual behaviour within an organisation. Loosely, this relates to the 'corporate culture' that defines an enterprise and its values and ideals.
In the next Part of this feature, we will consider some of the most important indicators of a culture of compliance, and how their assessment can form part of due diligence investigations.

For Welman, it is essential for risk managers and governance officers to consider the possible discrepancies or tensions between these two dimensions of compliance. “Even subtle disjunctions between the two can be a red flag when it comes to assessing the future behaviour and prospects of an organisation” he states, arguing that this has fundamental implications when it comes to evaluating risks in respect of possible long-term transactions with an enterprise. “A glaring limitation to standard due diligence assessments is that they tend to be driven by a very technical approach to assessing compliance in target entities”, Welman argues. Drawing on his own experience in managing these types of assignments in Africa and other jurisdictions, Welman comments that “a typical due diligence tends to be based on a checklist-type model that is aimed at confirming that an enterprise complies with the regulatory environment, but there is very seldom an appetite to explore – either overtly or more discreetly – the corporate culture of a prospective partner in a transaction”. This omission can, potentially, have far-reaching consequences. “If we analyse the commonly quoted statistic that one third of business partnerships fail and another third are rated as less rewarding than originally hoped for, we find that in many of these cases there is a clash of corporate cultures or standards that could have been identified as a risk factor had a proper assessment been done”, he argues. The benefits of a more thorough approach focusing on the extent to which a culture of compliance exists within an organisation are evident from one case highlighted by Welman: “Some years ago we were asked to assess a financial institution in a due diligence assignment”, he recalls.
“In that case one of the key risks that we identified was that the corporate culture appeared to be dominated by superficial obedience on the part of employees and management, without any genuine commitment to the principles of compliance. On this basis, our client walked away from a potentially lucrative deal, but this decision was more than vindicated when a few months later the institution that we had assessed was rocked by a fraud scandal in excess of US$ 80 million. In the subsequent investigation, it emerged that a number of employees within the institution had suspected that the perpetrator, who was a senior manager, was engaged in irregular activities – but their excuse for failing to report their suspicions was that they reported to the perpetrator and were simply doing as instructed. This is a classic case of compliance being sacrificed for obedience”.