If you think compliance is expensive, try non-compliance.
– Paul McNulty, former US deputy attorney general
The 21st century compliance universe is becoming ever more complex – “growing both in breadth and depth. The new normal is characterized by uncertainty, volatility, and a regulatory system that is trying hard to rein in the situation.” (Ramakrishna, 2015, p. 41). This reality challenges businesses of all sizes to be increasingly agile to enable them to adopt to rapidly changing regulatory environment and market conditions (Weigand, van den Heuvel, & Hiel, 2011). The implications from a company’s excessive exposure to the risk category of business risk alone can lead to a range of negative consequences like damaged organisational business model, loss of business opportunities and, in the worst case, the loss of authorisation to continue to operate (Ramakrishna, 2015). Other categories of risk include financial, regulatory and reputational – all of these with their own set of respective consequences on non-compliance and underestimation (Ramakrishna, 2015). This article seeks to give an introductory insight into global compliance management as a business imperative for companies of all sizes and maturity levels. Two examples of international and regional regulations will be briefly discussed as illustrations of an expanding and increasingly complex global compliance landscape.
Real Compliance Management is a Business Imperative
A solid, well-run compliance function has many benefits for companies – financial benefits (mainly from saving on the potentially colossal costs of non-compliance and litigation), increased trust from clients and improved corporate governance benefits (Mills & Haines, 2015). Transparency is an essential part of compliance, as it increases both its effectiveness and long-term benefit – the latter, as stakeholders may reward compliant companies (Robertson, 2020). Interventions like formal, medium- to long-term compliance programs not only serve to deter misconduct, but also play an increasingly important role in managing a company’s legitimacy, thus signaling “alignment with the normative expectations of external audiences” (MacLean & Behnam, 2010, p. 1500). Systematising compliance management requires an efficient and effective interweaving of documents, functions, processes and controls (Patra, Rahaman, & Vanitha, 2020).
Business process compliance is a sub-set of compliance, focused on the compliance of business processes, in line with the relevant legal prescripts and internal, organisational guidelines (Becker & Buchkremer, 2019). The company strategy developed, in this instance, requires the consideration of mainly two perspectives; (1) the existing documents in place laying out individual processes and how these are to be implemented, and (2) the actual (practical) execution of the business processes. Both must occur in a compliant manner, also ensuring that continuous execution and regular evaluations occur (Becker & Buchkremer, 2019).
The Organisation of a Compliance Function
What the organisation of a compliance function within a company is concerned, the recommendations by the Basel Committee on Banking Supervision (which focuses specifically on the compliance of banks) constitute a good standard to be upheld also by companies trading in other sectors: an independent compliance function is aimed to exist separately from other risk management functions (for example, risk controlling) and from operative functions (Meissner, 2018). Also, its responsibility focus will be on managing and maintaining compliance with external and internal laws, regulations and policies – ideally while maintaining independence with direct reporting to senior corporate decision-makers (Meissner, 2018).
The ISO 37301:2021, designed and published by the International Organization for Standardization (ISO) on 13 April 2021, cancels and replaces the existing ISO 19600:2014 compliance management system standard. In a nutshell, this new standard sets out the requirements for a functioning compliance management system. The principles underlying a compliance management system, according to ISO 37301:2021, should comprise the following foundational blocks:
- Good governance
This new standard, once implemented, is aimed to benefit companies by, for example, improving business opportunities, externally demonstrating a commitment towards the effective and efficient management of compliance risks and thereby also effectively reducing the risk of non-compliance (including penalties and reputational damages). Furthermore, this new standard is a so-called Type A standard, making it certifiable, which, in turn, has the added benefit of serving as a significant mitigating factor when a company faces corruption-related legal processes. The ISO has ca. 165 national standards bodies as members and represents 164 countries world-wide. So, while adoption of the ISO standards is voluntary, many national standards bodies are bound to make these compulsory for companies, thus adding to the compliance responsibilities.
Whistleblowing Systems are a Compliance Matter
The effective and institutional protection of whistleblowers is paramount in the fight against corruption. The United States of America is among the first countries in the world to introduce legislation to protect whistleblowers with its Whistleblower Protection Act of 1989 (Kosytsia, Kolesnikova, Kadala, & Baranova, 2019). The European Commission, in 2019, defined whistleblowers as persons “who report (within the organisation concerned or to an outside authority) or disclose (to the public) information on a wrongdoing obtained in a work-related context, help preventing damage and detecting threat or harm to the public interest that may otherwise remain hidden.”. This definition confirms the importance of company insider information to combat corruption, corporate/organisational wrongdoing and malpractice as well as the need to protect whistleblowers (Scherbarth & Behringer, 2021).
EU Whistleblowing Directive
On 23 October 2019, the European Parliament passed EU Directive 2019/1937 on the protection of persons who report breaches of Union law (hereinafter, the EU Whistleblowing Directive). Paragraph 1 of the preamble describes the importance of protecting whistleblowers:
Persons who work for a public or private organisation or are in contact with such an organisation in the context of their work-related activities are often the first to know about threats or harm to the public interest which arise in that context. By reporting breaches of Union law that are harmful to the public interest, such persons act as ‘whistleblowers’ and thereby play a key role in exposing and preventing such breaches and in safeguarding the welfare of society. However, potential whistleblowers are often discouraged from reporting their concerns or suspicions for fear of retaliation. In this context, the importance of providing balanced and effective whistleblower protection is increasingly acknowledged at both Union and international level.
The broad definition of work in the above quote (as ‘work-related activities’) is an indicator that the aim is to grant protection to the widest possible categories of persons, who have access to information, which would be in the public interest to report (Hobby, 2020). Companies with more than 50 workers must establish whistleblowing reporting systems while smaller companies are encouraged from adopting the same (De Zwart, 2020). The EU member states are given until 17 December 2021 to transpose the EU Whistleblower Directive into national law. For companies, whistleblowing (along with its systems and processes) should form an integral part of their internal compliance management, meaning that top-down encouragement, varying incentives and effective communication, in this regard, remain paramount (Teichmann & Falker, 2021).
Prompted by the increased news reports on public disclosures and the extensive financial implications suffered by exposed companies, a growing number of countries and regions world-wide have started to introduce binding legislation, this expanding and deepening the compliance universe.
This contribution sought to give a brief insight into global compliance management. An attempt was made to illustrate that compliance management is a business imperative that can save a company from paralysing fines and crippling reputational damage. An introduction to the ISO 37301:21 standard (in the context of compliance management systems) as well as the EU Whistleblowing Directive (in the context of whistleblowing as a compliance matter) served to illustrate current examples of the expanding compliance universe. Companies of all sizes and maturity levels require to take heed and place compliance management high on the corporate agenda.
Becker, M., & Buchkremer, R. (2019). A practical process mining approach for compliance management. Journal of financial regulation and compliance, 27(4), pp. 464-478.
De Zwart, A. P. (2020). EU whistleblowing rules to change in favor of whistleblowers. Journal of Investment Compliance, 21(1), pp. 55-61.
Hobby, C. (2020). Worker and Organisational Protection_ The Future of Whistleblowing in the Gig Economy. Emerald Publishing Limited.
Kosytsia, O., Kolesnikova, M., Kadala, V., & Baranova, V. (2019). Institution of Whistleblowers: Characteristic Features and Guarantees of Protection. Journal of Legal, Ethical and Regulatory Issues, 22(2S), pp. 1-6.
MacLean, T. L., & Behnam, M. (2010). The Dangers of Decoupling: the Relationship between Compliance Programs, Legitimacy Perceptions, and Institutionalized Misconduct. The Academy of Management Journal, 53(6), pp. 1499-1520.
Meissner, M. H. (2018). Accountability of senior compliance management for compliance failures in a credit institution. Journal of Financial Crime, 25(1), pp. 131-139.
Mills, A., & Haines, P. (2015). Essential Strategies for Financial Services Compliance (2nd ed.). Great Britain: John Wiley & Sons, Incorporated.
Patra, S. S., Rahaman, A. S., & Vanitha, K. (2020). Compliance Management System – Legal Management using SAP. International Journal of Innovative Technology and Exploring Engineering, 9(7), pp. 252-254.
Ramakrishna, S. (2015). Enterprise Compliance Risk Management: An Essential Toolkit for Banks and Financial Services. Great Britain: John Wiley & Sons, Incorporated.
Robertson, R. (2020). Lights On: How Transparency Increases Compliance in Cambodin Global Value Chains. ILR Review, 73(4), pp. 939-968.
Scherbarth, S., & Behringer, S. (2021). Whistleblowing systems: A systematic literature review on the design specifications and the consideration of the risk for organizational insiders to blow the whistle. Corporate Ownership and Control, 18(2), pp. 60-73.
Scherbarth, S., & Behringer, S. (2021). Whistleblowing Systems: A Systematic Literature Review on the Design Specifications and the Consideration of the Risk for Organizational Insiders to Blow the Whistle. Corporate Ownership & Control, 18(2), pp. 60-73.
Teichmann, F. M., & Falker, M.-C. (2021). Whistleblowing Incentives. Journal of Financial Crime, 28(2), pp. 394-405.
Weigand, H., van den Heuvel, W.-J., & Hiel, M. (2011). Business policy compliance in service-oriented systems. Information Systems, 36(4), pp. 791-807.