Connected Compliance
Leverage the value of connected compliance to your competitive advantage.
CONNECTED COMPLIANCE
The global case for integration
2018/19
Time for a paradigm shift
New global research from Baker McKenzie highlights endemic compliance lapses among multinationals. Cultural and organizational change point the way to a brighter future.
Jo Ludlam, Partner and Co-Chair of the Global Compliance & Investigations Group
In the autumn of 2017, we spoke with more than 500 UK multinationals about their attitudes to compliance. We found that a 'connected' approach - where organizations work in a collaborative, agile, strategic and effective manner - offered the greatest return to the wider business, with growing companies leveraging compliance to their competitive advantage.
This year, for the second edition of Connected Compliance, we have expanded our research internationally, gathering data from 800 business leaders across the US, Canada, Brazil, Hong Kong, China, Spain and Germany. We have explored the connectivity of teams globally and we have examined where regional and cultural differences are affecting attitudes to compliance. This new tranche of the Connected Compliance initiative looks specifically at the transition from a policy to an ethics-based approach, the dangers of acquiring a problem or non-compliant behaviour during the M&A process, and the interconnectivity of supply chain relationships, as companies wrestle with policing not only third, but also fourth and fifth party suppliers.
And of course, we revisited the central tenet of our Connected Compliance campaign - that successful approaches to compliance both protect and drive commercial growth - to see how far it resonated with global organizations. Once again, we found that while siloed departments struggled, connected compliance teams blossomed because they were able to perform that critical dual function. That means safeguarding the company's reputation as a good corporate citizen, complying with regulation to avoid costly investigations and fines, and defending IP and customer data. But it also means compliance teams making a greater strategic contribution to the business by taking an active role in growth decisions that support sustainable growth. In fact, growing organizations consistently outperformed their low-growth peers with their compliance connectivity.
But despite clear commercial incentives to integrate compliance across an organisation, we continue to identify significant gaps, with compliance teams most likely to sit on the side-lines during major commercial decision-making. At the same time, compliance considerations were largely confined solely to compliance teams - who in turn predicted a rise in breaches as they struggled to cope with increasingly complex global regulations.
Compliance teams are consistently struggling to connect across their businesses, regardless of jurisdiction, while also struggling to connect across borders. In fact, only one in five companies manage compliance in a broadly integrated way. Here, we look at the global data, noting the successes and pitfalls in each critical dimension of compliance capability. We also explore where regional differences exist and what companies in one jurisdiction can learn from their international neighbors.
Strategy: Making commercial connections
Strategy aligns compliance and commercial goals to increase business value.
Strategy is a critical component of connected compliance. It means finding the right balance between compliance and strategic growth, to increase business value. It aligns compliance and commercial goals.
Compliance as an enabler
A quarter of companies are currently targeting ‘aggressive’ growth, with the overwhelming majority seeking some form of revenue growth, operating profit growth or a combination of the two. To meet these ambitious targets, two thirds of organizations are taking calculated risks in pursuit of growth, according to our research. M&A is at the heart of this growth strategy for one in five respondents.
Few activities are as significant for organizations as large-scale M&A, which enables firms to make rapid seismic changes to their business. With the huge cost, cultural upheaval and regulatory scrutiny of large-scale M&A, risk is high, so compliance involvement in planning and implementing deals is essential. But our research uncovers serious and systemic misalignment between compliance and commercial strategy. Compliance teams are not consistently included in planning and implementing deals. In fact, less than half the respondents to our survey involve compliance ‘substantively’ in planning and implementing multi-billion pound M&A deals.
By failing to align compliance and growth, organizations are dramatically increasing their risk exposure. On average, 49% of organizations admitted to uncovering a compliance issue with a new acquisition only after the fact. This approach is highly inconsistent, given that three quarters of strategy heads claim that the compliance team should have an important role to play in meeting the organization's growth targets.
At the same time, large M&A will typically lead to a company acquiring new business partners who have not been through the firm's compliance procedures. Unsurprisingly, 70% of compliance leaders state that the team is being stretched by their company’s growth plans.
The lack of compliance involvement is apparent across many commercial activities. Our research finds that compliance is deliberately kept out of the loop for fear of issues being uncovered and plans derailed, with 40% of respondents reluctant to speak openly for fear of highlighting compliance challenges.
"If compliance operates as a completely separate function, they become the people you have to ‘get around’. They can be seen as blockers who are viewed as not really understanding what the business is trying to do. You can have a huge compliance department but they won’t necessarily stop bad behavior if that's the firm culture."
William Devaney, Partner
Keeping compliance at arm’s length is damaging. Not only are organizations undermining compliance’s ability to protect value by minimizing risk, they are also missing an opportunity to drive valuable business outcomes. When competitive advantage is slim and growth hard won, companies can’t afford to overpay on a deal or underestimate the cost of integration post-acquisition. With a fuller picture from compliance experts, heads of strategy are in a stronger position to negotiate more attractive terms on new acquisitions and maximize value for their organization.
Talking point: Growth and compliance
Mini vandePol
Asia Pacific Regional Head of the Compliance
& Investigations Group
"When acquiring a new business, there is an inherent risk of acquiring non-compliant practices at the same time. Non-compliance may be confined to an individual, or it can spread to a team, the business model or an entire organization. Considering and auditing the culture of new business partners is a crucial step - yet compliance teams are involved in only 43% of large-scale mergers and acquisitions. As such, merging parties often find themselves facing conflict and disagreement after ploughing ahead with deals that may pose compliance risks - a common occurrence according to business leaders.
"Failing to adequately assess compliance liabilities exposes the business to additional risk, but it also removes potential leverage for negotiating on the price or terms of a deal. In today's business environment, companies cannot afford to ignore the significant strategic contribution that compliance functions can offer. Compliance can start to shake its reputation as a commercial killjoy by becoming a real business partner - thinking beyond M&A due diligence to long-term commercial value.
"At the same time, mergers and new ventures may also provide an opportunity for positive behavioral change. Bringing in new voices to disrupt non-compliant thought patterns or behaviors can be a powerful driver for change. But legacy attitudes can be difficult to disrupt, so beware of an assumption that corporate culture will 'default' to previous norms after progress has been made."
Regional outlook >>
Collaboration:
Connect to comply
Collaboration builds connections and compliance accountability across the entire organization.
Collaboration is the second core tenet of connected compliance. It relies on the ability of the whole organization to build relationships, understanding and accountability for compliance across functions – from the boardroom to the frontline.
Life in silos
Siloed organizational structures are the scourge of connected compliance, giving rise to multiple compliance issues. According to our research, 45% of respondents believe compliance blind spots exist as a result of silos, where there is poor alignment between departments. The compliance team was most pessimistic about the lack of collaboration and alignment between their function and other business units. These silos can also exist within compliance and legal departments, with subject matter and regional teams failing to communicate effectively and viewing issues through a narrow lens.
In fact, 69% of respondents agree or strongly agree that their company could be more compliant with better cross-functional collaboration. Despite this, respondents appear to resist closer collaboration. While personal liability for compliance breaches is a concern, relatively few are willing to accept any accountability for compliance matters. Two thirds of leaders take more interest in compliance now that criminal enforcement against individuals has increased. However, the same number of people say that the compliance team takes sole responsibility for good governance.
Whose job is it anyway?
Reluctance to accept responsibility for compliance is apparent across organizations, with employees more likely to be rewarded for compliance effectiveness than senior leaders or board members. Companies are recognizing that compliant behavior relies upon a strong corporate culture - which cannot be established with the introduction of new policies alone. However, it can be problematic to place a high degree of responsibility on employees to self-manage compliance, given that our research uncovers glitches in chains of command and highlights that not all frontline staff fully understand compliance rules or have the tools to identify risk indicators.
Half of the respondents we interviewed said it can be confusing to understand compliance practice because the company has multiple policies across functions. Almost two thirds of compliance heads conceded that standards vary widely across different jurisdictions. And almost half of all respondents bemoan a bottleneck in escalation times between employees and leaders when it comes to compliance issues.
"Embedding functional compliance into business teams fosters collaboration and understanding between compliance and the business. Some financial services companies have done this particularly effectively, appointing go-to compliance contacts who sit within strategic business lines."
William Devaney, Partner
Certainly, compliance doesn’t end at the water’s edge. Failures and breaches rarely fall neatly in a single department or with one individual – they permeate artificial organizational lines. Regulators are increasingly able to join the dots, so organizations must collaborate, share responsibility and empower every business division to identify compliance issues that fall between the siloes. Compliance is now everyone’s job. But even with strong compliance strategies, it is difficult to predict whether employees will follow the rules when faced with a real world issue.
Ensuring employees comply is a key concern, according to our research. Over half the respondents worry about whether compliant decisions taken at the top are properly implemented down the chain of command.
At the same time, there is little desire and huge difficulty in policing employee action. Organizations are increasingly adopting a values-led approach to compliance – asking employees to ‘do the right thing’. In fact, 63% of managing directors encourage employees to use their own moral compass when it comes to compliance issues. Creating a simple, common language for compliance issues – one which is centered around values and ethics – can be a powerful tool for improving behaviors across large organizations.
"Hiring according to your culture, sharing compliance best practice regularly and using predictive analytics to preempt non-compliant behavior are just a few measures you can take to strengthen your employees’ ability to make the right decisions, and build your confidence in the logic of those choices."
Jo Ludlam, Partner
Talking point:
Culture and collaboration
Christopher Burkett
Partner
"Our research underlines an endemic lack of collaboration apparent in all firms, though high-growth organizations do work together more frequently. This may explain why their employees more readily understand and engage with compliance compared to counterparts in lower-performing businesses. Establishing a common corporate culture - with a strong compliance ethos - can be a powerful tool for enabling closer collaboration.
"In fact, more organizations are now looking beyond their basic legal obligations and adopting an ethics-based view of compliance. They have taken steps to elevate issues of compliance accountability to board level, improving responsibility and reporting lines, while also removing duplicative policies to converge instead around a central compliance theme that reflects the wider firm brand.
"Nevertheless, creating compliance policies is little use if the workforce doesn’t understand how those policies apply. Conducting regular vertical and horizontal risk audits will uncover compliance gaps and focus the whole organization on the most pressing issues. Vertical assessments tackle misalignment between employees up and down the organization, and horizontal assessments join the dots between functions and areas of compliance. Regular training sessions, leadership updates on compliance practice, and critical reviews of communication channels will also help uncover issues that could prevent knowledge of a serious compliance issue reaching the right people."
Talking point: Third-party risk
Jo Ludlam
Partner
"Legislation empowers authorities to hold companies to account for failing to prevent non-compliant activity in their supply chains. The ‘don’t ask, don’t tell’ approach often adopted by companies is therefore insufficient in some circumstances. Almost half the organizations we surveyed are choosing to avoid probing the compliance practices of their supply chain, while more than a half rely on third parties to police themselves.
"This is an increasingly complex issue for compliance; various areas of law approach liability differently and there are substantial contrasts across jurisdictions too. Compliance leaders are aware that they need to take a hands-on approach, but many organizations struggle to determine how far they need to go. Wide-reaching tax and bribery legislation piles on the pressure to implement watertight processes and procedures, and to include explicit clauses in third-party contracts to mitigate these offenses, but deniable culpability remains a legitimate defense against some supply chain compliance problems.
"More than a third of the participants we interviewed plan to make new investments in supply chain compliance over the next 12 months. But investment alone won’t mitigate risk. Organizations should conduct frequent risk assessment and gap analyses and carefully consider where to build closer relationships and adopt shared compliance objectives with suppliers. In fact, companies are now beginning to look further down their supply chains, to the behavior of fourth and fifth parties. That's a new journey - and one which requires rather granular management - but it offers an opportunity to stay ahead of the risks."
Regional outlook >>
Agility:
Connecting to change
Agility reduces internal complexity and ensures organizations can respond quickly to new challenges.
Agility is the third core principle of connected compliance. It ensures organizations are able to respond to the regulatory environment by taking steps to reduce internal complexity and fast-track guidance.
A daunting task
Organizations are overwhelmed by the volume and complexity of regulation in the market, according to our research. Business interests now reach all corners of the world – and disruptive products, systems and delivery models enter the market every minute. Several recent high-profile compliance issues have arisen because previously defined lines between market categories, models and norms have blurred.
Organizations are unsurprisingly anxious about the complexity of regulation in this environment, and don’t feel fully confident in their ability to navigate risk. According to our research, 56% of leaders are overwhelmed by the risk exposure of their business and 57% report that the volume of new regulation has made it incredibly difficult to remain compliant. As a result, serious compliance breaches are expected to rise. Already, more than half our survey respondents are aware of a hidden compliance breach in their organization that is yet to surface to the regulator or the public.
In addition to these regulatory developments, well-resourced agencies and prosecutors are also promoting more aggressive enforcement policies.
"Companies must keep pace with rapidly changing, often conflicting, export and trade regulations, which can change overnight. Failing to observe export control laws and international sanctions can have severe consequences for companies, including loss of export licenses, reputational damage, criminal and civil fines and even imprisonment."
Anahita Thoms, partner
It is impossible to hold back the tide of changing regulation but it is possible to manage it more effectively – reacting quickly to and preempting developments and changes. To do this, organizations must become more agile: integrating and simplifying compliance policies wherever possible to reduce internal complexity, staying in the know by building trusted relationships with regulators, and embedding compliance representatives within core functions to speed up response and decision-making.
Heloisa Uelze
Partner
"With regulatory obligations growing - and sometimes differing across jurisdictions - it is little wonder that business leaders feel overwhelmed by the global compliance risks facing their organization. With a majority predicting that breaches will rise - and more than half aware of compliance issues that have yet to become public - the importance of having a robust and agile compliance program could not be greater.
"Investigating compliance on a regional or a sectoral basis can be very effective and will help to catch issues early while they are still small and easier to manage. Dashboards and other scoring metrics can make the task of logging compliance checks more manageable, but those systems must also account for some measure of quantitative data - the numbers alone do not tell the full story.
"The most effective data will paint a picture about future risk, highlighting areas of danger that could spell trouble down the line. It's important to consider which areas are likely to be next under the regulatory cross-hairs: non-enforcement to date is no guarantee of non-enforcement in the future.
"Simplified and integrated structures allow senior decision-makers from different functions and regions to consolidate and amend information from inside and outside the compliance unit. Companies must also look to leverage other data points, including through their engagement with international non-governmental organizations."
Regional outlook >>
Talking point: Global vs Local
William Devaney
Partner
"Working across international borders is a given for large corporates, yet multinationals continue to struggle with inconsistent application and adoption of compliance standards. With almost two thirds of compliance heads reporting significant variance across different countries or locations - and more than half of business leaders ceding that overlapping policies can confuse employees - it is incumbent on organizations to spread their compliance knowhow to all jurisdictions in which they operate.
"Company policy should be applied worldwide, even when the law does not demand it, to demonstrate strong corporate values. Compliance should not be locally led, but empowering people in each region to implement the program can drive ownership and engagement. Focus, in particular, on individuals with the right attitude and foster them as an advocate for ethical behavior. Diversity is vital for ensuring regional and cultural positions are well understood and communication will be key to distinguishing what is flexible and what is strictly non-negotiable.
"The ability to keep abreast of emerging business risks and new regulation is key to compliance agility. Tailored regulatory updates and breaking news briefings can help businesses preempt what is on the horizon and allow them to get ahead of the curve. For example, by examining enforcement trends, companies can understand how to triage issues and prioritize compliance initiatives. Building a bank of insight provides the foresight needed to respond to the most pressing issues at the right time."
Regional outlook >>
Effectiveness:
Connected and efficient
Effectiveness means streamlining and reducing duplication - without reducing services.
Effectiveness is the final facet of connected compliance. Effective compliance is streamlined without sacrificing the ability of the compliance team to fulfil its dual function. Cost cutting is balanced, targeting duplication of efforts rather than reducing the scope of compliance services.
Compliance in the face of cuts
Support functions are a frequent target for cuts and compliance is no exception. Two thirds of all companies are tasked with making efficiencies in the compliance team, despite the fact that respondents tell us they already struggle to manage the various threats to their organizations.
When poorly managed, cost savings may jeopardize the effectiveness of the function. In fact, compliance is only effective if it is able to fulfil its dual role – protecting and driving business value – by responding to emerging risks. To that end, 62% of compliance leaders would like to invest more to make understanding and implementing compliance policies and procedures easier for all employees.
Nevertheless, when handled correctly, efficiency itself is no bad thing. Finding new ways to optimize compliance is important, especially given that duplication of compliance policies and procedures across functions is an issue for many companies.
It is vital, however, that compliance resources are directed at the areas that pose the greatest threat to the business. According to respondents to our survey, they are competition law, IT and fraud, followed by data and regulation. Despite being a relatively mature and defined area of compliance, competition law continues to be perceived as a significant risk owing to ongoing and heavy enforcement by the regulators. Competition violations are high profile, penalties are costly, and the level of complexity means it is not only difficult to give practical advice but it is also challenging to police.
Despite these risks, more than 40% of respondents are taking steps to reduce, in general, compliance services offered to the wider business. This presents a significant risk to overall compliance. One slip in a relatively innocuous area could lead to a much bigger issue elsewhere –further strengthening the case for connected compliance.
Talking point:
Integration as a tool for efficiency
Cecilia Pastor
Partner
"Though most organizations aspire to closer collaboration, only one in five would describe themselves as managing compliance in a broadly integrated way. Half the business community can point to organizational silos, while 45% of compliance chiefs say blind spots arise from poor alignment and collaboration between functions.
"Unsurprisingly, breaking down those barriers is a chief priority, with more than two-thirds claiming that they could be more compliant if they were able to work more effectively across silos. For companies, that could mean developing the ability to aggregate data at group level to help coordinate local teams. But it is vital to consider the user experience of the procedures, controls and tools that are being implemented - employees will only embrace new systems that make their lives easier. Physically moving people between offices is another avenue by which to meaningfully share experience and best practice. It also provides a real opportunity for wholesale change - and it can destabilize any developing norms of non-compliance.
"Importantly, effective compliance is not about shrinking teams or cutting cost, but rather finding connections, eliminating troublesome overlaps and breaking down the silos that create inefficiency.”
Regional outlook >>
Conclusion
Connected Compliance is a commercial necessity
Organizations around the world are recognizing that a weak compliance function is a significant hamper to sustainable growth and are taking steps to bolster their capabilities. From employee training in Brazil, to full-scale risk assessments in China and Hong Kong, multinationals are approaching the task from various angles, but one third of all compliance officers are planning to make investments in the next 12 months. Technology and IT are the focus for more than half the respondents we surveyed.
That investment cannot come soon enough for companies that are struggling under the weight of their rising risk exposure. A majority of respondents tell us they are overwhelmed - and it's a particular concern in Brazil, where almost three quarters of respondents are feeling the strain of increasing compliance obligations. Our findings suggest there is real cause for such concern, with a majority of companies admitting to compliance violations that have yet to come to light. The US faces a particular threat in this regard, with over two thirds of respondents reporting issues in their organization that are still to be discovered by a regulator.
Compliance teams are also struggling to defend their business on the transactional front: as organizations expand into new markets and adopt new business models, they risk acquiring poor compliance practice - or outright violations - as an accompaniment to the desired commercial benefits. That phenomenon is one that businesses have seen play out time and again - 60% have acquired companies with compliance issues that were clear from the beginning of the deal. In the US and Spain, as many as two thirds of organizations have made investments in non-compliant businesses, only to have to live with the consequences after the fact.
It's no wonder, then, that 70% of compliance heads feel stretched by their company's expansion plans - and perhaps a little aggrieved not to be more involved in significant commercial decision-making. In reality, just 43% of companies involve compliance in the planning of largescale M&A, despite 70% claiming that compliance has an important role to play in achieving growth targets.
The challenge then is to close the gap between perception and reality in the approach to compliance. In today's regulatory environment, it is no longer enough to play lip service to the contribution of the compliance team. It is incumbent on companies to place compliance at the heart of the business, by integrating teams and promoting a culture of compliance, from the boardroom to the shop floor.
All employees, irrespective of seniority or area of responsibility, should feel that compliance falls under their remit - though that remains a distant prospect. At present, around three quarters of respondents in China ,Hong Kong, Brazil and Spain believe that compliance is solely the job of the compliance team. That perception must change. Germany and Canada have made more progress in this regard, with half the respondents accepting that compliance responsibility extends beyond the compliance function.
In a bid to better instill compliance values across the organization, multinationals are beginning to move from a policy to an ethics-based approach to compliance, though companies in different jurisdictions are at different stages of that journey. In Canada, it's an approach adopted by just 37% of general managers, whereas in China and Hong Kong, 76% encourage employees to use their own moral compass to guide their decision-making.
Ultimately, effective compliance is good business - and that requires a connected approach, supported by a shift in culture. Collaborating across teams, geographies and areas of responsibility will reduce the risk of gaps while allowing businesses to respond and adapt to the shifting environment.
Key contacts and information
For more information about Connected Compliance or to discuss the findings in greater detail please contact:
Partner and Co-Chair of the Global Compliance & Investigations Group
Email me
Competition, Bribery & Trade Compliance Partner
Email me
Partner and Chair of the EMEA Competition Group
Email me
Partner and Co-Chair of the Global Compliance & Investigations Group
Email me
Asia Pacific Regional Head of the Compliance & Investigations Group
Email me
International Commercial & Trade Partner
Email me
Antitrust & Compliance Partner
Email me
Partner and Head of the International Trade Group
Email me
Find your Connected Compliance score
Try our compliance tool and see how you compare to others in your sector and to high-performing companies.
About the research
Baker McKenzie’s Connected Compliance report examines the compliance approaches and concerns of global multinationals. Opinion research was conducted in Autumn 2018 among: 200 respondents in the USA; 100 respondents in Canada; 200 respondents in China and Hong Kong; 100 respondents in Germany; 100 respondents in Spain and 100 respondents in Brazil. Opinion research was conducted in Autumn 2017 amongst 537 UK respondents. Study participants include a representative sample of compliance leaders (Head of Compliance, Chief Compliance Officer), growth leaders (Head of Strategy, Chief Strategy Officer, Business Development Director) and general managers (General Manager, UK Managing Director). Participating companies were drawn from the following sectors: Industrial, Consumer Goods, Energy & Infrastructure, Financial Services, Healthcare & Life Sciences, and Technology, Media & Telecoms (TMT). All companies had a turnover of £1bn or equivalent.