Expanding your compliance programme globally
Enterprise organisations are actively seeking to expand their global footprint to sell into worldwide markets. According to a survey administered by Fortune magazine in 2015, globalisation is one of the primary issues large organisations are developing their business strategies around. To expand globally, these organisations must develop and implement key commercial and operational priorities such as a common strategic vision across global business units, execution based on enterprise-wide and local objectives, and leadership and talent in local markets. Beyond these priorities, compliance functions within these organisations must also find ways to expand their compliance programmes to manage risks in new territories. While a robust programme may have been established for core business units in traditional markets, tailoring the programme to support operations in new markets requires significant additional effort. Doing business worldwide means more opportunities and more customers, but it can also mean more exposure to risks.
To successfully expand a compliance programme to support organisational growth, compliance teams must efficiently meet three key challenges:
- Learn to identify and manage risks and obligations in new countries of operation
- Establish visibility for the compliance programme across local business units
- Develop the programme regionally based on a global standard
This article provides an overview of these three challenges and proposes solutions that every compliance function should consider to properly expand the compliance programme.
New Risks and Obligations
The first challenge an organisation faces in expanding its compliance programme is managing a new set of risks and obligations applicable to the countries it intends to operate in. Traditionally, multinational organisations tend to focus on regulations passed by the United States, United Kingdom, or other western governments. However, countries worldwide are increasingly passing and enforcing compliance regulations of their own, which will affect organisations doing business in those countries. For example, the Communist Party of China (CPC) recently introduced the National Supervision Commission, which proposes to set up local supervision branches across administrative regions in China to monitor all government employees for corruption. Previously, the CPC only monitored its own officials for involvement in corruption. This means the potential for corruption now exists in every interaction between an organisation’s sales team and any government employee in China.
Beyond regulatory obligations, organisations must also comply with customer expectations in areas such as responsible sourcing, health and safety, diversity, employee rights, and data security. A single mishap in any of these areas in any single jurisdiction can cause reputational damage, destroy consumer confidence, and ultimately hurt profits for the organisation globally.
To competently prepare to manage new risks and obligations, a compliance function should do the following:
- Ensure the compliance function is involved in strategic discussions to define the top 20 risks and obligations in local markets
- Conduct health checks at local business units to measure awareness of compliance, and how effectively compliance practices have been implemented
- Conduct regular training of employees on global and local standards and rules
Before deciding how to manage compliance risks locally, it is essential for the compliance function to identify and acknowledge the risks and obligations that apply to the organisation in the relevant market. The best way to do this is for compliance to be involved in strategic business planning discussions with local management – including sales, procurement, and legal. By proactively learning about key operations, products, and sales channels, compliance will be able to identify and advise on areas where compliance risks can emanate from and what controls and processes need to be put in place.
Next, the compliance function should conduct regular health checks to determine the level of awareness for compliance and how well protocols have been implemented at the local level. These health checks should be a mixture of interviews with managers of key departments at the local business unit, and review of documentation such as compliance policies and contracts. After the first health check, the compliance function should clearly set out the organisational standards against which the compliance programme is measured, and recommendations on initiatives and goals to be reached over the next six to twelve months. In subsequent health checks, compliance should determine how effectively these recommendations and initiatives have been implemented and how well the overall programme stacks up to organisational standards – and other business units.
Once risks and obligations have been identified, and controls put in place, training should be provided to employees to ensure effective risk management. Training should be provided in two ways: through e-learning solutions and via face-to-face training. E-learning solutions should be role-based and in the local language, so that learners only receive content that is relevant to their daily activities and the markets they participate in. Face-to-face training should be provided on a periodic basis to test learner retention and to see how employees apply their understanding of compliance to real-life situations.
Through a combination of the solutions described above, the compliance function can identify and manage risks and obligations affecting each individual business unit.
Establish Visibility for the Compliance Programme
The second challenge organisations face in expanding their compliance programmes is establishing visibility of compliance at the local business unit level. Until recently, global organisations have struggled to establish this visibility because the compliance function is often centred at the organisation’s headquarters, and sometimes does not actively reach out to local business units. In addition, compliance functions often lack “champions”, or key employees they can rely on, at the local business unit level to promote the importance of compliance. Lastly, regional business units may prioritise sales and business development over compliance for a variety of reasons, such as needing to meet strategic objectives within tight time frames, overcoming competitive forces, or other market pressures.
To effectively establish visibility for the compliance programme, a compliance function should do the following:
- Conduct roadshows to evangelise the compliance programme and function
- Hire local compliance professionals and identify champions
- Demonstrate how compliance can accelerate business growth
The best way to start establishing visibility for the programme is for compliance personnel from headquarters to visit local business units, meet with key staff members regularly, and conduct a session or training on compliance for all personnel. These sessions do not need to be extremely substantive in nature; rather, the purpose is to begin cultivating a culture of compliance, where employees appreciate the importance of ethical behaviour. To conduct a roadshow, local business units should set up an annual compliance day or integrate a compliance session within an all-hands meeting.
Once compliance professionals from headquarters have begun to develop visibility for the programme, they should ensure that a regional compliance team is set up to help oversee issues for local business units. While it may be difficult to hire competent compliance professionals in certain regions, this step is crucial to ensure that local business teams – from sales, procurement and legal – have a partner to help advise them on issues. In addition, compliance should identify local champions who can actively promote the programme and know how to apply ethical decision making and judgment to everyday operational situations. Typically, champions should be members of sales and procurement – individuals who understand and routinely apply compliant judgment to real-life situations, and who can guide others within their teams on doing the same.
Lastly, and perhaps most important, compliance functions must be able to demonstrate how compliance can help accelerate business growth. This is the only way compliance can become a priority for new business units focused on growth and expansion. Compliance functions must be able to strategically use data to demonstrate the value of compliance. For example, when implementing a third party onboarding process at the local business unit level, compliance functions should be able to show how this process positively affected other business units it has already been rolled out in. The following key metrics should be identified to support the roll out of a third party onboarding process:
- How many third parties were onboarded within a set time frame (one month, one year).
- Turnaround time to onboard a third party.
- What red flags were identified, how they were resolved, and how they could have affected the organisation if not remediated.
- How much money and time a business unit saves by selecting compliant third parties from the start and avoiding turnover.
Develop the Programme Using a Global Standard
A compliance programme cannot be expanded to meet the demands of a growing organisation if the compliance function cannot clearly articulate the principles and standards that should guide the development and management of the compliance programme, and the expectations to which employees are held. Disparate understandings of what constitutes an organisational compliance programme and its requirements will lead to inconsistent application of the programme at the operational level.
For an organisation growing globally, unclear standards lead to new business units struggling to design and implement compliance programmes to govern their unique set of operations, risks and obligations. Poor implementation means risks will go undetected, unmonitored and eventually impact the organisation. To avoid these issues, compliance functions should build, develop and monitor their compliance programmes using a respected international benchmark, such as ISO 37001 on Anti-Bribery Management Systems. ISO 37001 is an internationally recognised compliance standard that harmonises global anti-bribery best practices and gives organisations a way to prove commitment to anti-bribery through certification.
Global compliance standards set out a series of measures to help organisations prevent, detect, and address compliance issues. These standards essentially set out guidelines an organisation should follow to develop its compliance programme. By developing the programme along a strict set of international guidelines, an organisation can better ensure each business unit develops key processes and controls in accordance with the same criteria. When each business unit follows the same set of criteria, employees will more easily understand what risks to monitor, how to identify potential issues, how to follow up and remediate issues, and how to measure whether the programme is effective.
Two areas where a global standard can help guide the growth of the programme include third party onboarding and compliance documentation.
In third party onboarding, each business unit should develop its third party onboarding process using the same overall workflow. This means requests to onboard a third party are made similarly by every business unit, the same questionnaire or core set of questions is issued to each third party, and the same departments are involved in key review and approval checkpoints in the process. By building the third party onboarding process on a global standard, it will be easier to implement this process in a new business unit, and key stakeholders will more easily understand their roles and responsibilities. From a risk standpoint, this also means each third party is subjected to the same standards and approval checkpoints (unless otherwise instructed by legal or compliance).
When it comes to compliance documentation, new business units often maintain documentation very differently compared to headquarters, and in some cases, do not maintain documentation at all. Instead, the compliance function should be able to articulate the minimum documentation types that must exist for each business unit, and ensure that local teams develop these documents accordingly. For example, compliance may require that each business unit develop its employee handbook and compliance policies in accordance with the global code of conduct. While each business unit is free to develop rules and exceptions based on the realities of doing business in their geographic region, a minimum set of standards should be developed based on guidance provided in the code of conduct.
By developing the compliance programme on a global standard, compliance functions can more easily expand the compliance programme to new business units, and employees there can realise and adapt to the expectations and processes they must follow.
Compliance professionals can never rest easy. Organisations are growing globally at a rapid pace, and each foray into new markets means a new set of problems to manage and a new group of employees and stakeholders to guide. The key takeaways to successfully expand a compliance programme globally include:
- Identifying New Risks
Instead of simply thinking about how the usual regulations might affect the organisation, it is important to learn and understand the new market, how the organisation plans to operate in those markets, what new risks are at play, and how these risks can impact the organisation. Additionally, understanding how to mitigate and manage risks inherent in certain markets is crucial when expanding your compliance programme globally.
- Being Visible
New business units will be focused on how to generate revenue. At the start, compliance may be a low priority. In addition, cultural factors may impact how much importance is given to compliance. The easiest way to underscore the importance of compliance is for new business units to understand the people behind the compliance programme. By bringing visibility to the human side of compliance, and extending your hand as a business partner, it will be much easier to develop and establish the programme.
- Setting Expectations Clearly
Employees at new business units, especially ones far from headquarters, may not understand what the compliance function expects of them. By building the compliance programme on a global standard, you can set out the minimum requirements expected of each business unit, and allow them to build out the programme based on the realities of their local environment.
Additionally, companies may consider:
- Creating and enforcing a decentralised model of compliance to match the decentralised nature of a multinational company
- Enhancing the promotion of a culture of ethics at different locations of operations, especially those that are rated medium and high risk
- Increasing and intensifying third-party screening
- Conducting continuous health checks and audits on business units and operations outside the headquarters
- Encouraging a culture of ethics where employees can safely speak up as soon as they detect unethical practices