In our experience, compliance professionals spend a significant amount of time and resources focusing on the “how” – designing, implementing, sustaining, and improving effective compliance programs. This focus is no doubt warranted given recent emphasis by enforcement authorities on the need for corporates to test the effectiveness of their compliance programs. However, we believe it is critical for compliance professionals and their business clients not to lose sight of the “why” behind their compliance agendas, including how to best articulate the business case for investing in a robust compliance program.
When asked why a particular compliance initiative or resource is necessary, compliance professionals may have the urge to rely on guidance from enforcement authorities, framing their response under the rubric of “the regulators’ expectations.” While pronouncements from enforcement authorities can, and should, be a part of such a conversation, relying solely on such pronouncements may not be fully satisfactory to business stakeholders who are not experts in compliance. Worse, it can give business stakeholders the impression that the compliance professional’s response to the “why” question is effectively “because I said so.”
Regardless of the maturity of a company’s compliance program, the ability to effectively articulate the business case for the program can be a vitally important item in a compliance professional’s toolkit, and critical to the overall effectiveness of the program. Among other things, achieving buy-in and support from employees, executives, and directors, as well as external stakeholders, such as business partners, will depend in large part on whether they believe that compliance initiatives are ultimately worth the time, resources, and effort.
With this in mind, we briefly outline below some of the key aspects of the business case for investing in a compliance program. As the business case will vary depending on the risk profile, operations, and culture of the organization, there is no “one size fits all” solution here.
- The Insurance Policy
A number of international legal regimes provide powerful incentives for the development and implementation of effective compliance programs by offering the prospect of more favorable resolutions in enforcement actions. Most notable for companies with potential exposure to U.S. law are the U.S. Sentencing Guidelines, under which a company can receive substantial discounts to criminal fines where it can demonstrate the maintenance of an effective compliance program. Along similar lines, under the U.S. Department of Justice’s (“DOJ”) Foreign Corrupt Practices Act Corporate Enforcement Policy, a company may be entitled to the presumption of a declination of prosecution altogether, or considerable discounts on applicable fines, if, in addition to voluntarily disclosing misconduct and cooperating in DOJ’s investigation, it demonstrates the “[i]mplementation of an effective compliance and ethics program.” In both cases, the ability to put a dollar amount on the value of an effective compliance program, at least as regards the costs of resolving an enforcement action, can be quite powerful in making the case for additional compliance resources.
The UK Bribery Act takes a different approach, providing an affirmative defense for the corporate offense of failure to prevent bribery where a company can demonstrate that it has put in place “adequate procedures.” And even in legal regimes where such incentives are not hard-wired into the enforcement framework, enforcement authorities may consider the strength of a company’s compliance program as a matter of prosecutorial discretion, e.g., as a mitigating factor in the assessment of penalties, or a reason to decline to bring an enforcement action altogether.
- The Security System
While the potential for more favorable resolution of enforcement actions is, in our experience, one of the most compelling aspects of the business case for investment in a compliance program, compliance officers should also focus on the potential for effective programs to detect and prevent potential fraud, corruption, and other compliance breaches either before they happen, or soon enough for companies to take meaningful mitigation actions. In this sense, a company’s compliance program functions as an early warning detection system.
The potential cost savings in this regard can be substantial. In its 2018 Report to the Nations, after analyzing over 2,600 cases of corporate fraud, the Association of Certified Fraud Examiners estimated median direct losses of USD 130,000 per case, with more than 20% of cases involving losses of USD 1 million or more. Moreover, given that these estimates do not include indirect downstream losses such as loss of business, legal fees, or costs from personnel turnover, they likely understate the true cost of compliance breaches, and, correspondingly, the true value of effective compliance programs in avoiding or reducing such losses.
- Avoiding Bad Deals
Along similar lines, when it comes to investment transactions or other transactions with business partners, a robust compliance program can help companies avoid bad deals. For example, robust integrity due diligence on potential business partners and investments can help a company identify significant fraud and corruption risks before the ink is dry and deals are consummated, thereby reducing the risk of follow-on investigations and/or enforcement actions. Additionally, robust pre-investment compliance measures can reduce the risk of adverse operational and financial consequences, such as overpayment for assets, the need to unwind problematic relationships with business partners, or exiting markets or business lines altogether due to compliance concerns.
- Enabling Business and Creating a Competitive Advantage
While much of the foregoing discussion focuses on avoiding losses, compliance professionals should also make the case for compliance efforts as activities that affirmatively create value for a business enterprise.
At the highest level, an effective compliance program provides guardrails that help a company to achieve business objectives while mitigating compliance risks. Good compliance officers are “business enablers” who do not say “no” reflexively, but instead work with the business to fully understand risks and business objectives and devise tailored, fit-for-purpose mitigation measures.
A company with an effective risk-based compliance program may be able to function successfully in a high-risk market, whereas a company with a weaker compliance program may decide that it is not up to the challenge of operating in such a market, or worse, may go into the market unprepared for the compliance challenges it will face. This dynamic is particularly noteworthy in Africa, where we sometimes encounter companies who perceive the compliance risks of certain markets as too high, leading them to pass on opportunities that could be realized if they had sufficiently robust compliance programs. Realization of efficiencies from well-run compliance programs, e.g., streamlining vendor diligence and on-boarding processes with the use of technology, can also impact the bottom line by freeing up valuable resources.
The ability to operate efficiently in higher-risk environments can give companies a significant competitive advantage, but it is by no means the only competitive advantage that companies can realize from maintaining robust compliance programs. In the procurement context, for example, many of our clients evaluate the strength of their suppliers’ compliance programs alongside traditional commercial criteria such as price and quality of services. In addition, lenders and investors are increasingly factoring compliance considerations into their decision-making processes. Finally, in an environment where issues such as sustainability and human rights are driving consumer and employee choices, companies should be prepared for integrity issues to become increasingly relevant to consumers and employees, who may vote with their feet if they are unsatisfied with a company’s commitment to compliance.
* * *
The factors outlined here are by no means exhaustive, and the framing of a business case will be informed by the information available to a company. It may go without saying that companies that are better able to capture and analyze information that quantifies the return on investment from their compliance programs are better able to articulate a compelling business case. This provides additional reason for companies to focus on the use of metrics in designing, implementing, and evaluating the effectiveness of their programs.
If you have questions about corporate compliance matters, please contact Ben Haley at bhaley@cov.com, Sarah Crowder at scrowder@cov.com, or Mark Finucane at mfinucane@cov.com. This article is intended to provide general information. It does not constitute legal advice.
© 2019 Covington & Burling LLP. All rights reserved.