In today’s environment of increasing use of and dependence on technology, complex and large volumes of business transactions, and multijurisdictional presence with cultural diversity, the risks for business operations have dramatically transformed. Organisations continue to rely on traditional approaches towards compliance, including orthodox manual audits with minimum use of technology which include traditional sampling methodology and checklist-based audit approaches. These factors, along with the lack of real-time monitoring, have rendered compliance programs ineffective and costly in the current environment.
Additionally, there is a huge indirect cost of ineffective compliance programs in the form of staggering financial penalties by regulators in the event of legislation violation, such as anti-bribery laws. The story does not end here, as organisations have to bear the additional burden of financial and reputational cost of internal and external investigations, private litigations, debarment from government contracts, and negative impact on share prices, monitoring by regulators, and remediation costs and legal fees, besides cost of internal resources to manage the crisis. All these costs tend to accumulate, and in recent times companies have had to spend large sums – in some cases billions of dollars – dealing with regulatory non-compliance, which impacted the growth prospects and reputation of the organisations for several years.
In many instances of recent regulatory action, it was found that organisations have not been able to keep pace with the rapidly changing business environment and fail to update their compliance programs in a timely manner. This could be due to reasons such as ineffective design of the compliance program, reliance on costly traditional approaches for monitoring, and poor implementation of compliance initiatives. Compliance teams remain under constant pressure to build programs that address concerns in a cost-effective manner, along with the stress of potentially being held personally liable for any noncompliance.
In the wake of this, there is a need for organisations to derive maximum value from their compliance efforts. While senior management teams would tend to look at compliance as a cost centre, with the right focus it can instead become a tool to effectively deploy resources to prevent fraud and misconduct, save dollars and maximise value for the organisation and its stakeholders. In the following paragraphs we list down a few areas that organisations should consider and prioritise to optimise the cost of compliance.
Proactive use of technology
Considering the increased volume, complexity of transactions, geographical spread, and disparate systems being used by stakeholders, it is imperative that the compliance team uses technology effectively. Integrating policies into systems with features of on-demand guidance in complex situations, periodic self-certifications, mobile-based applications for trainings, and monitoring transactions on a real-time basis are some of the good practices which can not only reduce cost but also improve the efficacy of the overall compliance program. Leveraging the power of technology to help reduce costs, as well as enhance the consistency of controls, must be considered part of the solution.
Challenging status quo
Legal and compliance risks and requirements evolve over time, which means that a compliance program cannot be static. Merely following a universal or general compliance program, without adding sensitivity for the local environment, is likely to result in an inadequate program. As such, an important component of a compliance program is to constantly assess, challenge, and update the program with global best practices and any changes in the environment. Though this may involve additional cost, a dynamic and customised compliance program can not only manage risk effectively in real time, but also reduce cost in the longer run.
Continuous or real-time monitoring
Traditionally, in many organisations, testing of controls on a retrospective and cyclical basis has been the key defensive control to evaluate the effectiveness of the controls and compliance program. This exercise, at times, is conducted months after business activities have occurred. Testing procedures are often based on a sampling approach and rely on activities such as reviews of policies, procedures, approvals, and reconciliations. Over the years, this approach has been recognised as being not only cost ineffective but also as one that has a narrow scope of evaluation, and is often undertaken too late in the day to be of value to business performance or regulatory compliance. Instead, tools for continuous monitoring, backed by data analytics, could become a cost-effective and result-oriented solution to perform control and risk assessments on a more frequent basis. We believe adopting the following specific measures may help organisations:
Develop customised dashboards based on rule sets to identify potential red flags from design and operations’ perspectives.
Develop customised tools or apps to assess risk in specific areas, for example, third parties, cash payments, training, etc., based on past experiences.
Conduct surveys with internal and external stakeholders to assess potential risks before they become significant issues.
Remediation and self-reporting
Enforcement agencies around the world have become more active than ever before, and so immediate remediation and self-reporting can actually serve as a shield against criminal and civil prosecution. It has long been suggested that a proactive compliance program, along with diligent self-reporting, can provide companies with significant cost benefits, both external and internal. Global regulators are also mindful of elements that can be considered a valid defence by an organisation, especially in potential cases of bribery or corruption. These elements are:
Proactive efforts to identify and remediate anti-corruption issues, along with continuous monitoring and self-reporting.
Demonstration of adequate controls, making it evident that the incident is an isolated event rather than a systemic failure.
A clean organisational history of compliance, with no reports of misconduct, including criminal, civil, and regulatory actions.
Increasing accountability and awareness
We believe organisations should increase coverage and accountability of employees towards compliance initiatives, and compliance efforts should not centre on just a handful of employees. Encouraging employee activism through periodic trainings and messaging can potentially deter wrongdoing and prevent lapses, and may save organisations from financial and other consequences.
It has been proven, time and again, through decisions of regulators around the globe that effectively implemented compliance programs can bring significant cost savings and can help avoid regulatory sanctions or penalties. Effective compliance should become a priority for businesses around the world, not only to meet regulatory requirements but also because of potential cost advantages. It is time for organisations to think strategically towards compliance initiatives and invest in prioritised areas for efficient, result-oriented, and cost-effective solutions, enhancing the overall quality of governance as well as value for stakeholders.
About the Authors:
Sumit Makhija is Partner – Forensic, Financial Advisory, and Rohit Goel is Director – Forensic, Financial Advisory, Deloitte Touche Tohmatsu India LLP.