There is certainly no shortage of significant compliance issues in today’s complex business and regulatory environment. Our global economy has produced opportunities for growth and success that can come with an increased need for governance, oversight and formal corporate compliance.
The top five corporate compliance concerns trending today include:
- Managing a dynamic, ever-evolving IT environment
- Understanding and managing corporate enterprise risk
- Reducing the risk of tactical regulatory noncompliance
- Understanding and managing corporate compliance in international markets
- Managing a formal, robust corporate compliance program
While direct oversight of compliance is not the board’s responsibility from a day-to-day operational perspective, directors have a fiduciary responsibility to shareholders and in some cases may be held accountable for corporate misdeeds. The risk of potential personal liability along with the desire to serve the company and its stakeholders are strong motivating factors for executives and directors to execute and continually update robust corporate compliance programs.
The full board and designated committees should be engaged in the oversight of activities involving corporate compliance issues with timely and candid involvement from the CEO, CFO, CIO, corporate counsel and CECO (chief ethics and compliance officer), as applicable. The CECO position often includes responsibility for creating and maintaining an effective corporate compliance program. This position regularly reports to the board with ample opportunity for open dialog and action plans to address issues in real time.
1. Managing a dynamic, ever-evolving IT environment
Digital technology allows us to communicate instantly, merge data in moments and transfer volumes of information between multiple devices and platforms as if by sleight of hand. These capabilities also dramatically increase the potential for security and compliance breaches due to fraud or gaps in oversight. With an estimated 90 percent of data transmitted being digital, corporations must manage what amounts to an ocean of data, much of it highly sensitive in nature.
Technological advances including cloud computing and mobility have led the Securities and Exchange Commission and other regulatory agencies to re-issue compliance standards that address IT issues. Fortunately, the IT industry has kept pace, offering new solutions for retaining, sorting and indexing digital data – making it possible to manage the preservation and review of data before a company faces legal or regulatory inquiries.
These solutions can be costly and require diligence. Designated board committees should assess the overall IT environment, its susceptibility to risk and the effectiveness of the corporation’s policies and procedures surrounding IT. At least annually, the corporation should assess its vulnerabilities to external and internal threats to its data and operations.
2. Understanding and managing corporate enterprise risk
People talk about enterprise risk management (ERM) as an essential and worthy concept and then struggle to implement it. ERM means different things to different corporations, but essentially, it can be managed much as any other high-level priority. ERM strategy involves identifying, analyzing, monitoring and directing internal and external risk factors and leveraging controls to significantly lower risk. Such enterprise-wide risks include, but are not limited to, liability, compliance, financial, operational, strategic and reputation-related.
In addition to providing an overall corporate risk assessment and control environment analysis, ERM includes adding economic and strategic value for corporate stakeholders and leveraging opportunities created by managing risk. Risk-mitigation opportunities may include integration of isolated activities, greater integration of IT into general operations, and cost savings through vendor management, contract compliance, and outsourcing or co-sourcing of internal operations.
Boards may find it necessary to create a risk oversight committee for ERM. This process can be internally driven by a chief risk officer, internal audit or the CFO.
An effective ERM process provides for enhanced focus on key risks and, if applicable, can be a foundation for a successful internal audit plan.
3. Reducing the risk of tactical regulatory noncompliance
Regulatory compliance issues are heightened in industries such as energy, financial institutions and health care. Understanding and adhering to industry-specific regulatory environments may require a team of individuals with ever-expanding working knowledge of the regulations, case law and enforcement practices of the regulatory agencies and, in many cases, of the regulators themselves.
Most companies do not commit regulatory offenses by design. However, lack of intent or resources is no defense when it comes to legal and regulatory action taken against a corporation and its directors as a result of compliance breaches. Boards and executives must guard against unintentional noncompliance.
Ensure that regulatory compliance functions are internally challenged and regularly updated. This can be a subset of an ERM program or may need to be a separate initiative.
4. Understanding and managing corporate compliance in international markets
The international marketplace presents a world of opportunity for expansion, cost reduction and talent acquisition. With opportunity comes risk. Corporations engaging in business overseas need to be vigilant about contract law involving local country transactions, cultural differences in completing transactions and employment issues, to name a few concerns.
The corporation must weigh all of the benefits and calculated risks of operating in a foreign location. In addition to establishing the appropriate type of corporate entity from a financial and operational standpoint, the corporation must conform to the requirements of specific local authorities and agencies. This can be daunting and requires strong legal advice.
Taxation issues also raise compliance red flags for entities that conduct business outside the United States. The number, variety and fluidity of tax laws, treaties and regulations leave corporations vulnerable to foreign noncompliance related to tax that can be costly and time consuming.
There are also risks to manage associated with visas, operations, and the safety and security of personnel and holdings in foreign locations. Along with management, it is the board’s responsibility to ensure that international risks are appropriately managed and monitored.
5. Managing a formal, robust corporate compliance program
Compliance programs are becoming a necessity, and corporations must ensure that compliance is effectively analyzed and managed. According to the Association of Certified Fraud Examiners (ACFE), asset misappropriation, financial statement fraud and corruption are primarily due to: 1) lack of internal controls; 2) lack of management review; 3) overrides of existing controls; 4) poor tone at the top; 5) lack of competent oversight; and 6) lack of independent checks and audits. The ACFE has found management review of internal controls to be the overwhelming No. 1 modification of controls that organizations make in response to the discovery of fraud.
Rewards for whistleblowers and fraud hotlines, internal and surprise audits, and job rotations are frequently cited as significant components of compliance programs that help to prevent and detect abuses. These programs fall under the responsibility of the chief corporate officer, who also has a direct line of communication to the board.
As noted at the Rand Institute’s 2009 conference on CECOs’ perspectives of prevention and detection of corporate misdeeds, essential features of a robust compliance and ethics program include:
- Compensation linked to compliance and ethics leadership;
- Enforcement of codes of conduct and policies, including nonretaliation policies;
- Professional management of the hotline and investigations;
- Companywide compliance-and-ethics infrastructure and risk assessment;
- Promotion and integration of compliance and ethics goals;
- Effective compliance audits and training based on real-life cases; and
- Direct communication between the chief compliance officer and a responsive board.
Not only is a formal program necessary, it also establishes the compliance culture of the corporation and modifies risk-associated behavior.
In closing, corporate compliance risk is a part of every operation. And with every outstanding opportunity comes some degree of risk, not always negative. An emphasis on corporate compliance within a corporation, supported by an active board of directors, will help create and foster a strong corporate culture that allows continued growth and success.
The information contained herein is general in nature and is not intended, and should not be construed, as legal, accounting, or tax advice or opinion provided by Clifton Gunderson LLP to the reader. The reader also is cautioned that this material may not be applicable to, or suitable for, the reader’s specific circumstances or needs, and may require consideration of non-tax and other tax factors if any action is to be contemplated. The reader should contact his or her Clifton Gunderson or other tax professional prior to taking any action based upon this information. Clifton Gunderson LLP assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect information contained herein.