Compliance Risk Mitigation in Developing Economies

Transcription

1 Compliance Risk Mitigation in Ibrahim Yeku Esq. LLB, BL, CCEP-I,CAMS What is Compliance Risk? 1

2 Compliance Risk is defined as the risk of legal sanctions, material financial loss or loss to reputation an establishment may suffer as a result of its failure to comply with laws, its own regulations, code of conducts, and standard of best/good practices.(black Sea Trade & Development Bank). The risk of impairment to the organization's business model, reputation, integrity and financial condition, resulting from failure to comply with laws, regulation and internal company rules and policies. This includes the risk of failure to comply with established good business practices and failing to balance the expectations of key stakeholders such as customers, employees and society as a whole (AEGON). 2

3 The adverse consequences that can arise from systemic, unforeseen, or isolated violations of applicable laws and regulations, internal standards and policies, and expectations of key stakeholders including customers, employees, and the community, can result in financial losses, reputation damage, regulatory sanctions, and, in severe cases, loss of franchise or rejected mergers and acquisitions (Michael D. Kelsey & Michael Matossian). Basic Components of Compliance Risk Violations: (1) laws & Regulations (2) Internal Policies& Procedures (3) Code of Conducts, standard best practices. Consequences: (1) legal Sanctions- fines (2) Loss of Reputation (3) Financial Loss (civil damages) (4) Imprisonment 3

4 An organisation will be exposed to compliance risk when there is failure to comply with laws, regulations, internal policies & procedures and international best practices. The key phrases in the definitions are failure to do and resulting from failure to. What is your organization doing that is a violation or what is your organisation not doing or failing to do? What are the obligations required of your organisation by the laws, regulations, internal policies and procedures.? How well are you meeting these obligations? If you are able to provide honest and sincere answers to these questions, then you have yourself an insight into the compliance status of your organisation. 4

5 What is Compliance Risk Mitigation? Compliance Risk Mitigation is the process of reducing the possibilities of the occurrence of compliance violations (Yeku). The process of responding to unacceptable compliance risks to bring them to an acceptable level (AEGON). Compliance Risk mitigation is the process of developing and implementing controls such as standards, policies, procedures and guidelines to prevent or minimize compliance risks (ING Group). 5

6 Compliance in Developing Economies otherwise known as emerging economies are those economies with high potentials for growth, opportunities for investments and profitability. Continents with emerging markets are Africa and Asia. Seven of the ten fastest-growing economies in the world are in Africa and Asia. In recent times, transnational and multinational corporations have had more access to emerging economies in these continents, resulting in business expansion and transnational growth. The need to reduce the cost of business through cheap labour and access to the timing consuming populations has endeared Africa and Asia to the world as investment destinations. However, there are inherent compliance risks of doing business in the emerging economies of Africa and Asia. These risks are within (Internal), outside (external) developing economies and personal to organizations. Compliance in Developing Economies The Internal compliance risk is the risk of violating the relevant applicable laws & regulations in the developing economies. External Compliance risk is the risk of violating other laws that regulate an organisation outside the developing economies (in other jurisdiction where it operates or has business interest.) Personal Compliance risk is the risk of self-violation. The risk of violating an organization's internal policies and procedures, code of conducts & ethics of business operations. 6

7 Compliance in Developing Economies Prior to this time, foreign Companies operating within the developing economies often exploit the weaknesses in government institutions and regulatory bodies to operate above the laws. Unlike local corporate entities operating within the developing economies, foreign companies are often accorded special and privileged treatments in their operations. This may sound absurd but it was the major incentive for doing business in Asia and Africa. These companies enjoy and have uneven advantages over their local counterparts mainly because of their willingness to play by the rules and not by the books, paying their way through the system. Issuance of waivers in areas where there are clear cut statutory obligations are common trends in these economies. Most often that not, you have undocumented waivers, payments of fees that are not receipted and unsolicited questionable charitable donations. Compliance in Developing Economies Note, however, that while waivers are not bad in themselves, undocumented waivers and payment of fees not statutorily recognized or receipted for as waivers fees raise compliance question. Other areas where foreign companies operating in developing economies circumvent the laws are; (1) Custom Clearance, (2) Immigration quota applications (3)Import and export waivers (4) Tax exemptions; (5) Failure to follow government procurements laws in the awards of contract. (6) Offering of bribery to facilitate movement of files for approvals 7

8 Compliance in Developing Economies FCPA and UK Bribery Act put an end to the impunity enjoyed by foreign firms operating in developing economies. The FCPA and the UK Bribery Act radically changed the compliance landscape in developing economies. Both legislations made it mandatory and compelling for companies with interest in the UK and the US to comply with the provisions of the local laws in their respective countries of operation whilst observing to the latter the obligations under both laws. The FCPA and UK Bribery Act are major derivers of compliance with local legislation by foreign companies operating in the emerging economies. The uneven advantages foreign companies formerly have over local companies dwindle and nosedive in the wake of both (FCPA & UK Bribery Act) legislations. Compliance in Developing Economies The local companies are not directly subject to UK Bribery Act and the FCPA, hence not mindful of the compliance obligation created under these legislations in cases where there are no corresponding provisions in the local laws. This in itself raises questions that should be addressed in compliance policy or programme of any company that intends to do business in developing economies. How do you make compliance with the UK Bribery Act and FCPA a key component of your dealings with companies in developing economies? However, foreign companies operating in developing economies are subject to both local laws and other various applicable legislations like the UK Bribery Act and the FCPA as it affect the conduct of their business outside their parent country. 8

9 Compliance in Developing Economies Note that violation of local laws may trigger compliance violation under the FCPA and the UK Bribery Act. This is what I have called Cross Compliance Violation, a suggestion that violation of a local law by multinationals amounts to violation under the FCPA & UK Bribery Act. It is in the interest of the foreign companies operating in the developing economies to comply fully with the provisions of the local legislations to avoid Cross Compliance Violations. Compliance in Developing Economies The fear of compliance risk violation tends to over shadow the opportunities that exist in the emerging economies. The mere mention of investment in Africa and Asia automatically throws up the issue of compliance risk. It is however, worthy to note that compliance risk is not common to Africa and Asia but common to all. Countries in the developing economies are not the only corrupt countries of in the world. Therefore, the fear of corruption and compliance violation should not deter investment in these countries. The solution to maximizing opportunities and returns on investment in developing economies is compliance risk mitigation. 9

10 Compliance in Developing Economies Whilst certain compliance challenges may be common in developing economies, it must be stated that there is no one-size-fits-all approach to compliance risk mitigation in developing economies. A country risk assessment must be carried out with respect to specific projects to be undertaken in any of the developing economies. Country A may not have same compliance challenges as Country B, hence it is important to carry out a country risk exercise. Difference in laws presupposes difference in heads of compliance obligations. The success or failure of any organization operating in developing economies is dependent on the entry strategy. A robust entry strategy built on adequate compliance risk mitigations framework will help secure a company s interest throughout the lifespan of its operation in any developing economies. Compliance in Developing Economies In order to effectively mitigate compliance risk in developing economies, it is important to understanding the operating environment (Country of Interest). Understanding the operating environment is the first precursor into the development and implementation of an effective compliance programme. This is however beyond countries risk assessment but holistic understanding of the country of interest may include an awareness of its culture and the way of life of its people. Knowing the country beyond information contained in International Index will give a clear and thorough understanding of possible compliance risk. The facts that a cooperation has successfully implemented its compliance programme in line with FCPA and UK Bribery Acts in its host country /or country of origin is not sufficient. There is no room for copy and paste in compliance implementation. Compliance programme must be tailored to mitigate risk identified or associated with the business operation in any developing economy. 10

11 Can You Mitigate What You Do not Know? What is Compliance Risk Identification? 11

12 Compliance Risk Identification is the process of identifying events, actions or inactions that may give raise to compliance violation or that may expose an organization to compliance risk (Yeku). Mitigation of compliance risk starts with the identification of the potential risks an organization may be exposed to in its bid to do business in developing economies. Failure to properly identify compliance risk exposure in doing business in any developing economy could bring about adverse consequences of compliance violation. Where compliance risks are not properly identified the entire compliance programme will result in a sham. Mitigating compliance risk presupposes that the risks have been identified. 12

13 Companies intending to do business in the developing economies must develop compliance risk identification, assessment and mitigation framework which will focus on risks relevant to the Country of interest. Note, however, that there is no one-size-fits-all method of identifying all trends, vulnerabilities and risk in developing economies. It is therefore advised that companies should develop multiple methods of compliance risk identification. The following are capable of increasing compliance risks of doing business in developing economies: Use of Intermediaries Use of Sales Agent Acquisitions Excessive gift and hospitality to government customers and officials Excessive gift and hospitality to commercial customers 13

14 Receipt of gifts and hospitality Inappropriate use of petty cash Tax Assessments and payments Hiring relatives of company employees, government officials and customers Re-Hire of problematic former employees Import and export waivers How to Identify Compliance Risk 14

15 Ascertain whether there are corresponding obligations under local laws with respect to obligations identified under the FCPA and the UK Bribery Act. Identify and know the applicable laws, regulations that govern and/or may impact on the operations of your company operating in a developing economy. Engage the service or services of a legal attorney or partner with legal to identify relevant compliance risk related legislations and regulations, consult directory of laws and regulations if available. A simple request for a legal opinion may be of help in this regard. Identify key regulatory agencies and make direct enquiry. Understand industry best practices and the obligations arising thereto. Ascertain from the Company s compliance policy what are permissible or prohibited ways of doing business. Conduct Compliance Risk Survey Maintain Compliance Risk Register 15

16 Subscribe to an Compliance Information Database or Association to have access to information on emerging compliance trends. Set up a Compliance Risk Committee /Group Research and Data Analysis Build on existing risk identification programme by going beyond existing regulatory boundaries to identify potential risk. Note that certain risk may emerge outside the regulatory framework in existence in the Country. The primary risk identification obligations rest on Legal, Management and Compliance Officers. Legal Officers (i) Proactively identify new and changes in relevant local laws, regulations and standards in addition to those laws, regulations and standards identified by the organization. (ii) Review compliance related policies issued by the organization and determine whether additional or different obligations, local or international regulations or standard apply and communicate any additional requirements. 16

17 (iii) Resolve conflict between policies issued by the company and local law and/or international law to identify the relevant obligations. (iii) Review on annual basis compliance obligations of the company and sign off accordingly. Management (i) Confirm the existence of the identified risk arising from the compliance obligations. State and restate the commitment of the Company to fully adhere to it compliance obligations. Compliance Officer: (i) Translate compliance related rules, laws and regulations into compliance obligations. (ii) Identify with Management the Compliance Risks that arise from the company s compliance obligations. (iii) Work with legal officers when there is conflict (vi) Update Compliance risk register 17

18 Compliance Risk Assessment After risk is identified, the next step is to assess the risk. Compliance risk assessment will among other things, quantify and prioritize compliance risk and the impact of the risk on an organization's business. This is often assessed against the criteria for risk appetite and business objective of the organization. The outcome of risk assessment determines what mitigation measure will be ideal or be put in place to manage the risk. Compliance risk assessment therefore enables an organization to understand the full range of its risk exposure, including the likelihood that a risk event may occur, the reasons it may occur and the potential severity of its impact. Compliance Risk Assessment An effectively designed compliance risk assessment framework also helps organisations map these risks to the applicable risk owners, and effectively allocate resources to risk mitigation. An assessment of compliance risk in developing economies will require an organization to clearly define the compliance risk landscape and categories it into risk domain. Compliance risk assessment must be comprehensive, dynamic, customizable, allowing an organisation to identify and assess the categories of compliance risk to which it may be exposed. 18

19 Compliance Risk Assessment Note that some compliance risks are peculiar to certain countries. For instance, bribery and corruption may be more pronounced in some countries than others. Similarly, compliance risk may be high in certain sector of a country than in others. This is why you need to go beyond country risk assessment to industry specific risk assessment. For an effective risk assessment in developing economies, the following must be taken into consideration; Compliance Risk Assessment Collective Participation: Compliance risk assessment requires the participation of all interested entities or business unit in particular, the management and compliance officer in the subsidiary company. It is important to carry those who perform the core business operation along because they are able to appreciate and understand the risk the organization is exposed. Head office or parent company risk assessment may not address the compliance obligations or need of an organization as the process will lack credibility during implementation. 19

20 Compliance Risk Assessment Consolidate on Existing Policies & Programme: This implies building on existing policies that help in assessing the organization's risk exposure such as enterprise risk assessment. Example is internal audit reports and quality reviews. Identify Clear Ownership of Risk: An effective compliance risk must be able to identify the risk centers with the risk owners. The risk owners are those individuals responsible for managing the risk. The risk owners help in implementing mitigation measures and alert on emerging risk exposure. Compliance Risk Assessment Regular Risk Assessment Make Assessment Actionable Solicit external Input Use simple and plain language to communicate risk assessment outcome 20

21 Roles of Management & Compliance Officer in Compliance Risk Assessment. Management: (i) Participate in risk assessment (ii) Work with compliance officer to priorities risk (iii) Approve the outcome of compliance risk (iv) Approve the proposed risk assessment technique to be used. Roles of Management & Compliance Officer in Compliance Risk Assessment. Rate and Rank compliance risk Approve propose risk assessment techniques Participate in all compliance risk assessment Review, update or confirm the compliance risk accepted to the organisation. Prepare report of compliance risk assessment 21

22 COMPLIANCE RISK MITIGATION Compliance mitigation should mitigate the impact/or likelihood of the identified compliance risks through risk reduction by developing and implementing controls such as standards, policies, procedures and guidelines to prevent or reduce compliance risks. The following combination of mitigation strategies are ways of responding to compliance risk: (i) Risk Reduction (ii) Risk Avoidance (iii) Risk Transfer; and (vi) Risk Acceptance COMPLIANCE RISK MITIGATION However, the above mitigation strategies may not necessarily serve the interest of an organization with respect to compliance risk. For instance, Risk Transference will further expose an organization to third party risk. Risk transference is the involvement of handing risk off to a willing third party. The use of third party to perform certain functions is a compliance risk in itself. Therefore, you do not mitigate compliance risk by merely transferring the risk. On the other hand, you do by putting in place measures that will help minimize compliance risk exposure from the engagements of third parties. An effective compliance mitigation strategy must clearly communicate prohibited risks. The compliance programme must be designed to avoid identified compliance risks based on the outcome of the risk assessment conducted. 22

23 COMPLIANCE RISK MITIGATION An organisation must be able to define what is risk is acceptable in order to develop an appropriate mitigation strategy. This means only acceptable risk can be mitigated. The following are some of the possible mitigation strategy that may be apply to mitigatesomeoftheidentifiedrisk; a) Open and transparent procurement system b) Inclusion of Ant-Corruption Clause in Contracts c) Provide Trainings to key staff and personnel of contractors COMPLIANCE RISK MITIGATION d) Benchmark the price and other contract conditions. e) Procure evidence of establishment of an effective compliance programme. f) Organize face to face interviews g) Clearly define the scope of services h) Request restructuring of ownership or management when necessary 23

24 COMPLIANCE RISK MITIGATION i) Ensure that payments are made directly to contractor s account. j) Obtain non-conflict of interest undertaking k) Establish a transparent and legal payment system Challenges of Compliance Risk Mitigation Common compliance challenges in developing economies: Corruption Unstable Regulatory Environment Weak Regulatory Regime Cultural Imbalance 24

25 Challenges of Compliance Risk Mitigation Poor infrastructure Insecurity Third Party & Local Agent/Partner Lack of reliable information database Weak Judicial Institutions THANK YOU 25

26 REFERENCES Aegon Transform Tomorrow- Aegon N.V Group Risk UNISA Compliance Charter Compliance risk assessments ; the third ingredient in a world-class ethics and compliance programme ING Group Compliance Risk Management Charter and Framework Risk Identification and Assessment Methodologies for Securities Regulators OICU-IOSCO June Making Your Risk Assessments Count: An Operational and Compliance Perspective Black Sea Trade & Development Bank- Risk Management Guide Emerging Risks Barometer 2015 Risk Assessment Criteria- Sample Ethics & Compliance Risk Assessment Checklist by ORRICK 26