Designing a compliance programme that is robust and yet flexible enough to span multiple jurisdictions and industries is an increasingly common challenge for businesses as they expand their presence across Asia’s varied countries. And regardless of where businesses may be located, there are a few essential elements to include, experts say, warning there can be significant costs for overlooking these.
Asia is a vast region, and compliance varies significantly from country to country due to disparate laws and unequal enforcement activities. The risks from non-compliance also differ substantially, affecting business decisions. And though an increasing number of companies have equipped themselves with compliance systems, or seek advice in this regard, setting up a compliance programme can still be a challenge.
Beth Junell, head of FTI Consulting’s risk advisory & investigations practice in Asia, says that when designing a compliance programme that addresses single or multiple jurisdictions, there are a number of important elements which must be carefully considered.
“The essential elements consistently referenced across the body of global guidance include: culture of ethics and compliance; appropriate governance and oversight functions; demarcation of roles and responsibilities; enterprise-wide compliance risk assessments; policies and procedures; training, education and communications; incident response and reporting; required management information and metrics; and monitoring or independent testing,” Junell tells ALB.
While each of these elements is equally essential, says Junell, some organisations may place more emphasis on culture than others.
When designing compliance programmes, adequate resources to implement and operate these, including people, technology and funding, are “essential,” Junell notes.
While these are important across the board, there are a few areas that pertain more specially to global programmes, says Junell.
“There needs to be a clear articulation of applicable requirements – laws, regulations, guidelines and so on – which should be set out, in hierarchy, in global- and country-level policies and procedures. Country nuances and conflicts should be addressed/resolved via established protocols,” she says.
In Asia specifically, Junell says, FTI Consulting is often called upon to assist clients to design controls, mitigate, or investigate and address non-compliance, whether intentional or unintentional, with laws and regulations in a number of key areas.
“The first is fraud, or white-collar crime, for example asset misappropriation, specifically employee embezzlement; procurement fraud; intellectual property theft, as accompanied by fraud; and misreporting to stakeholders, including misstated financial statements, public statements by CEOs of publicly-traded companies or mandatory reporting to government agencies,” she says.
Another area is corruption — “Specifically, bribery, relating to violations of local and global anti-corruption laws, and conflicts of interest; bid rigging based on collusion; and economic extortion,” says Junell. “The risk of violating laws or regulations is obvious, and certainly an effective compliance programme would mitigate the risk of intentional violation.”
Gwynn Hopkins, managing director at Perun Consultants, tells ALB that when developing a compliance plan that spans multiple jurisdictions, it’s important to localise plans for employers and employees and to adopt layered approaches, incorporating different tiers of policies on global and local levels, while also offering localised and tailored training to fit local laws and regulations.
Other important ingredients Hopkins cites for businesses when tailoring a plan to fit are “nurturing a culture of integrity, observing local data protection regulation, recognising inherent risk of each jurisdiction, roles and responsibilities (leadership and corporate culture), regulatory business plans,” and clear guidance including case studies, regulatory approvals.
Hopkins adds that among the risks, generally speaking, which companies are typically looking to mitigate against are “financial crime – AML and ABC policies and procedures, insufficient ongoing monitoring, inadequate risk assessment/ratings, doing business with Politically Exposed Persons (PEP), sanctioned parties and attempts to circumvent tax regulations – CRS, FATCA, plain tax evasion and so on.”
SERIOUS RAMIFICATIONS
With myriad considerations required, there are a number of oversights that are commonly made when designing and implementing compliance programmes across multiple jurisdictions, say experts.
“Two big mistakes related to implementation of a compliance programme across multiple jurisdictions are: Failing to understand actual compliance risks in each jurisdiction, and instead assuming risks identified at a global or regional headquarters level are universally applicable and that there are no additional country-level risks,” says Junell.
Another, she adds, can be failing to get ‘buy-in’ or establishing ownership from local business management “who is responsible for executing the programme on a day-to-day basis.”
“An organisation cannot design and implement an effective compliance programme for a global organisation by only engaging a group of people from within the four walls of global headquarters,” she adds.
Among the common big mistakes Hopkins sees in compliance plans are not catching up with new regulations, insufficient practical directions for implementing compliance programmes, and a lack of adequate training.
And these can result in serious ramifications for businesses and staff, she says, noting that fines or penalties, reputation damage, negative press, remediation costs, personal legal risks for senior staff (for example, the business director), can all be dealt out, should the firm be found to be in breach.
Junell adds that the implementation process can also trigger a range of challenges that businesses should be aware of.
“If risks in the jurisdiction, or business unit, are not accurately assessed, then the ramifications are two-fold. On one hand, the business unit could be trying to implement policies and procedures that are irrelevant if the risks to which they relate do not exist for the business. While on the other hand, policies and procedures necessary to manage actual compliance risks that are present locally may not be implemented at all. Both scenarios would likely cause the compliance programme to be ineffective,” Junell says.
“Employees at the business unit are the front-line responsible for executing a compliance programme’s policies, procedures and controls. Therefore, these need to fit within the structure of what people are doing in their everyday jobs. If employees do not execute the compliance programme’s policies, procedures and controls as designed, or worse, circumvent out of frustration, then there is no first-line of defence. Designing workable procedures and controls is more easily accomplished by engaging with the business unit to understand their operating environment and what employees are already experiencing in their daily work life,” she adds.
NEW AREAS OF RISK
Another area where there has been increased focus for companies is in the online sphere — specifically around the mitigation of cyber acts of aggression.
“Mitigating the risk of cyber-based attacks and crimes is at the top of many, if not most, risk management agendas today, and for good reason,” says Junell.
She adds that organisations are susceptible to different types of fraud, in the way of threat actors coming into an organisation through the internet, “often in collusion with insider threat actors”.
“Theft of IP, theft of credit card number databases or outright economic extortion are just a few examples,” Junell adds.
There are other, emerging risks too, including navigating different legal demands amid tensions between jurisdictions.
“Another key risk that is becoming more of a factor in Asia, presently in the context of China-U.S. tensions, is the conflict between laws with which an organisation must comply,” says Junell.
She notes that the recent developments in Hong Kong have triggered cause for careful consideration.
“The recent OFAC (Office of Foreign Assets Control) sanctions imposed by the United States against certain government officials in Hong Kong has raised a lot of discussion about whether complying with those sanctions would potentially be a violation of Hong Kong’s new National Security Law,” she adds.
But Junell says while this issue has received significant attention, “it is not the first time that organisations, particularly those with global footprints, have had to deal with conflict of laws situations.”
“Multinational companies face greater challenges due to the diversity of the legislation in the jurisdictions in which they operate. Establishing an adequate and effective whistleblowing compliance programme is an important element in successfully implementing a robust system.”
— Gwynn Hopkins, Perun Consultants
Besides, compliance is no one-size-fits-all deal. Hopkins tells ALB that some companies do face more of an uphill climb when rolling out compliance programmes than others.
“Multinational companies face greater challenges due to the diversity of the legislation in the jurisdictions in which they operate,” he says.