To help prepare compliance professionals for the year ahead, we’ve talked with industry experts, our colleagues at NAVEX Global, and ethics and compliance professionals from our more than 12,500 client organizations to gather insights on the top issues and trends that will impact compliance programs in 2016. We’ll share each of the trends here over the next few weeks.
Today, many ethics and compliance professionals, no matter where we’re located, find it to be important to keep up-to-date on the latest news from the European Union courts, the U.K.’s Serious Fraud Office and international organizations, including the United Nations, the International Standards Organization (ISO) and the Organisation for Economic Co-operation and Development (OECD).
It wasn’t always so. While we may run the risk of being called U.S.-centric, it wasn’t too long ago that E&C regulatory initiatives and best practices were centered on the U.S. Even a cursory study of business history will bear this out:
- The start of the ethics and compliance officer movement occurred in the mid-1980s with the Defense Industry Initiative;
- The 1991 promulgation of the Federal Sentencing Guidelines for Organizations (FSGO), with its model for establishing an “effective compliance program” and its “stick and carrot” approach, was the first wake up call for companies in all industries and set off the creation of many of today’s E&C programs;
- The rapid growth through the 1990s of the position of Ethics Officer in response to the FSGO and the subsequent sharing of best practices through the creation of conferences, forums and associations;
- The proliferation of regulatory and industry-specific guidance on how to create an E&C program, especially in healthcare and for U.S. government contractors;
- And the headline-grabbing scandals which, throughout this period, all seemed to involve U.S.-based companies.
Of course, there were non-U.S. organizations that championed ethics and compliance during this early period as well, most notably in the U.K., Australia, Israel, South Africa, Japan and the Netherlands. There were also international initiatives, including those led by Reverend Leon Sullivan, Transparency International and The U.N. Global Compact. But until ethics and compliance scandals began to implicate non-U.S. headquartered companies, the influence of these initiatives was limited, and the engine generating E&C momentum was largely based in the U.S.
All that changed when we crossed into the new millennium. If we look back over the last fifteen years, it is has been increasingly likely that ethics and compliance scandals occur in Rio de Janeiro or Wolfsburg, Germany rather than Houston or New York. It is interesting to speculate whether this trend is attributable to the increased interconnectedness of global business, the advance of the rule of law (especially as it pertains to combating bribery and corruption) or the scrutiny that comes from the never blinking eye of business and social media.
Whatever the reason, we now find ourselves at a time when regulatory initiatives and best practices are more likely to come from London than the U.S. (the U.S. Department of Justice’s Yates Memo being perhaps the one recent exception to the rule). The center of gravity has shifted. Consider the following list of recent regulations, enforcement trends and initiatives from outside the U.S.:
- The U.K.’s Modern Slavery Act 2015—which contains a provision that, with certain exceptions, organizations that do business in the U.K. must produce a statement for each financial year that sets out the steps they're taking to ensure that modern slavery and human trafficking aren't occurring in their organization or in their supply chains.
- The International Standards Organization’s (ISO) Compliance Management System Standard (ISO 19600) —a detailed and prescriptive guideline for creating, maintaining and documenting an E&C program;
- The European Court of Justice’s judgement on Safe Harbors related to privacy of personal information, which invalidated the Safe Harbor Framework, in place since 2002;
- The Russian Federal Act on Data Protection, which requires that personal data of Russian citizens be first processed and stored on servers located within the territory of Russia. This is only the latest in a dizzying number of data protection laws from outside the U.S, not only from E.U. countries but also from Argentina, Canada, Costa Rica, Hong Kong, India, Israel, Japan, Malaysia, Mexico, Peru, South Korea, Taiwan and Uruguay;
- And the U.K.’s recently-released Anti-Corruption Plan that highlights efforts to pull together a broad range of resources to fight bribery and corruption, including “government, civil society organisations, law enforcement and other partners.”
Many of these developments have broad applications and often are replicated in other jurisdictions. So, even if a particular regulation does not apply to your business, it nevertheless is important to pay attention.
Key Steps for Organizations to Take
- Get help to stay informed. The legal landscape is changing rapidly and it is important to fully understand the law in the jurisdictions where you operate. To do so, consider creating a mechanism to keep you informed and to help you anticipate, identify, prioritize and react to change. Enlist the help of local legal liaisons to keep you up-to-date. Also be sure to broaden your sources for information and best practices. If you regularly attend one or more E&C conferences, include a conference outside of your home country. If travel costs are an issue, enlist help from your in-country co-workers.
- Identify your organization’s obligations. It is not always easy to determine which provisions apply to your organization, but doing so is important. For instance, when setting up your compliance hotline/helpline you’ll need to know whether any country-specific data privacy regulations apply. Similarly, your code may need to be amended if you fall under the U.K. Modern Slavery Act. Likewise, you should reach out to determine whether anyone in your organization regularly deals with ISO, and, if so, whether any efforts are underway to comply with ISO 19600:2014.
- Keep key decision makers up-to-date. You may be in the best position to regularly update senior leadership on E&C regulatory and best practice developments. Include this information in your regular communications and as part of your risk assessment process. But don’t overdo it. Be selective and prioritize developments that are most likely to impact your organization.
- Work to overcome biases. It is common to resist best practices that “aren’t created here.” Whether the obstacle is personal or institutional, take steps that will open you and your organization to good ideas—no matter where they come from.
- Develop targeted communications, and training—and localize policies— for those impacted by new regulations. Often the most successful ways to implement such training is to involve local managers or compliance champions—both to ensure cultural resonance and local relevance as well as to demonstrate that these policies are priorities of the business, not just the E&C team. Localized policies relevant to those impacted by new regulations are also important.
