- The scope of compliance is expanding. In both privately held and publicly listed companies, compliance touches aspects of most corporate transactions.
- Pre-closing compliance requirements. From due diligence questionnaires to corporate filings, compliance officers should be involved early in company transactions.
- Post-closing compliance requirements. Integration planning goes beyond legal work; compliance officers may need to overcome cultural differences, especially during M&A.
- Increased prominence and duties of compliance officers. They should now have a seat at the deal team’s table.
Over the years, the set of risks facing organizations has increased dramatically. There are risks related to compliance and litigation; integrity and ethical challenges (reflecting changing societal expectations); corporate governance and regulatory requirements; and geopolitical crises that now draw robust scrutiny. Risk is no longer reserved for only the financial aspects of businesses.
A proliferation of regulatory legislation has been mirrored by increased scrutiny from regulatory and enforcement bodies such as, in the US, the Securities and Exchange Commission (SEC) and Department of Justice (DOJ) and, in the United Kingdom, the Financial Conduct Authority (FCA), the Serious Fraud Office (SFO) and the Home Office, amongst others. One of the most recent and dynamic legal expansions worldwide has been with respect to modern slavery legislation and its supply chain due diligence requirements. Some examples are the Canadian Fighting Against Forced Labour and Child Labour in Supply Chain Act, the US Uyghur Forced Labor Prevention Act, the German Supply Chain Due Diligence Law and France’s Duty of Vigilance Law.
In many organizations, the legal, human resources, procurement, and finance functions used to conduct risk assessments and sound risk management cross-functionally. However, with organizations firmly guided by value-based principles, and in order to tackle the growing number and complexity of rules and regulations, they have since elevated the compliance function to a more prominent place internally.
This, according to my direct experience, current role, and organization, has put compliance at the heart of the action. As a result, it placed compliance officers under extra pressure and provided them with an opportunity to expand the scope of their roles to include advice and assistance in corporate transactions.
Compliance officers are amongst the most progressive contributors to an organization, in that their role (and the expectations placed upon them) is subject to constant and significant change over short periods of time.
The scope of compliance is still broadening and deepening, so depending on the nature of the organization, the industry it belongs to and its risk tolerance, the reach of the compliance function will vary greatly.
There are, however, some parallels to be drawn. In most organizations, the scope of the compliance function includes, in general terms, advising the business on its risk profile and making balanced recommendations, monitoring such risks and the regulatory landscape, and ensuring processes are in place to mitigate inherent risks.
Although every organization has a different risk tolerance level, they all generally must abide by the same regulations in an increasingly complex world. Regulatory obligations go beyond anti-bribery and corruption or other white-collar crime and include, for instance, data protection, modern slavery, trade sanctions, antitrust/unfair competition, and whistleblowing. In addition, the compliance function is now more regularly called upon to advise and assist in regulatory areas that were not previously in its purview, such as electronic monitoring, cybersecurity/ransomware, and environmental, social, and governance (ESG).
Therefore, the compliance function assesses the organization’s risk tolerance level and highlights how enforcement agencies would view it when applying their principles to the effectiveness of the organization’s compliance program. Some of those principles can be summarized as follows:
- Whether the organization is making use of risk assessments.
- True commitment by the organization’s leadership.
- Adequate policies and procedures are in place.
- Autonomy and resources to carry out duties.
- Third-party management controls are in place and used.
- Training and communication are actively and continuously rolled out to stakeholders.
- Transparent reporting/whistleblowing mechanisms are in place and used.
- Incentives and disciplinary measures are used to promote good behavior and punish bad behavior.
- Improvements to the compliance program through testing and reviews.
Nevertheless, the compliance function should make measured recommendations more effective. If recommendations are too onerous, there is a chance that management might bypass them. If they are too soft, the probability of corporate misconduct increases. This is a delicate exercise, requiring soft and hard skills by the team.
The compliance function also sets its own strategic direction in line with the organization’s mission and vision. It does so by raising compliance to a strategic level, thus taking care that resources are allocated appropriately within its structure to support the organization’s high integrity standard. This is normally achieved through a set of processes covering, in general terms – risk prevention, detection, and response.
Moreover, there are extra scopes being put into the compliance function, in relation to corporate governance (i.e., ultimate beneficial ownership (UBO) due diligence, active involvement in legal entity set up/wind up) and corporate transactions.
Duties of a compliance officer
In broad terms, a compliance officer is in the business of persuading others to know where the lines of the road are, so that they drive between those lines. In other words, they help create an environment where honest and ethical behavior can be fostered. The true extent of what a compliance officer can do, however, still has not been fully grasped. It is one of those rapidly evolving positions where you must do your research, sit back a little, and think strategically as you learn and adapt.
Nevertheless, there are certain overarching duties of a compliance officer:
• Training and development
Compliance training rolled out on a regular basis (i.e., at least once a year) is essential to bring awareness of the organization’s rules and values. A mix of in-person and online training is preferable.
Training needn’t be limited to anti-bribery and corruption and should be wide ranging to include other areas handled by the compliance function. Nor should it be limited to a rules-based approach and instead should apply business cases to highlight how risks come to light. The importance is to educate employees on the ideals of goodness and keep them interested in doing the right thing.
Participation in investigations will depend on how much input the compliance function has in the area which is the subject of a complaint. For example, it will have a bigger involvement in investigations involving breaches of the Code of Conduct or anti-bribery and corruption matters than it might in human resources matters, which many organizations do not usually delegate to the compliance function unless a serious offence is raised.
In any event, it should seek to be the spokesperson for all compliance related matters under investigation and coordinate the direction of traffic. Generally, the compliance officer will be made aware of a complaint received, and the full extent of his or her involvement will ultimately be determined by the organization’s senior management and/or Audit Committee.
A compliance officer requires autonomy, adequate resources, and access to all the echelons of the organization. Therefore, they will, depending on the organization’s structure, likely have access and numerous [dotted or otherwise] reporting lines to the general counsel, chief executive officer, chief financial officer, business unit presidents, board, as well as the Audit, and Governance Committees. This provides the compliance officer with a solid understanding of the organization’s values and is a reminder to every employee at every level, including the board, that every stakeholder must behave with integrity and in accordance with the values enshrined by the organization.
Regular presentations to the board and senior management on the level of organizational risk exposure and mitigation strategies are a core feature of the compliance officer’s role. Such face-to-face interaction is also the ideal opportunity for a compliance officer to go above and beyond their presentation duties and make suggestions for improvements to the organization’s compliance program.
• Demonstrating value
Because of scarce resources, small compliance teams, and large workloads, it is crucial that the organization fully appreciates its value. Such recognition provides the compliance function with continuity and grounds to seek additional resources where and when needed. One of the best ways to show value is to ask the business how the compliance function can help it succeed in its objective and not to tell the business what to do. The latter is counterintuitive due to the business’s priority in showing its own value to the organization, normally by way of bringing in revenue (with healthy margins preferably).
• Reviewing policies and procedures
A review of the organization’s policies and procedures not only ensures they are up to date with current rules, values, and societal expectations, but it also helps strengthen the organization’s aim of building a cohesive and effective compliance program. In addition, compliance officers draft policies and procedures, such as the organization’s Code of Conduct, before driving policy forward.
Communication is key to winning hearts and minds, but compliance officers should balance the drumbeat. If their tone becomes overbearing and the message repetitive, it will be lost on the audience. Consequently, the end goal of driving compliance to every corner and level of the organization will somehow be defeated. Therefore, the compliance function should let the organization set the tone. Thereafter, the mission of compliance officers should be to help the business make effective decisions.
The compliance officer’s role is not to shout marching orders from the mountain top. Instead, it should be about supporting all the functions of the organization with their compliance needs. The compliance officer has diverse responsibilities and constantly debates at which table they should sit. The compliance function thrives and best serves the interest of the organization when it plays the role of team player and works in cooperation with the business in corporate transactions.
Compliance in corporate transactions
Whenever organizations grow, organically or inorganically, they increase output and business reach but also end up adding to their risk profile. Organizations are required to navigate through a highly regulated landscape during their day-to-day operations and intended growth process, consequently extending the reach of the compliance function to corporate transactions.
Whether an organization is buying, selling, restructuring, strategically disposing of certain assets, or exiting a market in order to focus and invest in other parts of its business, it will want to stay organized with respect to its compliance footprint. All parties to a corporate transaction will either look for or benefit from having the following in place to facilitate the due diligence process:
• Compliance data room
A separate compliance folder in the virtual data room should be set up by the compliance function as soon as they become involved in a deal. Access to this folder should not be made available to the other party of a transaction until the deal team is satisfied (under advisement by senior management and compliance/legal functions) that it provides transparent disclosure and that it does not contain strictly confidential or privileged information.
Such folder would include several sub-tabs covering, for instance:
1. Investigations and audits;
2. Due diligence reports (i.e., sanctions screening, ultimate beneficial ownership (UBO), new parties, distributors, etc.);
3. Compliance training materials and attendance records;
4. List of countries the organization has done business in over a selected timeframe;
5. List of top suppliers;
6. List of top clients;
7. Contracts, particularly with third-party intermediaries such as agents, contractors, logistics specialists;
8. Overarching framework documents such as policies, standards, and procedures;
9. Confidential documents, which the compliance function together with the legal function can later assess whether they are disclosable.
As soon as a transaction is known to the compliance function, the team should start sifting through relevant records — whether located on the organization’s intranet, in hard copy, or in the relevant function’s files. Every organization has different record filing systems, with some more sophisticated than others, but unless misplaced, records should be easy to locate. Such records might be in the form of due diligence questionnaires, memos, contracts, leases, etc. and would eventually, upon review, be uploaded to the Compliance Data Room.
During the due diligence process, the compliance function should interview key functional managers, such as procurement, commercial, human resources, business development, and business unit vice presidents. This is because the opposite party will want to gain the best understanding of the business and its inherent risks.
• Due diligence questionnaires
These lengthy questionnaires cover a myriad of topics and require the involvement of several functions, senior leadership, and outside counsel to complete accordingly. There are certain aspects that will require solely the compliance function’s work and others that will require its coordination with other functions.
Records of online and face-to-face compliance training sessions, including materials, presentations, and total number of attendees should be made available. These would demonstrate where, how, and when the organization’s messaging of ethics and integrity is rolled out to its stakeholders, thus highlighting one of the effectiveness principles of the organization’s program.
Oversight of corporate housekeeping is a task often delegated to the compliance function during corporate transactions, in order to check, for instance, that tax returns, corporate and regulatory filings are in order and duly filed with respect to the target entity (i.e., modern slavery compliance statements, updated list of directors and registered address, delegation of powers).
• Policies and procedures
Save for minor tweaks, it’s usually late in the game for the compliance function to start reviewing the organization’s policies, making amendments, filling in gaps, or even drafting and filing missing policies once a corporate transaction is announced. Material changes would likely require board approval and need to be disclosed to the opposite party who could interpret it as a bad faith move to hide shortcomings.
Identifying and seeking to minimize compliance risks the day after the corporate transaction closes is a challenge that must be quickly overcome. Ideally, post-closing integration planning and execution should start before closing, although that might not always be possible or practical. Nevertheless, there are some considerations to bear in mind:
Overcoming cultural differences in how compliance is perceived is one of the biggest post-closing challenges, mainly in mergers and acquisitions (M&A). Such differences will be bigger in cross-border transactions in which assessments on the level of risk will fluctuate dramatically from country to country. At that juncture, it is paramount to deliver a coherent message to all stakeholders starting with the tone from the top. Compliance training should also be rolled out organization-wide shortly after closing to reiterate the message.
• Standards of governance
The compliance function essentially rose out of a legal requirement for organizations to abide by an ever-increasing set of laws and regulations. Following closing, it is key to carry out corporate housekeeping, so that the same level of care and diligence is applied throughout the organization when it comes to governance requirements, such as, for instance, updating registers of new legal entities with the latest corporate information, preparing regulatory statements consistently, and filing them with the appropriate regulators.
• Representations and warranties
This clause in the transactional agreement sets the state of play (including with respect to governance and ethics compliance) when the agreement is entered into and provides for remedies in the event of inconsistencies. It is good practice to be familiar with it and carry out a review of the terms post-closing.
• Consolidation of policies and procedures
Irrespective of the shape or form the organization takes following closing, all policies and procedures should be consolidated, to avoid discrepancies, and be brought up to levels the organization is expected to have.
• Harmonization of terms and conditions
The organization’s terms and conditions for doing business must be immediately revised upon closing so that everybody sings from the same hymn sheet. Those will need to be adjusted according to the direction of the organization. If the organization has closed a cross-border deal, for instance, it must fully understand the implications of extra-territorial pieces of legislation, such as the Foreign Corrupt Practices Act 1977 (FCPA) and Bribery Act 2010 (UK Bribery Act).
• Integration of systems and processes
A multinational with different divisions spread out globally will undoubtedly face mismatches when it comes to the application of systems and processes, particularly in functional areas like procurement and supply chain, operations, and commercial. The gap usually widens further when organizations don’t have a centralized structure or offer shared services. Integrating systems and processes is therefore vital to realize synergies whilst mitigating risks.
Ultimately, the organization’s stakeholders must understand and own their values and business objectives. The compliance function will provide guidance to the organization’s assessment of risks, through a set of skills and tools at its disposal, including risk monitoring using technology. In addition, it now plays an active role in providing organizations with the opportunity and strategy to grow and embrace a safer version of globalization.
Clearly, there are increasing expectations for the compliance function. This is welcome news, as it seeks to distance itself from occasionally being seen as a cost burden. Instead, the compliance function is proving its worth by being present at different tables and in several levels of the organization, thus helping uphold ethical and honest conduct while ensuring business objectives are met.