Systems for Combating Criminality
Ernst & Young, Cologne, Germany
In 1969 in Palo Alto, California, Philip Zimbardo smashes the windshield of his dark blue car with a sledgehammer—and secures his place in the history of crime-fighting forever.
However, the man with the sledgehammer is not a notorious vandal. Zimbardo is a psychologist and a very renowned one at that. He is also a young man. On the day that he smashed the windshield of his car, Zimbardo was 36 years old and one of the youngest professors in the USA. The destruction of his car was not simply an outburst of rage but part of a social experiment that has significantly changed the way in which criminality is currently understood and combated.
A few weeks before the event in Palo Alto, Zimbardo parked a different car in the Bronx area of New York. He unscrewed the number plate and opened the hood of the car. Then he simply sat back to watch what happened. After only a few minutes, a family started to take the car apart and demolish it. He later found the car completely gutted after 3 days. A seemingly clear lesson: This is what happens if you park your car in one of the worst neighborhoods in the country.
Until Zimbardo took matters into his own hands and reached for the sledgehammer, the same experiment had been running for 1 week in sunny California without any vandalism at all; it seemed to have been set up in vain. A passer-by had even closed the hood of the car when it started to rain. But something remarkable happened next. Once Zimbardo had smashed the windshield of the car himself, other passers-by also started to vandalize the car, and the vandalism continued until this car, too, was completely gutted. And all this in a sleepy American town whose crime rate was negligible in comparison to the Bronx area of New York.
The observations made by Zimbardo were taken up by the social scientists James Q. Wilson and George L. Kelling in 1982 for their “Broken Windows Theory” (see Wilson and Kelling 1982; as well as Hess 2004). The theory proposes that serious crimes can be triggered by minor offenses. The metaphor for this idea is a broken window in a house that, if it is not promptly repaired, leads to the decline and criminalization of the whole city district. According to the theory, the first signs of social disorder already set off a causal chain reaction that increases the general level of insecurity and breaks down social control—thus promoting criminality (see Laue 2002).
Yet how do broken windows fit into the context of this book? The purpose of this small excursion into experimental criminology is to point clearly to those areas where it is really necessary to act in the fight against white-collar crime and corruption—namely, prevention and early detection. In a figurative sense, broken windows can also be found in commercial companies, where they gradually lead to major losses and subsequently develop into huge scandals. The process of identifying and repairing these windows, or better still preventing them from being broken in the first place, has become a key focus of corporate management in recent years. This concept is usually summarized under the keyword “compliance.”
It should be clear to everyone that responding only selectively, case by case, cannot be the way to protect company assets against criminality. Anybody who wants to effectively exclude the general risk of damage and personal liability is compelled to take systematic precautions—and not by entrepreneurial thinking alone, because the national and international legislative environment also pushes in this direction. After introducing the basic concepts behind “deviant behavior” from a criminological viewpoint and describing the methods used in forensic investigation, this chapter will therefore focus on systematic protection against white-collar crime and corruption.
Ultimately, the purpose is to ensure that all employees abide by existing rules—meaning they observe legal, ethical, and sector-specific rules, as well as operational and behavioral rules within an organization. Managers describe this observance of the rules today as “compliance.” Therefore, the targeted control and influence over this observance of the rules is called “compliance management.” The central organizational measures that a manager utilizes in order to establish, test, and strengthen this observance of the rules are combined together to form a “compliance management system.”
However, the intention is not and should not be to safeguard against every single conceivable act of misconduct. No compliance management system in the world is capable of achieving that goal. What compliance management should actually achieve is the prevention and early detection of systematic misconduct.
How this type of preventative system is created, and which processes, methods, and responsibilities are incorporated into it, will depend heavily on those areas of the company that are specifically at risk. This means that effective compliance management systems are—across the board—custom-built solutions. The reason for this is that they are directly based on the individual risks faced by a company, as well as its cultural and organizational characteristics.
The phrases “anti-fraud management,” “internal control system,” and “risk management” are often uttered together in the same breath as compliance management. However, it is not possible to clearly differentiate between these concepts without there being any overlap. These concepts are briefly explained below to help avoid any confusion.
The different terms have primarily developed over time and describe systems designed to identify and manage company risk from different perspectives. The “Internal Control System” (ICS) has its roots in accountancy and primarily focuses on the proper handling of accounting-related processes; for example, processes such as the separation of functions or the “four-eye” principle.
Over the years, these basic principles have also been adopted in other areas that do not have anything directly to do with accountancy. “Risk management” was initially based on a generic view of the detailed risks faced by a company, which are then systematically identified, analyzed, evaluated, monitored, and controlled. It is already possible to notice some overlap here with an internal control system. “Anti-fraud management” originated during the establishment of a more stringent internal control system following investigations into the financial scandals facing Enron, WorldCom, etc., and the term can be found, in particular, in the wording of the Sarbanes-Oxley Act (SOX).
“Compliance management” was motivated by similar events and developed, in particular, as a result of high profile competition violations in the areas of cartels and corruption.
Anti-fraud management and compliance management are currently moving closer and closer together. This is because measures incorporated into an anti-fraud management system to combat “fraud against a company” are often based on the same principles as measures found in compliance management that focus on “fraud by employees of a company.” A common feature here is that both disciplines aim to prevent intentional or negligent behavior that breaks the regulations or laws. The difference is that noncompliance can benefit the company in a superficial sense, while fraud always damages the company directly.
Alongside the issue of fraud, an internal control system is also designed to avoid errors—meaning damage caused due to negligent behavior. For this reason, it is self-evident from a criminological/criminalistic standpoint that the concepts of anti-fraud management and compliance management are set to converge.
It becomes clear at this point that the precise components incorporated into a fully functional compliance management system remain flexible to a certain degree, and can never be exactly the same due to the range of different business activities and the nature of each company’s corporate culture. This chapter will focus on the various steps that can be taken on the path to developing a tailor-made preventative system. A model will be presented that has proven itself effective both in the field of consultancy and in practical application—namely, the closed loop compliance system. This model aims to determine individual risk and create a system that protects, sensitizes, detects, solves, and learns—meaning it attempts to sustainably minimize damage caused by “deviant behavior” over the long term.
The fact that many more aspects apart from just controls and regulations play a role in the design and implementation of compliance management systems is part of a holistic approach to compliance consultancy that is gradually becoming established in the world of business. Especially if the objective is to use compliance management as an instrument for actively creating value, an approach that is based too strictly on the concept of control is more likely to achieve the opposite effect. Ultimately, it will prevent more business transactions than it enables. Practical experience has shown that anchoring the concept of compliance into corporate culture and management is a decisive factor in the success or failure of a system and it is increasingly important to “strike the right tone.” Interpreting compliance as a restrictive monitoring system is a completely understandable reaction, which unfortunately in practice very rarely achieves the desired goal. This is because it excludes the positive aspects that compliance can deliver to the company as part of the management system—especially in terms of value creation.
It is particularly these aspects, which are in essence of a commercial nature, that should be included in the discussions about a compliance management system. The fact is that targeted management measures do not only enable compliance to be tested but also increase the efficiency of internal processes.
The conflict between culture and control is an aspect that is only dealt with to a limited extent in the fight against crime outside of the business environment. For example, the American police authorities—particularly in New York—reacted to the “Broken Windows Theory” from Wilson and Kelling in the 1980s by almost universally introducing the concept of “zero tolerance” (see Dreher and Feltes 1997). In other words, by cracking down hard on crime. However, the fact that this strict approach is only one side of the coin when it comes to compliance management will also be part of this and the next chapter.
4.1 Critical Preliminary Remark on the Design of Compliance Management Systems
Whether there is really an explicitly stated legal obligation in Germany for managers to establish a compliance management system is not clear from a purely legal standpoint (see Moosmayer 2012, p. 5). Nevertheless, a range of recent court judgments sends a clear message. In accordance with the German Stock Corporation Act (especially Section 91 AktG) and the German Regulatory Offenses Act (especially Section 130 OWiG), the management of the company has a responsibility to ensure that the company does not suffer damage due to white-collar crime and corruption. This includes, at least indirectly, the development and supervision of protective measures. In an international context, the requirement to set up and maintain this type of preventative system is much more clearly formulated in SOX and the UK Bribery Act. These laws even predefine some of the content and individual elements required in a compliance management system.
Despite this obligation to protect the company, experience has shown that the way “deviant behavior” is handled is still characterized to a major extent by reactive thinking. A substantial proportion of companies still only respond once it is too late and misconduct has already caused damage to the company. There are only very few companies who really give any thought in advance to providing adequate protection against existing risk, even though the generation of companies and managers who treat occurrences of white-collar crime as isolated cases and either do not respond or only do the bare minimum required are indeed threatened with extinction. The consequences in terms of criminal liability are now simply too serious and sure to catch up with all those who do not emphatically embrace this subject sooner or later.
It is still likely that the extent to which a fully comprehensive preventative system can be established in a company is primarily dependent on the level of pressure perceived within the company. In purely objective terms: the more a company has suffered in this area, the more willing they are to protect themselves with preventative measures in the form of a compliance management system. Once misconduct and the resulting investigation become public, it does not take long before there will be a clamor for compliance. It appears that getting your fingers burnt still seems to be the best lesson when it comes to white-collar crime and corruption.
Following internal investigations or investigations carried out by the criminal prosecution authorities, the pressure to respond could, however, result in an excessive desire to take action. In many cases, this stems from a panic reaction to the increase in supervisory duties and personal liability. In other cases it results from a completely inappropriate overreaction to the act of deceit itself. Taking action for the sake of it and panicking when it comes to issues of compliance will almost inevitably lead to disproportionate controls being placed on employees. This is because anyone who is not aware of the types of risk faced in their various business areas, or how to tackle them in a targeted manner, will simply introduce control systems based on a “one size fits all” approach along the lines of the motto: “the more controls, the better.” Yet it has been observed time and again in practice that management systems that are hastily stitched together will fail sooner or later, or will progressively reveal their fragmentary nature.
The fact that this type of approach to compliance creates more problems than it solves will be discussed and demonstrated in Chap. 5. In this critical preliminary remark on the design of really effective compliance management systems, it is nevertheless vital to underline the fact that compliance systems introduced as control-oriented reactions to cases of damage often prove insufficient. Truly effective compliance management systems need to delve deep into the heart of the company and its business activities and, most importantly, deal with the relevant compliance risks in an interdisciplinary manner. In order to design and implement these types of programs, a certain degree of calm and careful planning is required, which is probably something that is only possible to a very limited extent after a case of damage in the company. However, there is something else that is even more important in the design process: Proper expertise and, where necessary, good consulting services.
It is not difficult to imagine how the boom in compliance, triggered directly by the events at Enron and WorldCom and the effect they had on the relevant legislature, also saw new providers of corresponding management systems spring up everywhere like mushrooms after a rain storm. What actually qualified these consultants to design, implement, or evaluate compliance management systems was not, for a long time, defined by any documented criteria. The IDW PS 980 standard from the Institute of Public Auditors in Germany now provides some standardization in this area, although the differences in quality within the field of compliance consulting remain huge. This can prove both costly and dangerous for anyone with an acute desire to take action but who does not have much experience with the subject matter.
There are in fact many possible approaches to compliance management and the methodological models used to implement it. Consultants constantly attempt to outdo one another with flowcharts, organograms, and particularly clever schematics to illustrate how the implementation of the “perfect” compliance management system can be realized. At the real heart of the matter, however, lies the interplay between the various areas of expertise that are required to make a compliance management system function properly. Therefore, it is helpful to briefly describe these specialist areas and which types of consultant are necessary to develop a properly functioning system.
An auditor (1) who is able to understand commercial business relationships and apply the right methodology to reliably check the correctness of balance sheets and reports will almost always be required. A lawyer (2), whose specialist knowledge guarantees that processes in the company will be implemented in a legally watertight manner and that the content of the compliance management system fulfils all of the national and international regulatory requirements, will also be very helpful. To be able to determine how white-collar crime and corruption develop in a company and how individual crimes run their course—or in other words what the modus operandi is (for this term see Berthel et al. 2006, p. 36 ff.)—there is no alternative but to engage the services of a criminalist (3), who can use their knowledge gained from the investigation of previous fraud cases to design precisely those mechanisms that are effective in real life. Finally, there needs to be a process consultant (4) who can integrate the developed system and its elements into the everyday business of the company and into all the company processes.
None of the different consultants mentioned here could develop and implement a comprehensive protective mechanism, able to withstand the threats faced in reality, on their own—irrespective of how large, small, specialized, or even one-dimensional the company may be. A lawyer lacks the criminalistic knowledge, while a process consultant has not mastered the auditing methodology, and so on. All of them thus benefit from each other. It is hard to say which expertise is most important in this team and it is certainly dependent on the individual company and the risks it faces. However, the consultant that is likely to be the most difficult to find on the market is the criminalist, as this specialist expertise can usually only be gained by working in the police service or public prosecutor’s office. It is naturally possible to participate in a training course and study relevant literature on forensic auditing, etc. However, there is no weekend seminar in the world that can really replace the experience gained from fighting corruption and criminality on a daily basis.
In the final analysis, precautionary compliance management involves the application of investigative methodology for the prevention of white-collar crime. Consultants and system architects that do not possess or cannot purchase this type of core expertise in forensic criminalistics are always faced with the danger that, while the early warning systems and controls they develop are methodologically sound, they themselves will nevertheless only really understand and hence be able to prevent the sociological phenomenon of “deviant behavior” to a limited extent. Crimes and the methods used to commit them will simply slip by their controls.
Experience has shown that many lawyers or process consultants who develop and provide compliance management systems tend to set them up in a very formal and systematic manner, with the result that they only scratch the surface of the real problem. Therefore, the focus should always be placed on identifying critically afflicted areas of the company and from there develop precisely those controls that can really help to prevent manipulations or other “deviant behavior” in the long term. It is certainly also clear that a compliance management system can only be effective if it “understands” the company. The system will then in turn be understood, accepted, and sustainably implemented within the company.
Before we follow this preliminary remark by looking at the “compliance loop” as an effective model for compliance management systems, it is first necessary to reflect on the basic concepts and fundamental principles of compliance management. This is because no matter how well a compliance measure is designed, it remains nothing more than a patchwork solution if the right prerequisites have not been met in order to effectively integrate it into the company. In simple terms, this means that something along the lines of a “compliance organization” must be installed and networked throughout the company—based on fundamental concepts that will ultimately guide the entire system.
4.2 Methodological Principles for Compliance Management
Anyone who wishes to tackle the subject of compliance in a structured manner by setting up a management system and anchoring the concept firmly in the company should not make the error of pressing ahead without proper consideration—even if the regulatory pressure is high. In a similar way to every other strategic company issue, good and solid planning will always prove more successful than hectically rushing around and giving in to the desire to simply take action for the sake of it. This is particularly important because compliance is a subject that can have a profound effect on the whole company—both for the good and for the bad. Therefore, before we outline an example model of a compliance management system with all its elements and interrelationships, it is necessary to answer some fundamental questions: What form could a compliance organization in the company take? How is it possible to prevent this organization existing in isolation within the company? How can it be guaranteed that the subject will be taken seriously throughout the company and also by business partners? Where can and should compliance be anchored in the company and backed up with personnel and processes?
Before we even give any further thought to the concrete risks faced by the company or the organizational approaches for implementing compliance measures, it is necessary to clarify some basic methodological principles. These form the foundations upon which everything else will be built. If these foundations are unstable, there is a danger that the whole system will collapse in on itself like a pack of cards at a later point in time. What do we mean precisely when we talk about these basic foundations?
The first thing to realize when talking about the subject of compliance management is that we should really be discussing integrity management. This is because persuading employees not to infringe on the legal regulations or other defined rules is what lies at the core of the issue. In other words, they must act with integrity.
This type of infringement can be carried out intentionally—with the person’s full knowledge—or also due to negligence. Or in some cases it could also originate due to a mistake or because the wrong priorities were set. In this context, regulations or controls act as nothing more than aids because they only limit a person’s freedom of action to a certain degree and can be overcome or disregarded. A brief look at the daily events reported in the economic press and the lessons learned from the latest fraud and corruption cases will certainly support this presumption.
Therefore, compliance management is basically the responsibility of personnel management. Yet it is also much more: compliance is also a social responsibility. After all, employees do not change their personality when they enter the company premises, but are shaped by the influences in their private and social environments. Nobody should deceive themselves by assuming that white-collar criminals are socially isolated beasts. This fact alone implies that corporate culture plays a crucial role in what lies behind all of the measures for guaranteeing integrity in everyday business practices. If this culture tolerates corruption then all of the measures constituting the compliance management system are ultimately pointless. Both the innate creativity of humans and their drive to break the rules are simply too great.
The key phrase here is “integrity management.” The objective behind compliance management systems is to prevent negligent or intentional misconduct by employees. The boundaries independently imposed within these systems regularly go above and beyond the legally defined limits. Why is this the case? On the one hand, because the company is aware of their social responsibilities and does not want to be perceived to be a company that pushes the legal boundaries. On the other, it is to try and avoid further measures being taken by the criminal prosecution authorities or other supervisory bodies that would result in legal regulations being introduced to prevent even the smallest hint of noncompliance.
It is thus only logical to take advantage of crime prevention models when faced with the question of how to systematically prevent misconduct. When one looks at leading compliance management systems around the world, which are based on the so-called “3-pillar model” (prevention—detection—reaction), this only confirms the rationale behind using crime prevention instruments.
For the purpose of clarification, measures for “prevention” focus on the awareness of the employee and are also designed to help support correct behavior. “Detection” involves management measures that serve to monitor the system. And the area of “reaction” covers all actions dedicated to handling cases of noncompliance, as well as making any necessary adaptations to the system when the risk landscape changes.
The question that now naturally arises is how this type of system can be integrated into a company. The so-called “Three Lines of Defense” model provides practical assistance in this area (Fig. 4.1).
Fig. 4.1 The three lines of defense model
The first line of defense against noncompliance is the operative business of the company itself. The employees working in this area must be able to recognize and manage those risks that arise in their everyday business. This requires, as already mentioned, a corresponding level of awareness about the risks and additional measures for providing assistance—such as guidelines or software and applications that control the relevant processes. Employees must be fully aware of their responsibility for their own actions during everyday business. They must not get the impression that their colleagues in the compliance organization are solely responsible for reducing risk.
The compliance organization itself represents the next line of defense. For example, it is there to clarify the situation where there is doubt or handle inquiries relating to specialist analyses for pending business transactions. The legal department or the corporate security department can also provide assistance in this area. A good example here would be a planned business transaction abroad in a high-risk country that involves the intended engagement of an agent.
The third line of defense is internal auditing. Downstream, targeted auditing of compliance verifies that the compliance management system is working as designed. Alongside process-related auditing, this line of defense also requires transaction-related auditing—so-called “ex-post” auditing.
Here is a brief summary: it is particularly important that management personnel take a serious approach to compliance. This approach, together with the corporate culture, will form the backbone of the entire system. The 3-pillar model and the “Three Lines of Defense” will ensure that the system will be designed to prevent crime and guarantee that the concepts behind it become securely anchored in the company.
So far so good, but now the question of what precisely the compliance management system should be targeting naturally arises. A brief anecdote provides a good insight into the problem. The managing director of a company explained once that his compliance officer had identified over 200 laws that were relevant to the business and with which it was necessary for the employees of the company to comply in future. Among others, they included the Dog Owner’s Ordinance (Hundehalterverordnung) issued by the city council in Berlin, because the company had a guard dog at one of the company locations.
This clearly illustrates that while one cannot simply dismiss things such as the Dog Owner’s Ordinance as unimportant when (further) developing compliance management systems, it is also not necessary to reinvent the wheel. Rather, the goal should be to establish the strategic priorities for the company. The real reason for dealing with the subject of compliance is primarily the fact that the massive corruption, fraud, and cartel cases, as well as data protection infringements, have demonstrated that the previous management systems in the companies concerned did not have this subject sufficiently under control.
Nevertheless, compliance management systems have actually been used in most companies for a while now. And management systems have been around for even longer, for example, to ensure that tax laws are correctly observed in the tax department. Accounting departments also have systems for properly managing financial reporting requirements and the accounting process. In the example above, the situation would, in all probability, already have been handled by the corporate security department responsible for the guard dog.
This view of compliance management serves to introduce the next requirement, the perspective of management personnel and corporate culture having already been discussed above: once the organizational elements have been clarified, it is important to decide which risk areas or legal spheres should be targeted by the newly implemented or refined compliance management system.
A short tour of the methodological principles here should highlight the fundamental elements that need to be included in a compliance management system: compliance culture, compliance objectives, risk management, compliance organization, compliance program, compliance communication, and the permanent monitoring and improvement of the system. Incidentally, these seven basic elements are found in IDW PS 980, which is the auditing standard for testing compliance management systems. This standard is formulated quite generically on purpose and will be discussed in more detail at the end of the chapter.
4.3 Compliance Culture, Compliance Objectives, and Compliance Communication: Elements of Strategic Corporate Management and the Management of Personnel
The corporate culture, compliance objectives, and compliance communication are inextricably linked in the compliance system and thus also in the strategic corporate management and the management of personnel. Before we consider these elements and their interrelationships in a little more detail, it is necessary to first take a look at the abstract concepts behind this subject. It is worth examining the prevailing general management culture, which has been influenced by the economization of incentive structures over recent decades in the Western world.
Comments on the Prevailing General Management Culture
The prevailing management culture continues to be strongly influenced by the “Chicago School” (for more on this term see Reder et al. 2008), whose guidelines and economic concepts have developed from their origins in North America in the 1960s into the paradigm of the modern global economy. The Chicago School and probably its best-known and leading thinker Milton Friedman (1912–2006) understood the economy as follows: the state must not constantly control and reprimand its citizens in their search for prosperity. Entrepreneurial activity can only develop for the good of society if there are free markets that regulate themselves (see Friedman 2004).
These ideas are based on a concept of humankind that has increasingly started to crumble. Economic behavior—according to the representatives of the Chicago School—can be almost totally explained by the neoclassical price theory. At the center of this explanation is the concept of “homo economicus,” whose purpose in life is to maximize his or her own benefits (see Franz 2004).
In order to demonstrate the relevance of these ideas for the modern world, one interpretation of the financial and economic crisis in 2009 stated that the dogma of self-regulation had turned out to be a disastrous fallacy. This was a dogma that had symbolically collapsed along with the investment bank Lehman Brothers and large parts of the global banking sector.
It is not possible at this point to conclusively evaluate whether those events surrounding the recent banking crisis will really lead to a fundamental and enduring rethink of management culture. A rethink of the general management and leadership culture would nevertheless be desirable. There is certainly room for improvement, above all when it comes to handling risk. The financial crisis clearly demonstrated that the neoclassical school did not help to spread corporate risk but at best helped to obscure it (see Faller and Otte 2011).
Paul Volcker, former Chairman of the Federal Reserve in the USA and a somewhat controversial national hero, was correct when he stated that the “financial markets are not mathematical but rather human creations” (see ibid.). Therefore, it is not possible in any way to predict human behavior using statistical models and economic theories.
This rethink also needs to play a role in the design of compliance management systems. The design process should not focus on standard procedures and formal legal considerations. Instead, it should place the spotlight on people—not as purely economic creatures but first and foremost as social beings. This makes an examination of employees and the corporate culture indispensable to the development of a compliance management system.
4.3.1 Examining Employees and the Corporate Culture
“Deviant behavior” is more than just a mathematical phenomenon and its genesis is strongly shaped by the social environment of those people involved. Therefore, a risk assessment used to provide the foundations for a compliance management system must get right inside the company and put out feelers to identify attitudes and, in a broad sense, the customs found within the corporate culture. In contrast to the process-oriented examination of risk, the focus here must be placed to a much greater extent on management personnel and the whole area of human resources (HR).
What kinds of characters and personalities are there working in the company? How is the market and market behavior determined overall? How high is the turnover of employees? Do employees challenge work directives or do they follow every order without question? How fairly or unfairly does the company remunerate its employees? Is the company active in different cultural circles? If so, have the different cultural values held by employees been adequately integrated into the evaluation of culture as a factor for compliance?
There is currently still a lack of measurement instruments for gaining a clear understanding of the bigger picture at the level of “corporate ethics.” A feasible alternative could be to hold discussions or design questionnaires on, for example, perceptions about leadership styles, working atmosphere, awareness of controls, or the emphasis placed on success—carried out at all company levels and within all of the different cultural circles.
4.3.2 Harmonizing Compliance Objectives and Compliance Communication
In order to avoid unnecessarily isolating the idea of compliance in the company before it has even been born, it is advisable at the very least to compare the compliance objectives with the general business objectives. Designers of compliance management systems will have created a true masterpiece if the compliance objectives are as congruent as possible with the strategic company objectives. After all, conforming to the regulations and achieving business success seem to stand in opposition to each other often enough in real life—consider the whole area of corruption and the dilemma in the examples that have been described here between breaking the rules and achieving success.
The process of defining and formulating the objectives will impact on the cultural components of compliance. The term compliance culture encourages us to imagine that a concept such as culture can be managed. It isn’t possible—at least not directly. However, it is certainly possible to create the conditions in which the compliance culture can exist. This could mean holding discussions internally about the integrity-related principles of the company and deriving elementary behavioral guidelines from them—providing a frame of reference in which a culture of compliance can develop over time.
One aspect is particularly important in such a process: the so-called “tone from the top,” meaning a clear commitment from the management of the company to integrity, observance of the regulations, and the management of compliance with all of its implications. In contrast to other management programs, the acknowledgement and active involvement of the CEO/managing director is not just something that is nice to have. It is an absolute necessity. If this tone from the top is missing then nothing can be achieved in the area of compliance—at least nothing that will prove effective in the long term. Why is this so? Because a lack of credibility and assertiveness will be used as an excuse by every manager to the management board as to why they should not have to stick to the rules. Compliance will remain just a phrase and the measures merely a tempest in a teapot—and in the final reckoning it will all be a waste of money.
If the chairman of the management board can only muster up enough enthusiasm to read out a speech announcing the compliance management system and then endure the rest of the ceremony until he can at last delegate this bothersome subject to the deepest echelons of the company, it will be very plain to every employee just how seriously he is taking it. Yet it could be so easy to have the opposite effect!
The chairman of the management board could credibly convince his board members—the executive level of the company—and all other employees that he is serious about the subject of compliance. By behaving as a role model, his actions will have a knock-on effect in many places, ensuring that the subject can be sustainably positioned within the company and be effectively maintained.
So the decisive factor in this context is the philosophy of “walk the talk,” meaning that all of those at a management level must fulfil the obligations they have themselves made and which they also expect their employees to fulfil. In the worst case of an incident of noncompliance, this means that when applying sanctions, there can be no difference between how white-collar employees and blue-collar employees are handled. In the event of misconduct, even the best horse in the barn must also be liable for punishment. In other words, even top-performing sales employees must be made to leave the company in the event of misconduct.
4.4 From the Risk Assessment, Through the Compliance Program and Compliance Organization to Constant Improvement: The Control Loop for an Effective and Sustainable System
4.4.1 Compliance Risk Assessment
At the heart of every compliance management system is the risk assessment. As already described above, the first step is to identify the significant compliance risks faced by the company. The examination of these risks must be carried out from a number of different perspectives.
1. “In what regulatory and legislative environment are my business activities conducted?” It is important to take into account here any special features that relate to the specific sector or country.
2. “Do I want to obligate myself to additional voluntary commitments that go above and beyond these regulations and laws?” For example, the UN Global Compact or voluntary national recommendations relating to corporate compliance.
3. “Does my company already have management systems in place for the identified regulations, laws, and voluntary commitments that could be described as compliance management systems?”
It is now necessary to carry out a detailed risk assessment for the relevant legal areas and voluntary commitments. A common error at this point is to dispense with a further detailed assessment of the relevant legal areas and to turn to a “one size fits all” solution offered on the market.
This is why many compliance officers often make statements about the subject of corruption such as “we require a whistleblower or ombudsman solution,” “we require guidelines for the issuing and receipt of gifts,” “we require a process for checking business partners,” “we require training,” and so on.
Yet questions about which business areas, employees, and business events are actually exposed to corruption risks often remain unanswered, leaving many follow-up questions also unresolved: How exactly does the problem look on-site? What could be a possible solution? In what form could these manipulations actually occur so that, for example, bribes are not immediately noticed? Relatively little thought is given to all of these issues.
Instead, organizations are loaded with standard solutions whose effectiveness or efficiency has not been satisfactorily evaluated. The consequences are that in difficult and unclear situations, organizations will face a greater burden rather than a lesser one, and employees will start to complain about the rats’ nest that is the compliance system.
It is for this reason that it is absolutely necessary to carry out a risk assessment at the level of the daily activities carried out by vulnerable employees in business areas that are fraught with risk. In the practical example of the fight against corruption, this could mean reproducing step by step the processes carried out by the sales employees.
However, this does not mean that the assessment has to be carried out for all sales employees individually. Groups should be progressively formed based on risk profile, existing decision-making authority, the standardized processes followed, the characteristics of business partners, or the employment of agents.
The completion of an adequate risk assessment is very important. All of the information gained in this process delivers starting points for developing the risk-reducing measures that will become part of the compliance management system. They could be measures in the areas of prevention, detection, and reaction—or the focus could be on the question of which line of defense should be used to define relevant responsibilities.
It is not possible to provide sweeping answers to these questions as the standard solutions offered by many consultancy and compliance system companies attempt to do. These answers need to be individually compiled and tailored to the type of business activity or culture upon which the company is based. Incidentally, there is not just one culture within a company. In international business transactions involving national companies within large corporations, a wide range of different cultures can be encountered with differing practices and behavioral patterns when it comes to the acquisition and processing of orders.
Of course, no company starts with a blank sheet of paper when it comes to a risk assessment. In many cases, it is likely that the critical areas of the company have already been identified. Construction companies will probably place their focus on the area of corruption, while commercial companies will need to provide more protection in the area of cartelization. And those companies that have to manage a lot of company data will focus on the area of data protection and concentrate their activities accordingly. The area of data protection is always also linked to the question of how the works council should be involved. Meanwhile, banks and insurance funds are increasingly confronted with issues of money laundering and transaction integrity. Chemical and energy companies are required to deal with the issues of work safety, environmental protection, and production risks to an ever-greater extent. And a subject that is becoming increasingly relevant, especially for technology companies involved in foreign trade, is global sanctions. Let us briefly look at the example of a company that manufactures metal alloys and operates as a supplier for the aviation or arms industries. The management of the company needs to ensure that their products are not delivered to countries on international sanctions lists or those subject to other restrictions according to the Military Weapons Control Act (Kriegswaffenkontrollgesetz—KrWaffKontrG). As it is an extremely sensitive area, no tolerance is usually shown for negligence. In companies whose business activities involve the manufacture of military weapons, compliance management must thus pay particular attention to the supplier chain and customer network in order to guarantee that their company is not unknowingly arming the dictators of this world with fighter jets or rocket technology.
This example alone demonstrates that a risk assessment must generally encompass much more than just the area of corruption in purchasing and sales. Although these areas have been forced into the center of public attention—to a major extent due to recent large cases of corruption—they only actually account for a small proportion of the risks that a company must identify, evaluate, and cover. The fact that there is constant need for adjustment within a compliance management system is also due in some respects to the current trends in criminal investigations and the increasing level of regulation. For example, the sanctioning of antitrust crimes has become so professional in the last few years that it makes a lot of sense to once again carry out a root and branch review in this area—and to introduce any necessary improvements.
Those who carry out risk assessments naturally find themselves in a state of conflict between acting appropriately or overzealously. How much is enough? When have all of the relevant risks really been covered and sufficiently integrated into the design process for the compliance system? Can some legal regulations be treated as poor relations just because they do not represent a threat to the existence of the company? In this context, it is once again all about the interplay between, and utilization of, those different areas of expertise described above. If a company only commissions a lawyer to collect information on areas of risk in the company then it is possible that he or she will search out hundreds of laws and regulations with which the company should comply—dealing with issues from military weapons through to guard dogs. In cooperation with experienced criminalists and auditors, however, it is then possible to determine which of the many regulations are really relevant and already covered by existing management systems, or which ones still need to be covered by a separate compliance management system.
The key to a really beneficial risk assessment is, therefore, to find the right focus. What is the result of integrating all of the conceivable risks to the same extent into the compliance management system? In the first instance, it will result in lots of duplicated work and unnecessary bureaucracy. This is because the company that is now developing a compliance program did not only start up in business yesterday. Lots of areas that are identified as playing a significant role in terms of compliance in the review of the current situation will already have been dealt with by other organizations within the company. As already mentioned, the tax department at the company will already have looked closely at those regulations relevant to them. The same will also be true for individual areas such as work safety or environmental protection. Thus to inspect all these areas again in order to evaluate them from a compliance perspective at the top decision-making level only makes sense to a limited extent. It is much more important that all of these components are brought together, coordinated, and kept up to date by a—perhaps newly created—specialist compliance department.
The purpose of focusing on risk in this design process is to give the resulting compliance management system a clear direction. This will help avoid searching in vain for a miraculous, oversimplified solution, or attempting to integrate everything possible to an equal degree. The more clearly and precisely top management can identify those really acute areas of risk and secure against them by employing sensible measures, the more understandable and acceptable these measures will be for the employees themselves. A standard solution that can “do everything” will simply be perceived as less urgent and less significant—and will be implemented as such—than a focused solution that starts working precisely where the need for action is the greatest.
The need for action is basically driven by two factors that will give the risk assessment some direction. These two factors are the previous cases of misconduct within the company and the prevailing risk potential. It is worth taking a brief look at other high profile cases either within the sector or which developed across related sectors, in order to develop a feeling for your own risk. When these two factors are examined in relation to one another, the real areas where action in the area of compliance is needed very quickly become apparent. The result will also naturally depend on the level of willingness to honestly evaluate the situation. And this in turn depends on the question of how much emphasis is given to each area. Is it worthwhile investing a lot of work in the development of compliance measures in the area of data protection or money laundering if this type of misconduct has never occurred in the company? At first glance the answer would be “not really”—except if the risk potential is so high that one single case of misconduct would immediately lead to criminal charges, arrests, cover stories, disgorgement settlements, or exclusion from certain markets.
This small example is designed to show that risk, from the perspective of the previous exposure of the company, needs to be balanced against the probability that noncompliance will occur6 together with the possible consequences for the company. There is nothing else that clearly distinguishes a sensible risk assessment from a useless one.
This also explains why the majority of compliance measures implemented in German companies are likely to concentrate on corruption and cartelization. There is a need for action in these areas because the payment of bribes and corruptibility were for a long time routine and were practically part of the business culture. However, these offenses are now forcefully pursued and punished by legislators, crime prosecution authorities, and, not least, the public. The same is also true for the area of cartelization in which fines totaling millions and even billions now appear to be normal. The subject of data protection is a similar burning issue for companies, fuelled by a diverse range of public scandals, for example eavesdropping on employees at Deutsche Bahn or the theft of customer data at Deutsche Telekom.
Viewed in a pragmatic sense, compliance takes two types of risk into account. On the one hand, there are those risks that are a priority for the company and which result from the direct business activities of the company. There is a real probability that these risks will occur and they are correspondingly sanctioned by legislators. Prevention in the form of compliance management clearly focuses on these risks and is designed to systematically reveal and prevent misconduct in these areas. The compliance organization and top management clearly and precisely identify these risks and handle them as a priority when it comes to the company’s public image.
On the other hand, there are also so-called “secondary risks” that result to a lesser extent from the direct business activities of the company and which could occur in practically every company. A good example of this type of risk is taxation law. Every company is obligated to pay tax and ensure that they do not evade tax or defraud the government. However, focusing the entire compliance program on this subject would only really make sense for a handful of companies—such as banks. This does not mean that companies should simply disregard the secondary risks. The role of the compliance organization and the corresponding compliance management system is less to act as a direct driver of compliant behavior in this area and more to act as an intermediary between existing departments in the company who are already actively involved in these issues.
After looking at the fundamental approaches to the risk assessment and the “plea” for the prioritization of risks, it is now necessary to examine each of the questions that must be asked in the risk assessment. The starting point is the relevant laws. The subject of corruption will be used as an example here because it provides a very tangible and vivid representation of the methodology behind a professional risk assessment. The majority of those compliance management systems that are actually being applied will focus on the area of corruption—which is once again due to the consequences of major corruption cases.
Step 1: Gain an Overview of the Relevant Legislation
As already mentioned, the relevant legislation and the corresponding enforcement of this legislation form both the basis and main driving force behind systematic compliance management systems. Although it is true that compliance management systems often go above and beyond the current legal framework, their fundamental function is nevertheless to establish compliance with the law in the operationally active areas of the company. Therefore, there is generally no way to avoid having to take full stock of all of the legislation relevant to the company. It can usually be expected, however, that any normal legal requirements will already be covered by existing systems.
Step 2: Compare International Standards
The business activities of most companies in Germany are not only limited to Germany. It is therefore necessary in Step 2 to compare the already introduced compliance “guidelines” with international legislation at a state or EU level. Of course in the first instance, this means observing the operative regulations that are in place at a local level. Anybody building a dam in Brazil must naturally ensure that all of the relevant construction regulations and guidelines according to Brazilian law are observed. The greatest areas of risk in this example would probably be work safety and environmental protection.
As every form of business abroad—whether it is the construction of a dam or anything else—now represents a possible gateway for corruption, the examination of the legal regulations valid in the respective country becomes a self-contained step in the risk assessment. The reason for this is that the various legal regulations and provisions, which were already introduced in part in Chap. 1, differ across the world. The question should always be formulated as follows: “What international laws are valid for my business activities and what standards do they impose on the compliance management system that I am establishing?”
Here are a few examples. The most complex law with the greatest level of detail in its requirements is the UK Bribery Act. It is currently the only known law that prescribes concrete due-diligence checks—in other words integrity checks—for business partners. And this is a legal obligation not just a sensible recommendation. In their guidance papers, the authors of the UK Bribery Act, the UK Ministry of Justice, and the UK Serious Fraud Office (SFO), also specify additional elements that must be incorporated into a compliance management system (see Ministry of Justice 2011). These include:
Proportionate procedures—clear and unambiguous guidelines, regulations, and processes dealing with fraud and corruption
Top-level commitment—obligation for the top management level to clearly commit and actively contribute to compliance
Risk assessment—a company-specific risk assessment
The already mentioned due-diligence checks on business partners
Communication and training—sustainable implementation and adequate training of all employees
Monitoring and review—monitoring, auditing, and further development of the compliance program
If the UK Bribery Act is considered not just in terms of the elements dealing with criminal prosecutions, but also in terms of its implications for compliance management, it becomes clear what a hugely significant piece of legislation this is. It leaves those responsible in the company with almost no scope for deciding how to design their own preventative systems, but instead clearly dictates very concrete procedures. Even if existing compliance programs already meet the required standards set by the regulations from the FCPA or IDW PS 980, they could nevertheless still prove insufficient in the eyes of the UK Bribery Act and thus require some adaptation. Therefore, it is necessary to check very carefully whether your own company could fall under the jurisdiction of the UK Bribery Act.
The prerequisite for the application of the UK Bribery Act is proof of “carrying on a business or part of a business ‘in any part of the United Kingdom’”. The country or the affiliated company in which the questionable action took place is irrelevant in this context. As long as the action is considered punishable in Great Britain, it can now also be pursued worldwide under the UK Bribery Act as a punishable offense. This means in practice that it could be possible for British crime enforcement authorities to carry out investigations at German companies in Germany. In accordance with the guidance papers issued by the UK Ministry of Justice, a company is regarded as carrying on a business or part of a business, for example, if:
a German company conducts or has conducted business activities in Great Britain
the employee that carried out the questionable action is a British citizen or is considered to be subject to British law for other reasons
the affected company used British service providers to develop its business activities. This means, for example, maintaining a British bank account, operating a British Internet domain, etc.
In the area of compliance standards, the British with the UK Bribery Act are without doubt setting the pace in the area of global corruption legislation. The Federal Republic of Germany is handling this subject a little differently. German legislation more or less only stipulates that business is to be conducted cleanly. Meanwhile, the interpretation of these laws is being established slowly but surely through court judgments. These developments have also gradually led to standards of a sort. However, these standards do not stipulate actual concrete steps, such as a due-diligence check for business partners or the institutionalization of compliance training.
In American legislation, the situation has developed in almost the reverse order. The precise elements of a compliance system are not formulated very clearly in American law. For example, SOX also only mentions the provision of an “adequate preventative system.” The yardstick for designing compliance management systems according to American standards is instead the US Federal Sentencing Guidelines.7 These guidelines control the sentencing policies used for infringements against American federal laws.
If a company appears in court to answer to a case of corruption, it will generally receive a lighter punishment if it operates a compliance management system. The US Federal Sentencing Guidelines define the components that need to be included in the compliance management system before the mechanism to enable leaner sentencing can take effect: for example, compliance with the regulations is incentivized in the company, whistle-blowing systems have been installed to motivate informants, or regular compliance reviews are carried out. The compliance standards are thus not part of the wording of the law like in Great Britain, but can nevertheless be found by looking a little deeper into the judicature.
In order to fall under the jurisdiction of the American legislature according to the FCPA or SOX, it is simply sufficient—as described in Chap. 1—to have a subsidiary listed on the American stock market or to have paid or received bribes in US dollars. The Americans, in the form of the SEC or the Department of Justice (DOJ), have—to put it mildly—been extremely aggressive when it comes to interpreting their right of jurisdiction. It is possible, for example, that the US authorities will intervene if they become aware of, or feel they have jurisdiction over, a German company with “significant business relationships”8 in the USA that has become embroiled in a case of corruption somewhere else in the world. This could be for the simple reason that they are perturbed by the fact that one of their market participants has apparently not been maintaining clean business practices.
Representatives of the American authorities may then express their concerns along these lines: “We are currently examining whether this case falls under our jurisdiction. In order to avoid any difficulties, it would be helpful if you could answer a few questions about the case for us.” The company in question on the other side of the Atlantic may then respond: “Dear DOJ, you are welcome to check the legal situation but it does not fall under your jurisdiction.” This exchange initially sounds harmless, but there is nevertheless a certain level of threat involved: does the company answer the questions or not? After all, the company does not want to sour its relationship with the Americans or possibly be excluded from the American market. If it cannot be demonstrated in such a situation that the American compliance standards in terms of the US Federal Sentencing Guidelines were properly fulfilled, there could remain the threat of fines or subsequent criminal prosecutions.9
Whether and to what extent international standards and jurisdiction apply beyond German borders, and as such should be integrated into the development of a compliance management system, must be checked in each individual case and must subsequently be kept up to date. As part of the evaluation of the current risk, this process should be carried out for all countries in which the company operates and for all countries where there are companies with which business is conducted.
Ideally, a map should be created that illustrates the relevant legal and regulatory situation in all countries. When implementing this first pillar of an effective compliance management system, there are two possible approaches: take either the highest legal standard from across all countries and apply it to all company affairs, or deal with the situation individually for each country. If each country is dealt with individually, there will of course be the risk that at some time or other a regulation or provision may be overlooked. This choice also presents the architects of the compliance management system with a dilemma: the country-specific solution requires more effort as it will involve many different independent cells, which must each be kept up to date. The more comprehensive solution of taking the highest standard can, however, cause a lack of understanding in the national companies. “Why are we now being audited in this area? It is not even relevant to us.” This is the type of statement often heard from employees at middle management levels.
If both approaches are weighed against one another, the solution using an overarching, higher compliance standard implemented across the whole company appears to be much more feasible and provides greater security from an organizational and commercial standpoint. With this solution, only minor improvements will be necessary later on, because the key aspects are already defined when the compliance measures are rolled out. In addition, it reduces the need to tailor the communication of these measures to different parts of a large organization, which in turn limits the scope for interpretation and deviation.
In summary, the first steps of a risk assessment should involve an examination of the relevant legislation together with any international equivalents, and the question of which laws and regulations apply to the company worldwide. In which areas is it absolutely necessary to guarantee compliance everywhere? In the next step, the company and its different areas are examined in more depth in order to compare the legal regulations with day-to-day reality. The goal here is to develop preventive measures that bring the required and the actual behavior closer together.
Step 3: Identify Concrete Areas of Risk in the Company
Once the legal environment has been clearly defined, the next question is which areas of the company are affected by the legislation. To answer this question it is necessary to delve deep into the company's processes and find starting points that help to decide which control or measure best covers the risks in which areas. As the range of possible risks is simply enormous, the focus at this stage is on the methodology behind the risk assessment rather than on providing a full list of all imaginable risks faced by the company. We will once again look in more detail here at the example of a risk assessment for corruption. Ultimately, this concluding step in the risk assessment requires fundamental criminological knowledge of how white-collar crime develops. Against the background of the relevant laws and regulations, it is important at this stage to ask the right questions about how misconduct arises. These questions are then answered in the next phase of the process, “detection.”
In order to identify critical areas of risk in the company, a number of practical approaches are recommended.
4.4.1.1 Evaluating Previous Cases of Misconduct
No company is keen to delve into its own cases of misconduct from the past. If the people who were involved are still employed at the company, or if cases of “deviant behavior” were locked away and treated as a taboo subject, a serious reappraisal of the events is particularly difficult. However, an external risk consultant should not make any allowances for these issues. Gathering precise information about the cases of corruption or fraud experienced in the past helps the consultant enormously: What exactly happened back then? Which control measure failed? What was the response to the case? How great was the damage to the company? What motivated the perpetrator? Were the controls subsequently improved? What role did leadership and incentive structures play in the misconduct?
An experienced criminalist can use any available fraud and corruption reports to identify patterns in, and starting points for, systematic misconduct. The consultant will derive little benefit from examining each individual case in detail. However, the consultant will certainly notice if the same patterns of fraud and corruption have recurred in different areas of the same company: for example, if engineers have bribed the same construction company in different countries in the same way, or if repeated cases of similar inconsistencies are identified in goods purchasing or stocktaking. Systematic risks can thus already be recognized at this point and then examined in more depth.