With risk and compliance policies in the spotlight, companies and in-house lawyers are finding they can no longer hide from changing attitudes to such issues. Helen Mooney reports on the progress being made

Companies both large and small have had to wake up to the fact that compliance and ethics are an important part of doing business as tightening regulations, political pressure and the potential fallout from bad publicity have forced these issues into the spotlight.

Businesses operating in heavily regulated industries such as oil, gas and pharmaceuticals have traditionally led the way when it comes to risk and compliance issues.

But the world, it seems, has moved on. And, as the issue grows in prominence, many FTSE 100 companies have brought their compliance function firmly in-house, rather than leaving it as an issue for external lawyers and accountants to deal with. 

In many cases, it is the legal teams and GCs who ultimately answer to the board on both compliance and ethical issues.

headinsand1-webShifting focus

There can be no doubt that increasing levels of legislation specifically aimed at compelling ethical behaviour by companies has focused minds. The UK's Bribery Act is one well-publicised recent example, while in the US the Sarbanes-Oxley Act and Foreign Corrupt Practices Act are other more established examples.

According to Jacqueline Barrett, a qualified lawyer and group compliance director at Vodafone, there are a number of drivers which have pushed compliance and ethics up the agenda:

"It is more a global phenomenon of greater regulatory scrutiny and the consequences flowing from that – in particular, the enforcement activities of some of the US regulatory authorities.

"There have been global scandals for some time, but the consequences have become more high-profile. The damage to reputation and the trust of consumers, as well as the fact that it can be costly, intrusive and take a long time to resolve means companies are keen to avoid such situations."

Barrett adds that no company should assume they are immune to corruption and that all organisations need to ensure they are managing compliance effectively. She also believes it is imperative to make sure that the right behaviours are promoted within a company.

"Reputation takes a long time to establish, but no time at all to destroy," she warns, adding that while both EU competition law and the Bribery Act have helped enforce a global trend, a lot of the credit must go to US regulators.

Deborah Allen, managing director for corporate responsibility at BAE Systems, agrees. She explains that in the case of her company, the push to create a solid compliance and ethics function came when the company had a "compelling reason" to make a wholesale change.

In 2010, BAE announced a settlement with the Serious Fraud Office and the US Department of Justice in two long-running investigations.

In the US, BAE paid $400m (£262m) and pleaded guilty to charges that it had conspired to make false statements to the US Government in relation to certain regulatory filings. The settlement also included the appointment of an independent monitor for compliance for up to three years. 

In the UK, BAE paid £30m following a guilty plea over charges it breached its duty to keep accounting records in relation to payments made to a former marketing adviser in Tanzania. 

Allen says that in the early 2000s, the defence industry as a whole went through a series of scandals – much like the banking industry at present – and was forced to prove they were doing the right thing.  

She explains: "We invited Lord Woolf to pronounce on what good standards were for the defence industry. But we also came together as companies across the defence industry to draw up a set of business-wide standards and we created the International Forum on Business Ethical Conduct for the aerospace and defence industry.

"Our real turning point came when we were forced to demonstrate to others that we had got compliance sorted and were doing the best we could. This was driven off the back of not having been in the right place and we had to do something more to prove we were there. We were then fortunate as when the Bribery Act followed, we had already gone through the company with a wire brush."

But for BG Group general counsel Graham Vinter the Bribery Act was his company's real catalyst for change: "Before the Bribery Act, we – in common with many other companies – had compliance systems in place, but they were not really pulled together. When we saw the Bill on the horizon, we looked at the need to take a more holistic approach and decided we needed to do something."

GCs in the frontline

In many organisations, the compliance and ethics function has been taken on directly by the GC or by a compliance team reporting to the GC.

Figures from the Deloitte Global General Counsel Report 2011 show that in the UK, employed lawyers are taking an increasing responsibility for ethics and whistle-blowing, with 56% leading the way in this area today compared to 25% five years ago. 

The results also highlight how companies now turn in the first instance more often to their GCs rather than external counsel for advice on serious legal or regulatory risks.

But although it is frequently the in-house legal department that worries itself with ethics and compliance issues, this goes against calls from US enforcement agencies to separate legal and compliance roles.

Vinter says at BG Group the compliance and ethics functions sit under the GC: "In the US, there is the argument to say that this approach is wrong because it does not give the necessary visibility to the team within in a company. But I think if the ethics team reported to the chief executive this would reduce their position.

"I am the overall champion and sponsor for the ethics and compliance team, and I think if the general counsel is properly positioned within a company and not buried, then this works."

jacqueline-barrett-vodafone-cutout-webBarrett (pictured) believes that compliance and ethics is a function that could report into either the GC or the CFO: "At Vodafone, the GC is also the company secretary and attends board meetings. I don't think it is the function per se that matters, since both legal and finance functions should be familiar with risk management.

"For me, it is about access to the board and the executive committee, the persona of either the GC or CFO, and whether they are the right person to help progress the compliance agenda."

Barrett does acknowledge, however, that some big companies – particularly in the US banking sector – have recently changed the reporting lines of their chief compliance officers who now report directly to their chief executives.

"It could be a trend that takes off – only time will tell. But for me, it basically comes down to ensuring that you and your key stakeholders appreciate the independence of your role," she says.

Chris Vaughan, GC and company secretary at construction company Balfour Beatty, agrees: "The reporting line is not the most important issue. It is more about the profile you have as head of ethics and compliance and the access you have to the chief executive and the executive committee.

"You don't have to put the function into legal, but it is one area that it arguably fits into. The role of the legal function has changed and is more about managing legal risk and identifying problems before they hit. Ethics and compliance is very similar to that."

Vaughan also believes, however, that it depends on the personality of the GC as to whether the ethics and compliance function naturally fits in with legal: "If the GC is more focused on processes and the technical aspects of the law rather than on business aspects, that might be an issue. But I would argue that the modern GC should be business-focused in any case."

But at BAE Systems, things are done differently. The compliance and ethics function reports directly to the board and the chief executive. Allen explains: "As managing director for corporate responsibility, ethics sits with me and I report directly into the board and the non-executive committee of the board, which is responsible for compliance and ethics."

However, she says that although they are separate, her team does have very strong links with the company's legal department.

"Compliance and ethics is not all about legal. Lawyers tend to come at it from the point of view of what the law says. Whereas it is also about interpreting it for human beings, you need to look at – and think about – how people do things and give them a moral compass."

Leo Martin, a director at the Good Corporation, a company which advises companies on responsible business management, also argues that the function of compliance and ethics should be separated out from the legal domain.

"The job of compliance and ethics professionals is about checking behaviours and promoting good behaviours. That should be independent and be reported to the CEO directly – not least because if it is not, it confuses the lawyers about what the job is."  

But if compliance does fall into in-house lawyers remit it is not necessarily all bad, Martin argues: "This might be a good place to start and, as the role and the teams evolve, they will hopefully become seen as being as important as legal within organisations.

"Ultimately wherever it sits, no matter how many policies, processes and procedures are in place, it is about empowering people and developing the values and compliance stuff so it gets built into the hearts and minds of the company and the staff within it."

————————————————————————————————————————————————

WHAT DOES A GOOD COMPLIANCE POLICY LOOK LIKE?

A compliance policy should set out the organisation's view on compliance from the board and organisational governance, compliance and risk tolerances and expectations. It will include:

• A comprehensive legal risk assessment review to ensure that a compliance system is dealing with the right legal risks;

• Appropriate documentation describing how the system works, who has responsibility for which compliance obligations and controls applicable to the organisation and who is operating the compliance system and how the system is to be kept relevant and current;

• What control mechanisms are in place to ensure that people are acting in accordance with the compliance system, including reporting, monitoring and supervision;

• Operational processes and procedures assisting frontline staff on an operational basis;

• General training and back up education to assist all organisation members in understanding both the 'how' and 'why' of compliance; and

• Vitally, the structural relationship between compliance and the other key functions of the organisation such as governance, risk, audit, legal counsel and HR function and personnel/contractor incentive systems.