Millions around the world are taken with House of Cards, its onscreen plots and antiheroes. However, this infatuation with political glamour is independent of the increasingly rigorous view of the business world, and of customers’ growing expectations of ethical behaviour and sustainable business practices.
Proof of this enduring market trend is ubiquitous. From the seven per cent drop in US market share experienced by Uber following recent investigations into the company’s conduct, to stock prices’ carousel ride during the 2016 American elections, business is facing a different type of scrutiny. Consumers and activist investors alike are concerned with the behaviour displayed by large organisations across all industries. As a result, the ethical bar is set higher than ever, and regulators’ attention is focused on the conduct of companies and executives, as well as on their overall risk and compliance culture.
ASIC has incorporated consideration of a firm’s culture into the risk-based surveillance reviews of the entities it regulates, as outlined in the regulator’s four-year corporate plan. As a conduct and disclosure regulator, ASIC is not only taking a keen interest in companies’ risk cultures; it is also fostering a broader change in board members’ and executives’ perception of the importance of organisational culture.
Social media is enhancing the effect of this trend. Consumer praise and complaints are now aired in real time, as are employees’ occasionally unfiltered opinions of their organisations. Furthermore, certain regulators have taken to social media to use brand reputational damage as leverage and to increase the public pressure on companies under investigation. For example, ASIC and the Fair Work Ombudsman both maintain active social media accounts with sizeable followings that issue warnings and share updates relating to ongoing legal proceedings and investigations.
How can companies identify and manage conduct risk in this evolving global landscape?
Conduct risk is multi-faceted, determined by factors ranging from strategic imperatives to remuneration schemes, and intrinsically connected to organisational culture. The consequences of misconduct are just as varied, and carry a potentially hefty price tag: from long-tail reputational damage and its financial impact to regulatory fines and penalties, as well as litigation and, in some jurisdictions such as Australia and the US, a high likelihood of class action suits.
When detecting, quantifying and mitigating conduct risk, it is critical to apply a strategic and holistic mindset: conduct risk extends across geographies and business operations, and blurs the lines between areas of risk and areas of the law. A robust, sustainable and risk-based framework of controls is now a prerequisite for organisations, not only to maintain compliance with regulatory obligations, but to ensure that emerging risks are identified and assessed with appropriate mitigation actions being taken.
Our experience advising global organisations with regard to detecting and mitigating conduct risk has shaped our conviction that most successful organisations have a well-defined and embedded culture, underpinned by clearly defined accountabilities and control frameworks, as outlined below.
The culture of risk management and compliance has traditionally been viewed as a pre-emptive monitoring function. However, when confronted with complex, evolving risks such as conduct, a culture of compliance is a measurable advantage for organisations which embed it in the planning, implementation and monitoring of their business strategies.
Regulators are focusing more heavily on corporate culture, and on the implications of organisational change on the overall risk profiles of companies. Examples abound.
Uber is currently facing a US federal investigation, in addition to the independent reviews the technology firm has undertaken of its own accord. While the tech company, hailed for its disruptive model until recently, has been fielding criticism of its corporate culture, the current probe is related to the controversial Greyball tool, which has also been targeted by the European Commission for a potential investigation.
As exemplified above, while conduct risk can manifest as a single exposure (i.e. investigations), it is more often than not a systemic risk with multiple repercussions throughout company layers and across geographies.
Having a strong culture of compliance is critical for any organisation. It is important not only to ensure that the tone from the top of the organisation is positive, but also that operational practices and compliance arrangements embed the right behaviours. Continued regulatory focus and the surge of issues caused by poor behaviour mean that firms need to continue to place significant focus on this topic.
The US Department of Justice, in collaboration with Swiss and Brazilian authorities, recently issued the largest fine in its history of extra-territorial investigations: US$3.5 billion, a bill that will be footed by oil giant Odebrecht following one of the largest bribery scandals in recent history.
Acknowledged as a great success in combating corruption worldwide, this matter also underlines the increasing cross-border cooperation between regulators. We expect this trend to intensify and have a direct impact on the importance of ensuring regulatory compliance across a business’s operations and supply chains. To do this, companies must establish effective governance, and continuously monitor regulatory developments relevant to their industries and locations.
Effective governance means that front line businesses, compliance functions and audit teams are working in alignment, with clearly defined accountabilities and an articulated risk tolerance.
In order to preserve their growth and brand equity, businesses must navigate an increasingly complex regulatory landscape coupled with consumer expectations of ethical and sustainable behaviour. Identifying and managing conduct risk smartly will be critical to long-term success.