In-house counsel and other compliance professionals often lament the difficulty they have in securing the headcount and resources they need to maintain effective compliance programs. Too many CFOs, they say, still see compliance as just another law department cost center.
The cautionary tale can only take them so far. No matter how many companies are publicly humiliated by high-profile investigations, financial penalties and individual prison terms, criminal liability can remain an abstraction to business executives until it happens to them. Horror stories may get their attention, but don’t really speak their language: numbers. To really get the business side on board and actively engaged, counsel must demonstrate the impact of compliance and fraud detection on the bottom line.
“It’s one thing for the doctor to say you should quit smoking and stop eating fatty foods,” says T. Markus Funk, a partner at Perkins Coie. “People may do it for a month or so, but then tend to go back to their old habits. However, having the doc sit down, show you x-rays and blood work results, and suggest integrated lifestyle changes has a far greater chance of producing long-term changes.”
Fortunately, there’s a growing volume of data available on the quantifiable impact of fraud on companies. More ambitious in-house counsel are even hiring third-parties to perform audits that provide data on their companies’ compliance performance—hard numbers that give them the leverage they need in their ongoing budget battle.
There’s power in numbers, and sometimes the simpler they are, the better. For example, according to Kroll Inc.’s latest Global Fraud Report, companies on average lose a week’s earnings to fraud every year.
“On average, the companies we surveyed lost 2.1 percent of their earnings over the past 12 months to fraud,” says Rich Plansky, a Kroll senior managing director. “That’s basically everybody working for a week for free to support fraudsters.”
That percentage, it should be noted, is just fraud losses—it doesn’t account for any legal fees, investigation expense, government penalties or damage to the company’s reputation as a result of violations.
“This is not just a mere annoyance.This is a threat to the financial health and, in some cases, the viability of a business,” Plansky says.
Significantly, the survey reports an inverse correlation between investment in antifraud measures and fraud losses. Among survey respondents (more than 1,200 executives worldwide) 18 percent reported annual fraud losses of more than 4 percent of revenues. Almost a quarter of that group lost more than 10 percent of revenues to fraud. These 53 hardest-hit companies shared some risk factors, such as industry and geography, but their greatest commonality was their lower level of investment in preventing and detecting fraud.
In each and every one of 10 categories of anti-fraud measures surveyed, these 53 companies invested less than the average sum. In categories such as staff for training or whistleblower hotlines, or “reputation” (media monitoring, controls and legal review), the investment gap was 50 percent or more. The lesson is clear:
“Many companies still view compliance and anti-fraud measures as a cost center, but they should view it as mission-critical,” Plansky says. “That 2.1 percent or 4 percent or 10 percent comes right off the bottom line. Making investments in things like financial controls, information security, vetting partners, clients and vendors pays real dividends. If you’re talking about a cost center, it’s a whole lot more expensive to deal with the aftermath of an [Foreign Corrupt Practices Act] violation than it is to make investments in financial controls.”
If global surveys or industry information are not enough to spur additional compliance investment, counsel may have to find custom-tailored data. A small but growing number of companies are conducting independent third-party audits of their compliance programs or subjective risk factors.
Usually, these audits happen after the fact. A company gets nabbed for a violation, and is required by a deferred prosecution agreement to maintain an effective compliance program going forward. Absent any guidance on the definition of “effective,” in-house counsel reach out to law firms or consultants for an unbiased assessment they can lean on if the government calls again. Increasingly, however, companies are proactively conducting compliance audits, before problems crop up.
“Compliance audits provide an efficient and direct way to figure out where the high-risk problem areas are, and to come up with an integrated strategy for plugging identified holes and shortfalls,” Funk says.
Law enforcement authorities at home and abroad take a particularly dim view of paper-only, half-hearted compliance regimens these days. Audits affirm the company’s commitment, and can bolster a rogue-actor defense in the event of a violation.
That said, requesting audits can sometimes create an awkward political situation for corporate counsel. They want to draw attention and resources to compliance gaps, but don’t want to look like they’re not doing their jobs.
“There is some tension there,” Funk says, “but responsible in-house counsel will recognize that the risk potential is far greater from saying everything is fine and risking down-stream problems with the government or through large fraud losses.”
More Than Vegetables
There is one caveat anytime counsel start turning over stones: They must be prepared to deal with whatever creepy things they find.
“Some companies might not want to have their compliance problems put in writing, because if they fail to acton them, they have potentially worse problems,” says Solomon Wisenberg, co-chair of the white-collar defense group at Barnes & Thornburg. “Down the line, some prosecutor or regulator can say, ‘wait a minute, you had an audit that raised this issue and you didn’t do anything about it.’ Prosecutors love to see that companies ignored the recommendations of a compliance audit.”
There’s no denying that a see-no-evil dynamic remains a significant part of the compliance cost-benefit analysis at many companies.
“Most companies still look at compliance as eating your vegetables,” Plansky says. “You have to do it, but nobody really wants to do it.”
Such attitudes will persist as long as companies see compliance in terms of potential penalties, instead of ongoing financial impact. As the Kroll report makes clear, without effective controls, fraud presents a steady bleed on the bottom line.