As more businesses focus on multinational operations and move into the global economy, accompanying regulatory compliance rules are forcing changes in how U.S. companies approach GRC initiatives.
Compliance rules as stipulated under the Foreign Corrupt Practices Act,
I think what makes a difference in terms of avoiding problems is to develop a genuine corporate culture where it's important to people that they comply.
first assistant U.S. Attorney (Mass.)
"It's a huge issue, and companies have gotten ahead of it in terms of ensuring they are doing their integrity-related due diligence," said Darren J. Tapp, a U.S. partner in PricewaterhouseCoopers' Forensic Services practice. "They're actually entering into contracts with their agents; they're setting up appropriate fee structures; they are getting those consultants and agents reviewed by compliance in advance of contracting."
Tapp was part of a roundtable panel discussion about compliance and enforcement in various industries held last month at the Harvard Club in Boston. The roundtable, organized by The Directors Roundtable, was designed to help boards of directors understand how organizations should handle a corporate crisis stemming from regulatory compliance enforcement.
The bribery and corruption risks stemming from working with third parties -- including business partners, agents and consultants -- has created a trend where multinationals exercise audit rights in contracts, panelists said. When conducting business overseas, more businesses are incorporating anti-bribery and corruption clauses that clearly prohibit facilitation payments, as well as clauses that allow audits of the third party to ensure they are following the rules.
"If you're a big multinational and you are not exercising audit rights of your third parties, it's something you want to consider as an extension of your compliance program," Tapp said. "As a consequence of multinationals' efforts to control the use of the business partners, we're seeing more and more [are going] out and [conducting] these audits of third parties."
Conducting these audits is not always easy, however -- especially when conducting business in developing countries. Business books and records are not always in traditional form, and collecting detailed information from disparate places can be difficult to find, if it exists at all. Most important is to be able to audit the reason behind a payment, panelists said. For example, if a payment was made for travel and entertainment, the third parties should be able to prove it.
In addition, businesses can help avoid regulatory compliance violations by instilling in employees and business contacts the importance of following rules, said Roundtable panel member Jack Pirozzolo, first Assistant U.S. Attorney (Mass.).
"I think what makes a difference in terms of avoiding problems is to develop a genuine corporate culture where it's important to people that they comply," Pirozzolo said.
Adapt to global compliance trends
A global economy forces companies to re-examine risk processes in the face of trade secret theft, as well. Earlier this year, a report alleged a Chinese military unit within the People's Liberation Army hacked confidential data from at least 141 organizations across multiple industries.
To offset these risks, the Economic Espionage Act was expanded in 2012 in an effort to protect trade secrets for U.S. companies. While these laws can help, companies themselves are the first line of defense when it comes to information security, panelists said.
"What you need to do is assume there is going to be penetration of your environment either by a former employee, by a Web attack, a whatever -- then evaluate your business model in light of that assumed risk," said Roundtable panelist Peter Acton, senior counsel for global compliance at IT storage hardware solutions provider EMC Corp.
More on global regulatory compliance
How Wal-Mart de Mexico triggered FCPA violations
The Foreign Corrupt Practices Act evolution
As with many governance, risk and compliance processes, understanding your business environment and what the threats are is very important. For example, panelists recommended that when conducting business in a jurisdiction with limited enforcement mechanisms, evaluate what products are marketed within that jurisdiction and avoid the potential disclosure of trade secrets in that market.
Companies should also be proactive about risks impacting them on a daily basis, and adjust security protocols and procedures in real time as those threats emerge and change. This includes implementing what panelists called "guerilla tactics" when it comes to ongoing employee risk training. For example, companies can send an employee an email embedded with malware to see if they are actually following the company's security protocols. If they aren't, companies should educate them on the spot, show them what the situation was, how it arose and how they should react in the future.
"I think there are real opportunities for companies to do things a little out of the box that [will] get employees actually using the procedure, the processes and the controls you have in place," Acton said.
Organizations can also use penetration tests and risk analysis processes to determine vulnerabilities. Roundtable speakers were adamant that -- from a data security standpoint -- businesses need to determine exactly what data they have, where it is stored and whether they need to keep it in order to determine proper security processes.
By figuring out exactly what the threat is and where it stems from, businesses can attack these risks proactively through internal policies and procedures, panelists said. This proactive stance can also help on the back end when authorities have to get involved during a legal crisis.
"It's of great value to us, and it's greatly appreciated when we do have a company that has taken its responsibility as a corporate citizen seriously and has investigated and provided information to the department," Pirozzolo said. "It's really important to us because the company is often the first to know if there has been some kind of a breach or theft."