Recent years, especially in Serbia and the region, seem to have brought an increasing interest from the business community in matters like compliance, ethics, and more widely, business integrity. Areas like anti-bribery, anti-money-laundering, antitrust and conflict of interest have been in focus, representing more standard areas of a company’s compliance policy aimed at addressing purely legal risks.
Although COVID-19 related topics dominated in 2020, one relatively novel international topic gained a fair amount of attention last year – sustainability, both environmental and social. Companies’ attention and reporting procedures are, as it seems, now increasingly covering a wide spectrum of environmental, social and governance matters (ESG), thus expanding the attention from purely legal risks to more reputational ones as well. The common root of environmental, social and governance topics is ethics. The breadth of companies’ attention for different topics depends on the way companies perceive, define and implement ethical principles in their day-to-day business.
Probably the most common way of explaining ethics is by referring to it as a system of principles that guide how people make decisions and lead their lives. More profoundly, ethics can be defined as “the attempt to arrive at an understanding of the nature of human values, of how we ought to live, and of what constitutes right conduct”. (Norman, 1998).
Integrity is understood as a consistent application of ethical principles in life and everyday situations, i.e. “consistency between beliefs, decisions and actions, and continued adherence to values and principles”. (Visser et al., 2007). Ethics, therefore, consist of principles that correspond to basic moral values that guide behavior, while integrity assumes that we should indeed carry out ethical principles in our daily lives and activities. Business integrity consequently assumes adherence to ethical principles in business and day-to-day activities of a company.
The law encapsulates in a strict written form basic rules of behavior that are to a great extent based on moral and ethical values. Although the law and ethics overlap, they are not the same thing. Something that is unethical may be legal, like for example refusing to help another person in danger. Rules of law are enforced by the state and the breaches are sanctioned, which is not the case with ethical principles. One could say that ethics contains a broader set of rules than law. Only such behavior that is regarded by society as breaching the most important ethical values is prohibited by law.
Having briefly revisited the relationship between ethics, integrity and law, it becomes obvious that compliance policies aimed at addressing legal requirements alone do not say much about the values of a company, i.e., the values the management and employees should be sharing and observing in their daily activities. Such policies therefore only partially reflect what should have been the ethical principles of the company. As Richard Breeden, former chairman of the US Securities and Exchange Commission, noted, “It is not an adequate ethical standard to aspire to get through the day without being indicted.” (Paine, 1994).
A strategy that also incorporates ethical principles and integrity holds companies to a higher standard. (Ibid, 2005). While compliance is typically rooted in avoiding legal sanctions, a company’s integrity is based on the concept of self-governance in accordance with a set of guiding principles and values and an environment that supports ethically sound behavior and instills a sense of shared accountability among employees.
This need for a more strategic, holistic and integrated approach is becoming evident. While some still fail to see any immediate financial benefits of a broader environmental and social awareness and incorporation of the corresponding values into the overall compliance perspective of a company, research and metrics are demonstrating the quantitative and qualitative impact: for example, reputation risk – which is to some extent embedded in every type of compliance risk – is increasingly recognized by C-suites and boards as a key strategic risk because it attaches itself to other kinds of risk and acts as an “amplifier risk”. (Bonime-Blanc, 2014).
From a purely practical and short-term perspective, lack of a proper compliance function in place may have many consequences, the financial one being only one of them. First of all, companies face immense reputational risk towards business partners, customers and the wider public. That can easily have a very detrimental impact on the brand, perception in the public and finally sales.
Secondly, companies risk legal enforcement, which assumes lengthy investigations that disrupt normal day-to-day business activities, requires either reallocation of existing resources to deal with the investigation or outsourcing these requirements to external consultants and potentially also triggers invalidity of existing commercial arrangements.
Finally, there is a financial element, i.e., fines, damages and all sorts of different costs companies with compliance issues have to reckon with, including but not limited to legal costs of properly tackling the investigation and the compliance issue, and organisational costs of having to rearrange the previous way of doing business.
To give one example of a very basic compliance case where purely legal issues were at play: a fast-growing local company with around 1,000 customers, the agreements with which were renegotiated on an annual basis following the standard, 10-year-old company template, was caught with more than 300 customer agreements containing a very simple but prohibited anti-competitive clause. This clause could have been easily spotted and eliminated, had there been a compliance function in place. The management was however completely unaware of the existence and the meaning of this provision.
As a consequence, as soon as the news about the investigation of the competition regulator broke, the company was faced with numerous press articles and accusations from different sides, customers threatened contract termination, and sales dropped. Finally, after a two-year long investigation, the company also had to pay a significant monetary fine. This could have all been easily avoided, had someone identified the prohibited clause and reported it to the management.
Another, more complex, example is an international one involving Danske Bank (2018) in one of the largest money-laundering scandals ever. During a nine-year period from 2007 until 2016, due to a series of major deficiencies in its governance and control systems, Denmark’s biggest bank failed to spot that billions of euros of illicit funds from countries including Azerbaijan, Moldova, and Russia were being laundered through its Estonian branch. The investigation also found that the compliance and risk functions of the Estonian branch did not have a satisfactory degree of independence, that the IT platform of the Estonian branch was not covered by the same customer systems and transaction and risk monitoring as the rest of the bank and that the branch operated with its own culture and systems and too independently from the rest of the group without adequate control or management focus.
Danske Bank received a tip from a whistleblower in 2013, but despite follow-ups by internal audit and compliance, management failed to take quick and decisive action. As a consequence, Danske’s then-CEO was charged by the Danish prosecutors for his involvement in the illicit practices, the bank is subject to ongoing criminal and regulatory investigations in Denmark, Estonia, France and the United States, it is facing 276 separate legal actions in Denmark brought by individuals and groups of investors worth around USD 1 billion while an additional legal action estimated to be worth around USD 420 million was initiated against the former CEO by 72 institutional investors in 2020. (Hodge, 2020).
The only way to run the business is the ethical way. This ensures long-term viability of business operations, limits the risk and ensures value. Compliance starts at the top. It will be most effective in organisations that emphasize standards of honesty and integrity and where top management leads by example.
Compliance should be a part of the culture of the organization – through different trainings, guides and other measures it must be delivered to each employee and inspire each and every function. To this end, a written compliance policy, regular trainings and checks and regular reporting requirements must be in place.