Promoting compliance awareness throughout the company is one of the top priorities today. It is too late once a serious compliance violation has occurred. Therefore, you may need to think about such as the following questions; "Where are risks lurking inside the company?", "How should risk management be implemented?", "What should be done before it develops into big managerial problems?"
The term compliance means "to align with laws and regulations rightfully." However, even if a company complies with laws and regulations, it may still be criticized in public if the company has done something wrong. This is when a company betrays the expectations of people. Expectations include safety, security, high quality, fairness, or others that are fundamental to the entity's purpose. The company must face the expectations of its various stakeholders; consumers, employees, business partners, shareholders, society, etc. Regarding that, the true meaning of compliance for a company can be said: "meeting the expectations of stakeholders." Laws and regulations are the minimum requirements that people and companies must follow to avoid legal penalties for violations, while true compliance for companies is broader and more challenging.
In recent years, the number of compliance-related issues seems to be increasing and the range of problems is also becoming broader, from harassment to information leakage and false reporting. There are several reasons likely behind this.
First, both society and rules are changing rapidly. With globalization, rules are amended toward global standards, and "local customs and practices" are becoming no longer acceptable. Despite this shift, there are still many managers and employees who are unaware of the changes and unable to keep up with them, making wrong decisions and giving incorrect instructions. In addition, an old-style results-oriented perspective may also be behind (or maybe even the root cause of) the problematic behavior.
Second, while new technologies are pushing businesses to advance, they are also creating security risks and new problems such as data leakage. Individuals can transmit personal information easily via social media or such. Companies can no longer deal with those risks only through their internal risk management as they did in the past.
Third, the definition and the scope of misconduct to be covered are unclear and changing, such as the risks of infringement of stakeholders' interests by the actions of companies and their executives or the misconduct against the social role required by financial institutions. Many companies are lost and perplexed in determining the extent of risks to be handled.
Lastly, today, companies are required to take in CSR (Corporate Social Responsibility) and ESG (Environment, Society, Governance), not only within themselves but extending across their supply chain, from suppliers of raw materials and parts to sales agents. Now they are even expected to have initiatives regarding the SDGs (Sustainable Development Goals).
There is a global movement, like the "Modern Slavery Act," where companies must look after labor conditions throughout their supply chains. Harsh working conditions, low wages, and long working hours are issues that are up close. We are now in an era where global standards are applied, as well as aligned with local laws.
Business customs and practices that were not a problem in the past, can turn into compliance issues resulting in a significant amount of fines.
The pressure of having zero faults is growing stronger and stronger, where the range of compliance to be covered has become broad, and fraudulent incidents due to lack of awareness will instantly be apparent and spread quickly.
When a violation is discovered, an immediate response is required, including preservation of evidence, formation of an investigation team, control of sharing information, reporting to the authorities, and consideration of what and when to disclose. The establishment of a third-party committee will follow for conducting a full-scale investigation. If there are victims, they must also be dealt with promptly. In a violation investigation, it is important not only to confirm the facts that have been discovered but also to investigate whether there are any other infringements (extended investigation). Since a person who has committed fraud may underreport the crime or conceal additional crimes, it is necessary to comprehensively investigate whether or not there are any other than those that surfaced. For this purpose, it is necessary to conduct thorough investigations in a short time, including interviews with relevant persons, data analysis, and digital forensics. In addition, information must be frequently disseminated to shareholders, business partners, and other stakeholders through press conferences, press releases, third-party committee reports, and other means to reduce uneasiness or distrust. Reporting should be given openly, not only to the media but also to employees, transparently without concealment. In the unlikely event that another violation is discovered, the company will lose credibility. It is also important to take preventive measures so that such incidents will not occur again. The response to a compliance violation is vast and various where you must act quickly.
For example, when a harassment case is taken to court, the settlement amount could cost more than 10 million yen. In 1991, an employee at Dentsu Inc. committed suicide, due to alleged overwork and the company's fault for failing to keep employees safe. Dentsu was filed to pay 168 million yen in compensation to the bereaved family. The average total cost (amount of damage) for the 524 cases of information leakage in Japan between August 2019 and April 2020 was 400 million yen (according to IBM Japan's "Report on the Cost of Information Leakage"). This is only the cost of direct losses, where we can easily imagine the impact of "damage to corporate brand image" in these problems will be outrageous.
Why do violations occur? According to the "Fraud Triangle" proposed by the American criminologist Donald Cressey, people commit fraud when the three factors of "motivation, opportunity, and rationalization" are combined. "Motivation" is a subjective circumstance that causes fraud, such as an employee's financial difficulties. "Opportunity" refers to the objective environment that enables the wrongdoing, for example, a workplace where money handling is not monitored. "Rationalization" refers to the subjective circumstances that actively endorse the fraud, with the embezzler's desire such as "I am only borrowing it temporarily." A company should consider that every person is vulnerable and is likely to commit fraud when the "fraud triangle" is formed. We must reside on the theory as "everyone is weak" when planning preventive measures. A "work environment" that deters the commission of fraudulent acts and keeps the organization healthy is very important for promoting compliance. Recent large-scale corporate frauds in Japan that come to light tend to be committed by the entire organization under the justification of "it is the act for the sake of the company" with an underlying environment of "excessive pressure in achieving business results" and "lack of compliance awareness." Thus the organization's culture has driven employees to commit fraud.
In June 2022, the revised Whistleblower Protection Act came into effect in Japan. New requirements such as guaranteeing anonymity and protecting whistleblowers were added. Most companies do implement various measures, such as helplines over the phone and online, but those corporate systems will not function efficiently unless there is trust toward the company and the employee feels safe. Dispelling fears and assumptions is difficult in reality — "Will I be treated badly if I speak out?" "I don't trust the company's system." "There is the company culture, a silent pressure, where using hotlines is discouraged."
In often cases, supervisors may be the offenders, so a functional internal reporting system where employees can notify without interference is important for risk management. Besides the internal reporting system, if risks can be identified by employees reporting to supervisors or other managerial roles, that will be a healthy shape for the company as well.
Companies today are expected to have sustainable management with thorough compliance. For this, it is necessary to change the organization's culture, which is the soil of risks, rather than responding to each like whack-a-mole.
First, you shall need to know the current level of your company's compliance awareness. Surveys are an effective way to understand the employees' awareness and behavior and gather workplace risk information directly. Through an awareness survey, detailed opinions not raised at the hotlines can be collected.
To detect violations through compliance surveys, it is important to have an environment where employees feel they can answer the questions safely and securely without any disadvantages. An external independent entity should be appointed and announced widely for conducting the survey, to ensure the anonymity of respondents.
We see more and more companies using the results of awareness surveys for training purposes. It is important residing to the employees' awareness and encourage them to proactively engage in compliance promotion activities.
The department in charge of compliance should function as a headlight that beams the road ahead as in a car, rather than as a brake that is hit only after a problem occurs. If the responsible department identifies future risks and takes proactive steps beforehand, other departments in the field can step on the pedal. The compliance department should point out potential risks of the company, detect problems in the early stage, and prevent compliance violations to happen. Compliance awareness surveys are extremely effective for this subject.
Compliance surveys by Nikkei Research can identify high-priority issues and reveal high-risk departments. You can also compare the results with our global benchmark. Unlike hotlines, which just "wait" and "receive" reports, surveys are an effective way for companies to proactively ask employees: "Is there anything wrong?" The company can then derive actionable solutions from the survey results.