Communicating risk to foster compliance

Merely having a compliance policy is not enough, staff should also be made aware of the policy otherwise companies risk punishment for employee misdemeanours

Companies must not only create compliance policies for employees but also ensure that they take the necessary steps to give staff the appropriate training if organisations are to avoid sanctions when things go wrong, attendees at an Iberian Lawyer event heard.
Speaking at the Iberian Lawyer Global Compliance Club event in Lisbon, Red Flag Group vice president Andrew Henderson said creating compliance policies was a necessary, but not sufficient, step in order to foster a culture of compliance.
“You´ve got to go further than just writing policies,” Henderson said. “If you go to court or a regulator and you don´t have policies then you´re in a bad way, but if you just have policies and you´ve shown no inclination to train anyone, or show that you´ve made an effort to tell them about them, you´re not much better off than having no policies at all.”
Henderson also highlighted the importance of taking the time to do a full, in-depth risk assessment. “The point of risk assessments is to focus resources where they are most useful – there have been laws here [in Portugal] as there have been other countries, they don´t enforce them but it doesn´t mean the laws weren´t there, the risks were always there,” he says. “People just tend to focus on the risks that have happened to them or to people they know rather than a broader set of risks that exist – that´s why it´s crucial to do a proper risk assessment on a regular basis because the environment does change, it changes everywhere.”
According to Henderson, it is vital that companies understand the changing nature of their business as well as changes in the regulatory environment. “Don´t just focus on things that have been done before, that´s often what happens in a company – if you do a risk assessment internally, you´re asking about the risks that they [staff] see and the risks that most people see are the risks that happened to them last week rather than the broader risks that are out there in the world.”
Attendees at the event – entitled ´Corruption has no boundaries: Who are the guardians of your company´s ethics?´ – also heard that while companies discuss the issue of risk assessment and risk management, they do not always take the crucial steps of firstly devising a strategy for properly identifying risks, and then identifying what risks need to be tackled. Companies often disregard such steps as insignificant, attendees were told. Consequently, the event heard that it was important employees are trained in how to identify and prioritise risks.

Meanwhile, another issue raised at the event was that of communicating risk to managers in companies. Attendees heard that in some companies, problems arose in communicating risks to management as well as attaching the right level of priority to risk. Companies should put in place processes to manage and assess risks, the event was told.
The event also heard that it is important that compliance policies do not remain “static” and that they should be reviewed on a daily basis as new risks can be found frequently. Meanwhile, it was pointed out that the guardians of a company´s ethics are its employees – they should have the consequences of non-compliance fully explained to them. That is, they need to know that they could personally suffer if they do not follow the company´s rules.
João Maricoto Monteiro, of counsel at SRS Advogados, said that companies in Portugal need to be aware that Portuguese regulatory authorities are retrospectively applying laws that were introduced back in 2001-02. Consequently, all companies may have made mistakes. “It means all companies may have some wrongdoing, in that all companies may have employees that have done something wrong.”
He added: “The problem is nowadays with criminal law, whenever an employee does something wrong the company may be affected, in fact the company may also be condemned.”
Maricoto Monteiro said that companies need to be aware that problems may exist and set up some guidance and some written rules that clearly state what is and what is not permitted in the company. “That´s the way that later on in court they can avoid being condemned,” he added. “If there is a body of rules and the employee acted against that body of rules then the employee will be condemned, but the company will not.”
Maricoto Monteiro continued: “If the body of rules does not exist, what the judge will look at is if the employee acted in the interest of the company and if it was in the interest of the company, the company may be condemned as well.”