Kroll and Ethisphere released their annual anti-bribery report today, a survey of what anti-corruption risks companies say they face, and the compliance efforts they use to tame those risks. If you’re looking for a good benchmarking report to read over lunch or on your commute home, this is one.
The headline number: 57 percent of the survey’s 388 participants said they expect their corruption risks to stay steady this year, while only 35 percent expect their risks to increase. In past years many more people would say they expect their risks to rise. (Disclosure: I worked with Kroll years ago to develop the predecessor to this survey.)
People who expect their risks to fall say the primary reason was more investment in compliance programs. Those who expect their risks to rise cite more third party relationships and more enforcement risk.
The bigger idea worth pondering in this year’s report is right there in the title—“Beyond Regulatory Enforcement: The Rise of Reputational Risk.”
That idea has been on my mind lately. Yes, effective regulatory compliance is a crucial part of any company’s survival strategy; but from a larger perspective, how does it really help? If a company’s stakeholders perceive some action or relationship to be untoward, the company has a reputation risk problem that needs attention. And the reputation risk doesn’t care whether it’s in compliance or not.
Talking About Reputation & Risk
At least, that’s how board directors will worry about things, because a tarnished reputation undermines future value in all sorts of ways. Recruiting and keeping employees becomes more difficult. Business partners might end relationships. Consumers take their dollars elsewhere. And as future value falls, so does the stock price. Which generally leads to board directors hitting the curb.
Compliance officers can back into that conversation by explaining how effective controls and policies, especially for management of your third parties, help to reduce those reputation risks.
The Kroll report found that more companies (particularly those on the World’s Most Ethical Companies list, which Ethisphere announced yesterday) now include a briefing about anti-corruption programs when they talk to the board or audit committee about compliance and risk management efforts. That’s good news no matter what. Putting anti-bribery efforts into the larger picture of a company’s ethics and public reputation never hurts.
Still, I’m a bit skeptical that anti-bribery risks specifically are the big driver of heightened attention to reputation risks. To my observation, boards worry much more about the reputation harm that stems from cybersecurity risks and supply chain misconduct. They’re cousins to anti-bribery risk, but to board directors, they’re the bigger and meaner cousins.
For example, Walmart suffered a huge publicity black eye over the announcement of possible corruption in its Latin America operations in 2012—but here we are, five years later, with no FCPA settlement yet. Walmart’s share price is up and its operations are fine. Teva Pharmaceuticals forked over $519 million in FPCA penalties in December, but its stock price had been slinking downward for all of 2016 and is near where it had been (the low $30s) after a price bubble in 2015. Teva’s 2016 sales were its best in five years.
Meanwhile, look at Yahoo for the disaster that can come from cybersecurity failures. Yahoo’s ham-handed disclosure of numerous breaches led Verizon to cut its acquisition offer by 8 percent earlier this year. And it’s not like Yahoo could walk away, because, frankly, what else was the board going to do with the company?
Reputation risk is related to another subject I recently discussed over at the blog run by Navex Global: organizational trust. The better a company is at demonstrating trustworthiness to its stakeholders, the lower its reputation risk will be. Organizational trust and reputational risk are inversely proportionate: the more you have of one, the less you have of the other. Maintaining an effective compliance program, and high standards of ethical culture, are the cornerstones of building that trust and cutting that risk.
Anyway, we’re splitting hairs. The Kroll survey drew a connection between anti-bribery risk and reputation harm because it was a survey of anti-bribery risks. Any survey exploring the connection between cybersecurity, supply chain, or just about any other type of risk would reach the same conclusion: boards now see compliance risk as a component of the reputation harm they want to avoid at all costs. The premise (and title) of the Kroll report is 100 percent correct.
The rest of the Kroll report provides useful data on all the other anti-bribery headaches that compliance officers worry about: monitoring third parties, securing budget and other resources, performing sufficient due diligence on merger targets. Boards don’t just want to panic about reputation risk; occasionally, they want to give compliance officers the support you need to do your job well. The data here is useful ammunition to have that conversation, so dive in.