Welcome to 2018, everyone! Now that we’re done returning Christmas presents, watching college football, and prepaying this year’s property taxes, our thoughts turn to how the corporate compliance landscape might evolve in the coming year.
Without further delay, then, my annual list of compliance issues that should be worth watching in 2018. In no particular order…
SEC guidance on cybersecurity. The Securities and Exchange Commission struggled with cybersecurity in 2017. Chairman Jay Clayton understands that investors are upset with cybersecurity lapses, and that companies need more help to understand what to disclose about cybersecurity risks and events.
It doesn’t necessarily follow, however, that the SEC knows what better cybersecurity disclosure should look like. A Form 8-K filing for every material breach? An audit of data security controls? A separate board committee for cybersecurity? Do we even know what a “material” cybersecurity event is?
The SEC claims its new guidance will focus more about internal escalation procedures and controls to prevent insider trading ahead of disclosure. How useful such guidance might be, is anyone’s guess.
The new standard on revenue recognition. The new accounting standard for revenue recognition went into effect on Dec. 15, 2017. Throughout this year, then, we’ll see more and more companies file their first financial statements according to the new standard.
Most companies won’t see their revenue numbers change by any material amount. But the standard also has profound implications for how sales contracts are structured and recorded — which, in turn, has implications for a company’s internal control over financial reporting, compensation schemes, and even fraud risk.
We’ll want to see how companies manage those consequences: new accounting policies, new procedures for auditors, new assessments of internal control, and even changes to business practices and disclosures in quarterly filings.
Supreme Court decision on whistleblower protection. Digital Realty Trust v. Somers, heard in November, centers on whether whistleblower protections under the Dodd-Frank Act extend to employees who only report misconduct internally. The plaintiffs say the statute defines a whistleblower as someone supplying information to the SEC; therefore, people who don’t report to the SEC aren’t protected.
Numerous justices seemed sympathetic to the plaintiffs’ arguments, even while admitting that their logic meant more retaliation risk for employees speaking up about misconduct.
I see few productive outcomes for compliance officers. If the court rules for the plaintiffs, that will give whistleblowers more reason to approach the SEC first. Employee cynicism will rise. Ambulance-chasing law firms will advertise, “Do you see something wrong at your company? Don’t tell them, they’re not on your side! Let us take your complaint to the SEC.”
The FCPA Corporate Enforcement Policy. The Justice Department debuted its new policy for FCPA enforcement in November. The goal is to encourage companies to disclose violations, with the presumption that the Justice Department will decline to prosecute — if you self-report, and cooperate in any investigation, and remediate underlying weaknesses that allowed the violation to happen. No “aggravating circumstances,” either.
In 2018, we’ll see how this policy works in practice. For example, how bad must aggravating circumstances be (recidivist offenses, for example, or senior executives involved in the misconduct), for a company still to suffer harsh penalties? How vigorous must your investigation and cooperation be? How effective your compliance program?
The logic of the new policy is sound. The devil of it is in the details, so let’s get into them this year.
Changes to anti-harassment programs. The surprise compliance and governance issue of 2017 was, clearly, sexual harassment. Women are right to be frustrated; companies have spent boatloads of time and money on harassment training, yet men up and down the corporate ladder still engage in stupid, inexcusable behavior.
Hence I say we’ll see changes to anti-harassment programs, rather than anti-harassment training. Training men on proper conduct isn’t enough. Compliance and HR departments will need to work together to encourage a broader speak-up culture, where employees are encouraged to report harassment they see, even when it doesn’t affect them directly.
Whistleblower hotlines will be valuable tools to confront this problem. So will policy management and investigation protocols. We may also need policy changes, such as requiring managers who hear about harassment to alert HR.
Maturity of vendor risk management. As Corporate America keeps integrating cloud-based services into its operations, we’re seeing a new appreciation of just how dangerous vendor risks can be. The foremost examples are cybersecurity lapses, but vendors can pose other operational, compliance, and reputation risks, too.
This isn’t news to compliance officers; you’ve battled sales agents and other intermediaries causing FCPA trouble for years. For the whole enterprise, however, vendor risk is growing more serious because vendors have moved from assisting with transactions to performing services. They now bring more risk to the enterprise, in more ways.
Financial regulators already worry about cybersecurity risks posed by vendors to the banking system. Compliance and audit executives have worried about slices of vendor risk, too. How will audit, risk, and compliance functions work together to tame vendor risk in a more systematic, intelligent way in 2018? We’ll see.
A bustling GRC vendor world. If risks to the large enterprise are undergoing a digital transformation (they are; see vendor risk, above), so too are the tools and systems enterprises use to manage those risks. So I’m curious to see how the GRC software vendors will respond to it.
For example, last month ACL and Convercent announced new rounds of venture funding. In September, defense contractor Huntington Ingalls did a deal with Ivis Technologies to market a new compliance management product. 2017 saw mergers, new products, and other action among all those software companies leaving sales pitches on your voicemail.
All signs suggest that 2018 will be another robust economic year, with plenty of capital available for deals, expansion, and new products. So I wouldn’t be surprised if we see more acquisitions, products, and sales pitches on your voicemail starting this month.
SOX compliance ‘reform.’ SEC chairman Jay Clayton’s top priority is to increase the number of companies going public on U.S. markets. Really, however, that’s code for rolling back investor protections established by the Sarbanes-Oxley Act — above all, the requirement under Section 404(b) for an annual audit of internal control over financial reporting.
Nevermind that filers compliant with Section 404(b) have seen a remarkable decline in financial restatements since 2003. Or that SOX compliance leads to lower costs of capital for firms. Or that research says most companies today stay private because they hate predatory hedge funds wresting control from them; and because they can, thanks to ample private equity demand.
Whether Clayton takes a run at weakening SOX compliance directly, or pushes the PCAOB to address the issue with audit firms, we’ll likely see some new attempt in 2018.
Those are (only a few!) items on my radar screen as we all gear up for 2018. Let me know what you think, or what this list is missing! Drop me a line at [email protected] any time.