It’s no secret that European organisations must adhere to strict rules and regulations when it comes to key ethics and compliance issues such as anti-corruption, data privacy, and risk management.
Yet, certain compliance risks will be more prevalent for European operations than in other regions. Programme managers must be aware of such risks and the threats they pose to the business in order to ensure they are not overlooked. Tailoring your ethics and compliance programme to the organisation’s unique risk profile will help mitigate such risks.
Based on insights from primary research undertaken by NAVEX Global, who questioned 130 ethics and compliance professionals in Europe, here are five essential programme insights that European businesses need to be aware of in 2021:
1) Focus on the key compliance concerns
No organisation has unlimited resources to eradicate every potential risk it faces, but regulators still expect you to protect against the biggest risks – no matter how small your business is.
Data privacy, cyber security and GDPR have shot to the top of the list of compliance concerns, both in Europe and worldwide, in recent years. Major data breaches at European-based businesses have generated news headlines and heightened awareness across the globe.
Research conducted by law firm DLA Piper in 2020 highlights that since the introduction of GDPR more than 160,000 data breaches have been reported across the EU. At the time of writing, 481 fines and penalties have been imposed under the regulation costing European firms €273m.
Dr. Tobias Schelinski, partner at global law firm Taylor Wessing, adds that, “in the European Union, we will see many more consumers making use of their data protection rights granted under the GDPR and local data protection laws. This will include an increase in damage compensation claims. You could say that privacy law will be the new consumer protection law.”
With the mass shift to home working triggered by the coronavirus pandemic, and the likely poor cyber hygiene of staff using devices away from the office, the risks of a data breach, and the misuse of personal information, will only increase in 2021.
Another key area of concern for European compliance professionals is abiding by anti-bribery and corruption (ABC) legislation. Despite the EU sitting atop Transparency International’s Corruption Perceptions Index, there is a long-held scepticism towards the efficacy of existing anti-corruption policies among Europeans, with 71 per cent of individuals believing that corruption is already present in national institutions, according to the latest Eurobarometer report on corruption. Further concerns are rooted in a lack of transparency around both the expenditure of public money and the close relationship between business and politics.
Our research also highlights that European organisations need to place a greater emphasis on mitigating harassment and discrimination risks. Too few are acknowledging that these risks exist within the workplace – especially compared to North American businesses – despite a 2019 report by the French Institute for Public Opinion (IFOP) that found 60 per cent of European women had experienced workplace sexual harassment or violence.
Additional insights from NAVEX Global’s annual whistleblowing report also shows that there is a higher percentage of whistleblower reports categorised as harassment and discrimination at European organisations than in US organisations. Clearly, harassment and discrimination is a compliance gap that European firms need to act upon.
Many firms are helping to address such concerns through employee training. In Europe, Navex Global’s research shows that the four most common compliance training topics are data privacy (83 per cent), bribery and corruption (79 per cent), conflicts of interest (70 per cent) and cybersecurity (69 per cent). However, key training gaps remain, such as sexual harassment (54 per cent), discrimination (53 per cent) and diversity and inclusion (49 per cent).
2) Use employee feedback to identify gaps
Business leaders should keep in mind that the end-users of an ethics and compliance programme are their employees. Gathering employee feedback is crucial for an effective programme. Perceptions of management may be a nice-to-have, but it is the employee view that offers the best insight into the efficacy of the programme’s activities. Yet there seems to be a disconnect between employees and management when it comes to the perception of compliance programmes.
While 50 per cent of European managers see their risk and compliance programme as a strategic investment, only 28 per cent of employees feel the same. In fact, a third of employees say they view compliance as ‘a necessary evil required by the regulators’. Therefore, it is crucial to gather and act upon employee feedback to ensure the programme serves them correctly and delivers activities that best foster a more ethical and compliant culture.
It is one of the reasons why the upcoming EU Whistleblower Directive, which will be introduced in December 2021, should be welcomed – because whistleblowing reports are arguably the best form of employee feedback and compliance information. This primary data is invaluable to drive transparency, expose potential issues before they become critical, and provide real time insights into the effectiveness of the compliance programme.
“It is in the interests [of business leaders] to know whether anything bad is happening within their company, and encourage whistleblowers to engage with them,” says Jan Tadeusz Stappers, senior manager of partnerships at NAVEX Global.
Yet Europe has the lowest number of whistleblowing reports submitted per employee – on average in 2019 five whistleblowing reports were made for every 1,000 employees at European organisations, compared with 15 reports per 1,000 employees at North American organisations. Compliance programmes in Europe must work harder than in other regions to encourage employees to speak up about their concerns.
Look to establish mechanisms to capture employee feedback in your programme, and not only from whistleblowing reports. Exit interviews and culture surveys can also help you gain the insight of your employees and better understand what gaps – or inefficiencies – you may have.
3) Embrace the role of the audit and risk functions
Risk assessments are crucial to developing any compliance plan, especially in Europe, where supply chains are more complex and trading across multiple jurisdictions is common. As such, it’s no surprise that NAVEX Global’s research finds that 82 per cent of European organisations are prioritising compliance risk assessments as part of their programme. Executive teams are increasingly asking for a more holistic approach to compliance analysis and reporting to better understand where the risks lie across the business. For larger firms, the compliance function should form close partnerships and collaborate with audit and risk teams while also leveraging the input of internal risk experts and stakeholders. For smaller businesses, learning how to undertake regular ethics and compliance risk assessments is key to developing an effective programme.
In addition, as a function that has a comprehensive view of an organisation, internal audit can play a crucial role in evaluating compliance. With an urgent need to ensure compliance activity keeps pace with current regulations – and with so many regulatory territories to deal with in Europe – auditing the compliance function can be a bigger challenge in Europe than elsewhere.
They can go further too. This is particularly important for European organisations, where the compliance audit should also review external risks to ensure the appropriate due diligence is being applied throughout the organisation’s supply chain.
4) Establish a proactive approach to policy management
Our research shows a majority (93 per cent) of European organisations focus their programme on regulatory compliance and base their decisions around not falling foul of related laws. Yet NAVEX Global’s findings suggest European organisations are those most likely to fall short in both distributing risk and compliance policies and providing adequate policy training – without which firms will struggle to develop a programme that adequately protects against regulatory risks.
Given the complex regulatory landscape in Europe, policy management, and the customisation and communication of policies across regions and languages, can be challenging and is often a compliance gap. It may be worthwhile in certain circumstances for European organisations to simplify such complexity by defaulting to the strictest version of a particular regulation, or company policy, and adhering to that interpretation globally.
Proactively reviewing policies rather than waiting for changes to happen, and ensuring easier access to up-to-date policies for employees – another area European companies can struggle with – not only makes it easier to stay on the right side of new legislation but can provide a strong legal defence for potential investigations when non-compliance does occur.
However, simply developing your programme as an insurance policy against regulatory infractions may not be enough in the long-term. Progressive organisations must look beyond compliance regulations. This requires a mindset shift from business leaders who need to refocus on building a value-based programme strategy that will improve employee culture and behaviour. Doing so, and embedding an ethical culture, will make employees more likely to do the right thing and make the right decisions in any given situation.
5) Protect against reputational risks
Trust takes years to build, seconds to break, and forever to repair. Organisations fined for failing to comply with regulations will confirm that a tarnished reputation can be more costly to an organisation’s bottom line than most financial penalties. According to the Volkov Law Group, organisations typically underestimate the long-term impact of reputational damage, which on average costs the company more than four times the regulatory fine imposed.
A rigorous ethics and compliance programme can help to protect your company reputation against inappropriate employee behaviour. Establishing a clear Code of Conduct with your employees and stakeholders, and keeping it fresh and relevant, helps to define the ethical values that your employees are being asked to live and breathe on a daily basis. However, only 42 per cent of European organisations stated that they plan to update their Code of Conduct over the next 12 months.
Our research suggests there is still further work to be done. Employees in this region report less confidence in the ethical values of their company compared to elsewhere – only 1-in-4 European employees say their business is compliant ‘all of the time’ compared to 38 per cent of employees in North America. Compliance leaders must ensure that the compliance programme fosters ethical behaviour throughout the organisation 24/7/365. Being ethical ‘some of the time’ simply doesn’t cut it – it takes only one mistake or bad decision to ruin the reputation of a company.
Conclusion
Ultimately, every organisation needs an ethics and compliance programme – and any such programme must be tailored towards the specific risks of the business. Firms should also pay attention to what others are doing within their region. Benchmarking can help to shape and underpin the programme’s goals.
To be effective, executive leadership teams must play an active role, not just to improve board oversight of the programme, but to establish a top-down culture of engagement among employees, and to align and drive the objectives of the programme with the objectives of the business.
“Healthy compliance practices are good for business,” points out Dyann Heward-Mills, Chief Executive and Founder of UK-based data protection consultants HewardMills. “You need to empower people. Having ethics and compliance champions in a business attracts not only customers and better employees, but it also, in turn, attracts investors and facilitates innovation.”
Download NAVEX Global’s comprehensive guide to learn everything you need to design and develop an effective ethics and compliance programme - from gaining board buy-in, to planning and implementing your activities.