Editor: Over the last few years, we have seen an increased emphasis and focus by companies on corporate governance, risk management, and compliance. What do you attribute this to?
Girgenti: I believe that the corporate financial reporting frauds in the early 2000s were a wake-up call that corporations and those responsible for the integrity of the capital markets were not getting the job done and that more needed to be done. Since then, we have seen a renewed focus on effective risk management, compliance, and governance. More and more corporations realize that having an effective compliance program is no longer an option or nice thing to do. It is a business imperative. We have also seen a fundamental change in the relationship between government and business and the way that government enforcement and regulators strive to shape corporate behavior. At the same time, we are experiencing increased globalization, occurring at a remarkable pace, as businesses seek to find new markets, new sources of supplies, and reduce costs by outsourcing and off-shoring functions that were once performed domestically. This has created new risks and challenges that many companies find themselves ill-prepared to address.
Editor: Are you saying that companies are taking corporate governance, risk management, and compliance more seriously recently than in the past?
Girgenti: Absolutely. When I first joined KPMG in 1995, most of my time was spent assisting companies in conducting investigations. It was very difficult to get many companies to focus on, and invest in, preventing and detecting fraud and misconduct. I suppose, in this respect, what we were trying to do was no different from a physician trying to get his patients to eat right and exercise as a way of preventing disease.
Editor: What changed?
Girgenti: With the financial reporting crisis of the early 2000s, two of the driving forces that were largely responsible for changing executives' and boards' sense of their responsibility for corporate integrity were the passage of the Sarbanes-Oxley Act in 2002 and the amendment of the Organizational Sentencing Guidelines in 2004.
Sarbanes-Oxley was a unique piece of legislation that put together, at a single point in time, a number of practical ideas that incorporate fundamental governance principles and best practices about financial reporting. Among its important aspects, S-Ox included the recognition of the importance of the "tone at the top" of the corporate environment, the vesting in an independent audit committee direct oversight responsibility for financial reporting, a new system of executive certifications and responsibility for the integrity of the company's financial reporting, and a code of ethics for senior financial executives. It also mandated the communications and upward flow of bad news by requiring audit committees to put in place a system for the confidential, anonymous submission by employees of suspicions of misconduct.
As S-Ox did in the area of financial reporting, the Organizational Sentencing Guidelines as enhanced in 2004 fundamentally changed not only the corporate focus on governance, risk management, and compliance, but it also reshaped and drove executive and board behaviors and accountability. The original guidelines were intended to drive the behavior of organizations by "rewarding," with more lenient sentences, corporate offenders who, at the time of an offense, had implemented an "effective compliance and ethics program." The thinking was that organizations, fearing harsher penalties, would adopt such programs as a precautionary measure. This led to many companies implementing compliance programs for the first time, but left open the question of whether these programs were making a difference. The revised guidelines place squarely on the shoulders of executives and boards the responsibility for ensuring that programs are designed and operating effectively, and are tailored based on the most significant risks a company faces.
Editor: Earlier you mentioned that you have also seen a fundamental change in the relationship between government and business and the way that government enforcement and regulators seek to change corporate behavior. What where you referring to?
Girgenti: I think the most vivid example of this change is the way in which prosecutors and regulators view their responsibilities for the investigation and prosecution of corporate wrongdoing. Twenty years ago, when I was still prosecuting criminal cases, the focus of most prosecutors was on conducting an investigation and bringing criminal charges that would result in a conviction by plea or trial. Often, prosecutors and defense attorneys took the view that a criminal charge and plea by a company was a bargaining chip to exchange for dropping or reducing charges against a company's officers or employees. Corporate fines at that time were generally capped at several hundred thousand dollars or less. But things are dramatically different now.
Today, prosecutors and regulators are not just interested in investigating and prosecuting corporate criminal conduct, they are striving to shape corporate behavior. They are increasingly making use of such devices as non- or deferred-prosecution agreements and monitorships. After the financial reporting fraud cases of the early 2000s, legislation was passed that increased the potential fines on a company to the point that the government's ability to seek and impose criminal fines appears limited only by the net worth of the company.
The ability and manner in which corporations defend and insulate themselves from criminal prosecutions, as a result, also has fundamentally changed. Companies, attempting to avoid the consequences of an indictment or criminal conviction that, in some instances, could result in going out of business from government debarment or the loss of the license to do business, are now acting more proactively to ensure that they have effective compliance programs to prevent and detect fraud and misconduct and to mitigate the consequences of such conduct should it occur. They are now under increasing pressure to agree to structural changes, new business practices, and in many instances, the appointment of independent monitors - de facto corporate boards.
Editor: What impact has the added element of globalization had on companies seeking to build effective compliance programs?
Girgenti: As businesses seek to compete globally, they face unfamiliar business practices and must confront new business risks in the new environments in which they seek to operate. These risks run from extended supply and customer chains that reduce visibility and control over the flow and quality of goods, information, and labor to new and unfamiliar business partners with whom they must rely.
Unfortunately, the harsh reality is that corruption is rampant in many of the poorest countries, and companies and regulators are increasingly challenged to deal with this problem. For many years, the Foreign Corrupt Practices Act (FCPA), created to counteract the bribery of public officials, was infrequently enforced. If you look at the public records, you'll see that, as recently as 2003, there were only two bribery cases filed by the Department of Justice (DOJ) and none by the Securities and Exchange Commission (SEC). In 2007, there were 15 bribery prosecutions brought by the DOJ and 16 enforcement actions by the SEC - double from the previous year.In 2008, the number of prosecutions is expected to exceed that of last year. In addition, we have also observed that numerous companies have recently disclosed in their SEC filings that they are under investigation by both the SEC and the DOJ for potential FCPA violations.
Editor: In working with companies today, what do you advise them to do?
Girgenti: We advise companies to begin with foundations of good governance that enable business leaders to operate with the seasoned ability and unquestioned integrity required in today's market. This starts with a board that is committed to driving the values and standards that they expect all aspects of the company to embrace.The board should apply these values as a filter to influence all of its decisions - from selecting the CEO, to shaping strategic goals, to evaluating management performance. Applying this filter also helps avoid unhealthy compensation practices, such as those that judge managers solely on results, without regard to the means used to achieve them.
While the board helps set the right tone, management oversight responsibility must be assigned to a chief compliance officer with the requisite authority, objectivity, and resources to fulfill the mandate of an effective ethics and compliance program. The chief compliance officer will need to work with others in leadership positions to address key challenges and questions in order to try to ensure the organization has an effective ethics and compliance program. This program, which can help manage risk in a manner that is consistent with regulatory requirements as well as the organization's business needs and marketplace expectations, requires an approach that has five key aspects - comprehensive risk assessment, program design and implementation that effectively addresses the risks identified, continuous auditing and monitoring, program evaluation, and continuous improvement.
Editor: Can you explain this more specifically?
Girgenti: Let me briefly explain what I mean by posing some of the questions that need to be asked and answered in each of these areas: When addressing the risk-assessment phase, one must begin by asking how compliance risk is defined. An organization then must determine: What are its biggest compliance risk areas based on likelihood and significance of occurrence? How does its compliance risk profile shift across different business segments, or across geographic borders? In a global company, does the risk assessment consider all key flows of material and information? Are sales and marketing activities being conducted in geographies with high corruption risk? Are existing controls around the biggest risk areas adequate?
In the design phase, an organization must ask: What should the elements of its compliance program look like? What do enforcement mandates such as the sentencing guidelines require? What approaches have other companies in its industry typically found to be effective? How does it avoid unnecessary red tape and bureaucracy? What elements of its program are likely to fall under scrutiny?
At the implementation phase, the organization must ask: What is a practical course of action for rolling out a program? What are the resource requirements? How does it clarify roles and responsibilities? What is the role of line management versus internal audit? Will it need to assign compliance managers in each major business segment or geography? Where will HR fit in?
A program of continuous auditing and monitoring requires that a company embed early warning systems into its technology to help avoid being in the dark until it's too late. A company should consider whether it is leveraging all the information that is available from internal data. How can technology be used to help flag suspicious transactions? How can the company evolve from fewer manual controls to more automated controls?
Finally, when in the evaluation phase, one must ask: Is the compliance program effective? Is the program influencing employee perceptions and behaviors? Are the elements of the compliance program operating as intended? Is the company achieving compliance with its standards? What's working? What still needs to be done?
In the end, diligent boards and management teams will find that building integrity is no easy task, nor just another nice thing to think about. The ability to demonstrate persuasively that your organization has an effective ethics and compliance program has become a business imperative - a condition of survival. Increasingly, your shareholders expect it, your customers are asking about it, your employees count on it, and the government demands it.
Editor: What is next for corporate compliance?
Girgenti: The compliance program of tomorrow will be shaped increasingly by market expectations. I think this will require compliance programs in the future to take on new and different challenges. For instance, from a policy perspective, compliance programs will be increasingly challenged to move along a continuum to address voluntary standards that exceed minimum legal requirements in areas such as fair trade, labor practices, environmental stewardship, and management diversity. Likewise, compliance programs will be challenged to fulfill a business mandate that includes both value preservation (e.g., how the business minimizes fines) and value creation (e.g., how the business attracts new capital). It is here where compliance programs will increasingly find themselves at the nexus between business practices and business performance. In a competitive global market, this will create opportunities for companies to distinguish their brands based on how well they are able to demonstrate responsible and well-governed business practices.
Published June 1, 2008.