Don’t Let Communication Water Down Your Integrity Risk Management Efforts

My title may sound provocative, and you might think I’m undermining the importance of the role communications teams play in many companies, but that’s not true. Give me moment to explain.

Imagine integrity risk management as a human body. Communications is the windpipe of that body. No matter how sophisticated and developed your existing systems and organisations are, poor internal and external communications alone can pull the rug out from under all your past achievements.

You can see this in the daily life of many companies, which have become more and more vigilant as to their reputation. In fact, reputation risk is by far the undisputed number 1 strategic risk companies face today based on recent surveys.

Managing your integrity risk and ensuring your compliance are the most effective ways of saving your company from bad press. I find it disconcerting how companies fail to prioritise and value the quality of their integrity risk communications.

All Year Round

Many companies invest a lot of money and management time in building up their compliance systems. However, the practicalities and implementation of these systems are most often delegated to group legal or internal control teams.

communication_compliance_800Often at best, every employee has to participate in annual e-learning programmes, which for some reason are always scheduled to occur in the middle of the most hectic budgeting season. Meanwhile other communication techniques and methods are ignored.

In order to make your integrity risk management efforts fly, focus on phased behavioural changes instead of a heavy duty e-learning torrent once a year. This is also where communications teams should show their claws.

Talk Like a Person

In order to achieve lasting results, employees need incentives to make many small commitments. Your company’s values and behavioural expectations need to be widely known in your organisation.

I don’t believe in lists of do’s and don’ts. They can easily puzzle the individual. Unstructured threats don’t pay off in the long run.

When communicating compliance issues to employees, use positive and inclusive language and use a style they’re familiar with. Short and repetitive bulletins are much more effective than a one-off torrent of opaque legalese.

Why not also challenge the almighty role of e-mail? Try using electronic bulletin boards, town hall-meetings, newsletters and blogs, Q&A pages, sales booths in meetings, voice casting or any number of novel methods. Good integrity risk communications should emphasise the pleasure related to change and the pain related to old habits.

Make Sure Middle Management Is On Board

Ideally the whole organisation should support the communication of integrity risk issues. Especially the mood-in-the-middle should be beefed up.

The role of middle management in compliance communications is vital. If you don’t get them on board, the message will erode before it reaches the lower levels of your organisation.

Although communications strategy is managed on a c-suite level, integrity risk communications cannot be delegated and siloed in the organisation if you want results. Don’t just focus on existence and volume of integrity risk communications, focus on its quality and make sure you colleagues understand you core messages.

Sami Lindström


Case Volkswagen – Could the Pelican Have Avoided Ploughing into the Turbine?

Case Volkswagen has been in the news for the past couple of days. According to the company, it installed software that falsified emissions tests in 11 million diesel cars, meaning that its vehicles actually spewed more pollutants than allowed.

The company’s market cap dropped by almost 40%. The CEO had to resign. The provisions in the books were raised to 6.5 billion euros.

The congestion of class action suits is about to start, and in all likelihood some directors will end up behind bars. Case Volkswagen is just one example in the world of miscalculated integrity risks.

Every day, we see a steady flow of news regarding suspected fraud, corruption, human rights abuses and falsification of accounts. How can companies avoid becoming part of this kind of news flow? Is there something the management or the board could do better despite their existing compliance programs and global control frameworks? The answer is … absolutely!

Let’s look at the three fundamental factors determining whether a company’s reputation risk management is efficient or not: reputation-reality gap, changing expectations and unity.

Mind the Gap

Volkswagen has always had a good public reputation topped off with high integrity. The Volkswagen brand has almost become a synonym for reliability. Why did this perception collapse overnight?

Volkswagen has a global compliance program and organisation in place, so in this regard everything should have been under control. Contrary to the public perception, is it possible that the company didn’t in reality have the means to exercise its integrity risk management properly? Despite express obligations of integrity in their code of conduct, for some reason the implementation failed.

Tools in Place but not Maintained?

The second explanation could be that the company did not challenge and monitor its existing risk management system. Did Volkswagen regularly acid test the functioning of its whistle-blower communications channels? Did the compliance organisation have direct and independent access to the board, or was it subject to the interests of the operative management?shutterstock_11433679

Had the workability of the existing system and the independence of compliance administration been secured, the problem might never have occurred. At least it would have come to the attention of the board much earlier, allowing sufficient time to take corrective measures before it was too late.

Maybe communications channels existed, but the fear of disclosing the problem and retaliation kept mouths shut?

Walk the Talk?

The third explanation could be that the company was ultimately unable to jointly ‘walk the talk’. Was this due to a fragmented organisation, siloed decision making, fear or sub-optimisation resulting from eccentric incentivisation? Based on the latest allegations in the news, some directors were warned, but the problem was quickly polished over by ignorance. Nevertheless, the existence of flawless internal communications and internal trust can be questioned.

Reputation Risk Management 2.0

Failures in compliance always occur when a complex company structure is managed without effective risk management tools. Compliance management is not a stand-alone exercise. Instead it should be integrated into every company’s global risk management processes.

Despite existing codes of conduct, internal instructions and policies, companies should understand the essence of taking their compliance systems to the next level. Otherwise, their businesses can easily fall into ostrich management principles, i.e. putting their heads in the sand and hoping that their problems go away.

To switch back to my original bird metaphor, compliance 2.0 is absolutely crucial if you want to keep your pelicans out of the turbine.

Sami Lindström

What Connects Airplanes, Straws and Corporate Responsibility?

Corporate responsibility may be trendy right now, but I regularly hear people talking about it as mere greenwashing, making a company’s actions look shiny and pretty without real content. Sadly, corporate responsibility is not really glitz and glamour – it is human rights abuses in the palm oil plants in Asia, collapsed garment factories in Bangladesh, oil spills in the ocean, corruption or overly aggressive tax planning that disrupts competition. Fair? No.shutterstock_186036554

Corporate responsibility covers a wide variety of topics, as the examples above show. So what are we actually talking about when we say corporate responsibility?

You can easily find several definitions by googling, but I am a simple girl so I give you a simple definition: Corporate responsibility is balancing between people, planet and profit in the corporate world. This means that companies should respect the environment and treat the people around them fairly, while also operating in a financially sustainable way.

Why should companies care?

Let’s have a more detailed look at why. Why does corporate responsibility matter to companies and to us corporate lawyers?

Well, the obvious answer is public image. Any scandal in operations near or far will lead to a damaged reputation. There are also other reasons than brand image for companies to embrace corporate responsibility, such as cost savings, and employee and customer engagement (see more arguments in the Forbes’ article). Last but not least, we can ask ourselves the fundamental question: Why should corporations behave differently than individuals? Why would we give corporations the right to misbehave behind the corporate façade while we don’t approve of similar behaviour from our fellow citizens?

Something good hidden here?

If the above arguments do not convince you about the benefits of corporate responsibility, let me talk a little bit about airplanes and straws. Airbus has recently developed an airplane (A350) that brings more comfort to passengers with less fuel burn, emissions and noise – attractive and responsible business for both Airbus and airline companies. Another example is LifeStraw which is a straw that makes water drinkable in developing countries, preventing many diseases from spreading – good business that saves lives.

Both examples show that we can actually have the cake and eat it too – generate profits and do good for the world. How does this sound? Do you have an A350 or a LifeStraw for your company already in mind?

Anne Vanhala

Sanctions—As the Dust Settles

The activity surrounding the Ukraine crisis during the past several months has shown that sanctions can be imposed rapidly in response to changes in the political climate. However, that flurry of sanctions activity has slowed during the past month, providing a good opportunity to assess how your business landscape has changed because of the sanctions—and what you can do to adapt to those changes.

1. Be Aware of Sanctions Relevant for Your Business

The Ukraine sanctions have had a noticeable impact in many sectors of the Finnish market, however, it is good to remember that other sanctions programmes also exist and can have a real-life impact. The penalties for violating any of sanction can be significant, and there are many more sanctions programmes in force than just those concerning Ukraine. The EU and the US each have approximately 30 separate sanctions programmes in force at the present time.

You may be caught by surprise of the range of business transactions that are restricted or forbidden by sanctions under various circumstances. Sanctions touch on a wide variety of activity. Although prohibitions against doing business with specific individuals or companies have been well-publicised during the Ukraine escalation, other restrictions on certain types of business activity (such as providing services or certain goods even if the counterparty is not sanctioned), tend to receive less attention in the media.

Older sanctions programmes, such as those concerning Iran and activities linked to terrorist organisations in various countries around the world, have a broad reaching effect but receive little if any press attention. Importantly, enforcement actions by EU Member States and the US authorities include an investigation of whether the violator knew or should have known that their conduct violated sanctions laws.

Also, it is good to keep in mind, that other countries (such as Canada, Australia and Switzerland) have also imposed their own sanctions. Although EU and US sanctions may be for many Finnish enterprises the most likely applicable sanctions programmes, it is good to be aware that other authorities can and do impose sanctions of their own.

2. Determine if Planned Business is Affected by Sanctions

If you believe that a business transaction that you have planned could be affected by sanctions, there are some steps you can take to protect yourself against liability—both in case of a sanctions-triggered dispute with your counterparty, as well should an official investigation occur.

  • Identify as many of the personnel involved in the transaction as is reasonably possible, including both your own and those of your counterparties. Whether you are required to comply with any particular sanctions programme depends upon a number of factors, including where you and your counterparty are performing your obligations under the contract, where your decision-makers for that transaction are located while making decisions for that transaction, and the citizenship and residency rights of personnel involved in the transaction.

    In addition, involvement by individuals or entities listed as sanctioned on the official lists, or because of the application of the 50% ownership rule, and the involvement of certain goods or services, can all affect whether a particular transaction will be affected by sanctions laws. Looking for the moment only at the background of the personnel involved, it is important to know that even a company that is registered and headquartered in Finland and that has no connection to the US, could in some circumstances be required to comply with US sanctions laws if a particular business transaction has a connection to the US.

    The US authorities have a history of threatening civil or even criminal prosecution against foreign companies when those companies are believed to have caused US persons to violate US sanctions laws. Knowing as much as possible about the connections of personnel and companies involved in your transactions will improve your ability to determine whether your business plans might need to comply with EU or US sanctions, or perhaps on some occasions with both.

  • Identify your counterparties and determine if they are sanctioned. Official lists of every individual and company specifically sanctioned by the EU or the US (or sometimes by both) can be found and searched online. However, be aware of the 50% ownership rule—a company may be sanctioned, even if it is not listed on the official lists, if that company is owned 50% or more by one or more sanctioned persons.

    Try to obtain as much information as is reasonably possible about your counterparties, including their full names, official registration numbers, office locations and (if possible) the identities of their major shareholders.This information will help you perform a thorough due diligence review of potentially applicable sanctions programmes to determine if the transaction is at risk for a sanctions violation.Your current business should also be examined to rule out potential problems if you become aware that one or more sanctions programmes could potentially be applied to that business.

  • Examine your business transactions to determine if they could trigger any industry-specific, or goods or services-specific sanctions violations. Remember that certain types of business transactions could be restricted or prohibited by sanctions laws even if none of the parties involved are sanctioned. Check the types of goods involved; the export, import or transfer through of certain goods is restricted or forbidden when certain geographic locations or sanctioned parties are involved. Pay attention also to goods assembled from parts manufactured in different locations—parts manufactured in certain countries could in some cases be subject to sanctions restrictions which could impact the distribution of the final products. Be aware also that the export, import or transfer through of certain goods may be forbidden if the final destination of those goods is a restricted industry, or a restricted geographic location or is connected to particular companies or individuals.

    Service contracts may also be subject to restrictions or prohibitions when certain industries, citizens of certain countries or particular geographic locations are involved. Exactly what business activities are allowed and which require prior approval from the authorities, as well as which activities are forbidden, depends upon all the facts of a particular business transaction.

3. Prepare Your Strategy to Prevent Violations and Get the Deal Done

Prepare a plan of action to address the risks and to protect yourself against liability. Documenting your efforts to perform an appropriate due diligence sanctions check may prove useful in the future should the need arise to demonstrate that you performed the level of due diligence which the circumstances called for, e.g. in case of an official investigation. It may also be helpful to prepare internal training and education programmes to ensure that your employees are able to identify and address possible sanctions issues.

Depending upon the nature of particular situations, it may be beneficial to seek an official clarification or approval of business activities from the authorities. It is also possible in some cases to apply to the authorities for a special license to conduct business which may otherwise be prevented by sanctions restrictions.

You may also wish to review your transaction agreements to ensure that they contain language which offers you the maximum protection in the event that the restrictions imposed by existing sanctions, or new sanctions which could be imposed in the future, restrict or prevent the performance of those transactions.

Kristina Rutsky