Breaking Silos of Legal and Regulatory Risks to Outperform Traditional Compliance Approaches

Abstract

The ever-evolving legal and regulatory landscape and resulting pressure on organizations to adapt and comply is just one of many factors that have turned compliance management into a crucial yet increasingly complicated activity. In recent years, numerous compliance challenges have been reported on and traditional approaches for managing legal and regulatory risks are increasingly being scrutinized. This paper provides an overview of the main challenges faced by commercial organizations and goes on to focus on what is referred to as a holistic, integrated approach to managing compliance. It explores the key characteristics and suggested benefits of the approach, as well as some factual and more substantive arguments in support of its claims and underlying logic. Borrowing from criminological theory, it further argues that despite the potential benefits of a holistic view of compliance, there equally remains room for caution.

Notes

  1.

    In order to illustrate the emerging convergence in these guidance materials, four documents in the area of anti-corruption compliance and one related to trade compliance were analysed and compared. The guidance documents relevant to anti-corruption compliance have been selected due to their prominence in the field, the extra-territorial reach and business impact of the underlying legal documents (e.g. the U.S. FCPA and UK Bribery Act) and/or the level of detail provided on how to design and implement a risk-based compliance programme. The EU Commission guidance on internal compliance programmes for dual-use trade controls was included to illustrate commonalities in programme features across compliance domains.

  2.

    On a more positive note, consensus appears to be growing on what constitutes a strong and effective compliance programme (see infra); and knowledge and notions derived from behavioural science, criminology and other established disciplines are slowly but surely finding their way to compliance literature and daily practice (see also Haugh 2017b; Soltes 2018).

  3.

    As is often the case in the guidance materials issued by governments and regulators on the design and implementation of internal compliance programmes (see infra), and in line with the so-called ‘Three Lines of Defense’ model (IIA 2013), implementation problems and monitoring and reporting problems have been captured under separate headings. Examples of monitoring and reporting problems include a struggle to oversee business operations, and difficulties encountered with understanding reporting requirements and with meeting reporting deadlines.

  4.

    Situational crime prevention is an approach in environmental criminology that aims to identify ways to modify the immediate setting in which crime takes place in order to affect assessments made by potential offenders about the risks, costs and benefits associated with committing particular offences (Clarke 1997: 5; Sidebottom 2010: 6). In its current representation, twenty-five situational techniques have been identified, listed under five basic strategies (see Clarke 2005: 46–47 for a comprehensive overview of techniques).

  5.

    Diffusion of benefits, according to Johnson et al. (2012: 338), is the phenomenon ‘whereby the positive effects of an intervention extend beyond the operational range of intervention’.

References

  1. Abdurakhmonov, M., Bolton, J. F., & Ridge, J. W. (2019). When the cat’s away, the mice will play: a model of corporate regulatory compliance. Journal of Managerial Issues, XXX(1), 7–27.

  2. Adams, B. (2017). Compliance challenges: the importance of contract compliance during regulatory change. Contract Pharma Magazine. https://www.contractpharma.com/issues/2017-01-01/view_Back-page/compliance-challenges/. Accessed 1 November 2019.

  3. AFA - Agence Française Anticorruption (2017). Guidelines to help private and public sector entities prevent and detect corruption, influence peddling, extortion by public officials, unlawful taking of interest, misappropriation of public funds and favouritism. https://www.agence-francaise-anticorruption.gouv.fr/files/2018-10/French_Anticorruption_Agency_Guidelines.pdf. Accessed 11 March 2020.

  4. Al-Shabandar, R., Lightbody, G., Browne, F., Haiying Wang, J. L., & Zheng, H. (2019). The application of artificial intelligence in financial compliance management. In Proceedings of the 2019 International Conference on Artificial Intelligence and Advanced Manufacturing (AIAM 2019) (8th ed., pp. 1–6). New York: Association for Computing Machinery. https://doi.org/10.1145/3358331.3358339.

  5. Apollon, G. (2017). FCPA compliance should not cost an arm and leg: assessing the potential for enhanced cost-efficiency and effectiveness for an anti-corruption compliance program with the implementation of an enterprise legal risk management framework. Penn State Journal of Law and International Affairs, 5(2), 486–537.

  6. Armerding, T. (2019). Awash in regulations, companies struggle with compliance. Software Integrity Blog. https://www.synopsys.com/blogs/software-security/regulatory-compliance-challenges/. Accessed 15 November 2019.

  7. Armstrong, N. (2019). Addressing the five biggest corporate challenges in compliance. https://gdpr.report/news/2019/02/18/addressing-the-five-biggest-corporate-challenges-in-compliance/. Accessed 20 November 2019.

  8. Banks, T. (2015). Challenges of successful corporate compliance. https://complianceconsultants.com/challenges-successful-corporate-compliance/. Accessed 5 April 2020.

  9. Banks, A. (2019). The push for corporate human trafficking compliance under the trends of global legislation. Penn State Journal of Law and International Affairs, 7(2), 577–610.

  10. Barta, G. (2018). Challenges in the compliance with the General Data Protection Regulation: anonymization of personally identifiable information and related information security concerns. In P. Ulman & P. Wołoszyn (Eds.), Knowledge – economy – society: business, finance and technology as protection and support for society (pp. 115–121). Cracow: Foundation of the Cracow University of Economics.

  11. Basten, F., van Bekkum, E., & Kuilman, S. (2015). Soft controls: IT General Controls 2.0. Compact, 1, 14–20.

  12. Baurichter, R., & Polman, J. (2019). In mijn complianceteam zou ik geen enkele advocaat zetten: interview with Hui Chen. Het Financieele Dagblad, 2019, 20.

  13. Bell, S. L. (2017). Meeting the challenges of customs compliance in a post TFTEA and reinvigorated trade enforcement environment. Global Trade and Customs Journal, 12(5), 190–195.

  14. Braun, T. (2019). Impact of differences in legal risk assessment on compliance norms in multinational corporations. Ius Novum, 13(2), 225–249. https://doi.org/10.26399/iusnovum.v13.2.2019.24/t.braun.

  15. Chtioui, T., & Thiéry-Dubuisson, S. (2011). Hard and soft controls: mind the gap! International Journal of Business, 16(3), 289–302.

  16. Clarke, R. V. (1997). Introduction. In R. V. Clarke (Ed.), Situational crime prevention. Successful case studies (2nd ed., pp. 1–44). New York: Harrow and Heston.

  17. Clarke, R. V. (2005). Seven misconceptions of situational crime prevention. In N. Tilley (Ed.), Handbook of crime prevention and community safety (pp. 39–70). Devon: Willan Publishing.

  18. Clarke, J. (2019). Simplifying compliance with an inside-out security mode. https://www.corporatecomplianceinsights.com/simplifying-compliance-inside-out-security/. Accessed 20 November 2019.

  19. Cornish, D. B., & Smith, M. J. (2012). On being crime specific. In N. Tilley & G. Farrell (Eds.), The reasoning criminologist. Essays in honour of Ronald V. Clarke (pp. 30–45). Abingdon: Routledge.

  20. CSC (2018). Top 5 corporate compliance challenges of 2018: how to move forward to a more compliant 2019. https://www.cscglobal.com/cscglobal/pdfs/Top_5_Corporate_Compliance_Challenges_2018.pdf. Accessed 17 November 2019.

  21. David-Barrett, E., Yakis-Douglas, B., Moss-Cowan, A., & Nguyen, Y. (2017). A bitter pill? Institutional corruption and the challenge of antibribery compliance in the pharmaceutical sector. Journal of Management Inquiry, 26(3), 326–347.

  22. De Kiewit, M. A. (2009). Soft Controls. Course materials ‘Management van Compliance en Integriteit’ (6th ed.). Eindhoven: Euroforum Uitgeverij.

  23. DeLoach, J. (2015). Think holistically when managing risk. https://www.corporatecomplianceinsights.com/think-holistically-when-managing-risk/. Accessed 24 March 2020.

  24. Deloitte (2015). The changing role of compliance. https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Financial-Services/gx-financial-changing-role-compliance.pdf. Accessed 1 June 2019.

  25. Dey, D. (2017). Growing importance of machine learning in compliance and regulatory reporting. European Journal of Multidisciplinary Studies, 2(7), 255–258.

  26. Dodd, V. (2019). Top 5 compliance challenges in 2019 and beyond. https://www.skillcast.com/blog/top-5-compliance-challenges-2019. Accessed 15 November 2019.

  27. Duden, C. (2018). Holistic risk and compliance management. https://www.360factors.com/blog/holistic-risk-and-compliance-management/. Accessed 24 March 2020.

  28. Duncan, B. (2019). EU General Data Protection Regulation compliance challenges for cloud users. In Duncan, B., Lee, Y.W., Westerlund, M. & Aßmuth, A. (Eds.), Cloud computing 2019: the tenth International Conference on Cloud Computing, GRIDs, and Virtualization, 25–30.

  29. Duncan, B. & Zhao, Y. (2018). Risk management for cloud compliance with the EU General Data Protection Regulation. 2018 International Conference on High Performance Computing & Simulation (HPCS). Orleans, 664–671.

  30. Ehret, T. (2019). Top 10 concerns for U.S. compliance officers in 2019. https://blogs.thomsonreuters.com/answerson/top-10-concerns-for-u-s-compliance-officers-in-2019/. Accessed 17 November 2019.

  31. Eisenach, J. A. (2010). The role of independent contractors in the U.S. economy. https://www.iccoalition.org/wp-content/uploads/2014/07/Role-of-Independent-Contractors-December-2010-Final.pdf. Accessed 11 Sept 2020.

  32. English, S. & Hammond, S. (2019). Cost of compliance 2019: 10 years of regulatory change. Thomson Reuters Regulatory Intelligence Cost of Compliance Report. http://financial-risk-solutions.thomsonreuters.info/Cost-of-Compliance-2019. Accessed 5 April 2020.

  33. European Commission (2019). Commission Recommendation (EU) 2019/1318 of 30 July 2019 on internal compliance programmes for dual-use trade controls under Council Regulation (EC) No 428/2009. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019H1318. Accessed 13 March 2020.

  34. Famulare, J. (2017). Compliance challenges for a global industry. Pharmaceutical Engineering, 37(2), 12–16.

  35. Flynn, A. (2019). Determinants of corporate compliance with modern slavery reporting. Supply Chain Management: An International Journal, 25(1), 1–16.

  36. Foorthuis, R.M. (2012). Project Compliance with Enterprise Architecture. Doctoral Thesis. Utrecht: Utrecht University Department of Information and Computing Sciences, Organization and Information.

  37. Garben, S. (2019). The regulatory challenge of occupational safety and health in the online platform economy. International Social Security Review, 72(3), 95–112.

  38. Gomez, L., Grimmer, T. & Murray, G. (n.d.). Holistic compliance: a more effective and efficient solution. http://awa2018.concurrences.com/articles-awards/business-articles-awards/article/holistic-compliance-a-more-effective-and-efficient-solution. Accessed 26 November 2019.

  39. Grimm, J. H., Hofstetter, J. S., & Sarkis, J. (2018). Interrelationships amongst factors for sub-supplier corporate sustainability standards compliance: an exploratory field study. Journal of Cleaner Production, 203, 240–259.

  40. Haelterman, H. (2019). Hard, soft or situational controls? Bridging the gap between security, compliance and internal control. Security Journal. https://doi.org/10.1057/s41284-019-00208-3.

  41. Haelterman, H., Callens, M. & Vander Beken, T. (2012). Controlling access to pick-up and delivery vans: the cost of alternative measures. European Journal on Criminal Policy and Research, 18(2), 163–182.

  42. Haney, B. S. (2018-2019). Calculating corporate compliance & the Foreign Corrupt Practices Act. Pittsburgh Journal of Technology Law and Policy, 19, 1–34.

  43. Hashmi, A., Ranjan, A., & Anand, A. (2018a). Security and compliance management in cloud computing. International Journal of Advanced Studies in Computer Science and Engineering, 7(1), 47–54.

  44. Hashmi, M., Governatori, G., Lam, H.-P., & Wynn, M. T. (2018b). Are we done with business process compliance: state of the art and challenges ahead. Knowledge and Information Systems, 57, 79–133.

  45. Haugh, T. (2017a). Nudging corporate compliance. American Business Law Journal, 54(4), 683–741.

  46. Haugh, T. (2017b). The trouble with corporate compliance programs. MIT Sloan Management Review, 59(1), 55–62.

  47. Hofstetter, K., Soltes, E.F. & Kraakman, R.H. (2018). Compliance, compensation and corporate wrongdoing. Conclusions from a Roundtable at Harvard Law School. Available at SSRN: https://ssrn.com/abstract=3373718 or https://doi.org/10.2139/ssrn.3373718.

  48. IIA (2013). The Three Lines of Defense in Effective Risk Management and Control. IIA Position Paper. https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf. Accessed 21 May 2019.

  49. IIA Netherlands (2015). Discussion paper soft controls. What are the starting points for the internal auditor? https://www.nba.nl/Documents/Publicaties-downloads/2016/IIA_Bro_A4_Soft_Controls_03.pdf. Accessed 29 January 2017.

  50. Johnson, S. D., Guerette, R. T., & Bowers, K. J. (2012). Crime displacement and diffusion of benefits. In B. C. Welsh & D. P. Farrington (Eds.), The Oxford handbook of crime prevention (pp. 337–353). New York: Oxford University Press.

  51. Kaptein, M. & Vink, H-J. (2014). The soft side of hard controls: a control coding theory. https://ssrn.com/abstract=2378437. Accessed 30 March 2019.

  52. Koetter, F., Kintz, M., Kochanowski, M., Wiriyarattanakul, T., Fehling, C., Gildein, P., Wagner, S., Leymann, F. & Weisbecker, A. (2017). An universal approach for compliance management using compliance descriptors. In M. Helfert, D. Ferguson, V. Méndez Muñoz & J. Cardoso (Eds.), Cloud computing and services science. CLOSER 2016. Communications in Computer and Information Science, 740, 209–231.

  53. Lane, S. (n.d.). Why a holistic approach to compliance pays dividends. https://insights.redflaggroup.com/articles/why-holistic-approach-to-compliance-pays-dividends. Accessed 5 April 2020.

  54. Ludlam, J., Gomez, L. & Grimmer, T. (2018). Connected compliance: the business case for compliance integration. https://www.bakermckenzie.com/-/media/files/insight/publications/2018/connected_compliance_report.pdf?la=en. Accessed 25 March 2020.

  55. Magalhaes, M. (2019). Solving common compliance challenges with an effective compliance plan. http://techgenix.com/effective-compliance-plan/. Accessed 17 November 2019.

  56. Martin, C. (2019). Integrity pacts and corporate compliance programmes: contrary or complementary? Emerging evidence from a pilot project in the EU. European Procurement & Public Private Partnership Law Review, 14(1), 16–29.

  57. Matsuo, A.S. (2019). Regulatory and compliance transformation: building an innovative compliance risk management program for tomorrow requires an investment today. https://advisory.kpmg.us/services/risk-strategy-compliance/operations-and-compliance-risk/compliance-transformation.html. Accessed 9 August 2019.

  58. McAllister, B. J. (2017). The impact of the Dodd-Frank whistleblower provisions on FCPA enforcement and modern corporate compliance programs. Berkeley Business Law Journal, 14, 45–86.

  59. Merton, R.K. (1957). Social theory and social structure. New York: Free Press.

  60. Moreto, W.D. & Clarke, R.V. (2014). Script analysis of the transnational illegal market in endangered species. In B. Leclerc & R. Wortley (Eds.), Cognition and crime. Offender decision making and script analyses (pp. 209–220). New York: Routledge.

  61. Muthuri, R., Boella, G., Hulstijn, J., Capecchi, S., & Humphreys, L. (2017). Compliance patterns: harnessing value modeling and legal interpretation to manage regulatory conversations. In Proceedings of the 16th edition of the International Conference on Artificial Intelligence and Law, 139–148.

  62. Naranjo, J.L. (2018). Holistic business approach for the protection of sensitive data: study of legal requirements and regulatory compliance at international level to define and implement data protection measures using encryption techniques. Master Thesis. Universitat Oberta de Catalunya. http://openaccess.uoc.edu/webapps/o2/handle/10609/90727. Accessed 28 February 2020.

  63. Nottage, C. (2018). Compliance strategies to reduce the risks of money laundering and terrorist financing. Doctoral thesis. Walden University College of Management and Technology.

  64. OECD - Organisation for Economic Co-operation and Development (2010). Good practice guidance on internal controls, ethics, and compliance. Adopted 18 February 2010. http://www.oecd.org/daf/anti-bribery/44884389.pdf. Accessed 3 March 2019.

  65. Osborne, C. (2018). Global compliance: a holistic approach to managing risk. https://www.youtube.com/watch?v=1h_uxdEMhYk. Accessed 5 April 2020.

  66. Pieth, M. (2018). Corporate compliance and human rights. Criminal Law Forum, 29, 595–601.

  67. Polidoro, L. (2017). MIFID II key reforms, opportunities and limitations: from a compliance to a business challenge. In M. Tofan, A. Roman & I. Bilan (Eds.), EUFIRE 2017: The proceedings of the International Conference on European Financial Regulation (pp. 123-140). http://eufire.uaic.ro/wp-content/uploads/2017/08/volum_EUFIRE_2017_docx.pdf#page=123. Accessed 27 November 2019.

  68. PwC (2018). Staying ahead of change: real-time compliance management. 2018 State of Compliance Study. https://www.pwc.co.uk/audit-assurance/assets/pdf/2018-state-of-compliance-study.pdf. Accessed 11 December 2019.

  69. PwC (2019). Compliance on the forefront: setting the pace for innovation. 2019 State of Compliance Study. https://www.pwc.com/us/en/services/risk-assurance/library/assets/pwc-2019-state-of-compliance-study-final-secured.pdf. Accessed 13 December 2019.

  70. Reynolds, M., Laskin, A., & Eftekharpour, A. (2018). The difficult position: PIPEDA, PC(ML)TFA, and the challenges of dual compliance. Banking & Finance Law Review, 33(2), 213–225.

  71. Saita, F. (2017). The digital bank and the challenge to compliance, risk management and internal audit. Bancaria, 1, 2–10.

  72. Sharpe, N. (2019). Prioritizing process: empowering the corporate ethics and compliance function. University of Illinois Law Review, 4, 1321–1352.

  73. Sidebottom, A. (2010). Enriching corruption: some suggestions on how situational crime prevention can inform the analysis and prevention of corruption. http://corruptionresearchnetwork.org/marketplace/resources/Sidebottom%202010%20Enriching%20Corruption%20in%20the%20Health%20Sector.pdf/. Accessed 22 September 2017.

  74. Silva, K. (2017). Anti-money laundering and counter terrorism financing compliance challenges in community banks. Dissertation. Utica College.

  75. Soltes, E. (2018). Evaluating the effectiveness of corporate compliance programs: establishing model for prosecutors, courts, and firms. New York University Journal of Law and Business, 14(3), 965–1012.

  76. Son-Turan, S. (2017). Compliance and reporting trends: essential strategies. In Dinçer, H. & Hacioğlu, Ü. (Eds.), Risk management, strategic thinking and leadership in the financial services industry. Contributions to management science (pp. 287–296). Springer, Cham.

  77. Tranfield, D., Denyer, D., & Smart, P. (2003). Towards a methodology for developing evidence-informed management knowledge by means of systematic review. British Journal of Management, 14, 207–222.

  78. Turetken, O., Elgammal, A., van den Heuvel, W.J., & Papazoglou, M. (2011). Enforcing compliance on business processes through the use of patterns. http://aisel.aisnet.org/ecis2011/5. Accessed 11 Sept 2020.

  79. U.S. DOJ and U.S. SEC (2012). A resource guide to the U.S. Foreign Corrupt Practices Act. Version November 14, 2012. https://www.sec.gov/spotlight/fcpa/fcpa-resource-guide.pdf. Accessed 27 February 2019.

  80. UK Ministry of Justice (2011). The Bribery Act 2010: guidance about procedures which relevant commercial organisations can put into place to prevent persons associated with them from bribing. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/832011/bribery-act-2010-guidance.pdf. Accessed 11 March 2020.

  81. van den Broek, T., & van Veenstra, A. F. (2018). Governance of big data collaborations: how to balance regulatory compliance and disruptive innovation. Technological Forecasting and Social Change, 129, 330–338.

  82. Victor, L. (2008). Systematic reviewing. Social Research Update (54). University of Surrey. http://sru.soc.surrey.ac.uk/SRU54.pdf. Accessed 31 January 2020.

  83. Vige, S. (n.d.). Five challenges facing governance, risk, compliance. https://www.marklogic.com/blog/challenges-facing-governance-risk-compliance/. Accessed 5 April 2020.

  84. Voglmaier, M. (2018). Compliance with the EU FMD Directive. Pharmazeutische Industrie, 80(5), 612–616.

  85. Wade, C. L. (2018). Corporate compliance that advances racial diversity and justice and why business deregulation does not matter. Loyola University Chicago Law Journal, 49(3), 611–636.

  86. Walsh, J. H. (2017). Compliance in the age of connectivity. Rutgers University Law Review, 69(2), 533–562.

  87. Weldon, M. (2017). Corporate governance, compliance, social responsibility, and enterprise risk management in the Trump/Pence era. Transactions: The Tennessee Journal of Business Law, 19(1), 275–306.

  88. Wipp Ekman, L. & Billgren, P. (2017). Compliance challenges with the General Data Protection Regulation. Master Thesis Lund University School of Economics and Management. http://lup.lub.lu.se/student-papers/record/8911983. Accessed 3 November 2019.

Author information

Corresponding author

Correspondence to Harald Haelterman.

Ethics declarations

Conflict of Interest

The author declares that there is no conflict of interest.

Annex A: Review Protocol

Research question

  • What challenges do commercial organizations face while trying to achieve or maintain legal and regulatory compliance?

Review stages

  • Initial search to identify candidate publications

  • Further (in-depth) review and identification of compliance challenges

  • Analysis, coding and clustering of compliance challenges

Search criteria (initial search)

  • Initial search conducted on title and abstract (where available), using the following key words and search strings: ‘compliance + challenge(s)’, ‘compliance + innovation’, ‘compliance + management’, ‘compliance + managing’, ‘compliance + strategy’, ‘compliance + strategies’, ‘corporate + compliance’, ‘legal + compliance’, ‘regulatory + challenges’, ‘regulatory + compliance’

  • Searches conducted in Web of Science, Scopus and Google Scholar

Inclusion criteria

  • Dealing with challenges faced by commercial organizations

  • Published in 2017, 2018 or 2019

  • Published in English

Further processing and coding

  • Following the initial search, candidate publications were uploaded to an academic literature database and duplicate entries were removed

  • Following an in-depth review, details were stored on those publications retained as containing information relevant to answering the research question

  • Compliance challenges were listed, coded and clustered

Reporting

  • Review findings are reported in Part Two of the paper

About this article

Cite this article

Haelterman, H. Breaking Silos of Legal and Regulatory Risks to Outperform Traditional Compliance Approaches. Eur J Crim Policy Res (2020). https://doi.org/10.1007/s10610-020-09468-x

Keywords

  • Legal and regulatory compliance
  • Corporate compliance
  • Compliance challenges
  • Holistic compliance
  • Compliance integration