The VW "defeat devices" story that broke this week is (another) reminder of how badly wrong things can go for businesses that do not effectively map and manage their regulatory risks. There is often a "practicality disconnect" between a business understanding the regulatory framework within which it operates (for example, its engineers and compliance managers knowing in detail the environmental, health and safety, data management, antitrust, chemical/food/biotech/medical device and other rules with which they must comply) and its executives knowing what they must do on a day-to-day basis to mitigate the risk of a material breach of those rules.
In seeking to understand what to do, it is helpful to consider why things go wrong: why did VW (or certain executives at VW) fit the "defeat devices" into millions of vehicles and think they could get away with it? There are usually three reasons why such failures occur:
First, the business or certain executives within the business decide that breaking the rules is worth the risk because the potential rewards are great and the risk of getting caught is small. Regulatory agencies are continuously trying to tip the balance in favour of compliance by increasing the penalties for non-compliance: prison; very substantial personal and corporate fines. In terms of effective business compliance, we would recommend reviewing the incentives and training within your business: do employment contracts and promotion/appraisal criteria incentivise unwanted risk-taking; do sales targets compromise (the desired level of) compliance?
Second, a small number of executives embark on a non-compliant path as a temporary solution to a problem, but the situation spirals out of control. This is where the early warning systems within your business are critical: who within your business is alerted when, for example, a business unit materially under- or over-performs?
Third, non-compliant behaviour is standard practice for the business or the sector. In this scenario, the business and its executives may genuinely believe (and may genuinely have had reason to believe) that the regulatory authorities were content to allow the non-compliant behaviour. This is often very difficult to address because the prevailing view within the business and beyond may be that non-compliance is the "new normal". Dealing with the risks in this situation often requires an external shock or event (for example, your business or another business in the same sector becomes subject to a regulatory investigation). Preparing for that means having an effective action plan for what to do if and when certain trigger events occur: who will be responsible for ensuring specific actions are taken; will you need to review your key contracts; what, if anything, will you tell customers and employees; should you self-report to the relevant regulatory authorities; do you need to suspend any staff; and will you need to review IT systems and your document retention policy to ensure that evidence is not compromised?