Andras Mohacsi is the Head of Competition Law and Sanctions at British American Tobacco, where he is responsible for designing, rolling out, and coordinating the implementation of the company’s global competition law and sanctions compliance programs, as well as overseeing the management of any related proceedings against any group company. He first joined BAT in Hungary in 1998. Before that, he worked as Head of Legal of Daewoo Bank Hungary.
CEELM: What would you say is the critical first step towards building a compliance culture?
ANDRAS: It’s obviously hugely important that what the compliance culture consists of in a company is defined and expressed – following the principle of a top-down funnel. The key principles and beliefs should be incorporated in a very important policy document and articulated in a very clear manner in a form that is signed off on by the board of the highest decision-making body of the organization and clearly communicated throughout the organization.
In our case, we have a document called “The Standards of Business Conduct” – and I know many other companies have a similar document. It might sound simple and formalistic, but I don’t believe you can talk about a culture without clearly articulating the clear principles and the clear boundaries everyone needs to respect. This is ideally done per area, since that’s how it becomes tangible for the people working in an organization.
This document, supported by the board, needs to set out precisely what the very clear high level dos and donts for the organization are, and these should be clearly articulated on everything from how we deal with sanctions, to competition matters, and bribery, and so on.
It is important that this be taken seriously. It has to be supported by a “speak up” line that people can use to raise their concerns and register incidents if they believe those principles are not followed. Equally, it is critical that any concern or incident that is raised is actually followed-up on, is properly reviewed and if necessary investigated, and, where necessary, that the appropriate and proportional sanction is applied.
Again, one could argue this is a slightly formalistic approach – and that may be true – but I find it fundamental in as far as the “hard side” of compliance is concerned.
CEELM: What’s the “soft” side of it?
ANDRAS: The “soft side” is how this is supported by communication, by the remuneration structure of the organization, and how compliance topics are addressed at corporate events, functions, and sessions. How these principles actually find their way into the business activities.
One of the most useful signs that you have a true compliance in place is when you see its principles being implemented irrespective of how attractive a deal might look from a commercial perspective. When we are called in to carry out a due diligence project – whether related to a bribery concern, or AML, or anything else – we know people are really engaged with our compliance principles. It is important to be able to point to a track record of, at times, wanting to enter into a deal but, after checking to make sure all these areas were adequately considered, saying “no.” Of course, no one is saying we have to say no all the time, but that is the biggest sign that the compliance culture you are fostering has spread throughout the organization: when its principles find themselves applied in every decision.
CEELM: You mentioned that, in the process of defining your principles in that high-level document, they would ideally be broken down into areas. What are the most important ones, in your mind?
ANDRAS: Typically, a modern standard business conduct document would address all compliance areas which are relevant for the business model of an organization. When you have a global organization like BAT, obviously it would cover a very broad range of areas, but I don’t think there is a defined list of compliance areas which have to be incorporated into this kind of document for every single company. For example, if you are not on the stock exchange there is no need for a chapter on insider trading, and if you are a very small company, lighter concerns about competition law exist. Arguably, there are some key areas: competition law, bribery and corruption, AML, illicit trade, and tax evasion. Those are also some of the main ones that I deal with on a daily basis – but there are other areas covered within my company such as insider trading and books and records, and a few others that are not directly covered by my department.
CEELM: But is a large compliance manual actually something that people digest?
ANDRAS: It really shouldn’t be a long document. In terms of size, I think the ideal scenario is that you have a “chapter” per area (such as competition law) but that it is not longer than what you’d include on a power point slide, or maybe two. That is more than enough to include the absolute critical policy messages you wish to convey. You want to think of these as constitutional messages rather than a manual for all to use.
Obviously, beneath that document you may need some procedures that take into consideration how these high-level commands or principles can best fit into the business model of the organization. That’s particularly important since we shouldn’t forget that one organization may have various different businesses. Think of GE and how many different businesses they may have. I think the absolute key is that you need to consider the actual business environment and business model of the organization: who are your suppliers, what’s your growth model, the size of organization, and so on. It is from that starting point that you can then identify how can certain risks feature in the context of the various aspects of your model. What could be a typical bribery scenario vis-à-vis your suppliers? What could be the typical bribery temptation scenarios for your employee groups? Once you map those out you have what we call “achieving a risk” or “temptation assessment” in the context of the business.
Depending on the risks, you need to figure out what are the most practical procedures that would fit under that high-level policy document. The role of these procedures is to give guidance to the users as to how you are expected to comply with the high-level policy statements. It would, for example, tell the person in our procurement department, “this is your supplier due diligence process to ensure compliance.” From this point, of course, you need to start looking into the very important pillar of trainings but these too need to be based on who does what and why – it cannot be abstract, and it has to be meaningful for the type of person and his/her type of role in the organization. Only then you can say that your approach is risk-based – based on the actual risk that, at least in theory, can happen in that specific situation.
CEELM: This all feels like it’s still more organizational set-up than the soft side of things.
ANDRAS: It is, but when you talk about culture you want to talk about the soft things. I am personally very much a believer that you can talk about the soft stuff only once you have laid a very very solid foundation when it comes to the hard elements – when you have done your risk assessment, you have your policy statement, you have your procedures, you have your training programs, you employ forms of control on a regular basis. On that last one, for example, we have a system in place where everyone reports once a year and declares themselves as either compliant or partially compliant (these reports are then signed off by a senior person who carries out the due diligence on a statistical basis). If you declare yourself only partially compliant, you need to put forward a justification and a remediation plan. Furthermore, once every few years we carry out an internal audit, where people go on the ground and carry out a solid assessment to see how all of this works out in real life.
CEELM: Earlier you mentioned your “speak up” line as a good indicator of an existing compliance culture. Since we are still talking about hard aspects, what processes have you set up to facilitate it?
ANDRAS: Indeed, “speak up” is enormously important. It is so because if people use this tool, then you know people within your company understand what the potential issues are, and that they think seriously about it and take it seriously enough to talk about potential problems if they come up. It is also important that employees are protected when they speak up and that it is seen as something constructive and positive. It reflects that people care and feel ownership.
It is important to enhance this feeling by following up, as I mentioned earlier, but also by setting up a reporting process. We pull stats together based on it and report them internally – sometimes this is done to an internal auditing committee: “Last year we had 2000 incidents raised based on our ‘speak up’ line, 25% were related to HR complaints and so on.” These stats are also an opportunity to demonstrate to the auditing committee, and the broader organization, that you have followed those up, investigated, and, ultimately, taken action when justified. If anyone has breached the standards of business conduct you need to show real and serious consequences. Such consequences can vary and we need to show to everyone that, if proportional, a staff member was fired, or we terminated a supplier or customer despite commercial benefits. These are real, palpable demonstrations to help further our compliance culture.
CEELM: Since we spoke a great deal about policy-setting, how does your team move from dictating “this needs to be done this way,” which may cause friction, towards engaging your other business functions in a collegial manner?
ANDRAS: Indeed, while we have many areas where the messages we convey are easy, there are others where there is actual resistance and the level of resistance can actually differ from mild to rather strong. There are a number of factors behind this resistance. Sometimes, especially in cases pertaining to competition law matters, the pressure is very high commercially because people just want to make their numbers. In other cases, such as when we want to roll out a third party due diligence project: the resistance doesn’t come from the fact they do not buy into the need to do it, but from the fact that it is enormously burdensome.
This leads to one of the key aspects of a successful compliance function: we need to remember that we are working with a business and make an effort to understand where push-back is coming from. Sometimes it’s a simple matter of sitting down with our colleagues to spend some time convincing them to engage. Sometimes we need to realize that we are placing unnecessary burdens on our colleagues. The key message is that while we need to design and roll out robust compliance procedures that are based on the actual risks the organization is facing, we need to listen to our business colleagues and work with them to simplify the compliance procedures, to make them more effective.
This Article was originally published in Issue 6.3 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.