

Compliance Risk: Reputation vs. Penalties

By Matt Kelly (Updated )

2018 has turned into a summer of discontent for corporations’ stakeholders. That, in turn, has left corporations themselves enduring a summer of discomfort — and lots of it.

One company after another has suffered through employees, investors, business partners, or simply the public at large being unhappy with some action the company has undertaken. Sharing personal data with third parties, working with unsavory political figures, employees caught on video engaging in racist or sexist behavior; the list of offenses is long.

The ethics and compliance conundrum for companies, however, is that regardless of whether those offenses are illegal — and some clearly aren’t — stakeholders find them objectionable nevertheless.

Which raises a difficult strategic question for compliance leaders: How do you balance worries about compliance risk with worries about reputation risk?

Certainly, a company can’t ignore compliance obligations; they’re required by law or regulation. But let’s not kid ourselves, either: a compliance risk gone wrong usually leads to an investigation, a negotiated settlement, and perhaps a corporate penalty.

A reputation risk gone wrong, however — that gets senior executives fired. Or it punishes the stock price and leads to lawsuits. Or it sparks a social media campaign that punishes the stock price and gets senior executives fired.

Above all, in our modern world soaked in social media and brimming with distrust in organizations, reputation risk is what scares the board.

So compliance officers must factor that fact of corporate life into the programs they run. Boards will appreciate it, and in many instances, reputation risk is the bigger potential threat to the organization anyway.

The Bulwarks Against Reputation Risk

The peril of reputation risk is its unpredictability. It strikes quickly, and often unexpectedly. Stakeholders (especially customers and the public) gloss over the process and focus on outcomes. Someone decided to work with that tainted third party. Someone decided to pay too much money to that former government official.

First, that unpredictability means that compliance training must spend time on a company’s core ethical values and priorities — because your program won’t be able to anticipate every misconduct risk that might harm the company’s reputation. At some point, employees will need to exercise their best judgment. So, ensure that they know what the company’s values truly are, and how important ethical conduct is relative to other business objectives.

Second, due diligence programs must give more attention to reputation risk — perhaps, for example, by screening out third parties based on qualitative ethical criteria, rather than by screening only against lists of politically exposed persons or adverse media reports. That step, however, presupposes that your organization already has clear ethical requirements and puts a high value on them. So articulating those standards is just as important for due diligence as it is for training.

Third, design internal controls so that they address reputation risk effectively. Internally, that might mean a refresh of policies in the employee handbook, so everyone is clear about what types of misconduct off-hours might get them fired. Among third parties, it might mean expanding contract language to specify behavior that could trigger a separation.

Strong anti-bribery controls, after all, won’t matter much if your third party is polluting its local environment or harassing minorities. But if your organization is accused of ignoring that unethical behavior — well, stakeholders might demand the head of whoever let that misconduct creep into your enterprise.

If the clamor is loud enough, the board might give them one. Be sure it’s not yours.
