UK regulators are adopting an approach as aggressive as that of their US counterparts.

Neil Gerrard emphasises the need to manage regulatory risk effectively

The string of corporate scandals over the past 18 months has severely damaged confidence in US business. Ever since the true extent of Enron's overstating of accounts became apparent in November 2001, there have been calls from the American media, public and politicians to get tough with business. Further revelations at WorldCom and Tyco have only hardened the resolve of US politicians of all hues to be, and to be seen to be, tough on corporate chiefs who break the law.

The centrepiece of the US response to the corporate crisis took the form of the Sarbanes-Oxley Act. The Act was signed by President George W Bush in July 2002, and the majority of its provisions apply to most companies listed on the New York Stock Exchange or the NASDAQ. Most significantly, the Act imposes stringent requirements for signing off company financial statements, and carries a maximum penalty for making false financial statements of a $5m fine or imprisonment for up to 20 years.

These legislative developments are matched by increasingly aggressive regulatory enforcement. Last year, the antitrust division of the Federal Trade Commission levied over $280m in criminal fines, with the average corporate fine topping $18m. The division has obtained over $2bn in criminal fines in the last five years. This includes nearly $1bn of fines levied during an investigation into an international vitamin cartel. The division uncovered cartel activity in 12 different vitamin markets, leading to the prosecution of 11 companies and 13 individuals, and the incarceration of 11 executives, including six foreign nationals. On 1 April 2003, the Environmental Protection Agency announced that a major distributor of petroleum products would pay $34m, the largest civil penalty paid to the EPA, for violating the Clean Water Act. In July 2002, President Bush called on the Securities and Exchange Commission (SEC) to step up enforcement and disqualification actions, supported a 20% increase in the SEC budget, and announced the creation of a new corporate fraud task force. Maximum prison sentences for those frauds most often associated with corporate wrongdoing are also to be doubled.

There is strong evidence that the UK is drifting towards a regulatory framework characterised by the same kind of aggression that is commonplace in the US. This drift has been precipitated by a number of factors, including the bursting of the 'dot-com' bubble, high-profile corporate scandals such as Marconi and Equitable Life, growing shareholder activism and intense media interest.

UK regulators are increasingly willing to flex their muscles. For example, in May 2002, the Office of Fair Trading's director of competition enforcement, Margaret Bloom, stated that the act of perpetuating a cartel was 'equivalent to theft', adding that 'effective deterrence is very important.' Moreover, this trend is backed by the regulators' political masters. The Deputy Prime Minister, John Prescott, has declared that health and safety must be a priority for top managers 'who must be prepared to face the consequences of ignoring the law. In future that could well mean prison'.

These pronouncements are being matched by the actions of the regulators. Activity, including prosecutions, is on the increase. The Information Commissioner, for example, prosecuted three times as many offences in 2002 as in 2001. Similarly, over 10,000 directors have been disqualified since the Company Directors Disqualification Act 1986. Over 50% of these disqualifications have occurred since May 1997.

At the same time, the severity of penalties is being ratcheted up. The average level of fines levied by the Health and Safety Executive increased by 39% between 2001 and 2002. As part of its Pensions Review, the Financial Services Authority has fined 345 firms a total of £9.5m. In 2001, the Office of Fair Trading issued 1,040 notices demanding the production of specific documents and obtained warrants to enter and search 37 premises.

Criminalising corporate life
The trend is especially significant given the sweeping powers wielded by the UK regulators. Most have powers of entry, search and seizure. Some also have the power to hold compulsion interviews, where there is no legal right to silence.

What is more, regulatory breaches carry heavy penalties. There are 23 criminal offences under the Financial Services and Markets Act 2000, carrying a maximum sentence of seven years' imprisonment and/or an unlimited fine. The new Enterprise Act introduces a criminal offence for individuals who dishonestly engage in cartel agreements.

This tendency to give regulators sweeping powers looks set to continue. Withholding information from auditors could become a criminal offence, carrying a sentence of up to two years' imprisonment under the Companies Bill. As Competition Minister Melanie Johnson has noted, 'This is the first time that failure to offer information will be a criminal offence'.

Moreover, regulators and politicians alike are keen to personalise responsibility for regulatory breaches. Bill Callaghan, chair of the Health and Safety Commission, has stated that, "Now, more than ever, there is no excuse for those at the top to be ignorant of their responsibilities… Inspectors must consider carefully the role of individual managers and directors when serious failures do occur". These sentiments have been echoed by Carol Sergeant, managing director of the Financial Services Authority, who has said that her organisation "will hold senior managers of regulated firms personally accountable for the way they run their businesses".

Rethinking regulatory risk
In the light of these trends, my own firm commissioned the London School of Economics to undertake research* into company directors' awareness of the regulatory risks and liabilities they face. Based on 50 in-depth interviews with senior staff from FTSE 250 or equivalent-sized companies, its findings make worrying reading.

The overwhelming perception of those interviewed is that regulatory risks are definitely growing. 96% of company directors interviewed were of the opinion that regulatory risks are increasing and 94% believed that directors will face increasing personal exposure in the future.

There is little doubt that these risks matter. 94% of those interviewed believed that managing regulatory risks is important. Furthermore, 82% thought institutional shareholders regarded the management of these regulatory risks as very or somewhat important. One City analyst interviewed for the report remarked, "In the bull market, nobody cared much about risk. Now, risk is the first thing investors focus on. Railtrack and Andersen have highlighted regulatory risk as being as important as financial risk."

Those who have experienced a regulatory intervention are well aware of the possible consequences. Around 48% of respondents have direct experience of their company or its employees being sanctioned, and 71% of those respondents stated that this experience had impacted very strongly on their management of regulatory risks.

Current practices
Despite the survey respondents' awareness of growing regulatory aggression in the UK, British companies are woefully unprepared to deal with it. First, there is an alarming lack of confidence in those who manage regulatory risk. Less than one in five respondents felt able to say that they were 'very confident' that their organisation has an effective regulatory risk management system.

There is also much confusion about responsibility for regulatory risk management. One in eight respondents was unable to say where it lay. Over a third of respondents said that regulatory risks were not discussed in detail at board level.

One in four companies admitted to having no crisis management plans to deal with regulatory intervention. What is more, two-fifths of respondents have not reviewed their crisis management plans in the last year; one fifth have never reviewed them. This failure represents a shocking degree of complacency.

Low awareness at board level is potentially depriving many companies of a sufficient focus on regulatory risk management. Cultural problems may, in part, flow from long-established tendencies to focus attention on bottom-line issues – in the words of one respondent: "Regulatory risk management is not considered a sexy subject – nobody is interested in it until it happens."

The survey revealed a particularly acute inability to monitor and shape new regulations. More than nine out of ten respondents did not feel that they were 'very effective' in influencing new regulations. Moreover, nearly seven out of ten of those interviewed do not feel they are 'very effective' in monitoring new regulatory policy developments. This weakness is leaving companies seriously exposed.

In the light of growing regulatory risk in the UK, companies need to do more to manage it effectively. Not surprisingly, many companies turn to outsiders for help. Yet companies in the first instance turn to their auditors or accountants, rather than take advice from specialists in regulatory risk.

Proactive approach
Companies wishing to keep ahead of their competitors need to acknowledge that prevention is better than cure, and adopt a proactive approach to managing regulatory risk. Regulatory risk management is not just about crisis management, but about being involved at every stage of the process. Companies need to be active throughout the 'regulatory cycle', from monitoring future policy developments, through influencing new regulations and drawing up and implementing compliance programmes, to calling on corporate defence experts and instigating crisis management plans in the event of a regulatory breach.

The risks arising from increased regulatory aggression should be managed like any other business risks, as part of a systematic programme. Once in place, this should form part of a continuous cycle to ensure that risk management and compliance activity keep ahead of the regulator.

Finally, remember that regulation affects all businesses. Regulatory risk should therefore be seen as an opportunity, not a burden. Companies can gain a competitive advantage over their competitors by managing regulatory risk effectively.

Neil Gerrard is head of the regulatory group at international law firm DLA.

*The report can be viewed in full at

Manage regulation risk

  • Comply with the basic legal requirements – Identify and understand the relevant laws and regulations that affect your business, and ensure that you comply with them – and re-assess your position in relation to the regulators on a regular basis. The regulatory environment is constantly changing; what your business did very well yesterday may not be good enough in the light of the latest EU directive or UK regulation.
  • Plug any gaps – If gaps do exist in your regulatory compliance programme, you need to plug them. Rather than merely bolting on compliance arrangements, you should gear solutions towards integrating a compliance culture into line management. Every unit of the company – from legal to financial, human resources to logistics – should be involved.
  • Understand the regulator – Once you have ensured compliance with basic legal requirements, you need to get smart. Regulators publish their enforcement policies and have political priorities, but have only finite resources. Not every failing can be pursued. Regulators need to prioritise and exercise discretion. Business can be relatively confident as to what the regulator will be interested in at any given time and how and when this might change. Deploying resources to these areas means that companies can satisfy regulatory interest at the first encounter.