Jonathan Pickworth introduces a survey which suggests that many companies are too complacent about regulatory risk

Global regulation has developed at a rapid pace over the last ten years, often in reaction to high profile scandals and company failures. With reputations, brand, market position, individual livelihoods and personal liberty at risk, effective management of global regulatory risk has become critical.

Regulators are armed with extensive investigatory powers, and investigations can lead to criminal or quasi-criminal sanctions being imposed on businesses and senior managers. Liabilities have been criminalised, responsibilities are personalised to individual directors, and blame is being apportioned when things go wrong.

A recent survey of 250 senior decision makers in the largest European companies by DLA Piper produced some striking results. Senior managers are clearly feeling the threat of regulation: 57% think that their industry is likely to be investigated in the next year; 40% think that an investigation into their company in the next year is likely and 76% believe that the risk of criminal penalties for regulatory breaches will grow over the next five years.

Prosecutions and high profile enforcement actions are hitting the headlines, and undoubtedly have devastating consequences for the individuals and businesses involved. The successful UK Serious Fraud Office prosecution of three former senior officials of Independent Insurance serves as a timely reminder of the high cost to be paid. Independent Insurance went into liquidation and jobs were lost. Michael Bright (former chief executive and founder), Philip Condon (former deputy managing director) and Dennis Lomas (former finance director) received prison sentences ranging from three to seven years, and have also been disqualified from holding company directorships for up to 12 years.

The disgraced trio will also have to face up to the possibility that they will lose personal assets in confiscation proceedings. In another recently concluded SFO case, Gerald Smith (Izodia) was ordered to pay nearly £41m by way of confiscation. If he fails to pay within 12 months he faces a default sentence of a further eight years' imprisonment (consecutive to the eight year sentence he is already serving for fraud). This is the largest confiscation order made in criminal proceedings to date.

But these are not the only risks. Whatever the eventual outcome, the mere fact that an investigation is taking place can lead to financial and reputational damage. Many businesses grossly underestimate the impact of an investigation. The Southern Water case is a good example.

Although there was insufficient evidence to bring a prosecution, the publicity given to the criminal investigation and the investigation by the water regulator Ofwat has seriously damaged the company's reputation. Furthermore, shareholders will bear the burden of paying a £20.3m fine for misreporting and manipulation of information. Even though Ofwat took into account the fact that the company instigated its own investigation, reported the situation to the relevant authorities and co-operated fully, it still imposed the biggest fine since it was given the power to do so two years ago.

Many may be aware of the key regulations affecting their core business. Some areas of business, like the financial services industry, are highly regulated and compliance driven. The FSA requires firms and individuals to have systems and procedures in place and follow strict rules of conduct in order to retain their authorisation. The rules on money laundering are clear and prescriptive. In many other areas, however, the compliance regime is less structured and businesses may not be sure how to assess the risk, let alone know how to remain compliant.

The DLA Piper survey showed that many businesses are unaware of the powers of the different regulators and may not even have considered the potential for intervention. Just over half were correctly aware of the investigative powers of regulators; 62% of respondents thought that an investigation by their financial regulator would be 'not at all damaging' or 'merely inconvenient'. In countries where health, safety and environment regulators have the right to search, over 55% were unaware of this power.

Businesses must look beyond national boundaries and recognise that regulation is becoming more international. There is an increased political will to deal with worldwide issues such as bribery and corruption, cartels and tax avoidance.

Individuals are at greater risk of extradition to the US for white collar offences, as the 'NatWest Three' and others have found out to their cost. The 2003 Extradition Act has also made extradition between EU member states easier and speedier under the European Arrest Warrant procedure. Businesses clearly need to be aware of the regulatory risks in every country in which they operate.

The US is the main focus for international regulatory issues, since it has made tackling corruption a high priority for both the Department of Justice and the Securities and Exchange Commission. The DOJ has increased the number of staff dealing with Foreign Corrupt Practices Act enforcement, and the SEC is making increased efforts to obtain enforcement assistance abroad. There has been a sharp increase in prosecutions and fines over the past three years using the FCPA.

The fact that another country has already taken action under its own anti-bribery legislation has not dissuaded the US authorities from imposing additional penalties. In 2004, Statoil, a Norwegian corporation listed on the New York Stock Exchange, was fined $3m by criminal law enforcement authorities in Norway for making improper payments to an Iranian official. In 2006 the US brought charges under the FCPA in connection with the same payments.

Statoil had to enter into a deferred prosecution agreement under which it had to admit responsibility, accept monitoring of its compliance programme for three years and pay a further $18m in fines and disgorgement.

The SEC has also had a major impact on businesses outside the US with its monitoring of Sarbanes-Oxley legislation. Our survey revealed that the SEC is now seen as one of Europe's most important and feared regulators – 37% of respondents said that any enforcement action by the SEC would be 'damaging' or 'very damaging' to business. Perhaps most striking is the fact that the respondents rated the SEC as a greater threat than their own authorities.

It can be difficult for businesses to keep up to date with the volume of law and guidance relating to local, let alone global regulation, but ignorance is no defence when the regulator comes knocking at the door. Despite the risks, many businesses and their senior personnel remain complacent. Many businesses are unaware of the powers of the regulators and are therefore ill-equipped to deal with a regulatory intervention.

The survey found that although many businesses feared the US regulators, 61% were unaware of the existence of the FCPA. Yet this is the legislation which underpins most of the DOJ and SEC enforcement actions against overseas companies and individuals. Closer to home there is also a surprising level of ignorance about the powers of local regulators to search premises, seize documents or ban senior level executives.

Where local competition authorities have the power to enter premises by force, 67% were unaware of this power. Where financial services regulators have the power to remove documents or conduct compulsory interviews, only 46% and 51% respectively were aware of these powers. These are worrying statistics. Unless businesses understand the powers of the regulators they cannot properly assess the risks or put proper controls in place.

Businesses must be proactive about assessing and managing the whole range of regulatory risk before the damage occurs. There are four key areas to managing regulatory risk:

1 dedicated teams and specialists (in-house and external regulatory specialists)

2 compliance (a structured and dynamic compliance programme)

3 procedures to deal with investigations

4 crisis management procedures.

It is clear from the survey that many are not sure how to manage these key areas. Fewer than one in five respondents had all four elements in place and 9% had none. Although effective forward planning is crucial in managing risk, 51% of those surveyed did not have a crisis management plan and only 43% carried out regular reviews of their plans. Although 36% of respondents claimed to have a highly structured compliance plan, 40% do not review it more often than every six months. Interestingly, companies located in the US, and those listed or secondarily listed in the US, appear to be better at managing regulatory risk. The stricter US regulatory environment has seemingly kickstarted a more effective compliance regime.

Regulatory risk, like all other risks in life, can never be eradicated completely. However, it can be managed. The benefits of proper risk management are twofold: the likelihood of a regulatory breach taking place can be minimised and in the event of a breach, the regulators can usually be persuaded to look more favourably on a company that has made an effort to manage its risk.

So how should businesses manage their regulatory risk? Firstly, they should take a risk-based approach – as do many of the regulators. Secondly, they should take a holistic approach to risk management.

A holistic approach looks at every stage in the regulatory cycle and assesses the threats posed by the many different regulators at home and abroad.

This requires a three step plan:

Step 1 Consider the different areas of regulation which might affect your business:

Step 2 Consider the geographical scope of the regulatory risks to your business

Step 3 Consider all the stages in the regulatory cycle

Regulatory specialists can assist in addressing the three aspects of risk management. They are able to provide a more comprehensive approach than the usual corporate advisor – monitoring proposed legislation and lobbying for change, increasing awareness of the different regulators and their powers, devising and reviewing risk management strategies based on global risk assessment, preparing crisis management plans for raids or other interventions, training staff how to deal with raids and interviews and even providing 24 hour worldwide legal advice.

Comprehensive global D&O insurance should be an essential part of the risk management plan. The level and scope of the cover provided should also be reviewed regularly. Are you allowed to seek emergency legal advice without prior authorisation from the insurer? Are your investigation costs covered? Are worldwide extradition defence costs covered? Are the assets of individuals protected? The global regulatory environment is fast moving and constantly changing. Prevention is always better than cure.