Governments all around the world are regulating business. Some regulations are well documented and very clear – they have a distinct obligation and compliance is either met or not met. In these simpler regulatory situations, governments place a regulator in place to observe the requirement and, at least in theory, regulate compliance. In other cases, there is no regulator except for the standard fallback: the government prosecutorial service, which may or may not regulate these issues based on their own focus, workloads and capacity. We see this second category of law-making in countries like the United Kingdom and Australia, where primary prosecutions are left with the prosecutorial service even if there is a ‘regulator’ that is overseeing a piece of legislation. This sometimes means that failures to achieve compliance are not the subject of prosecution.
What is becoming increasingly common is governments trying to regulate areas using ‘soft regulations’, where laws are more akin to policies with obligations to report compliance. The government doesn’t actually regulate the law, nor does it actively prosecute non-compliance. Rather, it will draft the law so that ‘everyone can easily report compliance’ and then leave identifying non-compliant companies to the media and the community. We have seen this in areas like sustainability and human-trafficking laws, which include requirements for companies to issue annual reports that explain their compliance with stated laws.
Unfortunately, ‘report on your website’-based compliance initiatives may not actually move the dial substantially towards true compliance. Website-based compliance reports are often aspirational – carefully drafted to show that ‘compliance is ongoing’ and very cautious about making predictions as to when full compliance might be achieved. Some are just a paragraph doing the absolute minimum to ‘tick a box’ of compliance.
Occasionally a smart reporter might identify a weakness in a report and kick off a story that leads to a form of ‘trial by media’, so companies need to make sure each report is clear, understood by the media and the community (i.e. the principal audience) and says enough without saying too much.
For anyone looking to draft such a statement, here are the top 15 things to think about.
1. Plain English
As lawyers, we tend to make things more complicated. The best reports are written by laypeople for laypeople. Use your marketing team to write the report in language that everyone can understand. While a regulator might read it, the primary audience will be the media, customers and potential customers, and the community.
3. Explain the business in simple terms to give people context
In many cases the particular law that you need to report on probably doesn’t really apply to your business directly. Now is your chance to explain your business in a clear way: link it to the activities of the law and show that ‘there isn’t much to see here’. Obviously, the report needs to accurately reflect the business and what it does, but try to draft it in the simplest terms.
4. Blend compliance into your values and mission statements
If you are looking to comply with a particular obligation or regulation, then blend this compliance into your values, mission and ESG goals. Talk about your overall approach to ethics, integrity and standards, and then discuss this topic as a part of that. You want to give the message that this is a part of your overall programme to be a company of great integrity with a strong set of ESG values. The message should not be ‘we are giving as little information possible to meet this requirement and it annoys us that we need to write this much’.
5. Do not just summarise your policy
Many companies think that listing the fact that they have a policy on the issue should meet the requirements of most laws. That is like listing a policy on human trafficking and saying ‘We have a policy, all good, nothing to see here!’ when we all know that complying with a topic like human trafficking or modern-day slavery requires a comprehensive compliance programme, preferably following a recognised compliance framework like ISO 37003.
6. Talk about the team
Successful reports include details about the team that is putting the programme or initiative together, including outside stakeholders. This shows that the issues are real, that they are being actively managed with real people, and that there is an ‘owner’ for these initiatives.
7. Explain the obligations of the law in simple terms
Not everyone knows the obligations of the law. In fact, there may be expectations that the laws are much broader than they actually are. Some of your stakeholders might need a lesson on what is included in the law to give some perspective to your report.
8. Focus on the risk assessment and explain how the issue affects your company
It is important to show that you have done a solid risk assessment on each issue and how it applies to your company. For example, a bank that only deals with certain large and very limited suppliers will have a pretty low risk of human trafficking in its supply chain. Make it very clear which areas are low risk so readers understand why you will not be spending lots of time on those risk areas. Likewise, it is important to show which risks are high and make it clear what you are doing in those areas. Your risk assessment is your defence when someone (and there will be someone) says you failed to address a risk. It will be important to show the way you did the risk assessment, what you considered as risks and how you ranked them. It is also important to show that the risk assessment is assessed at least annually and that issues are reconsidered if things change.
10. Discuss the steps that you have taken
People want to see progress. They want to see that this is not a ‘tick-the-box’ exercise, but that there is real traction on meeting regulatory compliance requirements. Do not be afraid to give examples of things you have actioned following a risk assessment. Make sure to describe the concrete steps that you are taking, rather than just offering a broad answer like ‘we will do due diligence on suppliers’ or ‘we will include clauses in our contracts with suppliers’.
11. Share timelines and a ‘good to great’ message
Like most things, compliance is a progressive initiative. Be honest about that and show the areas where you think things are good as well as those where you have made things great. The concept of ‘good to great’ is a well-worn path and is understood by most people. You are not saying that things are bad, but you are admitting that you have room for improvement – there is a fine line between admissions of failure and leveraging improvement.
12. Prove observations through audit results
The most impressive reports clearly follow a compliance framework that requires monitoring and testing of the controls that are in place. People want to see that what you are saying you are doing actually works. Saying that you have contractual language with suppliers around human trafficking is great, but give some numbers, something like, ‘A routine review of our contracts highlighted that, as of June 2021, 86% of contracts contain the language, and we have plans to reach 95% by the end of 2021.’ This shows that you are tracking, checking and validating the steps that you say you are taking. Another example could be around audits: ‘This year we audited eight of our key suppliers, reviewing their systems and compliance programmes and meeting with their executives. The majority of these audits were highly successful with strong engagement, and remedial matters have been documented and placed in a timeline for follow up.’
13. Include graphs that show year-on-year changes in key areas
Annual reports are great, but they are even better if they show the differences between years. Have the key metrics improved? Key metric graphs that show year-on-year changes will be easy to understand and will provide great value for the reader.
14. Incorporate details about compliance reporting
Include reports around whistleblower reports and investigations, showing the outcomes if possible. While this might be a little tough if investigations are ongoing, the fact that you are open to showing gaps or issues is a strong indicator that your programme is working.
15. Talk about the areas of focus for the coming year
Give future-looking statements to show that the report is just a snapshot of an entire compliance programme and that you are continually investing in meeting and improving compliance of the obligations. Looking forward and giving direction into focus areas is a great start.