Compliance breaches and regulatory investigations are impacting a wide variety of businesses in Asia, Control Risks expert tells StrategicRISK

Recent regulatory enforcement trends show that “no multinational company, regardless of the robustness of its compliance program, is invulnerable to investigation for the misconduct of its employees and agents”, says Control Risks’ senior managing director of compliance, intelligence, investigations and technology for Greater China and North Asia, Mavis Tan.

This is especially the case “where it operates in emerging markets like China”, adds Tan, who has specialised in forensic accounting, litigation support and insolvency for more than a decade.

“Responsible corporations should anticipate compliance breaches and take proactive steps to prepare for the possibility of a regulatory investigation,” Tan advises.

“If unprepared, the consequences can be dire, including massive financial penalties, costly and drawn-out investigations, management distraction and harm to a company’s reputation.”

Tan, who recently joined Control Risks as part of the firm’s expansion of its capabilities in the financial investigations, litigation support and compliance area, says that the firms most at risk include those operating in highly regulated industries such as pharmaceuticals, medical devices, telecommunications and construction.

“[Also impacted are] those whose business models involve extensive use of third parties, either in the generation of sales or in the provision of services in emerging markets such as China, India, South Korea and Indonesia,” she says.

The use of forensic accounting experts in litigation is becoming more common, Tan says, and they “can be of tremendous added value to the case”.

“This applies not only in corporate/commercial disputes, but also in high net worth family disputes, a unique occurrence in Asia due to the scale of assets, often involving substantial ownership interests in some of Asia’s largest listed entities that are still essentially family controlled and run,” she says.

Preparing for investigations

Tan believes that risk managers can play a major role in preparing for the possibility of a forensic investigations resulting from a regulatory inquiry. The first thing they can do, she says, is to check that their firm has document retention policies in place and that these policies are being followed.

“When a company is notified that an investigation has been commenced, it is likely to be required to retain large volumes of documents that relate to the investigation,” says Tan.

“To avoid creating the appearance of hiding or destroying evidence, companies should be consistent in reminding employees of the importance of following document retention policies.”

Tan also advises risk managers to be aware of the various data protection laws in different jurisdictions.

“Many countries have data protection rules restricting the use of certain data, for example state secret rules in China and data protection rules in Macau, which prohibit the unsanctioned transfer of personal data to other jurisdictions,” she says.

“Companies should obtain advice on how data in the different jurisdictions they operate in should be stored and processed, and/or the requirements to notify or obtain consent of authorities, employees and others prior to using that data. This should be done before an investigation arises.”

Companies should also have robust policies and procedures in place for detecting and reacting to allegations of misconduct, Tan advises.

“These controls might include, among others, a code of business ethics and conduct, an anticorruption compliance policy, employee screening procedures, third-party screening and management procedures, limitations on provision of business courtesies, training to educate employees and agents about applicable laws and regulations, incident-reporting hotlines, and procedures for investigating allegations and disciplining wrongdoers,” she says.

“Having these controls in place is persuasive to a regulator that a company is committed to ethical business practices and that any misconduct is a one-off by a rogue employee. This may help in limiting the inquiries to the specific operation and not involving a review of other operating units or geographic locations.”

In addition to having the right controls in place, Tan says it is important to document compliance efforts.

“This will help convince a regulator that the company’s controls are both appropriate and working as intended, and that the misconduct is an anomaly which occurred despite the company’s best efforts to guard against it,” she says.

These controls need to be periodically reviewed and adjusted via risk assessments, Tan adds.

“Again, such monitoring and resulting remediation activities need to be documented to demonstrate the company’s efforts to maintain a best practices compliance programme,” she says.

“Similarly, the details of every internal investigation should be memorialised in writing, regardless of the findings, including a detailed description of the allegation, the steps taken to investigate it, factual findings and legal conclusions, and any resultant disciplinary or remedial actions.

Benefits of cooperation

Tan says regulators often seek to induce investigated companies to cooperate.

“The benefits of cooperation include prospects for future leniency with charging decisions, settlement offers or sentencing recommendations,” she says.

“It gives companies credibility and facilitates negotiation for reasonable limitation of the scope of the investigation. Cooperation typically entails provision of requested information, accepting the regulator’s suggestions on the direction and scope of the company’s internal investigations and sharing the results of those investigations. However, cooperation is not without risk.”

Tan adds a word of caution here, saying that it is critical that any information provided is accurate and complete.

“Companies should take steps to ensure that there is a review process in place prior to the provision of any information to the regulator,” she says.

“Companies should also designate a single point of contact for provision of information to regulators. This is usually [done via] external counsel. You do not want to risk providing inconsistent information via multiple parties.”


Tan says the government may also request privileged materials or work products, and providing such information likely waives any applicable protection.

“This could mean, for example, that an otherwise privileged and potentially damaging investigation report provided to the government could be discoverable in subsequent lawsuits filed by a company’s stakeholders,” she says.

“Accordingly, companies must have procedures in place to carefully consider whether to withhold or provide protected materials. A balance should be struck between demonstrating the company’s commitment to cooperation and the risk of waiver of privilege.”


Trusted advisers

Risk managers would be well advised to have a list of trusted advisers with whom they can work in the event of an investigation, Tan says. They might include external counsel, forensic accountants and communications specialists.

“Investigations are usually time-critical,” she says. “Evidence may be destroyed or the problem may escalate in days. It removes a lot of stress if you have trusted advisers you can call.

Finally, Tan says there must be a set of policies and procedures in place that govern communications with external parties in case it becomes publicly known that the company is under investigation.

“Appropriate messaging on how the company is handling the matter and what the outcome might be is critical is to minimise damage to a company’s reputation,” she says.

“Establishing a protocol for responding to inquiries and engaging external stakeholders before a crisis arises go a long way to demonstrate that the company is dealing with the issue responsibly and has the investigation under control.”

Tan stresses that high-profile investigations usually trigger media inquiries.

“As with communicating with regulators, external communications should be funnelled through a single point of contact, such as a member of senior management or a company spokesperson to ensure that the message is consistent,” she says.

“Counsel familiar with the investigation should always be consulted to ensure that all information is accurate and that no privileged information or work product is inadvertently disclosed to third parties.”

Tan adds it is not uncommon to have external crisis communications experts familiar with legal implications on a retainer to deal with such crisis situations.