What do we currently understand by the term compliance?
The simplest way to describe compliance is as a system of following rules. These rules can come in different forms, ranging from legislative, regulatory, organizational, to customer-oriented, which are imposed on companies from the outside. However, it is often overlooked that a company's behavior should not only comply with external requirements, but also with the values it adopts for itself. That's where everything starts.
Is there any area that is often overlooked in this regard? What should companies be careful about but often are not?
Unfortunately, the need to manage compliance is often overlooked. In the Czech Republic, the prevailing approach is still "I implement compliance because I have to" or even worse, "because I've already been burned." Companies that implement compliance because they realize the benefits are as rare as saffron. It can improve the atmosphere within the company, enhance customer perception, and of course, save money by avoiding fines, sanctions, or even criminal prosecution.
What are the most common mistakes that companies make?
The most common mistake is implementing rigid paper-based compliance. This is the "because I have to" approach, where companies formalize the requirements placed on them and tick off what they have implemented - an ethical code, check, reporting line, check... However, this is a system that is enforced, not lived, and its implementation will not protect you from, for example, the criminal prosecution of a legal person. The key is the tone from the top and how the company truly lives by the rules, communicates them, educates, evaluates, and continuously improves them.
Where, on the other hand, is there usually no problem?
The area where companies usually don't have a problem is regulatory compliance. This refers to compliance with requirements in sectors that are closely monitored by strict regulators and where entrepreneurs face high sanctions. This typically includes banking or pharmaceuticals.
Did this environment change in relation to GDPR?
Yes, both negatively and positively. Many companies realized for the first time that they were subject to regulation. They often took their first look inside and found a mess, not just with personal data. A number of companies also introduced compliance manager positions for the first time. Overall, this education of the market has certainly been beneficial. On the other hand, there was a huge aversion to compliance because GDPR was sold through fear. Many advisors and lawyers who wanted to latch onto corporate budgets built a short-term business on GDPR. They threatened high fines, and many people were unnecessarily disgusted by it. Today, companies are exhausted, have invested a lot of time and money, and those fines are not coming. So they feel like they were just being exploited.
If we are talking about criminal liability of legal entities, how do you evaluate the related methodology of the Supreme State Prosecutor's Office?
The fact that the Supreme Public Prosecutor's Office has issued such a methodology is a very positive sign in itself. Although the methodology is not primarily intended for companies, but for public prosecutors, it provides the market with a fairly clear signal of what and how the public prosecutor's office will assess. So companies suddenly have something to compare their current approach to, and that is undoubtedly good. I consider the message that the prosecutors' methodology condemns formalism and the introduction of compliance "on paper" to be particularly significant. On the contrary, it requires proof that the company has actually implemented, manages, and communicates compliance. That it lives by it. However, we will see how those who actually follow it will fare in the future.
Do we need further methodologies from state prosecutors and other similar authorities or offices?
No, here too, sometimes less is more. We do not need another methodology, we just need to improve the existing one. It would help, for example, to clarify how to evaluate the quality or functionality of compliance systems in practice. So that prosecutors can assess a company's liability consistently and measure everyone with the same yardstick. However, it is questionable whether this part of the methodology should be public, as a formalistic approach in the form of a checklist could be a risk. I would also not oppose a certain degree of self-regulation. That is, if the market itself defined good practice and agreed on which standards should be followed. Large corporations, for example, could contribute to this by starting to demand certain behavioral models from their suppliers and setting the bar for the market. Why not consider factors such as supplier transparency, values, corporate culture, or social responsibility alongside price?
Do you follow trends in the world? What could we be inspired by?
I'll answer a bit differently. Compliance should be inspired by the HR field, which has undergone dramatic changes in recent years. It's no longer just boring human resources management consisting of collecting resumes, conducting job interviews, and managing labor law agendas. Companies have to fight for candidates, so they spend a lot more time considering what they can offer to candidates and how to communicate with them.
They don't just sell the position and salary, but the company and what it represents. This has created a whole new segment of services called "employer branding." This is also closely related to corporate social responsibility, which starts with fulfilling corporate values and adhering to their own principles. And here we are back to compliance. By the way, this trend is evident not only among job seekers but also among customers. More and more of them are watching whether the company from which they are buying goods or services is behaving fairly.
What is the demand for your services?
In compliance, there is currently a demand for the implementation of comprehensive turnkey management. And it's not just large international corporations, there is an increase in demand, for example, from family-owned companies or rapidly growing technology start-ups, which increase their value for investors through this. There is also a growing demand for services that I would colloquially call "knowing who I'm sleeping with". That is, managing risks associated with business partners (knowing who I'm doing business with) and with our own employees (knowing who I'm working with).
But where we currently feel strongest is in providing a comprehensive risk management and business resilience system. We function as an integrator and clients find in us a partner with whom they can successfully manage personnel, business, compliance, security, cyber, or reputation risks.
Recently, you and your brother Michal founded Compliance Academy. Why did you establish it outside of Screening Solutions?
We wanted to support education and networking in the "very boring" compliance market. It was actually missing here, so we just filled the gap. But I think we managed to stir up the stagnant waters here with our approach (laughs). The Academy is separate from our business because we didn't want to sell just our own ideas and truths. It was out of the question for us to approach it like most of our competition, who usually organize closed events for their clients. This approach allows us to involve the best experts from all fields across the market, regardless of who they are currently working for. However, Screening Solutions supports the Academy and financially contributes to its operations. We are open to other partners and sponsors as well.
What activities do you plan to undertake?
We want to gradually help educate a new generation of compliance managers. Our interest is to work with people in the long term, to accompany them throughout their career, from beginner to expert. To introduce them to the community, to be their advisor and guide. Therefore, our activities have several lines. The first is informing about current topics and sharing news. LinkedIn has proven to be the most suitable platform so far, where we quickly filled a gap and today our #czechcompliance community has almost 500 supporters and is still growing rapidly. Whenever I come to any company today, I find out that they have already registered us and usually appreciate our activity very much.
The second significant pillar is networking. We try to organize at least one opportunity every month to put aside our jackets and meet in person, for example over wine or beer. And then there is, of course, the main direction, which is education.
What are the educational plans of Compliance Academy?
This year, we plan a series of events called CA Forum where we open up and discuss various current topics. The next one will be on whistleblowing on September 30th. In addition, we plan several professional seminars and workshops. We would like to make them very interactive, so they will be for smaller groups of participants that we would like to involve as much as possible. Like escape games for companies (laughter). No boring lectures.
And we are also preparing short-term and long-term certified courses that we would like to launch during the next year. There's no need to reinvent the wheel, so we are discussing them with several significant international institutions that we would like to bring to the Czech Republic.
Currently, you are sending out a large Compliance 360° survey in partnership with INFO.CZ. How will it work and what should it show?
It should be completely unique not only in its focus but also in its scope. We want to map the overall level of compliance in the Czech market as well as in its individual segments. We are primarily interested in the general level of awareness of compliance, the prevailing motivations for implementing compliance programs, practical experiences of companies, the most commonly used tools, as well as opinions on the work of domestic regulators. Data collection will take place during September and October, and we would like to evaluate the questionnaires in November. We plan to publish the survey results symbolically on December 9, which is International Anti-Corruption Day.
How many companies do you plan to reach out to?
We have teamed up not only with your editorial team, but also with the University of Economics and several professional organizations. Along with them, we plan to reach out to companies from all major industrial sectors. We expect to actively involve at least 100 entities from at least ten significant segments.
In the questionnaire, you also ask respondents about their opinion on the level of compliance in the Czech Republic. What is your opinion on this?
I see it positively (laughs). The reasons for my optimism lie in several factors that I have already mentioned. Contributing to it are the methodical work of the Supreme State Prosecutor's Office, the positive impacts of GDPR, and the significant role played by the influence of prominent foreign organizations that require a higher standard of behavior from their Czech subsidiaries and suppliers. Last but not least, I see hope in the new generation of Czech entrepreneurs who focus more on values and corporate culture in their business, compared to the past.