You try to do the right thing as a board of directors. Your company operates a sophisticated risk register which identifies industry- and sector-specific risks as well as those relating to your business.
You review it and update it regularly. You attempt to bring it to life by calling, from time to time, for more detailed investigations and for the implementation of periodic improvements to systems and controls.
As part of this process you are perhaps persuaded to retain and pay for the services of one of the many specialised consultants, analysts, and other industry experts to prepare a more detailed report.
As for the nature of the risks themselves, I’m willing to bet that featuring close to the top of the risk registers for many large companies are the risks of fraud related losses, bribery and corruption and of competition law infringement. All of these topics receive generous and regular coverage in the financial press (to say nothing of my own blogs!)
So far so good but have you factored in the possibility that the act of commissioning such a report could heighten the very risk you are trying to minimise? The chances are that you haven’t and yet this seems to have been precisely the fate of a number of Dutch companies recently.
The Dutch Case
The trouble started when The Dutch Competition Authority (ACM) ordered a forensic IT firm to produce a list of companies active in that sector for which it had carried out competition compliance audits. It refused, accusing the ACM of being on a fishing expedition. In a recent judgment, however, delivered by the Dutch Court of Appeal in The Hague, this argument was rejected.
Instead the Court took the view that the ACM had a legitimate interest in determining whether or not to commence investigations into cartel activities and that the forensic IT firm had a statutory obligation to cooperate with the ACM.
What is striking is that there did not seem to be any smoking gun here, or at least the ACM was not basing its case on any ongoing investigations. So it seems that the very act of commissioning a report into whether a company was (or might have been) in breach of competition laws seems to have landed a number of them on a list on which they presumably would have preferred not to feature. At least it seems that so far the actual findings of the IT experts on each company have not been handed over to the authorities.
Although I am far from an expert in this field, I see no reason in principle why the same thing could not happen here in the UK. Indeed our own Supreme Court has only recently refused to extend the cloak of legal professional privilege to forensic accountants who were arguing that their advice to clients should be so protected.
So what is the moral of this tale? Surely it is not that directors should refrain from asking any questions or do any probing? One practical solution may be to ensure that if you are minded to retain an industry expert (or similar) for any purpose you do so through lawyers for the express purpose of obtaining legal advice. I do not know (but suspect) that legal professional privilege may even have been a good defence to the ACM request in The Netherlands, albeit one which it was not open to the forensic IT firm to run.