Sergey Vitorov, Legal Compliance and Quality Director, BACIS, NOVO Nordisk

Working together is pivotal for companies wanting to protect against white collar crime. Sergey Vitorov, legal and compliance and quality director at NOVO Nordisk, discusses how and why compliance and legal teams should take a collaborative approach.

My role in Moscow is heading up the legal and compliance team. I am responsible for this whole area, which includes things such as: risk management, internal investigations, preparation and execution of compliance and legal plans, litigation, contractual work and really everything you can think of.

I am not aware of any multinational organisation nowadays which does not have a compliance policy and framework. Almost all of them have a compliance specialist or in-house legal person in place. In order to move forward, the biggest challenge nowadays is to foster a proper compliance mindset. This is so that people will not perceive compliance as merely a ‘tick the box’ exercise. That is the challenge that I believe remains in place in many parts of the world. Even many senior colleagues in large companies still view compliance as a ‘tick the box’ exercise. They view it as only being the responsibility of legal and compliance departments.

Obviously, corporate ethics is not only about compliance with applicable laws and regulations, it is also about sustaining the long-term business success of an organisation. It is up to us lawyers to understand technicalities. But when it comes to business clients, they have to understand the principles behind why specific rules were introduced. Also, the more our internal clients believe and understand corporate ethics, the fewer white-collar crimes will be committed, and in-house counsel will be able to dedicate their time to other important matters. Promoting ethical culture means not only constant training efforts in this direction, but also fostering the right mindset. It is important for us to ensure our clients will understand not only the letter of the law, but also its spirit, and the rationale behind a certain legislative provision, therefore enabling them to make the right choice in a dilemma.

When looking at my own team, further improvements can be made to promote ethical business culture. For instance: making legal and compliance functions independent from the business (solid reporting lines should flow into that function and not into business. Legal and compliance should have their own independent budget); making sure that legal and compliance directors are part of the management teams for respective business units; and when deciding where to hire a legal and compliance professional it is necessary to take into account not only business considerations (size of the business, its growth and profitability) but also a risk profile of a given jurisdiction.

When it comes to bribery and corruption and due diligence, the pharmaceutical industry is highly regulated. It inherently requires us to deal a lot with governmental officials (while registering products, running clinical trials, selling medicines to the government etc.). Moreover, due to the state-owned nature of many healthcare systems, administrators in clinics and doctors can be classified as governmental officials from both the FCPA (Foreign Corrupt Practices Act) and UKBA (UK Bribery Act) angles. Thus, bribery risks are at the top of the agenda of international pharma companies. Due diligence risks primarily relate to the difficulties in identification of real ultimate beneficiaries in high-risk jurisdictions (Latin America, CIS, Southeast Asia) due to the sophisticated techniques used by those who try and conceal real ownership.

For instance, we had a case where the real ownership of one of our distributors was concealed. According to the official registers the shareholder of the company was person X, but it transpired that the real beneficiary behind it was a completely different person. In fact, that person was a governmental official. This created a lot of legal risks. We hired a private investigator to run an in-depth compliance check mandated by our compliance policy and procedure. When we received the report from the investigator, we took a risk-tailored approach and discussed each and every red flag related to the situation. As a team we tried to find a meaningful solution. We then took it to the senior levels of our company so that management would be aware and endorse our actions, and offer their advice based on their knowledge and experience. We of course took independent legal advice as well. In the end we decided to run more enhanced due diligence checks over our critical high-risk partners.

Also, when it comes to crisis management, we have a very solid risk management framework in place which enables us to address crises in a speedy and coherent way. For example, we ran a whole risk assessment when things started to go off recently due to the coronavirus outbreak. We immediately decided to make all our sales calls virtual, even in regions where the government had not yet mandated it. Legally, it was permissible to do face-to-face meetings in some countries at the start of the pandemic. However, we considered the safety of our customers and our own personnel, and we decided to take everything virtual. We also created some new platforms, and as a result tweaked our compliance rules and procedures to the virtual working environment.

I think when we look to the future, white-collar crime is going to become more sophisticated. If we look back five or ten years ago, if a person wanted to defraud a company, he or she would simply use his or her credit card improperly. Now, corporate fraud is more sophisticated. People are becoming more underhanded when it comes to white-collar crime; it is getting harder to detect and prevent. In addition, the regulatory framework for the pharma industry is not getting easier.

Cyber-crime is also a growing risk area going forward. The main thing here is to make people aware of the core techniques that criminals can use. It is important to be on high alert and to no longer perceive the virtual world as not real; it is very much real. Also, people should not look at cyber-crime as purely the responsibility of IT. It is the responsibility of every employee and people should be trained to detect phishing emails and be aware of their VPN when sending corporate sensitive data.

When overcoming these future and current challenges, it helps when compliance and legal teams come together in a co-ordinated effort. They may be two separate functions, but a collaborative approach is best when preventing white-collar crime.