Reports of misconduct are rarely far from the news in Japan, yet no organisation wants to find itself in such a situation. In this article I will explain the how and why of being prepared against corporate misconduct as well as how to respond to an incident should one actually occur in your organisation. 

Being Prepared Against Corporate Misconduct 

Corporate misconduct needs to be recognized in relation to the organisation’s internal control systems. It is important to recognize that prior preparation against corporate misconduct is an issue that needs to be addressed within the general operation of the compliance system and risk management system. Therefore, it is necessary to review these systems from the perspective of preventing and discovering compliance risks, with consideration of three key points: 

1. 1. Prevention of compliance risks
   2. Discovery of compliance risks, and 
   3. Preparation for crisis response 

1. Prevention of compliance risks 

In order to prevent compliance risks, a company needs to analyse the compliance risks specific to the company’s business and build a suitable risk-management system. In doing so, it’s important to: 

• thoroughly address the predictable risks,  
• perform a dispassionate risk assessment based on objective data, and avoid assuming an attitude of not expecting anything bad to happen, and 
• avoid creating black boxes within the company, that is, workplaces or businesses that cannot be monitored by other parties. In particular, if there are differences in the nature or business conditions of a subsidiary, you need to take into account those differences. 

The design of the system should also distinguish between “worm-type” misconduct and “mould-type” misconduct. Worm-type misconduct refers to misconduct willingly performed by an individual employee for their own benefit. This can be a single act, with the same problem never occurring again. For this type of misconduct, a pesticide, that is to say, a severe penalty is effective to “kill the worm”. 

Mould–type misconduct, on the other hand, can spread throughout an organization like mould. In this situation, misconduct is performed for the benefit of the organization, and not under the volition of individual employees. An employee who is posted to a certain position within the company may have to engage in such misconduct whether they want to or not. So, like mould, such misconduct cannot be eradicated without first removing the underlying dirt and moisture that is the cause. 

In addition, the system should be designed based on the idea that humans are “born evil” and “born weak”. Because we humans are “born evil” – namely, inherently evil – employees generally tend to ignore rules, which renders the making of such rules virtually meaningless, so employee behaviour must be monitored and restricted using technology. Meanwhile, because humans are weak-willed according to the idea of being “born weak”, it is the company’s responsibility to protect employees from the dangers of misconduct and to create an environment where misconduct is not easily committed or difficult to discover. Also, you should consider the science of human behaviour with regard to human error. Thus, it’s important to design a system based on real people, taking into account these ideas. 

The following steps are also important in preventing compliance risks: 

• Be conscious of social trends and Corporate Social Responsibility (CSR). 

• Make use of external experts such as lawyers and the “no–action letter” system under the Prior Confirmation Procedures on the Application of Laws and Regulations by Administrative Agencies. 
• Establish and operate important individual compliance systems and programs such as exclusion of anti-social forces, a compliance program under the anti–trust law, insider transaction compliance programs, reliability assurance systems for financial reporting, and timely disclosure systems. 
• Establish a system or department for routine employee consultations. 
• Strictly enforce sanctions for personnel who breach compliance requirements. 
• Conduct effective and continuous compliance training, education and raising awareness of the whistle-blowing system, especially the functions of the whistleblowing system, the prohibition of adverse dispositions against whistleblowers, and education regarding basic legal knowledge.

2. Discovery of compliance risks 

The most important thing in dealing with corporate misconduct is to ensure that risk information reaches top management promptly and reliably, without delay or concealment in the middle of the organization’s chain of reporting. 

It is important to establish and operate an early detection system for compliance risks. For example, establishing an escalation program, namely, a system that allows information on misconduct to be communicated to upper management in a timely and appropriate manner, creating a double-track information reporting route, securing a reporting route to internal audit departments, corporate auditors and outside directors, setting reporting obligations, introducing in-house leniency system (self-reporter liability reduction or exemption system) and so on. These are important for early detection of compliance risks in a company. 

These procedures should also be put in place to help the timely discovery of compliance risks: 

• Improve the compliance risk sensitivities of top management and employees through training that uses case studies of past near–misses and cases from other companies in the same industry 
• Establish a risk information gathering department 
• Establish and operate a system for verifying accounting figures, in order to identify suspicious changes in major financial indicators such as sales, balance of receivables, inventory, etc. This should include a verification system with sufficient personnel and IT systems for supporting the work 

• Establish and publicize the whistle–blowing system and operate it appropriately 
• Make use of digital forensic survey services 

3. Preparation for crisis response

The third and final point is preparation for crisis response. Prior formulation and prior training for the crisis response system are quite important. It should be noted that without prior training, the system will fail in a real crisis situation. 

Responding to an Actual Incident 

How should a company respond if an incident of misconduct is discovered? From an overall corporate point of view, the response to an incident of corporate misconduct should be recognized as a problem in the risk management system that addresses crisis response. The following six points should be considered when responding to an incident of misconduct. 

1. 1. Prevention of secondary misconduct 
   2. Assuming the worst 
   3. When the establishment of a third-party committee is required 
   4. Should the incident be publicly disclosed? 
   5. Damage control 
   6. Media response from the perspective of CSR and risk management

1. Prevention of secondary misconduct

The first step in responding to an incident of misconduct is to ensure that a secondary scandal is not caused by failing to respond appropriately to the initial incident. Common causes for such failures include delay in the company’s initial response, failures in responding to the media, incorrect or inappropriate reporting to relevant government agencies, and inappropriate internal handling of the incident, for example, unreasonably lenient punishment of the staff involved. Other causes of secondary scandal are providing an explanation for the cause of an accident that is not based in fact, concealment of an incident or of relevant information, or attempting to divert responsibility away from the company. 

In relation to this point, it should be noted that if an incident occurs within a subsidiary company, the response should be handled by the corporate group as a whole, which will ensure a consistent and proper response. 

2. Assuming the worst  

It is necessary to approach the problem by assuming the worst, in order to avoid underestimating the problem. An overall view of the incident should be considered, including the type of incident, the level of damage caused and the level of involvement of the people responsible for causing the incident. This includes looking at whether the top management was involved, the level of involvement of the organization as a whole and the involvement of particular departments and employees. It is also necessary to consider whether any laws or regulations have been violated and the degree of such violations. From these factors it will be possible to gauge the level of public criticism that the company could potentially face. 

3. When the establishment of a third-party committee is required 

It is also necessary to consider whether the establishment of a third-party committee is required to investigate the incident. In general, an independent investigation is required in the following cases. 

• Cases of a highly criminal nature involving personnel at the management level 
• Cases that will have a significant impact on shareholders, such as the risk of delisting  
• Cases where the damage or impact upon the company is serious 

• Cases where damage and impact are likely to continue or spread  
• Cases that are unlikely to be clarified through an internal investigation 
• Cases in which the details spoken about in a press conference held by the president are likely to draw suspicion  
• Cases where there is a request from an administrative authority. The government tends to impose harsher penalties if a company fails to establish a third-party committee in such circumstances. 

4. Should the incident be publicly disclosed?

A decision whether to publicly disclose misconduct should be made after having taken all of the circumstances into consideration. Typically, this will include the following: 

• the type of incident 
• the severity of loss or damage suffered by the company or other parties 
• the possibility of the damage increasing and/or reoccurring  

• the level of involvement of company personnel 
• whether there has been a breach of any laws or regulations 
• the likely level of social condemnation if the matter is publicised. 
• the possibility of the company surviving and continuing its business. 

However, in principle, misconduct should be publicly announced in the following circumstances: 

• If any particular action is required by law  
• Victims have been personally identified. In this case, guidelines relating to the protection of personal information should be followed. 
• When legal infringement to the third party is likely to increase if disclosure is not made 
• Scandals relating to food, in particular the safety of food.  

5. Damage control

This raises the question – should a public announcement be made even if it will probably lead to the company suffering serious damage? In principle, the answer to this question is yes, a public announcement should still be made. However, the manner of making the disclosure should be carefully considered. The options that need to be considered include media announcements, publication of notices on the company’s website, or the printing of leaflets. Of course, the contents of these publications need to be carefully checked and approved before publication. 

6. Media response from the perspective of CSR and risk management

When preparing the company’s media response following the disclosure of an incident of misconduct, the following points are important from the perspective of CSR and corporate risk management. 

First, it is necessary to clearly display the company’s attitude towards the incident. In particular, it should be shown that the company is taking the matter seriously and is working to prevent damage to customers or any other related parties. 

Secondly, the company’s response to the media should not be confrontational or excessively defensive. Instead, the media should be used to allow the public to gain an understanding of the company’s response and to request any necessary cooperation. Explanations should be given clearly and in language that is easy for stakeholders to understand. 

Thirdly, it is important not to cause concern or any adverse reaction, both within the company and externally, by being unprepared, conducting insufficient investigations, or using inappropriate language.  

Fourthly, if there are rumours circulating or inaccurate reports have been made in the media, it is important to respond to these with reasonable and objective evidence. 

Finally, the company’s response to an incident of misconduct is important due to how it is linked to the recovery of the company’s value and how it can reaffirm the company’s benefit to society. 

Conclusion 

In conclusion, the next step to take is to review your organisation’s existing internal control system while taking into account the key points of this presentation, in order to improve the effectiveness of the system’s functions. This can prevent and minimise damage caused by corporate misconduct. If a corporate misconduct related to Japan occurs in your organisation, please feel free to contact us. 

Adapted from a presentation given at a seminar hosted by PETERS Rechtsanwälte in Dusseldorf, Germany on 28 August 2019.
Translated by Shohei Tezuka, Peter Cassidy and Kazuya Yamashita.