Explaining what compliance does usually takes a while. We probably don't associate this concept with gaming either. Why is there compliance in our industry?

Let's try to explain what compliance actually does. The concept does bring to mind mainly corporations, lawyers, or possibly the world of politics. In simple terms, however, it is a set of activities and tools that help manage internal and external risks in a number of industries. These may be risks of various types - compliance is mainly associated with counteracting corruption and detecting abuses thanks to the so-called whistleblowers, but this obviously does not exhaust the scope of our activities.

At Techland, compliance focuses mainly on counteracting corruption in business, conflict of interest management, rules regarding gifts (i.e. the rules on which we will be able to accept and give various types of gifts from business partners). In addition, there is the verification of our business partners - e.g. on the basis of sanctions lists, especially those that were created after Russia's aggression against Ukraine. With the help of an external tool, we also want to obtain knowledge from the so-called whistleblowers about whether there may be abuses in the company or if the company may fall victim to them. We also want to provide people who report such situations with the maximum possible level of protection.

Are these risks also common in the gamedev environment?

There are no reliable research results on this subject, but it can be said for sure that these risks occur everywhere, regardless of the industry. However, there are other studies that provide interesting conclusions. The Association of Certified Fraud Examiners, for example, reports that, on average, internal fraud in a company typically lasts about 14 months and costs $1.5 million. More than half of them come to light thanks to compliance tools, including reports from whistleblowers. Compliance systems also mean that fraud is statistically detected 50% faster and causes half as much damage.

We are a large enterprise. It is a group of great people, and of course I don't suspect anyone of trying to harm the company. However, we must remember that our – very numerous – business environment consists of people from outside, e.g. suppliers, subcontractors and partners. Statistically, unfortunately, it is unlikely that in such a large group of companies cooperating with us there will be no cases of abuse of which we may fall victim. Therefore, the level of development of the organization requires action, adaptation to the situation, and protection of those who may be victims of fraud.

In addition, there are new legal requirements that must also be adapted to, e.g. the upcoming regulations on whistleblowers. This makes compliance in a Polish company slowly becoming a “must have” option, not a “nice to have” one. In gamedev itself, compliance is also becoming the norm around the world. Global players, especially if they operate in countries that require, for example, anti-corruption policies, impose specific solutions on others. If someone does not meet them, they may be treated as a less reliable partner.

As you can see, compliance provides specific value and profit to the company. The market (including our business partners) forces some of these steps, and in addition, at Techland we like to be pioneers - that's why, as a compliance unit, we give our best every day and do nothing halfway.

What can gaming be most sensitive to? Is there a risk of data leakage, copyright infringement? These are often purely intellectual values, but they must be protected.

Compliance also deals with these issues, but, for example, the risk of data leakage may more directly relate to security competences, while the risk of infringement of our copyrights - to the competences of the legal department. However, one has to agree that in gamedev some risks may be more unique than others. For instance, in a large industrial company, these are usually the risks of a classic nature, related to failure to comply with obligations, health and safety, waste management, etc. As for game development - it seems to me that these risks are slightly different. In particular, with such a diverse environment of companies providing intangible services, we are probably slightly more exposed than other industries to various designs by dishonest suppliers.

This sounds a bit like working in the legal area, so what is the difference between a compliance officer and a lawyer/attorney or an auditor? How did you get into the profession yourself?

I devoted my earlier professional life to work in large law firms as an advocate. Criminal law has always been the most interesting for me. I worked mainly for large businesses, but in the early years, when I was gathering my first experience, the demand for this specialization was slightly less. Later, however, it changed - the state began to check entrepreneurs, pay attention to their activities, and control individual initiatives. This created new risks that required the same expertise as mine to hedge. At that time, interest increased - companies wanted to counteract various types of abuse to protect themselves, for example, in the event of an inspection. In this way, the original interest in criminal law began to grow into an interest in compliance, i.e. activities that, on the one hand, are to detect various abuses and, on the other hand, prevent them (i.e. also prevent criminal liability). Such prevention is an important element of the work of every compliance officer - entrepreneurs want to avoid the risk of penalties when the state often imposes strict and unclear requirements. It is worth showing that one is diligent in his or her actions, because it is a better and more profitable thing to do than a reaction after the milk is spilled.

Sounds like "Minority Report" - preventing an event before it happens. That's intriguing, do you have any interesting case studies to tell?

I have a few, but of course I am bound by professional secrecy. Criminal law, though, is often not as bloody and merciless as people make it out to be. On many occasions, however, I have dealt with cases where it was known that the state apparatus checked the company's activities thoroughly, although the control resulted only from a small and inadvertent error. It was easy to attract attention even by accident. After the fact, the client wanted to prevent such situations in the future. You had to set standards, show diligence, describe reality well, and be proactive.

What does your employee training consist of? Each of us participates in it, but how is it useful to us?

As part of our meetings, I draw attention to an important postulate - that we all remember that compliance is not a set of procedures compiled "for one’s own pleasure". In order for all these tools to be useful and applied, it is worth meeting and describing, for instance, what a conflict of interest is and how to learn to prevent abuse. I would fail as a compliance officer if I sent people a bunch of documents and then just required them to memorize them. I would like people to get to know me personally, to ask questions and learn about the value of compliance. It is also important what is required of each of us when it comes to the implemented procedures - we can also learn this during the training.

Do compliance processes apply to each of us equally? Maybe some departments should be more attentive than others?

Some documents or regulations actually apply to selected teams to a greater extent, but, for example, the anti-corruption policy or whistleblowing policy apply to every employee. Each of us can theoretically encounter an instance of corruption or abuse, also outside the company's structures.

Does compliance also help in building the image? After all, we react before a potential crisis occurs, act proactively and positively influence the company's reputation.

Indeed, thanks to such actions in advance, we can avoid additional crises, we are also able to face challenges ourselves, by detecting the problem and fixing it before we would find out about it from the outside, e.g. from the state authority controlling us. There is also an additional benefit - the implementation of the compliance system is one of many initiatives implemented by various teams at Techland that build trust in our company outside, showing that we are a reliable business partner.

I also have a good example of how compliance tools help detect issues before they become a storm. During the training, I talked about the example of a lady who, taking over the duties of a retiring purchasing director, found out quite by accident that this director had been receiving bribes from some suppliers for many years. Only thanks to the fact that she herself had recently completed anti-corruption training and knew how to behave, it was possible to detect the true scale of this practice, stop it and probably protect the company from a major legal and PR crisis.

Are there good practices that each of us can use on a daily basis?

The mere awareness of the existence of compliance and the use of the proposed solutions is already very valuable. It is worth taking part in training and getting involved in this process, it is beneficial for each of us individually and for the entire company. Even if we are not sure about a situation, it is worth reporting to the compliance officer to make sure and simply ask for more information. If in doubt, don't hide it under the rug. It is also worth reporting irregularities not only from your own experience. This is how we care for the environment around us. Reporting abuse – whether in your own case or another – is not a denunciation or a complaint.

Do we look at such situations all the time and call them denunciations? Are we afraid of being whistleblowers?

The authors of the parliamentary act covering this subject face two challenges. On the one hand, we have the expectations of the market and the requirements set by the European Union, which obliges our country to introduce regulations enabling the submission of such notifications and the protection of applicants. On the other hand, you have to face the social approach on a national scale. We have a historically ingrained sense of avoiding the transmission of such information, calling it "snitching". This is a feature taken from the times of the fight against the oppressive state apparatus in the previous system, but it must be distinguished from the repair of unfavorable situations. It is very, very important to show and remind people that it is worth reacting to evil. This is not informing on someone, especially since anyone who chooses to react will be protected from any form of retaliation they might fear after their reaction.

It will sound grandiose, but from the point of view of ethics one cannot remain passive in clear-cut situations. For me, it works in the same way as reacting when someone near me is stealing in a store. I just feel that my value system tells me to counteract. I counteract in the same way when I see that a company may be a victim of abuse, e.g. by a dishonest supplier.

This is also one of the values of the compliance system – it helps to make employees aware of what behaviors are worth paying attention to and what to do with such attention later.

Can we say that by implementing compliance we are blazing a trail in gamedev?

In a way, for sure. Abroad, similar changes in corporations are often enforced by local legal regulations. There are a lot of companies in Poland that have started building compliance structures, but currently it is certainly not a market standard yet. We are paving the way, because in some time the presence of compliance in a developed company will cease to be a "nice to have" service and will become a "must have" one. At the moment, however, we impose this obligation on ourselves - we like to be pioneers, we treat compliance as a development option as well as investment in the future.