With increased exposure to anti-corruption laws and investigations, how does an organization respond to anti-corruption compliance obligations?
The best offense in anti-corruption is a good defense. Organizations must be prepared to show that they have a strong compliance program in place to mitigate or avoid exposure to penalties. In today’s complex business environment, incidents do happen — the organization defends itself by demonstrating it has implemented appropriate compliance measures to prevent and detect issues of corruption and noncompliance. The goal is to have preventive measures in place to avoid corruption issues, while at the same time having detective measures to monitor for instances of corruption and respond quickly and efficiently. This includes reporting and cooperating with authorities in investigations.
While there are different laws around the world aimed at anti-corruption, the compliance aspects to these laws are based on common requirements that are the backbone of any good compliance program. From a U.S. perspective, the best defense is to show that the organization has met the elements of an effective compliance program as established by the United States Sentencing Commission Organizational Guidelines. The U.S. guidelines compliment and coordinate well with the U.K.’s guidance requiring a company to demonstrate adequate procedures to prevent bribery. It is a full defense in the U.K. Bribery Act when an organization proves that despite a particular incident of bribery it nevertheless has proper compliance practices in place to prevent corruption and bribery. Both the U.S. and U.K. guidance aligns with and supports OECD Good Practice on Internal Controls, Ethics, and Compliance.
An integrated view of the U.S., U.K., and OECD guidance requires that an organization have the following compliance elements in place:
- Understand your risk: An organization must have a risk-based approach to managing anti-corruption. This includes periodic assessment (e.g., annual) of the exposure to the organization for corruption and unethical conduct. However, the risk-assessment process should also be dynamic — completed each time there is a significant business change that could lead to exposure (e.g., mergers and acquisitions, new strategies, and new markets). Risk assessments should cover exposure to corruption in specific markets, business partners, and geographies.
- Approach compliance in proportion to risk: How an organization implements compliance procedures and controls is based on the proportion of risk it faces. If a certain area of the world or business partner carries a higher risk for corruption, the organization must respond with stronger compliance procedures and controls. Proportionality of risk also applies to the size of the business — smaller organizations are not expected to have the same measures as large enterprises.
- Tone at the top: The compliance program must be fully supported by the board of directors and executives. Communication to and from top-level management must be bidirectional. Management must communicate that they support the anti-corruption compliance program and will not tolerate corruption in any form. At the same time, they must be well-informed about the effectiveness and strategies for compliance and anti-corruption initiatives.
- Know who you do business with: It is critical to establish a risk-monitoring framework that catalogs third-party relationships, markets, and geographies. Due diligence efforts must be in place to make sure the organization is contracting with ethical entities. If there is a high degree of corruption risk in a relationship, additional preventive and detective controls must be established in response. This includes knowing your own employees and conducting background checks to understand if they are susceptible to corruption and unethical conduct.
- Keep information current: Due diligence and risk assessment efforts need to be kept current. These are not point-in-time efforts that happen once; they need to be done on a regular basis or when the business becomes aware of conditions that point to increased risk of corruption.
- Compliance oversight: The organization needs someone who is responsible for the oversight of anti-corruption compliance processes and activities. This person should have the authority to report to independent monitoring bodies, such as the audit committees of the board, to report issues of corruption.
- Established policies and procedures: Organizations must have documented and up-to-date policies and procedures that address corruption. The code of conduct is the governing policy that filters down to other policies that address anti-corruption, gifts, hospitality, entertainment and expenses, customer travel, political contributions, charitable donations and sponsorships, facilitation payments, and solicitation and extortion. Compliance requirements and processes must be clearly documented and adhered to.
- Effective training and communication:Written policies are not enough — individuals need to know what is expected of them. Organizations must implement anti-corruption training programs to educate employees and business partners at risk of exposure to bribery, corruption, and fraud. This includes getting acknowledgements from employees and business partners to affirm their understanding, and attestation of their commitment to behave according to established policies and procedures.
- Implement communication and reporting processes:The organization must have channels of communication where employees can get answers on policies and procedures. This could take the form of a help line that allows an individual to ask questions, or a FAQ database, or via form processing for approval on activities and requests. The organization must also have a hotline reporting system for individuals to report misconduct — in the U.S. this is called a whistleblower system, and in the U.K. it is referred to as a speak-up line.
- Assessment and monitoring:In addition to periodic risk assessment, the organization must also have regular compliance assessment and monitoring activities to ensure that policies, procedures and controls to prevent corruption and bribery are in place and working.
- Investigations:Even in the best organization, things go wrong. Investigation processes (hotlines, surveys, management reports, and exit interviews) must be in place to quickly identify potential incidents of corruption, and quickly and effectively investigate and resolve issues. This includes reporting and working with outside law enforcement and authorities.
- Internal accounting controls: Organizations must keep detailed books, records and accounts that fairly and accurately reflect transactions and disposition of assets that could be implicated in corruption issues. This includes contract-pricing review, due diligence and verification of foreign business representatives, accounts payable payments, financial account reconciliation, and commission payments.
- Manage business change: The organization must monitor the business environment for changes that introduce greater risk of corruption. The organization must document changes required to business practices as a result of observations and investigations, and address deficiencies through a careful program of change management. This requires that business change be monitored by compliance personnel to proactively prevent corruption.
Coruption. The first article can be found at:
I would love to hear your MEETING ANTI-CORRUPTION OBLIGATIONS. This series is a collection of pieces from a published paper – the rest of the paper can be found at: