Category: Blogs

Compliance must be an active part of the organization and culture to prevent and detect corruption, bribery and fraud. This continuous and ongoing process must be monitored, maintained and nurtured. The challenge is establishing corruption prevention and detection activities that move the organization from a reactive fire-fighting mode to one that actively manages, monitors, prevents and detects risk.

The distributed and dynamic nature of business makes anti-bribery, corruption, and fraud compliance a challenge. Compliance in the context of a complex and dynamic business environment is particularly challenging as organizations face broadening anti-bribery and corruption laws and regulations. Ultimately, the best offense is a good defense. Regardless of the models, technologies and strategies enabled to help, organizations must be prepared to show they have a strong compliance program in place to mitigate or risk exposure to investigations, penalties and possible prosecution. This is the example that the DoJ and SEC put forward when they praised Morgan’s Stanley’s compliance program in result of their FCPA investigation.

This requires technology to manage anticorruption compliance. Technology can help organizations manage and monitor anti-bribery, corruption, and fraud compliance by enabling and automating:

• Compliance program management: The organization needs a 360-degree view of compliance activities and reporting. This requires a system for managing compliance activities, metrics and reports. From this system the organization should be able to produce reports and metrics relevant to the board of directors and executives, to assure them they are meeting fiduciary obligations to have a compliance program for anticorruption in place. All compliance management personnel and employees should be able to access the system and see contextually relevant tasks and items.
• Regulatory intelligence and change management: The integration of regulatory content feeds and technology enables the compliance program to determine how new developments — such as new anti-bribery and corruption laws, requirements, enforcement actions, and other matters and decisions — impact business. Organizations should leverage technology to integrate legal and regulatory feeds and route them to the correct subject matter expert for review and business impact analysis.
• Compliance risk assessment: Risk assessments are mandatory for compliance initiatives. The organization needs technology to manage risk surveys, assessments, and related risk information to report, analyze, model, and treat anti-bribery and corruption risk.
• Policy management: A core component of a compliance program is the ability to document policies and procedures to maintain a state of compliance. All policies for anti-bribery, corruption and fraud should be documented, maintained, communicated and attested to, with a robust audit trail and content management. This includes code of conduct, anticorruption and other related policies.
• Training and communication: It is not enough to make written policies available — the organization also needs to train individuals on policies. Organizations increasingly use online training to deliver courses on anticorruption and to test employee understanding of policies and requirements. Some organizations are building portals of anti-bribery and corruption information that integrate policies, training, games, scenarios, and more in an intuitive interface to educate employees.
• Third-party management and due diligence: Central to an anti-bribery and corruption compliance program is the ability to manage risk presented by third-parties such as agents. Due diligence processes are built upon review of third-parties and checking against databases of known politically exposed persons. Technology and integration of content feeds enables ongoing due diligence to monitor and score vendor and third-party risk, communicate policies, deliver training, track attestations and deliver surveys and assessments.
• Internal Control Monitoring: Anti-bribery and corruption also requires (e.g., FCPA enforcement has a books and records and internal control provisions) that the organization have defined and operating controls over financial reporting. This includes a control environment that covers approvals, authorizations, reconciliations, transactions, master data, and segregation of duties.
• Forms processing and automation: A critical component of an anti-bribery and corruption program is the ability to process and automate forms related to policies and procedures. Transactions and requests for gifts, entertainment, travel, customs and cross-border shipping, charitable giving, political contributions, conflicts of interest, and facilitated payments should be managed through online forms and workflow for approvals with integration into the transaction environment to review history in the course of approval.
• Issue reporting & investigations management: Technology enables the organization to manage and monitor issues and incidents and collaborate and document investigations. This includes the ability to record issues reported from hotlines and other mechanisms, what actions were taken and the results of the investigation.

Some related GRC 20/20 events happening in October are:

• New York: Addressing Anti-Bribery and Corruption Workshop, October 07, 2014 7:00 am to October 07, 2014 11:00 amAt New York, NY, USA Categories: Workshops
• New York: Effective 3rd Party Management Workshop, October 07, 2014 12:00 pm to October 07, 2014 4:00 pmAt New York, NY, USA Categories: Workshops
• The Intersection of Legal and Compliance, October 15, 2014 12:00 pm to October 15, 2014 1:00 pmAt Online Webinar Categories: Webinars

To effectively prevent and detect issues of corruption, bribery and fraud in business, compliance has to be an active part of the organization and culture. It is a continuous and ongoing process that must be monitored, maintained and nurtured. This requires a new paradigm that moves away from reactive fire-fighting to managing, monitoring for, preventing and detecting corruption and compliance risks: a paradigm to effectively manage anti-bribery and corruption (ABC) across global or domestic business.

There are two primary models to manage compliance to anticorruption obligations:

1. One approach is build-your-own, ad hoc and ultimately labor-intensive, and produces significant manual processes and documents. Siloed ABC initiatives never see the big picture. An ad hoc approach to ABC results in poor visibility across the organization and its control environment, because there is no framework or architecture for managing bribery and corruption risk and compliance. When the organization uses scattered documents and processes that do not collaborate, there is no way to be intelligent about risk and understand its impact.
2. A more strategic approach focuses on technology designed to manage the complex and diverse needs of anticorruption compliance. In a mature ABC program, the organization has an integrated process in an information and technology architecture that provides visibility across compliance tasks and interactions.

The best offense in anticorruption is a good defense. In today’s complex business environment, incidents do happen. The organization defends itself by demonstrating it uses appropriate compliance measures to prevent and detect corruption and noncompliance. The goal is to have preventive measures in place to avoid corruption issues, while at the same time having detective measures to monitor for instances of corruption and respond quickly and efficiently. This includes reporting and cooperating with authorities in investigations.

An integrated view of the U.S., U.K. and OECD guidance requires that the following compliance elements be in place:

• Understand your risk: An organization must have a risk-based approach to managing anticorruption. This includes periodic assessment (e.g., annual) of corruption and unethical conduct. However, the risk-assessment process should also be dynamic — completed each time there is a significant business change that could lead to exposure (e.g., mergers and acquisitions, new strategies and new markets). Risk assessments should cover exposure to corruption in specific markets, business partners and geographies.
• Approach compliance in proportion to risk: How an organization implements compliance procedures and controls is based on the proportion of risk it faces. If a certain area of the world or a business partner carries a higher risk for corruption, the organization must respond with stronger procedures and controls. Proportionality of risk also applies to the size of the business — smaller organizations are not expected to have the same measures as large enterprises.
• Tone at the top: The compliance program must be fully supported by the board of directors and executives. Communication with top-level management must be bidirectional. Management must communicate that they support the anticorruption compliance program and will not tolerate corruption in any form. At the same time, they must be well-informed about the effectiveness and strategies for compliance and anticorruption initiatives.
• Know who you do business with: It is critical to establish a risk-monitoring framework that catalogs third-party relationships, markets and geographies. Due diligence efforts must be in place to make sure the organization is contracting with ethical entities. If there is a high degree of corruption risk in a relationship, additional preventive and detective controls must be established in response. This includes knowing your employees and conducting background checks to understand if they are susceptible to corruption and unethical conduct.
• Keep information current: Due diligence and risk assessment efforts must be kept current. These are not point-in-time efforts; they need to be done on a regular basis or when the business becomes aware of conditions that point to increased risk.
• Compliance oversight: The organization needs someone who is responsible for the oversight of anticorruption compliance processes and activities. This person should have the authority to report to independent monitoring bodies, such as the audit committees of the board, to report issues of corruption.
• Established policies and procedures: Organizations need documented and up-to-date policies and procedures. The code of conduct filters down to other policies that address anticorruption, gifts, hospitality, entertainment and expenses, customer travel, political contributions, charitable donations and sponsorships, facilitation payments and solicitation and extortion. These requirements and processes must be clearly documented and adhered to.
• Effective training and communication: Written policies are not enough — individuals need to know what is expected of them. Organizations must implement anticorruption training to educate employees and business partners at risk of exposure to bribery, corruption and fraud. This includes getting acknowledgements from employees and business partners to affirm their understanding, and attestation of their commitment to behave according to established policies and procedures.
• Implement communication and reporting processes: The organization must have channels of communication where employees can get answers on policies and procedures. This could take the form of a help line that allows an individual to ask questions, or a FAQ database, or via form processing for approval on activities and requests. The organization must also have a hotline reporting system for individuals to report misconduct — in the U.S. this is called a whistleblower system, and in the U.K. it is referred to as a speak-up line.
• Assessment and monitoring: In addition to periodic risk assessment, the organization must also have regular compliance assessment and monitoring activities to ensure that policies, procedures and controls to prevent corruption and bribery are in place and working.
• Investigations: Even in the best organization, things go wrong. Investigation processes (hotlines, surveys, management reports and exit interviews) must be in place to quickly identify potential incidents of corruption, and quickly and effectively investigate and resolve issues. This includes reporting and working with outside law enforcement and authorities.
• Internal accounting controls: Organizations must keep detailed records that fairly and accurately reflect transactions and disposition of assets. This includes contract-pricing review, due diligence and verification of foreign business representatives, accounts payable, financial account reconciliation and commission payments.
• Manage business change: The organization must monitor for changes that introduce greater risk of corruption. The organization must document changes that result from observations and investigations and address deficiencies through a careful program of change management. This requires that business change be monitored by compliance personnel to prevent corruption.