This article originally appeared on Richard Bistrong’s FCPA blog and is republished here with permission.
In 2014, I wrote about the Kroll and Compliance Week 2014 Anti-Bribery and Corruption Benchmarking Report, subtitled Untangling the Web of Risk and Compliance. I found the 2014 report to be extremely relevant and engaging, focusing, among the conclusions, upon the peril of “vetting and forgetting.” Accordingly, when the 2015 report was recently released, subtitled How Companies Navigate Bribery and Corruption, I was anxious to see what, if anything, had changed from the 2014 report data and conclusions. After reading the report, I contacted Kroll with a number of questions pertaining to its conclusions, and with thanks to Kroll Compliance Director of Global Marketing & Communications, Cathy Johnson, my questions were submitted to the Kroll Managing Director of EMEA Compliance, Kevin Braine. The following represents the Q&A in its entirety.
RB: Kevin, first, thank you for your assistance in responding to my follow-on questions. The report speaks of the “frustrating picture of compliance officers struggling to implement a global strategy for anti-bribery compliance and to tame vendor/third-party risks.” Do you think that it is just due to the overwhelming nature of the endeavor, or perhaps in part due to internal “compliance fatigue” where there is a lack of organizational support and hence commitment of resources?
KB: I do not believe that there is a simple answer here. I have yet to meet a CCO happy with the resources he or she has at hand to tackle their tasks, and yet most large corporates have bigger compliance functions now than five or 10 years ago. The financial downturn has put some real pressure on all operational budgets and, in many sectors, CCOs have felt the pinch along with the rest of their senior colleagues. However, overall, there still appears to be widespread and ongoing Board-level commitment to maintaining robust ABC controls.
Some “compliance fatigue” may spring from a combination of maturing ABC programs – which perhaps lose a bit of steam after initial enthusiastic rollouts – and a drop in the number of high-profile fines and prosecutions (especially in the UK, where there still has not been a significant corporate prosecution under the 2010 Bribery Act), which act as reminders of the importance of having effective programs in place.
RB: The report focuses upon “poor reporting relationships or collaboration” where finance personnel are not part of the compliance regime. From my perspective, this might be the buried headline, as it takes more than one person to “get the money out.” From your experience, what are some of the steps organizations can take in order to remove finance from the compliance silo and hence, make them an essential part of the internal compliance team? As Ms. Zoe Newman (Kroll, Managing Director) well states, it is often the finance personnel, throughout the organizational chart, who understand “how the financial controls work and therefore how they potentially can be manipulated.” So, what can be done? This looks to be like a major gap you just unearthed.
KB: I fully agree that this is an important point and one that we do not always see tackled effectively. In some companies, this is a structural issue: compliance departments are purposefully ring-fenced to protect their independence and objectivity, and this can become a barrier to closer cooperation with both operational units (who will typically have a much better grasp of the details of a proposed relationship with a commercial counterparty) and finance departments. Many companies seek to remedy these silos with multidisciplinary approval committees to review any relationship flagged as “higher risk” from both a compliance and commercial perspective. Best practice is to have Finance represented on these committees.
RB: In the 2014 report, you warned, “don’t vet and forget.” It seems that this recommendation in the context of your “ongoing care and monitoring” responses did not make much progress. Any additional thoughts on this topic, given that only “33 percent feel as confident about monitoring third parties after the business relationship is underway”?
KB: Ongoing monitoring is indeed still a huge challenge for many ABC programs. A lot of programs rely solely on a mixture of refreshing existing due diligence files at regular intervals (every one, two or sometimes five years) and some form of regularly updated self-certification by third parties, but very few have dynamic processes in place allowing them to monitor and re-evaluate ever-changing risk profiles. More sophisticated programs – as typically found in regulated industries – include automated reviews of third parties against certain data sets, but this can remain a fairly crude binary process. In a perfect world, ABC programs should be able to pick up a commercial counterparty’s change of beneficial ownership, exposure to new higher-risk markets or reported involvement in some issue of controversy in a “live” manner and these changes would automatically lead to a re-evaluation of previous risk assessments.
RB: I found it fascinating that training intensity and frequency dropped as it got further away from the “Compliance suite,” which is where risk remains the greatest. Why do you think that exists, given that the front-line teams in foreign remote offices, often unsupervised, are those who need such training in greater regularity than their domestic counterparts, who may never confront corruption risk? As the report states, “the further away the risk, the confidence in its effectiveness wanes.” This seems to be fraught with peril from my front-line perspective.
KB: I think there has been some progress on this front. We typically see effectiveness wane in remote offices when:
- ABC programs are developed at corporate headquarters in splendid isolation;
- Tone from the top is handed down with no consultation with business units;
- Companies stick with a “one-size-fits-all” ABC training program/processes, which may be inadequate for certain business units that operate under very different models (arbitrary cash thresholds or country exposure rules put every single relationship of a business unit in higher-risk categories);
- International groups only roll out ABC training program/SOPs in one language, or fail to take into account local and cultural differences.
RB: Self-certification. Well, I am not a believer, as I have seen third parties collude with internal business sponsors to circumvent such assessments. Plus, as the report well states, they often “will not get much enthusiasm from third parties who may view it as one more compliance exercise,” to which I would add: Or not take it seriously, as they don’t consider themselves as locally subject to anti-bribery laws. Accordingly, the report speaks to “participation in training” as getting third parties “to start taking this a bit more seriously.” Can you elaborate a little more specifically as to what you would recommend?
KB: Self-certification can be effective. We notice that, when internal business sponsors have to countersign third parties’ disclosure documents and clearly engage their responsibility should they overlook serious misrepresentations, this type of exercise is taken very responsibly. To be fully effective, companies also have to conduct regular audits and tests on the whole self-certification process.
RB: Do you think online or web-based training for overseas field personnel is helpful, or is it necessary to bring them to the home office for anti-bribery training, or is it a combination of both that resonates the most?
KB: Face-to-face training will always be more effective than web-based. However, it is only worthwhile for employees in higher-risk functions and often most effective when delivered in country and tailored to a particular business unit. We have come across many very successful “train the trainer” programs where local managers were given training centrally and then adapted it and rolled it out locally.
RB: Automation. It seems to me that the report is a strong proponent of automation but with an “initial bit of consulting work to make it an actually worthwhile exercise.” Given the proliferation of automation services, especially when it comes to third-party on-boarding, is there a danger that automation might lead a company to a false sense of security or “passing the buck” when it comes to automating third-party on-boarding and assessments?
KB: As you rightly point out, automation can be a boon or a trap. However, with the right initial risk assessment in place, automation is the only way for regulated institutions to conduct some form of regular searches on huge volumes of lower-risk entities. Getting the risk assessment wrong, or lowering the bar to the point that the automated searches conducted do not pick up issues or are conducted on entities operating in countries where the data sets are either lacking or woefully inadequate, are the two common failures that we continue to come across.
RB: Thank you, Kevin, for sharing your work and additional perspective. If someone would like to contact you, do you have a preference?
KB: My pleasure, Richard. Feel free to share my e-mail address: firstname.lastname@example.org.