Managing Corruption Risk

Fighting corruption has become a major global initiative. The consequences of corruption violations can be severe. Firms that were found to have violated the Foreign Corrupt Practices Act (FCPA) in the United States and paid bribes to foreign officials have been subjected to criminal and civil enforcement actions, resulting in disgorgement of profits obtained through the illicit payments, large fines reaching into the hundreds of millions of dollars and suspension from federal procurement contracting. In addition, their employees and officers have gone to jail.

The FCPA is not the only game in town. In 2010, the United Kingdom passed the first major overhaul of its anti-corruption laws in more than a century, putting companies operating in that country under even more stringent regulations than set down by the FCPA by prohibiting commercial bribes in addition to bribes to foreign officials. Since then, several other countries, including Russia and China, have issued new anti-corruption regulations.

For multinationals, the proliferation of new requirements raises the compliance bar. The point is that reputational damage due to negative headlines revealing egregious violations can devastate the bottom line and impair business relationships and shareholder value.

To avoid these consequences, firms should ensure their compliance program is effective in preventing, deterring and detecting improper payments by employees and agents. A robust corruption risk management program typically includes the following elements:

• Risk assessment: The risk identification process should inventory the applicable legal and regulatory requirements and explicitly consider the risk of corruption involving foreign officials and employees or agents who operate out of the home country, especially at foreign locations known for unethical business practices, as well as the risk of commercial bribery as applicable under relevant laws and regulations. For example, when assessing corruption risk, consider the risk profile of the countries in which the company operates (including the cultural, political and regulatory environment), foreign and commercial relationships and the nature of payments made in order to conduct business (e.g., business licenses, permits, certifications and inspections), among other things.
• Board oversight: The board of directors should make it a priority to understand potential corruption risks and oversee the enterprise’s anti-corruption compliance program.
• Executive management supervision: A designated senior executive should coordinate and manage the compliance program. That executive should be supported by appropriate resources and his or her efforts should be reinforced through consistent and ongoing “tone at the top” messages about the importance of compliance.
• Policies, standards, procedures and reporting mechanisms: The organization must document the global anti-corruption policies and standards and communicate them to employees. Also, effective mechanisms for individuals to report criminal conduct and other concerns involving potential anti-corruption violations should be in place. There isn’t an authoritative “one-size-fits-all” approach to designing policies, standards, procedures and reporting mechanisms as part of implementing an anti-corruption risk program – implementation will vary depending upon the nature of a company’s business. However, there were several key points made by the U.S. Department of Justice (DOJ) that led it to decide not to prosecute a large global financial services firm even though one of the firm’s employees violated the FCPA:
  • The firm’s policies prohibited bribery and addressed corruption risks associated with the giving of gifts, business entertainment, travel, lodging, meals, charitable contributions and employment.
  • The firm updated its policies on a frequent basis to reflect new regulatory developments and specific emerging risks.

Other points contributing to the DOJ’s conclusion are provided below.

• Due diligence activities: Ensure appropriate due diligence is performed on employees, vendors, suppliers, potential business partners, representatives and third-party agents.
• Effective internal controls and monitoring: Internal controls should be in place for books and records, as well as proper accounting, including effective controls over cash accounts. Active monitoring of anti-corruption controls within financial and operational processes should identify and report potential red flags. Periodic audits of the anti-corruption program policies, procedures and controls should assess their effectiveness at ensuring compliance at all levels and across the entire organization. With respect to its decision not to prosecute the global financial services firm, the DOJ acknowledged:
  • The firm’s compliance department included anti-corruption experts in various high-risk areas where the company operated.
  • Compliance personnel regularly monitored transactions, tested transactions and randomly audited particular employees, partners, transactions and business units to identify illicit payments.
  • The program’s inclusion of transaction monitoring provided a sure sign that the firm understood that the need for due diligence is ongoing.
• Communication, training and awareness programs: Internal communications should convey that bribery and corruption will not be tolerated. Anti-corruption awareness education and training should be provided for employees, third-party agents and consultants conducting business on behalf of the organization to ensure they are knowledgeable of the appropriate behavior and legal requirements. With respect to the global financial services firm that was not subjected to a DOJ enforcement action even though one of its employees went rogue:
  • The firm trained various groups of Asia-based personnel on anti-corruption policies over 50 times during the six-year period in which the employee’s FCPA violations occurred.
  • During the same period, the firm trained the executive in question seven times on the requirements of FCPA.
  • In addition, the company’s compliance officer warned the executive that he was dealing with a foreign official, and reminders of the company’s code of conduct prohibiting bribery of foreign officials and requiring FCPA compliance were sent to the executive at least 35 times during the six-year period.

In effect, training should spell out the company’s expectations for compliance with its corporate policies and procedures, as well as the applicable anti-corruption or anti-bribery laws and regulations. Retraining should occur periodically, and all employees and third parties should certify that they comply with the company’s compliance policies. Whenever policies and procedures are updated, the updated information should be recirculated to employees and employees should be retrained with emphasis on the updated information.

Training sessions should be well documented, and records of when employees received training, as well as the corresponding materials, should be kept in employees’ personnel files. The date, time and location of each training session conducted should be tracked, along with compliance communications delivered. A copy of the training programs each employee attends and each compliance policy communication sent to the employee should be archived and stored.

• Investigation and disciplinary mechanisms: The organization must conduct thorough investigation and remediation of reported potential corruption violations. Disciplinary mechanisms must be enforced consistently for those who violate the company’s global corruption compliance policy.

While it is not feasible for a company to monitor every transaction of every amount by every employee, companies should establish risk-based policies, procedures and systems of internal controls that provide reasonable assurance that the organization is adhering to the provisions of applicable anti-corruption laws. That said, no large company can ever protect itself entirely from the actions of rogue employees who engage in collusion. If that occurs, an effective compliance program can not only help prevent compliance violations, but can also – as demonstrated by the case involving the global financial services firm – help mitigate the fallout from a serious corruption violation.

With this example as a benchmark, companies in all industries can take practical steps to improve their compliance processes to reduce the risk of prosecution.

To learn more, click to see Scott Moritz, Protiviti’s Investigations and Fraud Risk Management leader, discussing fraud risk and anti-corruption measures.

Understanding Fraud Risk Enables You to Better Manage It

Overcoming Roadblocks to Effective Anti-Corruption Measures