With increased exposure to anti-corruption laws and investigations, and defined anti-corruption practices, how does an organization go about using technology to manage anti-corruption compliance?

Compliance needs to be an active part of the organization and culture to prevent and detect corruption, bribery, and fraud. This continuous and ongoing process must be monitored, maintained, and nurtured. The challenge is establishing corruption prevention and detection activities that move the organization from a reactive fire-fighting mode to one that actively manages, monitors, prevents, and detects risk. This requires the organization to implement technology to manage anti-corruption compliance.

• Compliance program management: The organization needs a 360-degree view of compliance activities and reporting. This requires an end-to-end system for managing compliance activities, metrics, and reports. From this system the organization should be able to produce reports and metrics relevant to the board of directors and executives, to assure them they are meeting fiduciary obligations to have a compliance program for anti- corruption in place. All compliance management personnel and employees should be able to access the system and see contextually relevant tasks and items.

• Regulatory intelligence and change management: The integration of regulatory content feeds and technology enables the compliance program to monitor changes in anti-corruption laws, requirements, and cases to determine how new developments impact the business. The organizations must use technology to take in legal and regulatory feeds and route them to the correct subject matter expert for review and business impact analysis.

• Compliance risk assessment: Risk assessments are mandatory for compliance initiatives. The organization needs a technology platform to manage risk surveys, assessments, and related risk information and report, analyze and model risk.

• Policy and procedure management: A core process of a compliance program is the ability to document policies and procedures to maintain a state of compliance. All relevant policies related to anti-corruption should be documented, maintained, communicated, and attested to within a technology platform with a robust audit trail and content management capability. This includes code of conduct, anti-corruption, and other related policies.

• Training and communication: It is not enough to make written policies available — the organization also needs to train individuals on policies. Organizations are increasingly using the economies of online training to deliver courses on anti-corruption, and to test employee understanding of policies and requirements.

• Third-party management: Central to an anti-corruption compliance program is the ability to manage the risk of third-party entities you interact and do business with. Technology, and the integration of content feeds, enables the ongoing due diligence effort to monitor and score vendor/third-party risk, communicate policies to vendors, track attestations, and deliver surveys and assessments.

• Forms processing and automation: A critical component of an anti-corruption program is the ability to process and automate forms related to compliance policies and procedures. Interactions for contributions, gift, entertainment, and facilitated payments should be managed through online forms and workflow for approval or disapproval.

• Investigations management: Technology enables the organization to manage and monitor issues and incidents, and collaborate and document investigations. This includes the ability to record the range of issues reported from hotlines and other mechanisms, what actions were taken, and the results of the investigation.

With increased exposure to anti-corruption laws and investigations, how does an organization respond to anti-corruption compliance obligations?

The best offense in anti-corruption is a good defense. Organizations must be prepared to show that they have a strong compliance program in place to mitigate or avoid exposure to penalties. In today’s complex business environment, incidents do happen — the organization defends itself by demonstrating it has implemented appropriate compliance measures to prevent and detect issues of corruption and noncompliance. The goal is to have preventive measures in place to avoid corruption issues, while at the same time having detective measures to monitor for instances of corruption and respond quickly and efficiently. This includes reporting and cooperating with authorities in investigations.

While there are different laws around the world aimed at anti-corruption, the compliance aspects to these laws are based on common requirements that are the backbone of any good compliance program. From a U.S. perspective, the best defense is to show that the organization has met the elements of an effective compliance program as established by the United States Sentencing Commission Organizational Guidelines.[2] The U.S. guidelines compliment and coordinate well with the U.K.’s guidance requiring a company to demonstrate adequate procedures to prevent bribery. It is a full defense in the U.K. Bribery Act when an organization proves that despite a particular incident of bribery it nevertheless has proper compliance practices in place to prevent corruption and bribery. Both the U.S. and U.K. guidance aligns with and supports OECD Good Practice on Internal Controls, Ethics, and Compliance.

An integrated view of the U.S., U.K., and OECD guidance requires that an organization have the following compliance elements in place:

• Understand your risk: An organization must have a risk-based approach to managing anti-corruption. This includes periodic assessment (e.g., annual) of the exposure to the organization for corruption and unethical conduct. However, the risk-assessment process should also be dynamic — completed each time there is a significant business change that could lead to exposure (e.g., mergers and acquisitions, new strategies, and new markets). Risk assessments should cover exposure to corruption in specific markets, business partners, and geographies.
• Approach compliance in proportion to risk: How an organization implements compliance procedures and controls is based on the proportion of risk it faces. If a certain area of the world or business partner carries a higher risk for corruption, the organization must respond with stronger compliance procedures and controls. Proportionality of risk also applies to the size of the business — smaller organizations are not expected to have the same measures as large enterprises.
• Tone at the top: The compliance program must be fully supported by the board of directors and executives. Communication to and from top-level management must be bidirectional. Management must communicate that they support the anti-corruption compliance program and will not tolerate corruption in any form. At the same time, they must be well-informed about the effectiveness and strategies for compliance and anti-corruption initiatives.
• Know who you do business with: It is critical to establish a risk-monitoring framework that catalogs third-party relationships, markets, and geographies. Due diligence efforts must be in place to make sure the organization is contracting with ethical entities. If there is a high degree of corruption risk in a relationship, additional preventive and detective controls must be established in response. This includes knowing your own employees and conducting background checks to understand if they are susceptible to corruption and unethical conduct.
• Keep information current: Due diligence and risk assessment efforts need to be kept current. These are not point-in-time efforts that happen once; they need to be done on a regular basis or when the business becomes aware of conditions that point to increased risk of corruption.
• Compliance oversight: The organization needs someone who is responsible for the oversight of anti-corruption compliance processes and activities. This person should have the authority to report to independent monitoring bodies, such as the audit committees of the board, to report issues of corruption.
• Established policies and procedures: Organizations must have documented and up-to-date policies and procedures that address corruption. The code of conduct is the governing policy that filters down to other policies that address anti-corruption, gifts, hospitality, entertainment and expenses, customer travel, political contributions, charitable donations and sponsorships, facilitation payments, and solicitation and extortion. Compliance requirements and processes must be clearly documented and adhered to.
• Effective training and communication:Written policies are not enough — individuals need to know what is expected of them. Organizations must implement anti-corruption training programs to educate employees and business partners at risk of exposure to bribery, corruption, and fraud. This includes getting acknowledgements from employees and business partners to affirm their understanding, and attestation of their commitment to behave according to established policies and procedures.
• Implement communication and reporting processes:The organization must have channels of communication where employees can get answers on policies and procedures. This could take the form of a help line that allows an individual to ask questions, or a FAQ database, or via form processing for approval on activities and requests. The organization must also have a hotline reporting system for individuals to report misconduct — in the U.S. this is called a whistleblower system, and in the U.K. it is referred to as a speak-up line.
• Assessment and monitoring:In addition to periodic risk assessment, the organization must also have regular compliance assessment and monitoring activities to ensure that policies, procedures and controls to prevent corruption and bribery are in place and working.
• Investigations:Even in the best organization, things go wrong. Investigation processes (hotlines, surveys, management reports, and exit interviews) must be in place to quickly identify potential incidents of corruption, and quickly and effectively investigate and resolve issues. This includes reporting and working with outside law enforcement and authorities.
• Internal accounting controls: Organizations must keep detailed books, records and accounts that fairly and accurately reflect transactions and disposition of assets that could be implicated in corruption issues. This includes contract-pricing review, due diligence and verification of foreign business representatives, accounts payable payments, financial account reconciliation, and commission payments.
• Manage business change: The organization must monitor the business environment for changes that introduce greater risk of corruption. The organization must document changes required to business practices as a result of observations and investigations, and address deficiencies through a careful program of change management. This requires that business change be monitored by compliance personnel to proactively prevent corruption.

Organizations across industries have global clients, partners, and operations. The larger the organization is, the more complex its interactions with external entities (e.g., government, regulators, contractors, vendors, and other third-parties) around the world.

Adding to the complexity and distribution of global business is a constantly changing business environment. In the brief moment spent reading this paper, your business has probably changed: New employees are hired, others change roles, and some leave. New business partner relationships are established — others terminated or changed. Business executes on strategy and enters new markets, opens up new facilities around the world, contracts with agents, or introduces new products and services. New laws are introduced that impact the organization, regulations change, and the environment around business changes, introducing risk (e.g., economic, geopolitical, operational) and impacting how business is conducted.

Global compliance in the context of a complex and dynamic business environment is particularly challenging as organizations face greater exposure to anti-corruption laws and regulations. How does an organization validate that it is current with legal, regulatory, and other obligations in the face of an ever-changing business environment?

First there was the U.S. FCPA

Laws such as the Foreign Corrupt Practices Act (FCPA) have been in place in the U.S. for nearly 35 years.[1] Despite this length of time, each year shows increasing noncompliance and growing fines and penalties by the US Department of Justice[2]. In 2010, the number of enforcement actions were double any previous year.[3]

BOX HIGHLIGHT/Call out

Growing liability:

• The court found Frederic Bourke, Jr. was willfully blind, and that as an investor he should have done more due diligence and should have knows that the energy company he invested in bribed foreign officials.
• The government told Nature’s Sunshine’s CFO and COO they should have had better controls over financial reporting, even though the SEC never stated they specifically knew of the bribery happening within the corporation.

Fines are skyrocketing:

• The U.S. Department of Justice assessed nearly $2 billion in fines in 2010
• Eight of the top 10 FCPA settlements occurred in 2010
• BAE Systems was the third largest fine at $500 million
• Daimler AG had $185 million in fines and disgorgements
• Snamprogetti had $365 million in fines (fourth-largest)
• The average cost of an FCPA settlement is $50 million plus the expense for an external monitor to validate a compliance program is in place for the next 10 to 20 years. This does not include investigation expenses.

Executives can go to jail:

• Charles Jumet, former VP of Ports Engineering Consulting Corporation, was sentenced to 87 months in prison

Investigation costs are significant:

• Siemens spent $850 million in fees and expenses to investigate anti-corruption
• Daimler had a five-year investigation that cost over $500 million

Harsh collateral sanctions, in which the government can also:

• Terminate government licenses
• Disbar the organization from government contracting
• Disgorge company profits on contracts secured by improper payments

Now Organizations Have to Comply with the U.K. Bribery Act As Well

If the FCPA was not enough, the United Kingdom approved the U.K. Bribery Act (UKBA) legislation in 2010, which went into force in July 2011.[4] This anti-corruption law brings broader scope and implications to anti-corruption compliance. Both the FCPA and the UKBA are country-specific initiatives in support of the Organization for Economic Cooperation and Development’s (OECD) anti-corruption initiatives in 34 democratic countries around the world.[5] The OECD has released Good Practice Guidance on Internal Controls, Ethics, and Compliance to combat anti-corruption around the world.[6]

The UKBA makes it illegal for a company operating or listed in the U.K. to make unofficial payments to public officials to secure or expedite performance of routine or necessary business transactions. The scope of the UKBA includes anyone with business operations in the U.K. and covers acts and omissions anywhere in the world. Organizations need to be prepared to defend themselves — UKBA has a rebuttable position that an employee is acting on behalf of the organization. This requires that the organization is able to demonstrate it has an appropriate compliance program in place to overcome this burden of proof.

The U.K. Bribery Act establishes four criminal offenses for corporations[7]:

1. Offering or paying a bribe
2. Requesting or receiving a bribe
3. Bribing a foreign public official
4. Failing to prevent bribery

Dodd-Frank Whistleblower Provisions Makes Matters Worse

In the U.S., anti-corruption has become much more complex: The U.S. Federal Government whistleblowing provisions in the Dodd-Frank Act entice employees to report ethical violations, such as bribery and corruption, to the government. It gives the SEC powers of enforcement of a whistleblower bounty program and whistleblowers a bounty from fines and penalties resulting from the investigation should the organization be culpable.[8] The scope includes areas of fraud, antitrust, insider trading, corruption, and bribery. Corporate whistleblowers who provide information which leads to a successful SEC enforcement receive 10 percent to 30 percent of the monetary sanctions over $1 million. In an era of increased scrutiny and judgments for anti-corruption, this is a significant concern keeping executives, the board, legal, and compliance professionals up at night.[9]

Policy, done right, articulate corporate culture, the boundaries of individual and business behavior, and personal conduct. Consider that:

• Policies articulate the governance culture and structure: Without policies there are no written standards about acceptable and unacceptable conduct. Without good policy, culture morphs, changes, and takes unintended paths without a compass to guide its way.
• Policies articulate a culture of risk: This includes risk responsibilities, communication, appetite, tolerance levels, and risk ownership. Every organization takes risk — it is part of business. Without clearly written guidance and ownership, risk governance policy will be ineffective.
• Policies articulate a culture of compliance: Policies define what is acceptable and unacceptable. This starts with legal and regulatory requirements:  communicating how the organization will stay within legal boundaries given the various jurisdictions in which it operates. Policies establish the values, ethics, commitments, and social responsibility of the organization, when it comes to matters of discretion.

It is important to be clear: Policy does not provide corporate culture, nor does it resolve the issues of  governance, risk or compliance (GRC). An organization can have a wide array of policies that are not adhered to, and end up in very hot water. However, policies are a necessary means to clearly define, articulate, and communicate the organization’s boundaries, practices, and expectations. An organization can have a corrupt and convoluted culture with good policy in place, though it cannot have a strong and established culture without it. The right policy is necessary to define and communicate what the organization is about.

Policies are the vehicle that communicates and defines culture so culture does not morph out of control. This requires policy to be adhered to at every level, exceptions to policy be governed, and violations be dealt with consistently and responsively. Because policy can establish liability, mismanagement of policy can introduce liability to the organization as a policy establishes a duty of care for the organization. Reliance upon policy violation as a duty of care can be used by regulators, prosecuting and plaintiff attorneys, and others to place culpability on an organization. It is paramount for an organization to establish policy it is willing to enforce – but also necessary to closely manage and monitor the policies that are in place.

I would love to hear your thoughts on Why Policies Matter and corresponding GRC strategies.

From the SCCE:

In the recent Corporate Integrity Agreement between Pfizer and the Office of the Inspector General of the Department of Health and Human Services, Pfizer agreed that its Chief Compliance Officer will report directly to the CEO; will neither be nor be subordinate to the General Counsel or CFO; and will make periodic reports to the Audit Committee of the Board. Does it negatively impact a compliance program when the GC is also the head of ethics and compliance? To whom should the chief compliance and ethics officer report? And how can a company create the right level of independence for the compliance function?

In order to gather valuable benchmarking data for our members, the SCCE has compiled 9 short questions regarding compliance officer positioning. Please take a minute to answer the survey, then check back to view the valuable benchmarking data. Thanks very much for your participation and your important contribution to compliance and ethics benchmarking research.

Thank you very much for providing your valuable input.
http://scce.informz.net/z/cjUucD9taT00OTEzMTImcD0xJnU9MTAwNzkwOTEwOCZsaT0xODExMTE4/index.html

Besides taking the survey – please post your comment on this LinkedIN group.

During my latest OCEG GRC Strategy & Red Book 2 Bootcamp, one attendee stated they had seen the job title of Chief Punishment Officer in China. Any takers?

On a related note – one attendee had asked if anyone had a disciplinary matrix – wrongs with associated punishments – for their organization.

“. . .the measure of the likelihood of something happening that will have an effect on achieving objectives; most importantly, but not exclusively, an adverse effect. Thus, Risk Management is the systematic application of processes and structures that enable an organization to identify, evaluate, analyze, optimize, monitor, improve, or transfer risk while communicating risk and risk decisions to stakeholders. The overriding goal of risk management is to realize potential opportunities while managing adverse effects of risk.”

News . . . the roller-coaster of information pouring into us about the tumultuous times we live in can be overwhelming.  The current focus on the economy in the wake of an ongoing shake-up in Wall Street has many living on the edge of their seats – uncertain about the future.