by Keith Martin
In the face of ever more aggressive enforcement of anti-corruption and wider anti-financial crime legislation, the management teams of even the most well-prepared multinational companies are asking themselves not “if,” but “when” they will have to take their organization through a regulatory investigation.
One need only look at the list of active corruption investigations in the U.S. or U.K. to understand the concern. No matter the robustness of a compliance program, the likelihood of running afoul of the FCPA, the U.K. Bribery Act, or a national anti-corruption statute under the umbrella of OECD’s Anti-Bribery Convention is high and rising. In the face of the threat, compliance teams of large organizations are seeing their remit expand to include not only prevention and detection activity (through policy and audit) but also “corruption event” response and wider business continuity management.
The real and present danger of being investigated by a prosecuting authority and the need to manage the impact (financial, operational, reputational, legal and otherwise) of such an event is therefore shifting the compliance function from a business support unit to a department with huge strategic importance, hence the increasing inclusion of a chief compliance officer on the boards of multinational organizations.
A strategic approach to managing corruption risk is more prevalent in certain sectors and among large, multination businesses. The declared strategy of the Department of Justice and Securities and Exchange Commission to target specific sectors – including defense, oil and gas and pharma – has made these industries more sensitive to the risk and their response more robust. However, there still remains a huge number of “smaller” companies (but still billions of GBP in turnover) who have yet to adopt this approach, although they face similar risks.
As the DOJ, SEC or U.K.’s Serious Fraud Office rattle their sabers, it is still common to field requests from potential clients seeking to perform initial due diligence on existing third parties, undertake efforts to train employees or write specific program policies. In many instances, it soon becomes apparent that the service is being asked for in isolation; that it does not form part of a robust program adopted by the company to manage corruption risk in all its forms; and that the company may not even fully understand how the service being requested actually helps to manage the risk in the first place. Often, the reason for this is that the company is not dealing with the issue strategically, and is instead taking a checklist approach. Larger organizations who appreciate the business reality of being investigated – often from bitter direct experience – know that such an approach is not enough to protect and organization from the damage a scandal can do.
My message to those companies that have yet to embrace anti-corruption compliance as a core strategic issue is to learn from the mistakes of other organizations and acknowledge the increasingly investigation-prone business environment in which we operate and its implications. This is a particularly important message for those companies that intend to expand into ever more unfamiliar overseas markets in the next few years, as sluggish economic growth at home continues. More specifically, companies need to ask themselves some fundamental strategic questions:
1. What is at stake and what is our risk appetite? Companies should begin by asking themselves what they are trying to achieve in their anti-corruption program, based on the threats they face. Putting anti-corruption compliance in a business context is of paramount importance. Questions that can help clarify these fundamental issues include “What is the corporate risk tolerance?” and “How to enable the business through compliance?”
Asking these questions will necessitate immediate collaboration to adopt a strategy that does not inhibit successful business, but develops buy-in from the senior executive leadership and achieves top-down commitment. This exercise will also inform the need to develop program elements that effectively prevent, detect and remediate corruption.
2. What is our risk exposure and priorities? A meaningful approach to this end is an interactive risk workshop with all appropriate stakeholders to identify and/or understand: macro and micro corruption risks based – at a minimum – on jurisdictional politics and geography, transactional models and industry sector; the company’s risk tolerances specific to corruption likely and/or realistic corruption scenarios; in the context of these risk tolerances, identify the company’s tactical policy and planning development/implementation requirements from a current state; based on the above, identify and outline the decision strategies to be employed by the executive leadership in implementing elements in prevention, detection and response; with respect to proactive and reactive program elements, understand the priorities, resource requirements and operational needs at headquarters, business unit hubs and individual locations.
3. Prioritize and implement thoughtfully and consistently. No two businesses are alike, nor should any two compliance programs necessarily be identical. This is particularly true in the global marketplace and in Europe where companies differ widely not only in culture, but in the divergent compliance requirements they face. Data privacy, export control, anti-corruption, HSE and duty of care requirements are just a few of the compliance hurdles facing European companies. Each of these can trip up companies individually, or increasingly as intertwined one with another due to their often interconnected nature.
These overlapping dangers require an iterative approach to roll out of compliance programs. Far more important than the what – which frankly is self-explanatory in the wake of countless criminal and civil corporate corruption settlements in the U.S. and Europe – is the how of compliance. A deliberate approach to development and implementation is likely necessary due to the implications of cost to the business.
In addition, this route facilitates effective understanding of emerging requirements that inevitably shift a company’s risk profile along the road to program development. Enforcement authorities want companies to adopt meaningful and robust compliance programs, irrespective of the time required to establish them. Companies should take the time then to think strategically in their development.
Source : corporatecomplianceinsights