In the long-running television drama “House,” the ornery and unconventional medical genius Dr. Gregory House masterfully diagnoses the sources of mysterious illnesses. The secret to House's success stems from his ability to see the big picture, understand how all of a human body's various systems interact with each other, and spot patterns that no one else detects.
The same skills would enable House to thrive in the complex field of corruption issue intake and management. Conventional wisdom holds that this is a relatively simple, straightforward, and discrete process. But the conventional wisdom is wrong.
Companies with the most sophisticated anti-corruption capabilities do more than resolve the issue and identify its direct cause. They also periodically examine their entire portfolio of corruption issues to better understand how they interact and to identify ways to improve corruption defenses throughout the entire organizational system. By conducting such “portfolio examinations” on a periodic basis, these companies continuously improve their anti-corruption capabilities in several different ways, including process improvements, efficiency gains and more effective crisis communications, and litigation preparation in the event that a significant corruption issue arises.
The last point is important. When an instance of corruption is raised, communications about the event (and the response) must be quickly disseminated to all relevant stakeholders while initial review of the issue takes place. In some cases, a crisis response effort and litigation preparation activities must also begin right away. So, even a single investigation involves a tangle of moving parts.
Consider how complex issue intake and management becomes in an enterprise that operates in dozens of countries around the world. Each response produces a body of information related to what went wrong, why it went wrong, and the steps to be taken to prevent the issue from arising in the future.
Companies with leading anti-corruption capabilities—those that occupy the third level of the following maturity scale—leverage this body of information to their benefit:
Level 1: Response. Almost every company has achieved this level of maturity (if they have not, the first bribery issue that arises might put them on life support). Once an issue occurs, it is assessed, assigned, investigated, and resolved.
Level 2: Root Cause Analysis. Many organizations try to operate at this level; as part of resolving a corruption issue, those responsible for the investigation also attempt to understand why the individual event occurred in the first place.
“Wasting time, personnel, and money chasing low-priority items while critical issues remain unattended can be the undoing of a compliance program and the organization.”
Global Head of GRC Product Management,
Level 3: True Continuous Improvement. Achieving continuous improvement requires a periodic analysis of all corruption issues, including a systemic examination that helps expose patterns of problems and other vulnerabilities. These findings and insights in turn stimulate the sharing of best practices throughout the enterprise, as well as the identification of specific process improvements designed to lessen the likelihood of future occurrences of corruption problems. And when push comes to shove, in some cases tough decisions must be made about whether the company should avoid using specific agents, or even cease operations in some markets.
The risk of not evolving beyond the second level of this maturity model can be significant: Without a big-picture understanding, any individual root cause analysis may be incorrect or incomplete. What looks like a root cause in isolation may actually turn out to be a symptom of a more systemic problem.
To ensure a strong prognosis for success in international markets, more anti-corruption managers should consider diagnosing corruption issues the way Dr. House would: by taking a big-picture view and tenaciously examining all of the causal factors, and how they influence each other, until the issues are understood and resolved in a holistic manner.
The Challenge of Corruption Issue Management: An OCEG Roundtable
Switzer: Companies learn of corruption issues through many pathways, including hotlines, comments to supervisors, and unfortunately sometimes only when a government investigation takes place. What are the best ways to drive early notice so that the problem can be addressed quickly?
Mefford: Employees really can be the best eyes and ears of the organization because they see the action from the front lines. I am always amazed at how many employees knew something was going on, but didn't say anything. The challenge is making employees feel safe and secure enough that they are willing to say something when they see it. It takes a lot of courage to step forward. We have to fight the negative stigma associated with being a “snitch” and help employees understand how speaking up helps protect the company, their co-workers, and themselves. Expressing appreciation and ensuring there is no retaliation is the best word of mouth advertising you can do. Having an employee who tells co-workers “it's OK to say something, because I did and nothing happened to me, in fact I was thanked for my help,” is powerful and the grapevine will spread that message quicker than any corporate communication or training program.
Campbell: It is so true that companies must establish an ethical, “speak-up” culture, and they should make it as convenient as possible for employees and third parties to report issues internally. A multi-pronged approach is critical. Provide and advertise multiple points of contact; offer anonymity, but encourage personal contact; acknowledge receipt of issues and act promptly; develop an internal process and enforce it, limiting data access to required personnel; and maintain centralized, accurate records and documentation. Companies are well-advised to develop easy-to-understand policies and procedures requiring internal reporting, ensuring anti-retaliation and limiting information flow. It's important to train and remind employees and third parties about reporting options and responsibilities. Managers must be trained on how to properly handle concerns. And using a sophisticated case management system ensures accurate collection of issues, facilitates workflow, and helps in managing investigations and generating useful reports.
Reisman: I agree with everything said and can add a few points. First, help employees and others know how to identify corruption risks, and train managers about communicating reports to compliance officers and company lawyers. Second, paradoxically, reduce reliance on employee calls and tips by pro-actively monitoring known risk areas and capturing data from your compliance processes. For example, periodically assess payments or commissions made to certain third parties, due diligence reports for appointment of agents and distributors, T & E accounts in high risk countries, and any charitable or political contributions. Also hold periodic face-to-face reviews with sales teams in remote locations. Last but not least, promptly identify and escalate potentially significant issues with a structured and tested process for communication, assessment and assignment of cases, and metrics for cycle time.
Switzer: Given the number of sources of information and the volume of potential issues, what are the key steps in filtering and ensuring the right level of investigation for each?
Reisman: First, get the issue to a knowledgeable first responder - - someone in the compliance or legal department who can sift through potentially unclear reports, ask follow-up questions, and identify a bribe or corrupt practice. Whether the issue was communicated in person, by telephone, e-mail or instant message, the first responder should create a record in an electronic case-management system, for routing to the compliance officers or company lawyers responsible for the second step - - mobilizing investigations and assembling global teams. Now, for that second step to be effective, the global teams have to be pre-positioned: on stand-by for quick response in places where a risk assessment indicates that a significant issue is likely to surface. They have to be ready to handle a hot case quickly and comprehensively: secure the evidence; contact the witnesses; conduct interviews; keep employees and management informed; handle customer and public inquiries. Standard protocols and team rehearsals are important.
Campbell: Of course you have to be ready to deal with the highest risk issues first, and that is part of what the first responder has to determine. Wasting time, personnel, and money chasing low-priority items while critical issues remain unattended can be the undoing of a compliance program and the organization. Issues can be prioritized based on the risk they carry to the organization and your objectives and available resources. And it's helpful to estimate how successful an investigation might be, measured by the likelihood of issue resolution as well as successful risk mitigation. Companies that have leveraged technology have an advantage in sorting through all this. They can easily filter accumulated data by the risk criteria they deem important such as allegation type, vendor type, or gift recipient and identify the riskiest issues.
OCEG ROUNDTABLE PANELISTS
Global Head of GRC Product Management,
VP Business Process Assurance,
Fraud Investigation and Dispute Services,
Ernst & Young
Mefford: A good first step is discussing what sorts of issues demand the highest attention before you receive any issue. Most companies have some sort of categorization of issues into buckets, which the compliance governance group should rank by priority and impact to the organization. This allows the first responder to make a better initial assessment. Having the right people involved in the governance group is also important to ensure you are thinking of each issue holistically and assessing it from different points of view. We have a representative from human resources, legal, finance and internal audit in our governance group to ensure each issue is viewed from those perspectives. Another factor to consider is the level of individual in the organization against which the claim is made. An organization faces greater liability if a country manager or executive is involved than if it is a low level employee.
Switzer: Some issues are so hot they require immediate escalation. What are some triggers for sending issues up the chain quickly, even to the point of informing the board?
Campbell: As a general rule, any report regarding suspected corruption needs to be escalated as soon as possible to the General Counsel and the Chief Compliance Officer, or to a specific individual designated by them. Also, there needs to be a single focal point in the organization with the perspective to make connections between reports. Having this kind of process helps organizations identify areas of emerging risk. Escalation up from that point will depend on the nature of the allegation, the type of risk involved, such as reputation or financial, the credibility of the report, and whether the issue has been previously investigated. Given the size of the potential penalties and the need to demonstrate integrity in this area, escalation should be prompt once some level of credibility has been established, especially if there has been a history of problems.
Reisman: Ask yourself a few key questions. First and foremost: is there evidence to indicate that a crime has been committed, so that the company might need to make a voluntary disclosure to prosecutors and regulators? Is it likely that the claim is true? Is it probable that other people know and might make a disclosure before the company can respond, for example, an employee seeking a bounty under the Dodd-Frank whistleblower rules? Is there significant legal, operational financial or reputational risk to the company?
Mefford: This will vary from organization to organization, so it is extremely important to understand your board's expectations. That is the most important criteria for knowing when to escalate an issue and notify the board. As a general rule, if a high level employee is involved, if the magnitude of the wrongdoing or potential fines are material, or if there is the chance of a significant reputation risk, you should notify the board sooner than later. One of the worst things that can happen is for the board to read about an incident in the media before they were made aware of the issue.
Switzer: What are some of the information management and communication needs when an investigator determines criminal investigation or voluntary disclosure to prosecutors may be likely?
Campbell: Information must be readily available and in one central location. This is where technology can really help in effective responses. For example, having all the communication between constituents (company, employees, and third parties) on one centralized platform makes data collection and disclosure more cost-effective and accurate. A centralized platform should include a case management system, a system for tracking or registering gifts and entertainment, and a mechanism for capturing information about third party due diligence. Clearly, centralized oversight, on-demand reporting and data storage are real advantages of such a system.
Mefford: Once an investigator determines criminal investigation or voluntary disclose to prosecutors may be likely, it is time to check back in with the governance group responsible for investigations. There should be one procedure for determining if this is necessary and how to notify prosecutors and the board. This is a decision that needs to be made by the right individuals, who are usually represented on the governance group. I think one of the biggest issues is to ensure that any statements made by the company or its employees are factual and consistent. Nothing is more damning, to the public or prosecutors, than an organization changing its story as the events unfold.
Reisman: Keep in mind one central point: nothing in today's world stays secret for long, despite attorney-client legends on documents and admonitions to employees. I have this vision of people tweeting as the investigation team walks down the hall. Employees being interviewed tend get nervous, and understandably so. That makes planning communications to the people who might be involved critical. Be prepared to describe the issue and the investigation process, and to let employees know whether the company will retain counsel for them. Have a communication plan for local managers who need to answer customer inquiries and keep the business going, and who answer questions from employees when the investigation team leaves the building; and for senior management - - the clients who will need to be involved in legal decisions, or make changes in business operations. And ensure strong coordination and information flow between the investigation teams and the compliance officer and general counsel, who may need to provide information to the board.