One of the most frequently asked questions I hear about managing corruption risk demonstrates the compliance profession's passion for benchmarking: “What do companies with the best anti-corruption programs do differently?”
The answer I give does not offer details about process or technology, at least not directly; instead, it boils down to philosophy and vision. Compliance, risk, internal audit, and other executives leading the most effective (and, not coincidentally, the most efficient) anti-corruption programs think of their efforts as an integral part of their organization's offensive capability—efforts that enable business agility and business resiliency to flourish.
This vision does not downplay the importance of process and other building blocks of anti-corruption capabilities. Indeed, leading practitioners also share a penchant for crafting comprehensive, dynamic programs—the sort of capabilities that this six-part “Anti-Corruption Illustrated Series” will examine in detail. Each installment conducts this analysis through diagrams, guidance, and field insights provided by leading experts.
While the focus of this series centers on process—the “how” of anti-corruption programs—it is valuable for those overseeing and managing these programs to also reflect on “why” they invest in these programs. The executives at the helm of organizations with leading anti-corruption programs say their intent is twofold: to strengthen organizational agility and resiliency while also bolstering anti-corruption mindsets and capabilities throughout their business ecosystems. This external reach not only helps customers, suppliers, and other business partners and stakeholders strengthen their anti-corruption programs, but also helps the competitive playing field by reducing the frequency and severity of corruption in their markets.
Executives who foster this point of view through the development of an effective and efficient anti-corruption program pursue an approach similar to those embraced by any top-notch CFO, CIO, or business continuity manager. These functional leaders continually strive to share leading finance, information technology, and business resiliency practices throughout their supply and demand chains. They also strive, through continual process improvement, to make their “lights-on” finance, IT, and disaster recovery capabilities as efficient as possible, so that they can invest more time and effort marshaling their resources to support a strategic offensive.
This approach calls to mind the philosophical concept of a paradox; call it the “process paradox”: the more leading practitioners focus on their anti-corruption processes and programs, the less time these efforts ultimately consume. This occurs as anti-corruption becomes more integrated into strategic decision making and daily work throughout the organization. Additionally, by investing in a sturdy anti-corruption framework, leading practitioners create a foundation from which they can more easily add lean GRC principles and practices that can help achieve continual improvements over the long haul.
This process work begins with a philosophy, one that envisions anti-corruption as a valuable enabler of business agility and business resiliency—qualities whose strategic value has never been higher.
Managing Corruption: An OCEG Roundtable
Switzer: There's a lot of talk about FCPA enforcement and U.K. Bribery Act requirements, but there is confusion about what to do. How do you determine how well your company is managing corruption risk?
Martin: A thoughtful and comprehensive risk assessment is fundamental for any anti-corruption program. An adequate risk assessment gives an organization a systematic view of its compliance risks so that it can develop detailed policies, procedures, and controls to effectively manage these risks.
Kuzma: Take a phased approach to validate whether efforts are sufficient given the risk assessment. First, ensure that the program covers all necessary areas for the company's industry and geographic footprint, including outside counsel review and consideration of information such as industry guidelines and programs of other companies. Then, regularly conduct an assessment to determine if there are any unidentified or poorly controlled risks that require program changes.
Switzer: We often hear “It is overwhelming; I don't know where to start.” What steps do you recommend to begin the process and gain some “quick wins”?
Martin: A strong anti-corruption policy and a good set of supporting procedures enable the implementation of the company's values and strategies, create the framework for consistent and fair practices across business units, mitigate risk, and ensure accountability among employees.
Kuzma: Two more quick-win areas are training and analytics. Train throughout the company and focus on raising awareness about how bribery and corruption can occur, including real-world examples; what regions in the company are at most exposure and why; relevant legal requirements; and details of the company's anti-corruption policy. Then perform analytic testing to expose expenditures that may create potential for corruption. Data analytics focusing on accounts payable, travel and entertainment, and petty cash provide great insight.
Slavin: To avoid becoming overwhelmed, address highest risk areas first. Successfully remediating a few high-risk areas through improved training, a more effective hotline system, or better third-party due diligence, will create early wins and help build momentum. A well-conceived, multi-year plan that considers relative risks, budgets, and available manpower will make an overwhelming undertaking feel much more manageable.
Rost: It's key to start with the most significant risk, and for many this is the risk presented by vendors and suppliers. Since these firms may be located where the organization does not have in-country resources, it's important to have up front and ongoing due diligence which includes assessing risk based on country of origin; targeted screening of the organization and key employees; and enhanced due diligence for high risk areas in the form of detailed background reports.
Switzer: How do you establish oversight and ownership of each aspect of the anti-corruption program to avoid confusion, gaps, and unnecessary overlaps?
Slavin: Decisions regarding ownership, oversight, and tactical responsibility differ by company and are impacted by staff size, budget and corporate structure. That said, high-level central oversight is critical. Individual components may be delegated to different people, departments, or regions as necessary, but someone must have broad oversight of the entire program with authority to make executive decisions.
Martin: It is important to have a chief compliance officer at the vice president level, over a centralized compliance group, to provide thought leadership and staff support for essential elements of the program. To succeed and ensure program also must be embraced by the employees and business partners.
Kuzma: That's right, and to establish comprehensive ownership you have to review the program that is in place, determine who is responsible for each element, and identify areas where no one is currently responsible. You also need to make sure that there are effective compliance officers in countries where corruption risks surface, and that the chief compliance officer back at headquarters has strong working relationships with them. A facilitated group discussion can be the starting point to iron out responsibilities to avoid confusion, gaps and duplication of effort.
OCEG ROUNDTABLE PANELISTS
Global Leader, Corporate Compliance
Ernst & Young
Vice President, Chief Compliance Officer,
Senior Deputy General Counsel,
Senior Director, Advisory Services,
Bribery & Corruption Risk Management,
SAI Global Compliance
Thomson Reuters GRC
Source: OCEG.
Rost: Also, an important way of achieving coordinated ownership is by standardizing a common taxonomy of policy, risk, and control with identified owners responsible for the documentation, communication, testing, and monitoring of each. Standardizing common methodologies and systems will enforce the consistency and transparency of information.
Switzer: What specific steps should corporate leadership take to establish and drive home the proverbial “tone at the top” to build corporate culture that is intolerant of corruption?
Martin: Senior management must consistently demonstrate the correct tone at the top through clear statements on the commitment of a culture of integrity and a zero tolerance approach to corruption. Also, for a compliance program to succeed, line managers at all levels of the organization must be held accountable for the compliance performance of the employees in their organization.
Slavin: Employees will quickly discount these messages as hollow rhetoric unless executives not only “talk the talk” but also “walk the walk.” The steps that leadership takes must show employees that they are willing to walk away from deals requiring bribes; that anyone, regardless of their contributions or stature, will be fired for unethical behavior; and that the CEO's commitment to profitability does not overshadow commitment to ethical behavior. Employees must believe that good-faith reporting of suspected wrongdoing is not only welcome, but expected.
Rost: Senior management should communicate zero tolerance for bribery and corruption, with messages tailored to different audiences. U.K. Ministry of Justice guidance suggests that messages include:
A commitment to carry out business fairly, honestly, and openly
Zero tolerance toward bribery
Consequences of breaching the policy
Articulation of the business benefits of rejecting bribery
Reference to bribery prevention procedures the organization has, or is putting in place
Reference to the organization's involvement in any collective action against bribery
Switzer: Today, many companies have a lot of data but not a lot of information because they can't easily consolidate and analyze what they have. How can technology help?
Rost: Two important technology investments are an enterprise GRC platform and a third party due diligence solution. The platform provides a common environment to manage the documentation, testing, communication, workflow, and reporting related to policy, compliance, and risk management and internal audit. It supports a common language for policy, risk, and control which enhances information transparency. Third-party due diligence solutions provide global intelligence on heightened risk individuals and entities, including screening for Politically Exposed Persons, enhanced due diligence reporting, and geopolitical risk solutions that provide the means to address the full spectrum of risk across all markets and industries, no matter what type and size organization.
Slavin: Third-party due diligence is a great example. Making consistent and defensible partnership decisions based upon efficiently collected and accurately analyzed data is important for all organizations. Inquiries to legal, audit, HR, or procurement departments may uncover existing technologies that compliance departments can leverage to meet these objectives. For example, many companies utilize litigation case management, GRC, and hotline systems that are suitable for use in the anti-corruption arena. Also, a software tool with features such as e-mail distribution, workflow management, external data integration, a secure & centralized repository, and a business rules engine is essential for large-scale data analysis and risk profiling.
Martin: Baker Hughes has successfully employed technology solutions in key areas such as the vetting and certifying of third-party agents, delivery of the worldwide training program, maintenance of a comprehensive case management system, and ongoing delivery of a wide variety of compliance messages.
Kuzma: Data analytics tools and techniques used in regular audits and investigations also can be used proactively to prevent, detect, and monitor against corruption. These systems test and analyze data by looking at trends and abnormal activity, uncovering exposure in key areas such as petty cash, accounts payable, and travel and expense submissions. Companies are starting to use tools to look at the unstructured data that is resident in the financial systems such as the text within journal entries, a/p disbursement descriptions, entries in the travel system that describe individual submissions, and information that describes how and why petty cash was used. Internal e-mail communication also is often a treasure chest of information.