One of the most frequently asked questions I hear about manag­ing corruption risk demonstrates the compliance profession's passion for benchmarking: “What do companies with the best anti-corruption programs do dif­ferently?”

The answer I give does not offer details about process or technology, at least not directly; instead, it boils down to philoso­phy and vision. Compliance, risk, inter­nal audit, and other executives leading the most effective (and, not coincidentally, the most efficient) anti-corruption programs think of their efforts as an integral part of their organization's offensive capability—efforts that enable business agility and business resiliency to flourish.

This vision does not downplay the importance of process and other build­ing blocks of anti-corruption capabilities. Indeed, leading practitioners also share a penchant for crafting comprehensive, dynamic programs—the sort of capabili­ties that this six-part “Anti-Corruption Illustrated Series” will examine in detail. Each installment conducts this analysis through diagrams, guidance, and field in­sights provided by leading experts.

While the focus of this series centers on process—the “how” of anti-corruption programs—it is valuable for those over­seeing and managing these programs to also reflect on “why” they invest in these programs. The executives at the helm of organizations with leading anti-corrup­tion programs say their intent is twofold: to strengthen organizational agility and resiliency while also bolstering anti-corruption mindsets and capabilities throughout their business ecosystems. This ex­ternal reach not only helps cus­tomers, suppliers, and other busi­ness partners and stakeholders strengthen their anti-corruption programs, but also helps the competitive playing field by re­ducing the frequency and sever­ity of corruption in their mar­kets.

Executives who foster this point of view through the development of an ef­fective and efficient anti-corruption pro­gram pursue a similar approach to those embraced by any top-notch CFO, CIO, or business continuity manager. These func­tional leaders continually strive to share leading finance, information technology and business resiliency practices through­out their supply and demand chains. And they also strive, through continual pro­cess improvement, to make their “lights-on” finance, IT, and disaster recovering capabilities as efficient as possible, so that they can invest more time and effort mar­shaling their resources to support strate­gic offensive.

This approach calls to mind the philo­sophical concept of a paradox; call it the “process paradox:” the more leading prac­titioners focus on their anti-corruption processes and programs, the less time these efforts ultimately consume. This occurs as anti-corruption becomes more integrated into strategic decision making and daily work throughout the organi­zation. Additionally, by investing in a sturdy anti-corruption framework, lead­ing practitioners create a foundation from which they can more easily add lean GRC principles and practices that can help achieve continual improvements over the long haul.

This process work begins with a phi­losophy; one that envisions anti-cor­ruption as a valuable enabler of business agility and business resiliency—quali­ties whose strategic value has never been higher.

Managing Corruption: An OCEG Roundtable

Switzer: There's a lot of talk about FCPA enforcement and U.K. Bribery Act requirements, but there is confu­sion about what to do. How do you determine how well your company is managing corruption risk?

Martin: A thoughtful and compre­hensive risk assessment is fundamen­tal for any anti-corruption program. An adequate risk assessment gives an organization a systematic view of its compliance risks so that it can develop detailed policies, procedures, and con­trols to effectively manage these risks.

Kuzma: Take a phased approach to validate whether efforts are sufficient given the risk assessment. First, ensure that the program covers all necessary areas for the company's industry and geographic footprint, including out­side counsel review and consideration of information such as industry guide­lines and programs of other companies. Then, regularly conduct an assessment to determine if there are any unidenti­fied or poorly controlled risks that re­quire program changes.

Executives at the helm of organizations with leading anti-corruption programs say their intent is twofold: to strengthen organizational agility and resiliency while also bolstering anti-corruption mindsets and capabilities throughout their business ecosystems.

Switzer: We often hear “It is overwhelm­ing; I don't know where to start.” What steps do you recommend to begin the process and gain some “quick wins”?

Martin: A strong anti-corruption poli­cy and a good set of supporting proce­dures enable the implementation of the company's values and strategies, create the framework for consistent and fair practices across business units, miti­gate risk, and ensure accountability among employees.

Kuzma: Two more quick-win areas are training and analytics. Train through­out the company and focus on raising awareness about how bribery and cor­ruption can occur, including real-world examples; what regions in the company are at most exposure and why; relevant legal requirements; and details of the company's anti-corruption policy. Then perform analytic testing to ex­pose expenditures that may create po­tential for corruption. Data analytics focusing on accounts payable, travel and entertainment, and petty cash pro­vide great insight.

Slavin: To avoid becoming over­whelmed, address highest risk areas first. Successfully remediating a few high-risk areas through improved training, a more effective hotline sys­tem, or better third-party due dili­gence, will create early wins and help build momentum. A well-conceived, multi-year plan that considers relative risks, budgets, and available manpower will make an overwhelming undertak­ing feel much more manageable.

Rost: It's key to start with the most sig­nificant risk, and for many this is the risk presented by vendors and suppli­ers. Since these firms may be located where the organization does not have in-country resources, it's important to have up front and ongoing due dili­gence which includes assessing risk based on country of origin; targeted screening of the organization and key employees; and enhanced due diligence for high risk areas in the form of de­tailed background reports.

Switzer: How do you establish over­sight and ownership of each aspect of the anti-corruption program to avoid, confusion, gaps and unnecessary over­laps?

Slavin: Decisions regarding ownership, oversight, and tactical responsibility differ by company and are impacted by staff size, budget and corporate struc­ture. That said, high-level central over­sight is critical. Individual components may be delegated to different people, departments, or regions as necessary, but someone must have broad oversight of the entire program with authority to make executive decisions.

Martin: It is important to have a chief compliance officer at the vice president level, over a centralized compliance group; to provide thought leadership and staff support for essential elements of the program. To succeed and ensure program also must be embraced by the employees and business partners.

Kuzma: That's right, and to establish comprehensive ownership you have to review the program that is in place, de­termine who is responsible for each ele­ment, and identify areas where no one is currently responsible. You also need to make sure that there are effective compliance officers in countries where corruption risks surface, and that the chief compliance officer back at head­quarters has strong working relation­ships with them. A facilitated group discussion can be the starting point to iron out responsibilities to avoid confu­sion, gaps and duplication of effort.

OCEG ROUNDTABLE PANELISTS

Carole Switzer,Moderator

President,

OCEG

Steven Kuzma,

Global Leader, Corporate Compliance

Advisory Services,

Ernst & Young

Jay Martin,

Vice President, Chief Compliance Officer,

Senior Deputy General Counsel,

Baker Hughes

Jim Slavin,

Senior Director, Advisory Services,

Bribery & Corruption Risk Management,

SAI Global Compliance

Mike Rost,

Vice President,

Thomson Reuters GRC Source: OCEG.

Rost: Also, an important way of achiev­ing coordinated ownership is by stan­dardizing a common taxonomy of policy, risk, and control with identified owners responsible for the documenta­tion, communication, testing, and mon­itoring of each. Standardizing common methodologies and systems will en­force the consistency and transparency of information.

Switzer: What specific steps should cor­porate leadership take to establish and drive home the proverbial “tone at the top” to build corporate culture that is intolerant of corruption?

Martin: Senior management must con­sistently demonstrate the correct tone at the top through clear statements on the commitment of a culture of in­tegrity and a zero tolerance approach to corruption. Also, for a compliance program to succeed, line managers at all levels of the organization must be held accountable for the compliance performance of the employees in their organization.

Slavin: Employees will quickly dis­count these messages as hollow rheto­ric unless executives not only “talk the talk” but also “walk the walk.” The steps that leadership takes must show employees that they are willing to walk away from deals requiring bribes; that anyone, regardless of their contribu­tions or stature, will be fired for un­ethical behavior; and that the CEO's commitment to profitability does not overshadow commitment to ethi­cal behavior. Employees must believe that good-faith reporting of suspected wrongdoing is not only welcome, but expected.

Rost: Senior management should com­municate zero tolerance for bribery and corruption, with messages tailored to different audiences. U.K. Ministry of Justice guidance suggests that messages include:

A commitment to carry out busi­ness fairly, honestly, and openly

Zero tolerance toward bribery

Consequences of breaching the policy

Articulation of the business ben­efits of rejecting bribery

Reference to bribery prevention procedures the organization has, or is putting in place

Reference to the organization's in­volvement in any collective action against bribery

Switzer: Today, many companies have a lot of data but not a lot of information because they can't easily consolidate and analyze what they have. How can technology help?

Rost: Two important technology in­vestments are an enterprise GRC plat­form and a third party due diligence solution. The platform provides a common environment to manage the documentation, testing, communica­tion, workflow, and reporting related to policy, compliance, and risk manage­ment and internal audit. It supports a common language for policy, risk, and control which enhances information transparency. Third-party due dili­gence solutions provide global intel­ligence on heightened risk individuals and entities, including screening for Politically Exposed Persons, enhanced due diligence reporting, and geopo­litical risk solutions that provide the means to address the full spectrum of risk across all markets and industries, no matter what type and size organi­zation.

Slavin: Third-party due diligence is a great example. Making consistent and defensible partnership decisions based upon efficiently collected and accu­rately analyzed data is important for all organizations. Inquiries to legal, au­dit, HR, or procurement departments may uncover existing technologies that compliance departments can leverage to meet these objectives. For example, many companies utilize litigation case management, GRC, and hotline sys­tems that are suitable for use in the anti-corruption arena. Also, a software tool with features such as e-mail distribu­tion, workflow management, external data integration, a secure & centralized repository, and a business rules engine is essential for large-scale data analysis and risk profiling.

Martin: Baker Hughes has successfully employed technology solutions in key areas such as the vetting and certifying of third-party agents, delivery of the worldwide training program, mainte­nance of a comprehensive case manage­ment system, and ongoing delivery of a wide variety of compliance messages.

Kuzma: Data analytics tools and techniques used in regular audits and investigations also can be used proac­tively to prevent, detect, and monitor against corruption. These systems test and analyze data by looking at trends and abnormal activity, uncovering exposure in key areas such as petty cash, accounts payable, and travel and expense submissions. Companies are starting to use tools to look at the unstructured data that is resident in the financial systems such as the text within journal entries, a/p dis­bursement descriptions, entries in the travel system that describe individual submissions, and information that describes how and why petty cash was used. Internal e-mail communication also is often a treasure chest of infor­mation.