In a compliance utopia, all business would take place within a gated community of noble vendors, unimpeachable business agents, and beyond-reproach sales teams.

That fantasy of comical simplicity is far from modern reality, especially amid increasingly common bribery and corruption threats. There are also the risks inherent in complex supply chains that keep extending upstream, tier-by-tier, like nested dolls.

If the enforcement agencies ever come knocking on your door, you need an anti-corruption program that meets standards and is defensible. But, with abundant reputation risks and potentially massive legal defense costs, what is really needed are programs that prevent corruption in the first place. That was the consensus of an expert panel that participated in a session, “From Defensible to Effective: Anti-corruption Programs,” at the Compliance Week 2018 conference in Washington, D.C., on Monday.

Scott Lane, CEO and chairman of The Red Flag Group, led the discussion on a topic near and dear to him. He has led training sessions on compliance, corporate governance, director duties, anti-trust compliance, and anti-corruption compliance in multiple countries.

Panelists included Alan Levesque, vice president and chief ethics and compliance officer at Raytheon Co.; Steph Vogel, vice president and deputy chief compliance officer and assistant general counsel for the National Basketball Association; and Forrest Deegan, chief ethics and compliance officer for Abercrombie & Fitch.

Lane introduced the session by recalling a keynote address earlier in the day by Rod Rosenstein, deputy U.S. attorney general. 

“It was interesting to hear Rosenstein talking about ownership and how compliance needs to be part of the fabric of a business,” he said. “How do you make the program a business-driven program, if indeed that’s part of the company’s strategy?”

The good news, Lane said, is that among very different companies, like those represented on stage, many have seen anti-corruption programs become more embedded in the business over the past 10 years.

These efforts and “integrity programs are a near-necessity for any defense contractor,” Levesque said.

“This industry is global, and it does business in risky areas. There is a general recognition amongst business development and all the other functions of this company that says this is extremely important. The key is getting these to take ownership.”
Alan Levesque, Chief Ethics and Compliance Officer, Raytheon Co.

“This industry is global, and it does business in risky areas,” he said. “There is a general recognition amongst business development and all the other functions of this company that says this is extremely important. The key is getting these to take ownership.”

The challenge in creating a top-notch anti-corruption compliance program, he said, is not to be overly hierarchical and dictate how things will happen and how they won’t. Others “need to have skin in the game.”

“We try to take a much more collaborative approach to the functions of the business units,” Levesque said. “If they know that they have ownership, generally, the results are better. They have accepted the sorts of issues that you’re trying to build into the compliance program.”

Vogel, however, cautioned against surrendering too much control from the compliance function.

“We are the ones who are experts. We’re the ones that are thinking about risk 24/7,” she said. “Businesses have different priorities … They don't have the same perspective. Obviously, they’re looking to make money or close a deal and they want to do that as quickly as possible. Compliance gets in the way of that and holds it back. They can’t know everything they need to know without looking through a compliance lens.”

Vogel does agree that “skin in the game is important,” but “a partnership is different than ownership.”

Deegan’s suggestions, and his company’s best practices, include compliance outreach to those associated with the riskiest jurisdictions in the supply chain.

Books and records reviews are also of the utmost importance. “We’ve got plenty of examples where contracts were overcharged or there are duplicated invoices,” Deegan said. “Good records will shield a company by reflecting what money was spent on, and who did what activities.”

As for region-based and geopolitical risk, Lane sees that many companies “really need to dig deep to find out where the top 10 places where [troubles are likely] to occur and really focusing on those top 10 corruption risks, while not necessarily ignoring the next 100.”

Deegan said he no longer makes a pronounced distinction between approaches to government corruption threats and non-governmental risks.

“When you raise an issue or a question comes through our systems that involve a government official, we pay very close attention to that, but we use the same tools and communicate the same guidance regardless, whether it’s commercial,” he said.

Levesque also agreed and added that he used to devote excessive time with outside counsel merely defining who was a government official and who wasn’t.

“You had to determine who might be a relative to the royal family or somebody else,” he said. “If you make a policy that just says, ‘don't bribe anybody,’ it makes things a lot simpler.”

The NBA airs content in roughly 250 countries. That gives Vogel her own perspective of jurisdictional risk.

While scanning resources, like Transparency International’s scale of risk, can be informative, the reality of doing business in a country can diverge from its reputation.

Brazil, despite its reputation for bribery and corruption, has been a great place to do business. China, although feared by many outside of its borders, has plenty of rules and regulations intended to weed out illegitimate business deals.

“If you come at [matters] from an academic perspective, it’s important to also consider some business perspectives,” Vogel said.

The vast array of supply chain partners can be daunting, Lane said

“You’ve got thousands and thousands of partners, potentially tens of thousands,” he cautioned. How can you possibly conduct face-to-face reviews or foster trust with that many vendors?

Deegan tries to invite key foreign partners to the United States at least once a year. On-site visits abroad are handled with care. “You’ve got to get out there and see where they are,” he says. “Generally speaking, it’s good to schedule a meeting at their offices and not at your local office. You really want a sense of how they operate from actually seeing it.”

Questionnaires, simplified but not one-size-fits-all, are another important, although not foolproof, way to collect vendor data.

Vogel stressed the importance of the data reviews conducted by internal audit.

“I actually became the person who oversees internal audit,” she says. “There’s a reason for that. Every audit, if you read the report, has something that touches upon compliance or legal. It was important for us to have somebody with that knowledge and work with them to understand [those with supply chain responsibilities], what they’re looking at, and make sure that they even knew what to look for.”

“Our internal auditors are great at auditing, but they don’t know anything about the NBA” Vogel added, “I have to teach them, and I took some of that on by helping them set their audit plan.”

“What we do in compliance is constantly monitoring the business, but monitoring is different than auditing. If you can get involved in what’s being audited, you’re going to get information that’s going to be helpful to you. That’s why I don’t mind that I have to oversee audit. I don’t mind that I have to edit their reports before they go out. I’m getting something valuable out of it and getting to see the business from their perspective.”