Corporate compliance departments are increasingly uneasy about their exposure to bribery risks, and many say they are still not up to snuff when it comes to policing third parties and eliminating facilitation payments.

According to a recent study from Kroll Advisory Solutions, 69 percent of 139 compliance executives surveyed say their companies have either high or moderate exposure to bribery risk. And in the pharmaceutical industry, all of the respondents say risks are high or moderate.

The biggest concern comes from corruption risks related to third parties, such as resellers, distributors, agents, or joint-venture partners. “In general, companies are still incredibly uncomfortable about the process of managing third parties,” says Bill Pollard, a partner in Deloitte's Foreign Corrupt Practices Act consulting practice.

The Kroll study comes at a time when several oil giants, including Chevron and ExxonMobil, have launched internal investigations over allegations of bribery payments made on behalf of the companies to customs officials in Kazakhstan.

The probes illustrate the difficult time companies that operate in emerging markets are having of mitigating third-party corruption risk. One of the greatest challenges for companies is simply identifying all of their third parties, never mind the due-diligence that then needs to be performed, says Pollard.

Once they do, they should conduct risk assessments to identify those that require more attention than others. Some companies end up spending more money than they need to by conducting the same level of due diligence on every third-party, says Alexandra Wrage, president of TRACE International, a non-profit association that provides anti-bribery compliance solutions. “That just isn't sustainable,” she says.

At the other end of the spectrum are companies that are not doing anything at all to rein in third-party corruption risks and are paralyzed because they don't know how to get started. “Both of those extremes are bad for business and bad for compliance,” Wrage adds.

According to the Kroll study, 71 percent of respondents say their companies require third parties to list any affiliations they have with foreign officials, 65 percent verify that third parties adhere to the company's code of ethics, and 73 percent confirm that each third party is free from sanctions pertaining to compliance with anti-bribery regulation. Twelve percent said they conduct no due diligence on third parties at all.

Part of the problem for many companies is a lack of a centralized system to send, collect, and analyze third-party questionnaires, the Kroll study found. Of the 71 percent of respondents from companies that require third parties to complete questionnaires, 60 percent say they use a manual, paper-based process.

That's far too high say FCPA experts. “We're never going to get rid of the element of judgment, nor should we try, but what technology can do is key things up and take away a lot of the repetitive work and help with storage, sourcing, and prioritizing,” says Wrage. “Those are all very important.”

Some industries are farther along in the process than others. While pharmaceutical companies are the most concerned about bribery risk, they are also the most vigilant about managing third-party risk. For example, 100 percent of drug company respondents say they conduct screening to confirm each third party is free from sanctions pertaining to compliance with anti-bribery regulations, compared to 65 percent in all other sectors. They were also unanimous in having policies that prohibit facilitating payments, compared to 87 percent of all respondents who say they prohibit such payments.

“In general, companies are still incredibly uncomfortable about the process of managing third parties.”

—Bill Pollard,

Partner, FCPA Consulting Practice,


David Holley, a senior managing director at Kroll who co-authored the survey, reasons that pharmaceutical companies rely very heavily on third parties—from drug testing to packaging to market approval—that it's “really prepared them very well for what needs to be done in the FCPA context.” 

The Kroll study also revealed that companies tend to have more control over their employees than their third parties; nearly all respondents (99 percent) said they had anti-bribery provisions for employees in their companies' codes of conduct, but only 73 percent have the same in place for third parties. While that number is good, “it should be higher,” says Holley. 

M&A Transactions

The study also found that more companies are conducting rigorous due diligence on mergers and acquisitions to identify and mitigate corruption risk. In fact, that work is leading to changes in merger terms or even scuttling deals altogether when FCPA red flags appear, according to Deloitte's Pollard. As companies continue to invest in emerging markets, “the request to do anti-corruption due diligence as part of an overall risk assessment is significantly on the rise,” he says.

Findings from the Kroll study reveal a similar trend. Eighty-one percent said they require the other party to complete due diligence questionnaires to vet their compliance levels with anti-bribery regulation.

Additionally, 78 percent reviewed existing contracts and third-party relationships of M&A targets to minimize non-compliance with regulations; 65 percent reviewed their target companies' third parties for potential corruption; and 48 percent screen the targets of third-party acquisitions. Nineteen percent of all respondents said they abandoned or re-negotiated a merger or acquisition as a result of failed anti-bribery compliance.

Facilitation Payments

The survey also identifies some surprising views on facilitation payments. While 60 percent of respondents said they do not permit facilitating payments for any reason, 36 percent said that they do under certain circumstances. That's “quite surprising,” says Holley. “Those that I talk to have no tolerance for facilitation payments at all.”


The following chart from Kroll Advisory Solutions provides details on specific industries' exposure to bribery risk.

While perceived exposure to risk varies from industry to industry, the majority of compliance executives participating in the survey expressed vulnerability to bribery risk. Sixty-nine percent of all respondents said their companies were either moderately or highly exposed to bribery risk; this number jumps to 100 percent in the pharmaceutical industry and drops to 46 percent in the financial services industry.

Source: Kroll Advisory Solutions.

“The trend is definitely moving toward no facilitation payments,” says Pollard. More and more companies are putting such prohibitions into their policy or program in some way, he says. In the Kroll study, just 19 percent said they do not have a written policy to address facilitation payments.

Companies that have been silent on the issue in the past are either “severely restricting” or becoming more explicit about the rare instances when a facilitation payment would be allowed, such as the threat of the loss of life, says Pollard.

Most all respondents of the Kroll study believe their bribery risks have increased or held steady over the last few years and expect that to continue. Because of the increased enforcement in the United States and overseas and the overall trend toward more cooperation among enforcement agencies, “things are going to get worse before they get better,” says Wrage.

The good news is that compliance departments are investing more in their anti-bribery efforts. Fifty-three percent of respondents said their compliance budgets had increased, and 49 percent said their compliance departments had increased hiring.

Most respondents also expressed confidence in their anti-bribery compliance programs, especially as it applies to effective policies and procedures (56 percent) and anti-bribery training (31 percent).

The top initiatives companies are implementing to minimize bribery risk include: employee training (60 percent) and establishing executive-level commitment to anti-bribery measures (23 percent). 

Education and training are important, but foremost is adopting a policy from the top down throughout the entire organization, says Holley. One example is having senior executives pay visits to the company's offices overseas to personally discuss the importance of compliance. “As small and remote as a part of a business might be,” he says, “it could really affect an entity's compliance track record.”