Last week KPMG released a report on anti-bribery and corruption programs that, at a high level, will surprise nobody: Compliance challenges are growing, and third parties are harder than ever to manage.
After nearly a decade of anti-corruption awareness and compliance programs, then, the real question is this: Why is anti-bribery still so hard?
The numbers from KPMG aren’t exactly soothing: 77 percent of U.S. respondents described anti-corruption compliance as “highly challenging” this year, up from 43 percent in 2011. British respondents reported a similar spike, from 32 percent four years ago to 51 percent today. (Other key challenges cited in the survey are in the sidebar below, right.)
“I don’t think companies have let their guard down,” says Marc Miller, a partner in KPMG’s forensics practice. “I think it’s global enforcement stepping up. OECD reports would highlight that today some emerging countries are stepping up: We have China and Brazil leading their own initiatives and carrying out investigations; that has gotten the attention of the corporations that have these risks.”
He adds, “I think the boardroom still considers ABC a top risk, as much as a business risk. Some may say it’s their brand at risk, and they don’t want to be associated with showing up in the newspaper for an alleged ABC violation.”
One of the biggest challenges cited in the survey was third-party intermediaries. Violations can run the gamut from failure to perform contracted services to sham vendors to hiring a relative of a government official who would not otherwise be hired. “It gets back to: Is there an exchange or offer … and is it given to a government official? The creativity is endless,” Miller says.
Eric Feldman, managing director at Affiliated Monitors, which serves as an independent monitor in deferred- and non-prosecution agreements, agrees that increased enforcement is the top reason companies feel more challenged. He calls it a new level of international cooperation, something never seen before.
“Take a look at the whole FIFA mess,” he said, where the U.S. Justice Department coordinated with law enforcement in Switzerland and elsewhere to arrest top soccer executives for accepting bribes for bids on hosting the World Cup. Such an investigation “never would have been able to take place a few years ago.”
Third-party risks are so hard for businesses to manage, Feldman says, because there are so many types of risk to manage: high-risk countries, certainly; but also high-risk contracts, high-risk accounts, business expenses, engineering overhead, meals and entertainment, and many other places where bribes can be hidden away.
What’s more, “If you’re going to have a right-to-audit clause in contracts and sub-contracts, you darn well better exercise it,” Feldman says. He notes that part of auditing is the deterrent effect; if you never exercise the right to audit at all, the deterrent effect goes away. Likewise, he warns against companies failing to follow up on allegations of improprieties, since that fuels employee cynicism about a company’s commitment to good conduct.
Granted, an assessment of corruption risks can be the best way to identify where to put limited resources to improve or mitigate control weaknesses, and demonstrate your commitment to government agencies. Some compliance professionals, however, suspect that some companies still hesitate to undertake that exercise. The fear: that they identify a corruption risk but fail to follow up on it, which might put the company in a worse situation than if it had done nothing at all.
Joseph Spinelli, senior managing director at Kroll, cites Justice Department guidance (Opinion Release No. 08-02, to be precise) that says global organizations must rank risks according to high, medium, and low concerns. The guidance also discusses using technology-based tools. Those efforts, Spinelli says, can demonstrate to the Justice Department that you made a good-faith effort to perform due diligence even if you fail to catch a rogue third party out there somewhere.
For those companies choosing not to do careful due diligence, including risk-based assessments, “My answer is, shame on you if you don’t,” Spinelli says. He says the expectations in Release No. 08-02 are clear: If you fail to do a technology-based due diligence and risk assessment ranking third parties, “I hope you have deep pockets.”
The other difficulty in compliance with the Foreign Corrupt Practices Act, Spinelli says, is understanding how emerging markets function and what their local customs are. “Dealing with India, China, other countries, you have to take into account all the things that are permissible there that would be violations of the FCPA statute. And companies doing business in foreign localities every day don’t always know who a foreign official is.”
He gives the example of a payment made by a company to an individual doctor working for a hospital in China, so the company can win an exclusive contract; hospitals are owned by the government, and doctors working in those hospitals qualify as foreign officials.
For anti-corruption training to succeed, Spinelli says, “Make them read it, and certify they understand it; you want to show the government—if it becomes an issue—you have taken steps proactively to address the problem.”
TOP ABC CHALLENGES
Below, KPMG ranks the top anti-bribery corruption challenges in 2015.
Feldman concurs that insufficient training programs, particularly for global businesses, can be a big challenge. Many rely on computer-based training out of necessity, he says, but they must follow up to ensure the message is really understood by people in the head office as well as at the plant or production facility.
“One of [my first requests when] I go into a company is, ‘Show me what your performance appraisals look like, the promotion and bonus criteria’,” Feldman says. He wants to check whether employees get mixed messages, that despite exhortations for good compliance, “all the company really cares about is financial performance … what gets measured gets done, and I will achieve it, no matter what it takes—and sometimes no matter what it takes is unacceptable from an [anti-corruption] standpoint.”
Justice Department attorneys warn that some of the highest corruption risks reside in mergers and acquisitions, Miller says. “Every M&A transaction is different; there may be only so much you can do before closing, or so much access; but are you taking steps after closing, when you do have better access, to see where potential risks are?”
He adds that data analytics can be a useful tool, for tasks such as trying to find anomalous pricing data across a group of distributors. Even if no problem actually exists, good analytics can help a compliance officer understand training needs, the effectiveness of due diligence, or even whether an entity-level process or control needs reevaluation.
“The government has never been more aggressive,” Spinelli says. He strongly recommends being active, and notes that Britain’s Bribery Act provides a compliance defense if the company can demonstrate that it implemented adequate procedures. Here in the United States the FCPA does not allow a compliance defense, although the trend is that federal prosecutors do take into account whether the company took the initiative to design and implement a compliance program, including conducting due diligence with third parties.