The list of companies facing charges from the Securities and Exchange Commission and the Department of Justice over violations of the Foreign Corrupt Practices Act continues to grow. Many of the more recent additions to that list, however, thought they had rock solid anti-bribery compliance programs in place.
So why are so many companies still getting hit with charges even though they are putting measures and programs in place to combat bribery and corruption? The answer, say anti-bribery advisers, is that there is a big difference between adopting a program and ensuring that it is effective.
“Just adopting a compliance program is not enough,” says Shruti Shah, senior policy director at Transparency International USA, which issued a new report this month that looks at how companies can verify the effectiveness of their anti-corruption compliance programs. “You need to verify that the program is actually working effectively. Without verification, you don’t know whether you have an effective program, or whether you have a program that’s designed to be a paper tiger.”
Proving the effectiveness of anti-bribery compliance programs, however, continues to elude many companies. “Few organizations have a really solid handle on this,” says Ingrid Fredeen, vice president of advisory services for Navex Global. It’s one area that continues to evolve, she says.
Conducting a thorough risk assessment is a good place to start. “It’s a foundational element for any compliance initiative,” Fredeen adds.
Another solution is to connect the dots on different elements of anti-bribery compliance. Tim Mazur, chief operating officer for the Ethics and Compliance Officer Association, says enforcement authorities “have the utmost respect” for companies that can show a clear connection between the risk assessment and the training and audits they conduct based on the findings of that assessment. “A lot of organizations don’t do that,” he says. Many companies perform risk assessments, audits, and training, but typically don’t link the results of each one together.
“A targeted, risk-based approach is what enforcement agencies are looking for,” Fredeen says. They’re looking to see that compliance departments are being smart about the decisions they’re making, and where they can make the biggest impact in their companies, she says.
According to Transparency International, it’s more important to focus on effectiveness and risk than on thoroughness. “It’s not possible to visit every location, interview every person, or test every transaction,” Shah says. Taking a risk-based approach helps put focus to compliance anti-corruption efforts, she says.
A truly effective risk assessment will identify not only a company’s high-risk areas, but also specific issues that may exist in those areas, or within certain business units. “What are the company’s most pressing risks?” Fredeen says. “That’s where you can take that risk assessment and figure out what group needs what kind of help to manage that risk better.”
Compliance departments can then use the findings of the risk assessment in the company’s annual planning process to effectively allocate resources. “You can’t just have this great risk assessment, and not budget the initiatives that need to follow,” Fredeen says.
Sight Testing
Risk assessments also serve as an important tool to determine where to allocate resources to perform sight testing and visits. “Nothing beats being able to get out and speak with people,” Fredeen says.
While that’s not always possible, many multinational companies have established effective compliance programs by embedding compliance heads into the business units to be the eyes and ears in various locations. “That can be very effective,” Fredeen says.
Without verification, you don’t know whether you have an effective program, or whether you have a program that’s designed to be a paper tiger.
Shruti Shah, Senior Policy Director, Transparency International-USA
The importance of performing on-site testing and visits can best be summed up by the experience of an investigator in an accounting firm, hired by a company to test its anti-corruption controls throughout various locations. “So one of my colleagues went to Brazil and checked the hotline,” Shah explains. “There was only one place in the entire location where he could call the hotline from—and that was the CFO’s office.”
But that wasn’t the worst part. Language can also trip up companies on anti-bribery compliance. “When he called the hotline—keep in mind, this is Brazil, where Portuguese is the primary language—the recording said, ‘Press 1 for English. Press 2 for Spanish.’”
Measuring Training Results
Verifying the effectiveness of training is another emerging area that compliance departments are now paying closer attention. Historically, compliance departments have spent a significant amount of time and resources training employees, but they haven’t really stopped to assess whether it’s been effective.
“One of the major trends we’re seeing is that compliance professionals want to measure effectiveness,” Fredeen says. According to a recent ethics and compliance training benchmark report conducted by Navex, 46 percent of more than 750 compliance professionals polled cited “measuring training effectiveness” as one of their top priorities in the next year.
They’ll have their work cut out for them. When it comes to measuring training effectiveness, 72 percent of respondents to the Navex benchmark report said they rely on completion rates. Completion rates, however, are “not a measure of effectiveness,” Fredeen says.
“To test whether training is effective, you need to assess whether your employees understand the training,” Shah says. Interviews or employee surveys are examples of how to achieve that, she says.
Employee surveys, however, are only as effective as the questions that are asked. “What behaviors do you want to know about? Make those surveys meaningful,” Fredeen says.
TOP TRAINING CHALLENGES
NAVEX Global asked respondents to its 2014 training benchmark report to rank their top ethics and compliance training concerns and challenges. See their responses below.
Source: NAVEX Global.
“Training is meant to be skill-building,” Mazur says. One way for companies to prove to enforcement authorities the effectiveness of its compliance and ethics program is to test employees on ethics- and compliance-related skills, the most obvious being decision making, he says.
One innovative and measurable metric that more companies are beginning to use, for example, is pre-testing and post-testing. Employees go through a training program to learn skills, or enhance existing skills, and then they’re tested again to gauge how their knowledge has progressed, Mazur says.
“Pre-testing and post-testing really works,” Mazur says. It sends a message to enforcement authorities that the company isn’t just going through the motions by simply having employees complete the training, he says.
According to the Navex report, companies also have significant progress to make in the area of third-party training. Most companies do some form of initial due diligence, but don’t have much interaction with third parties beyond that, Fredeen says. According to the report, for example, 57 percent of respondents said they don’t perform any third-party training, while another 36 percent said they do only one to five hours of training per year.
“Do not take the approach that every third party needs the exact same level of attention,” Fredeen says. “This is where the risk assessment can help to some degree.” When it comes to training, target your resources to your highest risk third parties, she says.
“If you want to make sure your efforts are really effective, get critical about your program,” Fredeen says. “Identify those gaps, and then train to those gaps.”
No comments yet