Are you in compliance?

Don't miss out! Sign up today for our weekly newsletters and stay abreast of important GRC-related information and news.

Shop Talk: Building an Effective Anti-Corruption Compliance Program

Joe Mont | October 8, 2013

Companies that conduct business internationally have always faced tough decisions on bribery and corruption. The gray area of what constitutes a reasonable gift, meal, or stipend versus what could be considered a bribe has caused plenty of sleepless nights for compliance officers.

With U.S. regulators and their counterparts abroad continuing to ramp up enforcement of anti-bribery laws, such as the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act, those risks are only growing.

Last month we held a series of roundtables in Chicago and Cincinnati where compliance and risk executives, along with experts from Kroll, met to discuss the challenges of building an effective anti-corruption compliance program and reining in the global risks of running afoul of anti-bribery laws. The group discussed such topics as: what bribery and corruption risks are rising, and why; how to incorporate third parties in an anti-corruption program and the challenge of doing so; and how to train and monitor employees in far-flung units of the company with different languages and cultures.

“International corporations already have global compliance programs in place, but with the maturation of anti-corruption legislation outside the U.S. and the move to enforcement in China, Brazil, and Russia, we are going to see increased risks,” says Kate Collins, chief ethics and compliance officer for Abbott Laboratories. “We are all in for a heck of a ride.”

“The risk has always been there, but companies are increasingly aware of where those gaps are and how to close them,” said Ann Marie Wick, formerly of Johnson Controls. At right is David Tulbert of Assurant.

To smooth the potential bumps along the way, companies are looking to build out their anti-corruption programs and add more sophisticated mechanisms to rein in risks. “A risk assessment needs to be done right at the very beginning of all this,” said Kroll Managing Director Michael Varnum. “That's the launch point. Companies really need to have an understanding of the corruption risks they are facing for risk and be able to articulate it and build the appropriate compliance program.”

Attendees of the executive forums generally agreed that companies are doing a better job of managing corruption risks. “Our risks are going to be increasing, but we have greater awareness and continue to improve the effectiveness of our own internal programs,” said Anne Frye, general counsel and secretary for Vertellus Specialties, a privately held chemical company.

“The risk has always been there, but companies are increasingly aware of where those gaps are and how to close them,” added Ann Marie Wick, former global financial compliance executive for Johnson Controls. 

Despite the progress, many participants cited the need for continued improvement. Even for those companies that have successfully offset the rising tide of enforcement, vigilance is necessary.

Third-Party Due Diligence

Therein lies one of the biggest difficulties for companies as they work to eliminate bribery and corruption: how to oversee what can be thousands of third parties, including vendors, contractors, resellers, distributors, and others. State-sponsored entities, often injected into any foreign business deal, add to the risk.

 Garrison Phillips, general counsel, ethics and compliance for United Airlines, and at left, Anne Frye of Vertellus Specialties.

Varnum advises companies to identify, assess, and segment the corruption risk level of any given third party considering such factors as country, interaction with government officials, type of business, size, length of operation, and history of the relationship. He noted that it can be a challenge for companies that try to do it on their own.

“You need, for instance, to have somebody read all of the due diligence reports that are going to be generated as a result of the third-party vetting,” Varnum said. “It can be a monumental task. It is encouraging to see that companies [represented at the roundtable] are taking the path of assessing their third-party relationships by categorizing companies by low, medium, and high risk.”

An important assessment, says Lisa Silverman, a managing director in Kroll's Chicago office, is identifying the owners of the third-party partners. It's not enough to know the executives. Companies should require their third-party vendors and partners to detail any individual or corporate entity that owns a share of the business. “Companies should require notification every time there is a change in partnership or ownership structure,” she suggests. The smallest threshold of ownership can, oftentimes, “come back and bite you,” she said.

When surveying third parties, the data you get back is only as good as the questions asked. “You need to know if the parties  have been cited before for violations and ask the questions—to the extent they will answer—who their business partners are, what other joint ventures they are in, and to whom they outsource,” said Silverman.

A top-notch screening system, however, may not always be enough to keep regulators at bay, especially in an environment where budget cuts are the norm, warns Darcy Morowitz, director of internal audit and Sarbanes-Oxley compliance for Navistar International.

Pictured above: David Foster of Kraft Foods and Abbott CECO Kate Collins.

“Regulators are pushing for more analytics, and that concerns me,” she says. “My concern is that companies will end up with this population of data that tells them, ‘here are all these red flags,' but companies may not have enough  resources to do the necessary due diligence. When regulators see that you have all this data and analytics they may say, ‘Great, but look at all these red flags you didn't respond to.”

At Johnson Controls the approach to wrangling all those third parties starts by categorizing them by type and risk profile, said Wick. Those with greater risk are subjected to greater due diligence requirements. Certain vendors, based upon category, are required to sign-off on an agreement to comply with FCPA requirements.

What of contractual obligations that demand vendor compliance or the right to audit? While some saw these as increasingly popular, getting vendors to agree to them is a challenge. One roundtable participant said he treats these agreements as akin to a lie detector test: “You can learn a lot just by the refusal.”

Training Day

While it can be an uphill climb, companies can protect themselves with a top-notch compliance program that incorporates face-to-face training. When training programs are a focus and third parties properly vetted, regulators are more likely to accept that an infraction was the result of a rogue third party or an individual, the group agreed.

Participants also stressed the need to make training materials work in the local language and culture. “Whenever we had to provide training materials to another country, we made sure it was translated right,” Wick said. “We would have a local advocate with excellent English and local language skills who could say, ‘Yes, that does translate right.' The translation was the critical piece.”

Cultural norms that pose problems often relate to gift giving, how to appropriately decline one, and when grants, sponsorships, or advertising amounts to no more than a pay-off. “We retain a cultural specialist,” said Sue Morris, head of global anti-corruption for BMO Financial Group. “That individual has given me insight into the cultures of the various areas where we operate and not just geographic areas. Is there a specific culture in a type of business?” This has helped her firm craft more relevant training materials, including Q&A documents and even a script on how to decline gifts from a business relationship. 

Above, Jeff Johnson, senior counsel in Motorola's office of ethics, listens in as Allscripts Chief Compliance Officer Tejal Vakharia addresses the panelists.

Another key ingredient of a successful anti-bribery and corruption program, as it is with so many compliance efforts, is buy-in from the board and executive leadership. “You've got to get the board to buy in,” Varnum said. “They have to acknowledge that there is this potential risk, and they will fund and budget all the necessary resources to do what you need to do.”

“The CEO doesn't want to be caught short, so he pushes it down to the sales managers, and they don't want a tongue lashing from the CEO, so they push it down to their sales organizations throughout the globe,” said one of the executives.

How to best approach a busy CEO for buy-in? Make the case that the compliance effort "has both an offensive and defensive purpose,” says John Steiner, chief compliance officer for Cancer Treatment Centers of America. “With respect to the ‘offense' it is critical to engage with the workforce and encourage them to address questionable patterns or practices early." For defense, "a sound compliance program is invaluable for a strong legal defense."

Some noted that each country they operate in has company-set limits on how much they can spend, or receive, on gift-giving and charitable contributions. One company took the extra step of engraving all its various tchotchkes with a company logo to discourage inappropriate gifting.

Determining those thresholds can be challenging, Silverman said. Internal policies should establish differences between a free pen and bribing a government official. She suggested that benchmarking a company's policies and actions against industry best practices can be useful for setting limits.

According to Varnum, any benchmark needs to be considered in terms of how prosecutors are approaching cases and what measures are effective in developing a strong anti-corruption program.

“My hope is that what will happen is that you get a better understanding of the risks—of what will be prosecuted and what will not be,” he says. Over time that will allow companies to build greater efficiencies and economies of scale into their compliance programs by focusing solely on the most paramount risks their companies face.