On April 25, the big news in anti-corruption circles was that Morgan Stanley got in no trouble at all.
he U.S. Department of Justice and the Securities and Exchange Commission on that date announced resolutions of their separate cases against Garth Peterson, a former managing director of the investment bank's real estate investment and fund-advisory business in China. Peterson's crime had been “conspiring to evade internal accounting controls that Morgan Stanley was required to maintain under the Foreign Corrupt Practices Act,” according to the Justice Department. Both agencies decided against pursuing Morgan Stanley for charges related to Peterson's actions. It's the first time Justice declined to go after a company whose employee had violated the FCPA, says Thomas Fox, a Houston attorney, author, and blogger on anti-corruption and ethics.
“Morgan Stanley was not prosecuted because of the robustness of their compliance program,” Fox says. “It was a stamp of approval, and a good reason to do this properly.”
Much goes into doing anti-corruption properly, Fox and other experts say. But there are four broad categories that top companies focus on: assessing corruption risks, devising controls against them, implementing those controls and procedures with the local workforce, and then follow-up with constant monitoring.
Morgan Stanley did all these things. Between 2002 and 2008, the company trained various groups of Asia-based personnel on anti-corruption policies 54 times, the DOJ says. Peterson himself was trained on the FCPA seven times and reminded to comply with the FCPA at least 35 times. Morgan Stanley's compliance personnel regularly monitored transactions; randomly audited employees, transactions, and business units; and tested to identify illicit payments. Moreover, Morgan Stanley did “extensive due diligence on all new business partners and imposed stringent controls on payments made to business partners,” according to the Justice Department.
One doesn't need the resources of a 60,000-employee Morgan Stanley to do anti-corruption well. Chicago-based communications and public relations firm Edelman has 4,000 employees and a growing overseas presence, including offices in places like Russia, China, Indonesia, India, the Middle East, and South America, which generally don't rate well on Transparency International's Corruption Perceptions Index.
It all starts with risk assessment, says Randall Corley, Edelman's executive vice president and global compliance officer. It means looking hard at where and how you do business. Edelman, a professional services firm, may not have the corruption-risk exposure of an energy or a mining company making deals in West Africa, but the company does work with government entities around the world. On the sales side, while Edelman has “very few outside agents out there trying to bring us clientele,” there is the risk of “some rogue manager or someone who is having trouble meeting their numbers in a risky market tempted to do something that they shouldn't,” Corley says.
Edelman also employs thousands of third-party vendors and service providers worldwide. To focus its risk assessment, the company pares the list down by considering the countries involved, they types of services being rendered, and whether the job involves government work, Corley says.
No one has the resources to thoroughly vet every corporate touch point with the outside world. Tyco, for example, works with tens of thousands of vendors; but that company identified about 1,200 of them as truly high risk, Fox says.
Where the Risks Are
Checking assumptions at the door is fundamental to successful risk assessment, says Howard Sklar, senior counsel at e-Discovery software firm Recommind and former head of FCPA compliance and anti-corruption at Hewlett-Packard. Sklar describes risk assessment as “something that everybody agrees is crucially important, but that very, very few people do well.”
“I'm a big believer in single points of contact–or more colloquially, a single neck to choke. If you're bringing on a risky third party, you want somebody in your company who owns that relationship. That just makes your life easier.”
—Howard Sklar,
Senior Counsel,
Recommind
That means gathering data, because assumptions about where risks lie often turn out to be wrong, he says. There's a hidden benefit to doing a thorough risk assessment, too: It involves compliance staff working closely with the business, Sklar says.
“It allows you to get buy-in not only on where the risks are, but also on what we need to do to mitigate them,” Sklar says. “Otherwise, it's, ‘Oh, here comes compliance again—the business-prevention department.'”
With risks and mitigation strategies in hand, the business can also see the workload and budgets involved up-front and aren't as likely to push back later when headquarters asks for proof of compliance, Sklar says.
There's an equally important bit of up-front work to be done at headquarters, adds Daniel Wagner, CEO of Country Risk Solutions and author of “Managing Country Risk.” Anti-corruption programs may differ widely depending on company, industry, and country, but they all share strong buy-in at the top, he says.
“The education process at the board level and senior management is the starting point,” Wagner says.
When it comes to devising and implementing those controls and procedures with the local workforce, and then monitoring them, Edelman has a multi-pronged approach. One line of defense is seeding offices with a healthy presence of expatriates from low-corruption countries. They set the cultural tone and ethical standards.
That's not enough, of course, as the Justice Department's case with Morgan Stanley demonstrates. So Corley visits offices in high-risk countries, performing his own anti-corruption audits (in addition to the annual ones associated with external audits) and sits down with managers and staff. He talks about corruption risks, consequences, and how to raise red flags.
Other typical types of monitoring include internal transaction monitoring, establishing and tracking key performance indicators for third parties, and giving responsibility to one individual for the relationship with a given high-risk supplier or business partner, Sklar adds.
“I'm a big believer in single points of contact—or more colloquially, a single neck to choke,” Sklar says. “If you're bringing on a risky third party, you want somebody in your company who owns that relationship. That just makes your life easier.”
In terms of training, Edelman has a formal online anti-corruption training program, which includes short videos, case studies, and a test at the end, which Corley himself narrates.
Solid anti-corruption training also involves more than aspirational statements and reviews of the law itself. It's more important for employees to understand how they're expected to do business within that legal context, Sklar says. For example, rather than having employees memorize a line-item list of exceptions under the FCPA's facilitation clause, they should know simply that “the company has decided that facilitation payments are not how we want to do business,” he says.
And while training is a vital part of a successful anti-corruption program, companies are finding increasing success with informal communications too, Sklar says. That may mean periodic e-mails, YouTube videos, even graphic novels and smartphone applications. A key benefit is that, with anti-corruption messages coming through diverse channels, the message gets woven into the very fabric of the firm.
No comments yet