In all respects—by company size and type, diversity of industries, and geographic scale—anti-bribery and anti-corruption compliance programs are growing in prominence, a new benchmark report finds.
The results, revealed in a Sept. 13 webinar, emanate from a survey jointly conducted by Compliance Week and Steele Compliance Solutions that highlight the types of risk mitigation strategies companies are using today and how they are managing, monitoring, and assessing their third-party anti-bribery and anti-corruption (ABAC) programs over time.
“We developed this survey in conjunction with Compliance Week to give corporate compliance officers and managers benchmarking data that they can use to understand industry practices and, hopefully, data that helps drive more efficient and effective compliance programs in the future,” said Tony Charles, chief client officer at Steele Compliance Solutions.
Although some of the findings were not surprising, “we did find a number of insights that we didn’t anticipate,” Charles added. The demographics of the survey respondents, alone, “indicate that the landscape of third-party [ABAC programs] may, in fact, be changing,” he said.
For example, the survey showed that nearly one-third of respondent companies are headquartered internationally. That finding speaks to “the incredible growth of compliance programs outside of the United States,” said Kristy Grant-Hart, founder and CEO of Spark Compliance Consulting. ABAC programs are only going to continue to grow internationally, she said.
Another telling finding from the survey: A significant number of respondents (40 percent) of the 107 compliance professionals surveyed were from privately held companies, versus 55 percent from publicly held companies, and five percent from non-profits. This indicates that it’s not just public companies that are increasingly paying attention to their third-party ABAC programs.
“Private companies are definitely paying more attention,” Grant-Hart said, adding that she commonly works with private companies either to start a compliance program or to enhance the one that they have. “All of them are focused on this issue.”
Furthermore, broken down by company size (measured by headcount of full-time employees), small companies, defined as those with fewer than 10,000 employees, made up more than half the respondents (56 percent). That’s a clear indication that small companies are thinking about ABAC as much as the large, global companies. “This bucks the trend we had expected to see, which is that larger companies tend to be more nterested and focused on third-party management,” Charles said.
Although third-party risk management has always been a concern to small companies, as much as it has been to large companies, the sheer growth in compliance as a profession has made small companies much more aware of the risks, Grant-Hart said.
“We developed this survey in conjunction with Compliance Week to give corporate compliance officers and managers benchmarking data that they can use to understand industry practices and, hopefully, data that helps drive more efficient and effective compliance programs in the future.”
Tony Charles, Chief Client Officer, Steele Compliance Solutions
Program structure. The report also examined whether companies take a centralized or decentralized approach to their third-party ABAC compliance programs. “Many of the companies I speak with and do work with like the idea of a decentralized model, but they find it difficult to execute, especially right out the gate as they launch their third-party risk management program,” Charles said.
In the survey, 75 percent of respondents said they take a centralized approach to managing their program, while 25 percent said they take a de-centralized approach. “I personally think a centralized approach always makes the most sense,” Grant-Hart said. “By that, I mean compliance has oversight where the business is able to provide the details of the third parties, but compliance ultimately oversees the decision-making process and the clearing of the red flags.”
Respondents to the Steele Third-Party Benchmark Suvery were asked: Is your third-party complaince program’s approach centralized or decentralize?
Compliance staffing and resources. Another portion of the survey looked at how many full-time employees (FTEs) that companies have that focus on ABAC compliance. Seventy-six percent of all respondents, including large multinationals, said they have up to three FTEs, if any at all—a dismal number.
This finding correlates with another part of the survey, which found that all respondents across all surveyed industries—financial, life sciences, manufacturing, and technology—indicated that they struggled with at least one budget constraint. The one constraint cited across the board: inadequate staffing.
Furthermore, of respondents who said they have FTEs, 67 percent of are responsible for more than ABAC. “We saw this across all industries,” Charles said. In conjunction with ABAC, the other compliance risks that were managed include supply-chain risk, human trafficking and slavery, and export controls.
When it comes to automation, small companies are far more likely to build a solution in-house, using capabilities like SharePoint and Excel. While Excel spreadsheets can be helpful, they don’t have the same record-keeping capacity as a managed third-party program; any sort of turnover in staffing can result in a loss of documents and e-mails, if it’s not all centralized, Grant-Hart said.
As a former chief compliance officer at United International Pictures, the joint venture of Paramount Pictures and Universal Pictures with operations in 65 countries, Grant-Hart knows first head the many benefits automation can bring to a compliance department. “We were in so many countries, we didn’t have the language capacity to do a proper online review,” she said. “I needed expertise. I needed good record-keeping, and I needed the ability to have a strong defensible record.”
WHAT DOES ABAC MANAGE?
Respondents to the Steele Third-Party Benchmark Suvery were asked: What other compliance risks does your ABAC department manage?
Due diligence. The survey also assessed how frequently companies renew their third-party due diligence. On average, large and medium sized companies renew their due diligence more frequently than small companies.
The plurality of respondents (37 percent) said they renew every two to three years, based on risk. The second highest number of respondents (21 percent) said they renew only high-risk third parties, annually. Another 19 percent said they renew all third parties annually, while 15 percent said they never renew due diligence.
“To never do due diligence renewal is indefensible, frankly,” Grant Hart said. “If you stood before a regulator and said, ‘We never do any further due diligence,’ you’d be in real trouble.” This an area where there is significant room for growth, she said.
Sometimes, boards and C-suites aren’t always on top of industry best practices and trends, and so benchmark reports like this help compliance officers make the case to show what industry peers are doing and how to remain competitive. “You can use this data in a proactive way,” Grant-Hart said, “to make sure your program is meeting those best practices and regulatory expectations.”