Study: CCOs Struggle to Navigate Anti-Bribery Risks

Navigating global bribery and corruption risks continues to befuddle chief compliance officers, many of whom still struggle to implement a global strategy for anti-bribery compliance, according to the findings from the 2015 Anti-Bribery and Corruption Benchmarking Report, a joint effort between Compliance Week and Kroll Advisory Solutions.

The report aims to give compliance officers a comprehensive view of the types of “ABC” (anti-bribery and corruption) risks they face, the resources available to mitigate them, and how those resources can be implemented into compliance programs.

For the second year in a row, the report asked respondents what types of misconduct qualify as “corrupt behavior” that the chief compliance officer is responsible for policing. Aside from bribery, respondents cited money-laundering (61 percent), bid-rigging (60 percent), and price-fixing (56 percent) as other prevalent corruption risks, findings that closely mirror last year’s results.

Furthermore, 51 percent of all compliance officers surveyed said they expect their bribery and corruption risks to increase in the coming year, primarily due to their companies expanding into new markets or engaging more third parties. Another 29 percent said they expect their risks to remain steady.

For the first time this year, the report gauged the level of confidence compliance officers have in their companies’ financial controls to catch books-and-records violations of the Foreign Corrupt Practices Act. Forty-eight percent said they’re confident in those controls, meaning more than half are not. Of those who said they were not confident in their financial controls, the most commonly cited reason was poor reporting relationships or collaboration, cited by 71 percent of respondents. Finance department employees might not know to bring concerns about improper payments to the compliance officer, the report explained.

“Compliance needs to be working hand-in-hand with finance to understand, practically, how controls can be implemented, how the financial controls work, and therefore, how they potentially can be manipulated,” said Zoë Newman, managing director for financial investigations at Kroll. Companies often have “wonderful controls” and no understanding of an acquired subsidiary on a legacy financial system that cannot communicate to the head office systems, she added.

Robert Huff, a managing director with Kroll, agreed that better collaboration between the compliance and finance teams is required to know when to raise red flags. “Recent enforcement actions focused on books and records make clear that, when it comes to scrutinizing payments made to third parties, both compliance and finance cannot work independently of each other,” he said.

When it comes to anti-bribery policies, the majority of compliance officers said their anti-bribery policies are formal, written documents, usually embedded in the company’s Code of Conduct and distributed to employees who must then certify that they’ve read and understand the policies. Two-thirds of respondents said that they review their anti-bribery processes at least annually, whereas 10 percent said they do so quarterly.

Third Parties

Perhaps not surprisingly, almost every survey respondent (92 percent) depends on outside vendors and other third parties to some extent. The average respondent this year reports more than 2,900 third-party relationships.

The good news: the vast majority of respondents said they employ a variety of tactics to assess the integrity of their third parties and seem to use risk-based factors to decide the appropriate amount of diligence each party deserves. Fifty-eight percent rate their due diligence procedures as effective.

Only eight percent perform no due diligence at all. The rest of the respondents tackle this effort in numerous ways—from formal contracts to information collected by the business unit to professional investigations, according to the report.

Companies also seem to be using more of a risk-based approach to decide how much due diligence to perform, considering factors such as how much a third party will interact with foreign officials, the nature of the work to be performed, and where the third party is based.

Zoë Newman, managing director for financial investigations at Kroll, believes due diligence on third parties is becoming more proactive, digging deeper into higher-risk relationships. “Five years ago one saw very few compliance officers or legal counsel doing any kind of proactive work (i.e., looking for potential problems and dealing with them in advance). Nowadays we’re finding it being done more and more,” she said.

The ongoing care and monitoring of third parties after a business relationship begins, however, is cause for concern. Forty-eight percent of respondents said that they never train third parties on anti-bribery and corruption concerns, an improvement from the 58 percent of respondents in last year’s survey, “but still alarmingly high given the large number of enforcement actions regulators take that involve third parties,” the report stated.

Companies that do provide ABC training to third parties typically use numerous tactics to deliver those messages, and 74 percent said they provide training in local languages. Still, barely one-third of respondents rated their training “effective,” and even fewer said the same about their efforts to audit anti-corruption risks among their third parties.

Just as self-certification has become a precondition for engaging a third party, participation in training should become “a second distinct precondition for moving a contract forward,” said Kevin Braine, managing director with Kroll’s Compliance practice in Europe, the Middle East and Africa. “That would be the only thing to motivate third parties to start taking this a bit more seriously, therefore it also motivates large corporates to actually spend time and effort in rolling these things out.”

Technology Controls

The number of companies automating at least some part of their anti-bribery compliance program continues to grow, from 49 percent last year to 66 percent this year. That said, the compliance program elements automated most often are training-related.

For example, 50 percent automate training for domestic employees, while 41 percent do so for training overseas employees. This finding correlates with other surveys of compliance functions beyond anti-bribery and corruption, which have found that training is one of the most commonly automated and outsourced tasks that chief compliance officers oversee. Other elements of anti-corruption compliance—vetting third parties, training third parties, tracking payments through subsidiaries, for example—are all automated much less frequently.

Sophisticated data analytics tools can help companies tame their risks by flagging high-risk transactions or relationships before a call to the whistleblower line occurs, Newman said. “The problem is that people want an off-the-shelf program they can apply and then tick the box,” she said. “That’s where it often fails.”

Look for full coverage of the findings of the report in next week’s edition of Compliance Week.